We identify the threat of cross-site framing attacks, which involves planting false evidence that incriminates computer users, without requiring access to their computer. We further show that a variety of framing-evidence can be planted using only modest framing-attacker capabilities. The attacker can plant evidence in both the logs of popular reputable sites and in the computer of the victim, without requiring client-side malware and without leaving traces. To infect the records of several of the most popular sites, we identified operations that are often considered benign and hence not protected from cross-site request forgery (CSRF) attacks. We demonstrate the attacks on the largest search engines: Google, Bing, and Yahoo!, on Youtube and Facebook, and on the e-commerce sites: Amazon, eBay, and Craigslist. To plant pieces of framing evidence on the computer, we abused the vulnerabilities of browsers and weaknesses in the examination procedure done by forensic software. Specifically, we show that it is possible to manipulate the common NTFS file system and to plant files on the hard disk of the victim, without leaving any traces indicating that these files were created via the browser. We validated the effectiveness of the framing evidence with the assistance of law authorities, in addition to using prominent forensic software. This work also discusses tactics for defense against cross-site framing and its applicability to web-services, browsers, and forensic software.
{"title":"Cross-Site Framing Attacks","authors":"Nethanel Gelernter, Yoel Grinstein, A. Herzberg","doi":"10.1145/2818000.2818029","DOIUrl":"https://doi.org/10.1145/2818000.2818029","url":null,"abstract":"We identify the threat of cross-site framing attacks, which involves planting false evidence that incriminates computer users, without requiring access to their computer. We further show that a variety of framing-evidence can be planted using only modest framing-attacker capabilities. The attacker can plant evidence in both the logs of popular reputable sites and in the computer of the victim, without requiring client-side malware and without leaving traces. To infect the records of several of the most popular sites, we identified operations that are often considered benign and hence not protected from cross-site request forgery (CSRF) attacks. We demonstrate the attacks on the largest search engines: Google, Bing, and Yahoo!, on Youtube and Facebook, and on the e-commerce sites: Amazon, eBay, and Craigslist. To plant pieces of framing evidence on the computer, we abused the vulnerabilities of browsers and weaknesses in the examination procedure done by forensic software. Specifically, we show that it is possible to manipulate the common NTFS file system and to plant files on the hard disk of the victim, without leaving any traces indicating that these files were created via the browser. We validated the effectiveness of the framing evidence with the assistance of law authorities, in addition to using prominent forensic software. This work also discusses tactics for defense against cross-site framing and its applicability to web-services, browsers, and forensic software.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117038874","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
I. E. Bagci, U. Roedig, I. Martinovic, Matthias Schulz, M. Hollick
The Internet of Things (IoT) is increasingly used for critical applications and securing the IoT has become a major concern. Among other issues it is important to ensure that tampering with IoT devices is detected. Many IoT devices use WiFi for communication and Channel State Information (CSI) based tamper detection is a valid option. Each 802.11n WiFi frame contains a preamble which allows a receiver to estimate the impact of the wireless channel, the transmitter and the receiver on the signal. The estimation result - the CSI - is used by a receiver to extract the transmitted information. However, as the CSI depends on the communication environment and the transmitter hardware, it can be used as well for security purposes. If an attacker tampers with a transmitter it will have an effect on the CSI measured at a receiver. Unfortunately not only tamper events lead to CSI fluctuations; movement of people in the communication environment has an impact too. We propose to analyse CSI values of a transmission simultaneously at multiple receivers to improve distinction of tamper and movement events. A moving person is expected to have an impact on some but not all communication links between transmitter and the receivers. A tamper event impacts on all links between transmitter and the receivers. The paper describes the necessary algorithms for the proposed tamper detection method. In particular we analyse the tamper detection capability in practical deployments with varying intensity of people movement. In our experiments the proposed system deployed in a busy office environment was capable to detect 53% of tamper events (TPR = 53%) while creating zero false alarms (FPR = 0%).
