
2021 IEEE Symposium on Security and Privacy (SP): Latest Publications

CANNON: Reliable and Stealthy Remote Shutdown Attacks via Unaltered Automotive Microcontrollers
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00122
Sekar Kulandaivel, Shalabh Jain, J. Guajardo, V. Sekar
Electronic Control Units (ECUs) in modern vehicles have recently been targets for shutdown attacks, which can disable safety-critical vehicle functions and be used as a means to launch more dangerous attacks. Existing attacks operate either by physical manipulation of the bus signals or by message injection. However, we argue that these cannot simultaneously be remote, stealthy, and reliable. For instance, message injection is detected by modern Intrusion Detection System (IDS) proposals and requires strict synchronization that cannot be realized remotely. In this work, we introduce a new class of attacks that leverage the peripheral clock gating feature in modern automotive microcontroller units (MCUs). By using this capability, a remote adversary with purely software control can reliably "freeze" the output of a compromised ECU to insert arbitrary bits at any time instance. Utilizing this insight, we develop the CANnon attack for remote shutdown. Since the CANnon attack produces error patterns indistinguishable from natural errors and does not require message insertion, detecting it with current techniques is difficult. We demonstrate this attack on two automotive MCUs used in modern passenger vehicle ECUs. We discuss potential mitigation strategies and countermeasures for such attacks.
Pages: 195-210 | Citations: 12
Linking Bluetooth LE & Classic and Implications for Privacy-Preserving Bluetooth-Based Protocols
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00102
Norbert Ludant, T. Vo-Huu, Sashank Narain, G. Noubir
Bluetooth Low Energy (BLE) advertisements are increasingly used for proximity privacy-preserving protocols. We investigate information leakage from BLE advertisements. Our analysis, among other things, reveals that the design of today's Bluetooth chips enables the linking of BLE advertisements to Bluetooth Classic (BTC) frames, and to a globally unique identifier (BDADDR). We demonstrate that the inference of the BDADDR from BLE advertisements is robust, achieving over 90% reliability across apps, mobile devices, and device densities, and from tens of meters away from the victims. We discuss the implications of the current chipsets' vulnerability for privacy-preserving protocols. The attack, for instance, reveals the BDADDR of the devices of infected users of contact-tracing apps. We also discuss how the vulnerability can lead to de-anonymization of victims. Furthermore, current mobile devices do not allow selective disabling of BTC independently of BLE, which renders simple countermeasures impractical. We developed several mitigations for the Android OS and the Bluetooth stack and demonstrate their efficacy.
Pages: 1318-1331 | Citations: 4
Red Belly: A Secure, Fair and Scalable Open Blockchain
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00087
Tyler Crain, Christopher Natoli, V. Gramoli
Blockchain has found applications in tracking ownership of digital assets. Yet, several blockchains were shown to be vulnerable to network attacks. It is thus crucial for companies to adopt secure blockchains before moving them to production. In this paper, we present Red Belly Blockchain (RBBC), the first secure blockchain whose throughput scales to hundreds of geodistributed consensus participants. To this end, we drastically revisited Byzantine Fault Tolerant (BFT) blockchains through three contributions: (i) defining the Set Byzantine Consensus problem of agreeing on a superblock of all proposed blocks instead of a single block; (ii) adopting a fair leaderless design to offer censorship-resistance, guaranteeing the commit of correctly requested transactions; (iii) introducing sharded verification to limit the number of signature verifications without hampering security. We evaluate RBBC on up to 1000 VMs of 3 different types, spread across 4 continents, and under attacks. Although its performance is affected by attacks, RBBC scales in that its throughput increases up to hundreds of consensus nodes, achieving 30k TPS throughput and 3 second latency on 1000 VMs, hence improving by 3× both the latency and the throughput of its closest competitor.