{"title":"Using Channel State Information for Tamper Detection in the Internet of Things","authors":"I. E. Bagci, U. Roedig, I. Martinovic, Matthias Schulz, M. Hollick","doi":"10.1145/2818000.2818028","DOIUrl":"https://doi.org/10.1145/2818000.2818028","url":null,"abstract":"The Internet of Things (IoT) is increasingly used for critical applications and securing the IoT has become a major concern. Among other issues it is important to ensure that tampering with IoT devices is detected. Many IoT devices use WiFi for communication and Channel State Information (CSI) based tamper detection is a valid option. Each 802.11n WiFi frame contains a preamble which allows a receiver to estimate the impact of the wireless channel, the transmitter and the receiver on the signal. The estimation result - the CSI - is used by a receiver to extract the transmitted information. However, as the CSI depends on the communication environment and the transmitter hardware, it can be used as well for security purposes. If an attacker tampers with a transmitter it will have an effect on the CSI measured at a receiver. Unfortunately not only tamper events lead to CSI fluctuations; movement of people in the communication environment has an impact too. We propose to analyse CSI values of a transmission simultaneously at multiple receivers to improve distinction of tamper and movement events. A moving person is expected to have an impact on some but not all communication links between transmitter and the receivers. A tamper event impacts on all links between transmitter and the receivers. The paper describes the necessary algorithms for the proposed tamper detection method. In particular we analyse the tamper detection capability in practical deployments with varying intensity of people movement. In our experiments the proposed system deployed in a busy office environment was capable to detect 53% of tamper events (TPR = 53%) while creating zero false alarms (FPR = 0%).","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"51 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130876563","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
USB attacks are becoming more sophisticated. Rather than using USB devices solely as a delivery mechanism for host-side exploits, attackers are targeting the USB stack itself, embedding malicious code in device firmware to covertly request additional USB interfaces, providing unacknowledged and malicious functionality that lies outside the apparent purpose of the device. This allows for attacks such as BadUSB, where a USB storage device with malicious firmware is capable of covertly acting as a keyboard as well, allowing it to inject malicious scripts into the host machine. We observe that the root cause of such attacks is that the USB Stack exposes a set of unrestricted device privileges and note that the most reliable information about a device's capabilities comes from the end user's expectation of the device's functionality. We design and implement GoodUSB, a mediation architecture for the Linux USB Stack. We defend against BadUSB attacks by enforcing permissions based on user expectations of device functionality. GoodUSB includes a security image component to simplify use, and a honeypot mechanism for observing suspicious USB activities. GoodUSB introduces only 5.2% performance overhead compared to the unmodified Linux USB subsystem. It is an important step forward in defending against USB attacks and towards allowing the safe deployment of USB devices in the enterprise.
{"title":"Defending Against Malicious USB Firmware with GoodUSB","authors":"Jing Tian, Adam Bates, Kevin R. B. Butler","doi":"10.1145/2818000.2818040","DOIUrl":"https://doi.org/10.1145/2818000.2818040","url":null,"abstract":"USB attacks are becoming more sophisticated. Rather than using USB devices solely as a delivery mechanism for host-side exploits, attackers are targeting the USB stack itself, embedding malicious code in device firmware to covertly request additional USB interfaces, providing unacknowledged and malicious functionality that lies outside the apparent purpose of the device. This allows for attacks such as BadUSB, where a USB storage device with malicious firmware is capable of covertly acting as a keyboard as well, allowing it to inject malicious scripts into the host machine. We observe that the root cause of such attacks is that the USB Stack exposes a set of unrestricted device privileges and note that the most reliable information about a device's capabilities comes from the end user's expectation of the device's functionality. We design and implement GoodUSB, a mediation architecture for the Linux USB Stack. We defend against BadUSB attacks by enforcing permissions based on user expectations of device functionality. GoodUSB includes a security image component to simplify use, and a honeypot mechanism for observing suspicious USB activities. GoodUSB introduces only 5.2% performance overhead compared to the unmodified Linux USB subsystem. It is an important step forward in defending against USB attacks and towards allowing the safe deployment of USB devices in the enterprise.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123858635","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Andriana Gkaniatsou, F. McNeill, A. Bundy, G. Steel, R. Focardi, Claudio Bozzato
Smart-cards are considered to be one of the most secure, tamper-resistant, and trusted devices for implementing confidential operations, such as authentication, key management, encryption and decryption for financial, communication, security and data management purposes. The commonly used RSA PKCS#11 standard defines the Application Programming Interface for cryptographic devices such as smart-cards. Though there has been work on formally verifying the correctness of the implementation of PKCS#11 in the API level, little attention has been paid to the low-level cryptographic protocols that implement it. We present REPROVE, the first automated system that reverse-engineers the low-level communication between a smart-card and a reader, deduces the card's functionality and translates PKCS#11 cryptographic functions into communication steps. REPROVE analyzes both standard-conforming and proprietary implementations, and does not require access to the card. To the best of our knowledge, REPROVE is the first system to address proprietary implementations and the only system that maps cryptographic functions to communication steps and on-card operations. We have evaluated REPROVE on five commercially available smart-cards and we show how essential functions to gain access to the card's private objects and perform cryptographic functions can be compromised through reverse-engineering traces of the low-level communication.
{"title":"Getting to know your Card: Reverse-Engineering the Smart-Card Application Protocol Data Unit","authors":"Andriana Gkaniatsou, F. McNeill, A. Bundy, G. Steel, R. Focardi, Claudio Bozzato","doi":"10.1145/2818000.2818020","DOIUrl":"https://doi.org/10.1145/2818000.2818020","url":null,"abstract":"Smart-cards are considered to be one of the most secure, tamper-resistant, and trusted devices for implementing confidential operations, such as authentication, key management, encryption and decryption for financial, communication, security and data management purposes. The commonly used RSA PKCS#11 standard defines the Application Programming Interface for cryptographic devices such as smart-cards. Though there has been work on formally verifying the correctness of the implementation of PKCS#11 in the API level, little attention has been paid to the low-level cryptographic protocols that implement it. We present REPROVE, the first automated system that reverse-engineers the low-level communication between a smart-card and a reader, deduces the card's functionality and translates PKCS#11 cryptographic functions into communication steps. REPROVE analyzes both standard-conforming and proprietary implementations, and does not require access to the card. To the best of our knowledge, REPROVE is the first system to address proprietary implementations and the only system that maps cryptographic functions to communication steps and on-card operations. We have evaluated REPROVE on five commercially available smart-cards and we show how essential functions to gain access to the card's private objects and perform cryptographic functions can be compromised through reverse-engineering traces of the low-level communication.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115499449","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sankardas Roy, J. DeLoach, Yuping Li, Nic Herndon, Doina Caragea, Xinming Ou, Venkatesh Prasad Ranganath, Hongmin Li, Nicolais Guevara
Although Machine Learning (ML) based approaches have shown promise for Android malware detection, a set of critical challenges remain unaddressed. Some of those challenges arise in relation to proper evaluation of the detection approach while others are related to the design decisions of the same. In this paper, we systematically study the impact of these challenges as a set of research questions (i.e., hypotheses). We design an experimentation framework where we can reliably vary several parameters while evaluating ML-based Android malware detection approaches. The results from the experiments are then used to answer the research questions. Meanwhile, we also demonstrate the impact of some challenges on some existing ML-based approaches. The large (market-scale) dataset (benign and malicious apps) we use in the above experiments represents the real-world Android app security analysis scale. We envision this study to encourage the practice of employing a better evaluation strategy and better designs of future ML-based approaches for Android malware detection.
{"title":"Experimental Study with Real-world Data for Android App Security Analysis using Machine Learning","authors":"Sankardas Roy, J. DeLoach, Yuping Li, Nic Herndon, Doina Caragea, Xinming Ou, Venkatesh Prasad Ranganath, Hongmin Li, Nicolais Guevara","doi":"10.1145/2818000.2818038","DOIUrl":"https://doi.org/10.1145/2818000.2818038","url":null,"abstract":"Although Machine Learning (ML) based approaches have shown promise for Android malware detection, a set of critical challenges remain unaddressed. Some of those challenges arise in relation to proper evaluation of the detection approach while others are related to the design decisions of the same. In this paper, we systematically study the impact of these challenges as a set of research questions (i.e., hypotheses). We design an experimentation framework where we can reliably vary several parameters while evaluating ML-based Android malware detection approaches. The results from the experiments are then used to answer the research questions. Meanwhile, we also demonstrate the impact of some challenges on some existing ML-based approaches. The large (market-scale) dataset (benign and malicious apps) we use in the above experiments represents the real-world Android app security analysis scale. We envision this study to encourage the practice of employing a better evaluation strategy and better designs of future ML-based approaches for Android malware detection.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130113045","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The FPGA world recently experienced significant changes with the introduction of new Systems-on-Chip (SoCs) embedding high-end microprocessors and programmable logic on the same integrated circuit. The architecture of these SoCs can be exploited to offer an unprecedented level of monitoring of the memory accesses of running software components, a key element of performance, safety and security analysis. This paper presents the hardware / software implementation of such a memory tracing tool on one of these SoCs. It also proposes example applications in the security field and two attacks --- a pass-phrase retrieval and an access control bypass --- to demonstrate the power of hardware-assisted memory tracing.