Pages: 466-483 | Citations: 81
Invisible for both Camera and LiDAR: Security of Multi-Sensor Fusion based Perception in Autonomous Driving Under Physical-World Attacks
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00076
Yulong Cao, Ningfei Wang, Chaowei Xiao, Dawei Yang, Jin Fang, Ruigang Yang, Qi Alfred Chen, Mingyan Liu, Bo Li
In Autonomous Driving (AD) systems, perception is both security and safety critical. Despite various prior studies on its security issues, all of them only consider attacks on camera- or LiDAR-based AD perception alone. However, production AD systems today predominantly adopt a Multi-Sensor Fusion (MSF) based design, which in principle can be more robust against these attacks under the assumption that not all fusion sources are (or can be) attacked at the same time. In this paper, we present the first study of security issues of MSF-based perception in AD systems. We directly challenge the basic MSF design assumption above by exploring the possibility of attacking all fusion sources simultaneously. This allows us for the first time to understand how much security guarantee MSF can fundamentally provide as a general defense strategy for AD perception. We formulate the attack as an optimization problem to generate a physically-realizable, adversarial 3D-printed object that misleads an AD system into failing to detect it and thus crashing into it. To systematically generate such a physical-world attack, we propose a novel attack pipeline that addresses two main design challenges: (1) non-differentiable target camera and LiDAR sensing systems, and (2) non-differentiable cell-level aggregated features popularly used in LiDAR-based AD perception. We evaluate our attack on MSF algorithms included in representative open-source industry-grade AD systems in real-world driving scenarios. Our results show that the attack achieves over 90% success rate across different object types and MSF algorithms. Our attack is also found to be stealthy, robust to victim positions, transferable across MSF algorithms, and physical-world realizable after being 3D-printed and captured by LiDAR and camera devices. To concretely assess the end-to-end safety impact, we further perform a simulation evaluation and show that it can cause a 100% vehicle collision rate for an industry-grade AD system. We also evaluate and discuss defense strategies.
Pages: 176-194 | Citations: 110
Invisible Probe: Timing Attacks with PCIe Congestion Side-channel
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00059
Mingtian Tan, Junpeng Wan, Zhe Zhou, Zhou Li
The PCIe (Peripheral Component Interconnect Express) protocol is the de facto protocol to bridge the CPU and peripheral devices like GPUs, NICs, and SSD drives. There is an increasing demand to install more peripheral devices on a single machine, but the number of PCIe interfaces offered by Intel CPUs is fixed. To resolve such contention, a PCIe switch, PCH (Platform Controller Hub), or virtualization card is installed on the machine to allow multiple devices to share a PCIe interface. Congestion happens when the collective PCIe traffic from the devices overwhelms the PCIe link capacity, and transmission delay is then introduced. In this work, we found that the PCIe delay not only harms device performance but also leaks sensitive information about a user who uses the machine. In particular, as a user's activities might trigger data movement over PCIe (e.g., between CPU and GPU), by measuring PCIe congestion an adversary accessing another device can infer the victim's secret indirectly. Therefore, the delay resulting from I/O congestion can be exploited as a side-channel. We demonstrate the threat from PCIe congestion through 2 attack scenarios and 4 victim settings. Specifically, an attacker can learn the workload of a GPU in a remote server by probing an RDMA NIC that shares the same PCIe switch and measuring the delays. Based on the measurement, the attacker is able to learn the keystroke timings of the victim, what webpage is rendered on the GPU, and what machine-learning model is running on the GPU. Besides, when the victim is using a low-speed device, e.g., an Ethernet NIC, an attacker controlling an NVMe SSD can launch a similar attack when they share a PCH or virtualization card. The evaluation result shows our attack can achieve high accuracy (e.g., 96.31% accuracy in inferring the webpage visited by a victim).
Pages: 322-338 | Citations: 17
Hear "No Evil", See "Kenansville"*: Efficient and Transferable Black-Box Attacks on Speech Recognition and Voice Identification Systems
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00009
H. Abdullah, Muhammad Sajidur Rahman, Washington Garcia, Kevin Warren, Anurag Swarnim Yadav, T. Shrimpton, Patrick Traynor
Automatic speech recognition and voice identification systems are being deployed in a wide array of applications, from providing control mechanisms to devices lacking traditional interfaces, to the automatic transcription of conversations and authentication of users. Many of these applications have significant security and privacy considerations. We develop attacks that force mistranscription and misidentification in state-of-the-art systems, with minimal impact on human comprehension. Processing pipelines for modern systems consist of signal preprocessing and feature extraction steps, whose output is fed to a machine-learned model. Prior work has focused on the models, using white-box knowledge to tailor model-specific attacks. We focus on the pipeline stages before the models, which (unlike the models) are quite similar across systems. As such, our attacks are black-box, transferable, can be tuned to require zero queries to the target, and demonstrably achieve mistranscription and misidentification rates as high as 100% by modifying only a few frames of audio. We perform a study via Amazon Mechanical Turk demonstrating that there is no statistically significant difference between human perception of regular and perturbed audio. Our findings suggest that models may learn aspects of speech that are generally not perceived by human subjects, but that are crucial for model accuracy.