{"title":"Hardware-assisted Memory Tracing on New SoCs Embedding FPGA Fabrics","authors":"Letitia W. Li, Guillaume Duc, R. Pacalet","doi":"10.1145/2818000.2818030","DOIUrl":"https://doi.org/10.1145/2818000.2818030","url":null,"abstract":"The FPGA world recently experienced significant changes with the introduction of new Systems-on-Chip (SoCs) embedding high-end microprocessors and programmable logic on the same integrated circuit. The architecture of these SoCs can be exploited to offer an unprecedented level of monitoring of the memory accesses of running software components, a key element of performance, safety and security analysis. This paper presents the hardware / software implementation of such a memory tracing tool on one of these SoCs. It also proposes example applications in the security field and two attacks --- a pass-phrase retrieval and an access control bypass --- to demonstrate the power of hardware-assisted memory tracing.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133626054","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
J. Bogaerts, Maarten Decat, B. Lagaisse, W. Joosen
Access control is an important part of security that restricts the actions that users can perform on resources. Policy models specify how these restrictions are formulated in policies. Over the last decades, we have seen several such models, including role-based access control and more recently, attribute-based access control. However, these models do not take into account the relationships between users, resources and entities and their corresponding properties. This limits the expressiveness of these models. In this work, we present Entity-Based Access Control (EBAC). EBAC introduces entities as a primary concept and takes into account both attributes and relationships to evaluate policies. In addition, we present Auctoritas. Auctoritas is a authorization system that provides a practical policy language and evaluation engine for EBAC. We find that EBAC increases the expressiveness of policies and fits the application domain well. Moreover, our evaluation shows that entity-based policies described in Auctoritas can be enforced with a low policy evaluation latency.
{"title":"Entity-Based Access Control: supporting more expressive access control policies","authors":"J. Bogaerts, Maarten Decat, B. Lagaisse, W. Joosen","doi":"10.1145/2818000.2818009","DOIUrl":"https://doi.org/10.1145/2818000.2818009","url":null,"abstract":"Access control is an important part of security that restricts the actions that users can perform on resources. Policy models specify how these restrictions are formulated in policies. Over the last decades, we have seen several such models, including role-based access control and more recently, attribute-based access control. However, these models do not take into account the relationships between users, resources and entities and their corresponding properties. This limits the expressiveness of these models. In this work, we present Entity-Based Access Control (EBAC). EBAC introduces entities as a primary concept and takes into account both attributes and relationships to evaluate policies. In addition, we present Auctoritas. Auctoritas is a authorization system that provides a practical policy language and evaluation engine for EBAC. We find that EBAC increases the expressiveness of policies and fits the application domain well. Moreover, our evaluation shows that entity-based policies described in Auctoritas can be enforced with a low policy evaluation latency.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"148 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121051912","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Thomas Hupperich, Davide Maiorca, Marc Kührer, Thorsten Holz, G. Giacinto
Client fingerprinting techniques enhance classical cookie-based user tracking to increase the robustness of tracking techniques. A unique identifier is created based on characteristic attributes of the client device, and then used for deployment of personalized advertisements or similar use cases. Whereas fingerprinting performs well for highly customized devices (especially desktop computers), these methods often lack in precision for highly standardized devices like mobile phones. In this paper, we show that widely used techniques do not perform well for mobile devices yet, but that it is possible to build a fingerprinting system for precise recognition and identification. We evaluate our proposed system in an online study and verify its robustness against misclassification. Fingerprinting of web clients is often seen as an offence to web users' privacy as it usually takes place without the users' knowledge, awareness, and consent. Thus, we also analyze whether it is possible to outrun fingerprinting of mobile devices. We investigate different scenarios in which users are able to circumvent a fingerprinting system and evade our newly created methods.
{"title":"On the Robustness of Mobile Device Fingerprinting: Can Mobile Users Escape Modern Web-Tracking Mechanisms?","authors":"Thomas Hupperich, Davide Maiorca, Marc Kührer, Thorsten Holz, G. Giacinto","doi":"10.1145/2818000.2818032","DOIUrl":"https://doi.org/10.1145/2818000.2818032","url":null,"abstract":"Client fingerprinting techniques enhance classical cookie-based user tracking to increase the robustness of tracking techniques. A unique identifier is created based on characteristic attributes of the client device, and then used for deployment of personalized advertisements or similar use cases. Whereas fingerprinting performs well for highly customized devices (especially desktop computers), these methods often lack in precision for highly standardized devices like mobile phones. In this paper, we show that widely used techniques do not perform well for mobile devices yet, but that it is possible to build a fingerprinting system for precise recognition and identification. We evaluate our proposed system in an online study and verify its robustness against misclassification. Fingerprinting of web clients is often seen as an offence to web users' privacy as it usually takes place without the users' knowledge, awareness, and consent. Thus, we also analyze whether it is possible to outrun fingerprinting of mobile devices. We investigate different scenarios in which users are able to circumvent a fingerprinting system and evade our newly created methods.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"63 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116741761","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Luca Falsina, Y. Fratantonio, S. Zanero, Christopher Krügel, G. Vigna, F. Maggi
Android introduced the dynamic code loading (DCL) mechanism to allow for code reuse, to achieve extensibility, to enable updating functionalities, or to boost application start-up performance. In spite of its wide adoption by developers, previous research has shown that the secure implementation of DCL-based functionality is challenging, often leading to remote code injection vulnerabilities. Unfortunately, previous attempts to address this problem by both the academic and Android developers communities are affected by either practicality or completeness issues, and, in some cases, are affected by severe vulnerabilities. In this paper, we propose, design, implement, and test Grab 'n Run, a novel code verification protocol and a series of supporting libraries, APIs, and tools, that address the problem by abstracting away from the developer many of the challenging implementation details. Grab 'n Run is designed to be practical: Among its tools, it provides a drop-in library, which requires no modifications to the Android framework or the underlying Dalvik/ART runtime, is very similar to the native API, and most code can be automatically rewritten to use it. Grab 'n Run also contains an application-rewriting tool, which allows to easily port legacy or third-party applications to use the secure APIs developed in this work. We evaluate the Grab 'n Run library with a user study, obtaining very encouraging results in vulnerability reduction, ease of use, and speed of development. We also show that the performance overhead introduced by our library is negligible. For the benefit of the security of the Android ecosystem, we released Grab 'n Run as open source.
Android引入了动态代码加载(DCL)机制,以允许代码重用、实现可扩展性、启用更新功能或提高应用程序启动性能。尽管它被开发人员广泛采用,但先前的研究表明,基于dcl的功能的安全实现具有挑战性,通常会导致远程代码注入漏洞。不幸的是,学术界和Android开发者社区之前解决这个问题的尝试受到实用性或完整性问题的影响,在某些情况下,还受到严重漏洞的影响。在本文中,我们提出、设计、实现和测试Grab 'n Run,这是一种新的代码验证协议和一系列支持库、api和工具,通过从开发人员那里抽象出许多具有挑战性的实现细节来解决问题。Grab 'n Run的设计是实用的:在它的工具中,它提供了一个插入式库,它不需要修改Android框架或底层的Dalvik/ART运行时,与本机API非常相似,大多数代码可以自动重写以使用它。Grab 'n Run还包含一个应用程序重写工具,它允许轻松地移植遗留或第三方应用程序来使用在这项工作中开发的安全api。我们通过用户研究来评估Grab 'n Run库,在减少漏洞、易用性和开发速度方面获得了非常令人鼓舞的结果。我们还展示了我们的库带来的性能开销可以忽略不计。为了保证Android生态系统的安全性,我们将Grab 'n Run作为开源版本发布。
{"title":"Grab 'n Run: Secure and Practical Dynamic Code Loading for Android Applications","authors":"Luca Falsina, Y. Fratantonio, S. Zanero, Christopher Krügel, G. Vigna, F. Maggi","doi":"10.1145/2818000.2818042","DOIUrl":"https://doi.org/10.1145/2818000.2818042","url":null,"abstract":"Android introduced the dynamic code loading (DCL) mechanism to allow for code reuse, to achieve extensibility, to enable updating functionalities, or to boost application start-up performance. In spite of its wide adoption by developers, previous research has shown that the secure implementation of DCL-based functionality is challenging, often leading to remote code injection vulnerabilities. Unfortunately, previous attempts to address this problem by both the academic and Android developers communities are affected by either practicality or completeness issues, and, in some cases, are affected by severe vulnerabilities. In this paper, we propose, design, implement, and test Grab 'n Run, a novel code verification protocol and a series of supporting libraries, APIs, and tools, that address the problem by abstracting away from the developer