Pages: 712-729 | Citations: 25
Reading Between the Lines: An Extensive Evaluation of the Security and Privacy Implications of EPUB Reading Systems
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00015
Gertjan Franken, Tom van Goethem, W. Joosen
In recent years, e-books have proven to be a very appealing alternative to physical books; nowadays, almost every written book is published in an electronic format next to its physical copy. In an attempt to promote consensus and to offer an alternative to emerging proprietary e-book formats, the Open eBook format was introduced, now known as the EPUB format. Building on existing web functionalities, this open format relies primarily on XHTML and CSS to construct e-books. As such, browser engines are often employed to render the contents of EPUBs. However, this implies that reading systems may face vulnerabilities similar to those of web browsers. In this paper, we report on a semi-automated evaluation of the security and privacy aspects of EPUB reading systems. This evaluation, which was performed on 97 EPUB reading systems covering seven platforms and five physical reading devices, revealed that almost none of the JavaScript-supporting reading systems sufficiently adhere to the EPUB specification's security recommendations. Furthermore, our results indicate that 16 reading systems even allow an EPUB to leak information about the user's file system, and in eight cases to extract file contents. In addition to the semi-automated evaluation, we demonstrate that an attacker can launch even more potent attacks that may lead to a full compromise of a user's system, by exploiting aspects specific to the implementation of reading systems used by millions of users. Finally, we investigate the root cause of the identified security and privacy issues, uncovering several flaws in the implementation of EPUB reading systems, as well as shortcomings of the EPUB specification.
{"title":"Reading Between the Lines: An Extensive Evaluation of the Security and Privacy Implications of EPUB Reading Systems","authors":"Gertjan Franken, Tom van Goethem, W. Joosen","doi":"10.1109/SP40001.2021.00015","DOIUrl":"https://doi.org/10.1109/SP40001.2021.00015","url":null,"abstract":"In recent years, e-books have proven to be a very appealing alternative to physical books; nowadays, almost every written book is published in an electronic format next to its physical copy. In an attempt to promote consensus and to offer an alternative to emerging proprietary e-book formats, the Open eBook format was introduced, now known as the EPUB format. Building on existing web functionalities, this open format relies primarily on XHTML and CSS to construct e-books. As such, browser engines are often employed to render the contents of EPUBs. However, this implies that reading systems may face similar vulnerabilities as web browsers.In this paper, we report on a semi-automated evaluation of the security and privacy aspects of EPUB reading systems. This evaluation, which was performed on 97 EPUB reading systems covering seven platforms and five physical reading devices, revealed that almost none of the JavaScript-supporting reading systems sufficiently adhere to the EPUB specification’s security recommendations. Furthermore, our results indicate that 16 reading systems even allow an EPUB to leak information about the user’s file system, and in eight cases extract file contents. In addition to the semi-automated evaluation, we demonstrate that an attacker can launch even more potent attacks that may lead to a full compromise of a user’s system, by exploiting aspects specific to the implementation of reading systems used by millions of users. 
Finally, we investigate the root cause of the identified security and privacy issues, uncovering several flaws in both the implementation of EPUB reading system, as well as shortcomings of the EPUB specification.","PeriodicalId":6786,"journal":{"name":"2021 IEEE Symposium on Security and Privacy (SP)","volume":"20 1","pages":"1730-1747"},"PeriodicalIF":0.0,"publicationDate":"2021-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82806522","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 2
Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00025
Megan Chen, Carmit Hazay, Y. Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, Abhi Shelat, Muthuramakrishnan Venkitasubramaniam, Ruihan Wang
In this work, we design and implement the first protocol for distributed generation of an RSA modulus that can support thousands of parties and offers security against active corruption of an arbitrary number of parties. In a nutshell, we first design a highly optimized protocol for this scale that is secure against passive corruptions, and then amplify its security to withstand active corruptions using lightweight succinct zero-knowledge proofs. Our protocol achieves security with "identifiable abort," where a corrupted party is identified whenever the protocol aborts, and supports public verifiability. Our protocol against passive corruptions extends the recent work of Chen et al. (CRYPTO 2020) that, in turn, is based on the blueprint introduced in the original Boneh-Franklin protocol (CRYPTO 1997, J. ACM, 2001). Specifically, we reduce the task of sampling a modulus to secure distributed multiplication, which we implement via an efficient threshold additively homomorphic encryption scheme based on the Ring-LWE assumption. This results in a protocol where the (amortized) per-party communication cost grows logarithmically in the number of parties. In order to minimize the work done by the parties, we employ a "publicly verifiable" coordinator that is connected to all parties and only performs computations on public data. We implemented both the passive and the active variants of our protocol and ran experiments using 2 to 4,000 parties. This is the first implementation of any MPC protocol that can scale to more than 1,000 parties. For generating a 2048-bit modulus among 1,000 parties, our passive protocol executed in under 6 minutes and the active variant ran in under 25 minutes.
Pages : 590-607
Citations: 36
Breaking the Specification: PDF Certification
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00110
Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Jörg Schwenk
The Portable Document Format (PDF) is the de-facto standard for document exchange. The PDF specification defines two different types of digital signatures to guarantee the authenticity and integrity of documents: approval signatures and certification signatures. Approval signatures testify to one specific state of the PDF document. Their security has been investigated at CCS'19. Certification signatures are more powerful and flexible. They cover more complex workflows, such as signing contracts by multiple parties. To achieve this goal, users can make specific changes to a signed document without invalidating the signature. This paper presents the first comprehensive security evaluation of certification signatures in PDFs. We describe two novel attack classes, Evil Annotation and Sneaky Signature attacks, which abuse flaws in the current PDF specification. Both attack classes allow an attacker to significantly alter a certified document's visible content without raising any warnings. Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using Evil Annotation attacks and in 8 applications by using Sneaky Signature attacks, using PDF-specification-compliant exploits. We improved both attacks' stealthiness with applications' implementation issues and found only two applications secure against all attacks. On top, we show how to gain high-privileged JavaScript execution in Adobe. We responsibly disclosed these issues and supported the vendors in fixing the vulnerabilities. We also propose concrete countermeasures and improvements to the current specification to fix the issues.
Pages : 1485-1501
Citations: 7
Zero Knowledge for Everything and Everyone: Fast ZK Processor with Cached ORAM for ANSI C Programs
Pub Date : 2021-05-01 DOI: 10.1109/SP40001.2021.00089
David Heath, Yibin Yang, David Devecsery, V. Kolesnikov
We build a complete and efficient ZK toolchain that handles proof statements encoded as arbitrary ANSI C programs. Zero-Knowledge (ZK) proofs are foundational in cryptography. Recent ZK research has focused intensely on non-interactive proofs of small statements, useful in blockchain scenarios. We instead target large statements that are useful, e.g., in proving properties of programs. Recent work (Heath and Kolesnikov, CCS 2020 [HK20a]) designed an efficient proof-of-concept ZK machine (ZKM). Their machine executes arbitrary programs over a minimal instruction set, authenticating in ZK the program execution. In this work, we significantly extend this research thrust, both in terms of efficiency and generality. Our contributions include:
• A rich and performance-oriented architecture for representing arbitrary ZK proofs as programs.
• A complete compiler toolchain providing full support for ANSI C95 programs. We ran off-the-shelf buggy versions of the Linux programs sed and gzip, proving in ZK that each program has a bug. To our knowledge, this is the first ZK system capable of executing standard Linux programs.
• Improved ZK oblivious RAM (ORAM). [HK20a] introduced an efficient ZK-specific ORAM, BubbleRAM, that consumes O(log² n) communication per access. We extend BubbleRAM with multi-level caching, decreasing communication to O(log n) per access. This introduces the possibility of a cache miss, which we handle cheaply. Our experiments show that cache misses are rare; in isolation, i.e., ignoring other processor costs, BubbleCache improves communication over BubbleRAM by more than 8×. Using BubbleCache improves our processor's total communication (including costs of cache misses) by ≈ 25-30%.
• Numerous low-level optimizations, resulting in a CPU that is both more expressive and ≈ 5.5× faster than [HK20a]'s.
• Attention to user experience. Our engineer-facing ZK instrumentation and extensions are minimal and easy to use.
Put together, our system is efficient and general, and can run many standard Linux programs. The resultant machine runs at up to 11 kHz on a 1