many of the challenging implementation details. Grab 'n Run is designed to be practical: Among its tools, it provides a drop-in library, which requires no modifications to the Android framework or the underlying Dalvik/ART runtime, is very similar to the native API, and most code can be automatically rewritten to use it. Grab 'n Run also contains an application-rewriting tool, which allows to easily port legacy or third-party applications to use the secure APIs developed in this work. We evaluate the Grab 'n Run library with a user study, obtaining very encouraging results in vulnerability reduction, ease of use, and speed of development. We also show that the performance overhead introduced by our library is negligible. For the benefit of the security of the Android ecosystem, we released Grab 'n Run as open source.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114573854","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Crypto Phones represent an important approach for end-to-end VoIP security, claiming to prevent "wiretapping" and session hijacking attacks without relying upon third parties. In order to establish a secure session, Crypto Phones rely upon end users to perform two tasks: (1) checksum comparison: verbally communicating and matching short checksums displayed on users' devices, and (2) speaker verification: ascertaining that the voice announcing the checksum is the voice of the legitimate user at the other end. However, the human errors in executing these tasks may adversely affect the security and usability of Crypto Phones. Particularly, failure to detect mismatching checksums or imitated voices would result in a compromise of Crypto Phones session communications. We present a human factors study, with 128 online participants, investigating the security and usability of Crypto Phones with respect to both checksum comparison and speaker verification. To mimic a realistic VoIP scenario, we conducted our study using the WebRTC platform where each participant made a call to our IVR server via a browser, and was presented with several challenges having matching and mismatching checksums, spoken in the legitimate user's voice, different speakers' voices and automatically synthesized voices. Our results show that Crypto Phones offer a weak level of security (significantly weaker than that guaranteed by the underlying protocols), and their usability is low (although might still be acceptable). Quantitatively, the overall average likelihood of failing to detect an attack session was about 25-50%, while the average likelihood of accepting a legitimate session was about 75%. Moreover, while the theory promises an exponential increase in security with increase in checksum size, we found a degradation in security when moving from 2-word checksum to 4-word checksum.
{"title":"On the Security and Usability of Crypto Phones","authors":"Maliheh Shirvanian, Nitesh Saxena","doi":"10.1145/2818000.2818007","DOIUrl":"https://doi.org/10.1145/2818000.2818007","url":null,"abstract":"Crypto Phones represent an important approach for end-to-end VoIP security, claiming to prevent \"wiretapping\" and session hijacking attacks without relying upon third parties. In order to establish a secure session, Crypto Phones rely upon end users to perform two tasks: (1) checksum comparison: verbally communicating and matching short checksums displayed on users' devices, and (2) speaker verification: ascertaining that the voice announcing the checksum is the voice of the legitimate user at the other end. However, the human errors in executing these tasks may adversely affect the security and usability of Crypto Phones. Particularly, failure to detect mismatching checksums or imitated voices would result in a compromise of Crypto Phones session communications. We present a human factors study, with 128 online participants, investigating the security and usability of Crypto Phones with respect to both checksum comparison and speaker verification. To mimic a realistic VoIP scenario, we conducted our study using the WebRTC platform where each participant made a call to our IVR server via a browser, and was presented with several challenges having matching and mismatching checksums, spoken in the legitimate user's voice, different speakers' voices and automatically synthesized voices. Our results show that Crypto Phones offer a weak level of security (significantly weaker than that guaranteed by the underlying protocols), and their usability is low (although might still be acceptable). Quantitatively, the overall average likelihood of failing to detect an attack session was about 25-50%, while the average likelihood of accepting a legitimate session was about 75%. Moreover, while the theory promises an exponential increase in security with increase in checksum size, we found a degradation in security when moving from 2-word checksum to 4-word checksum.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"26 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117229489","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: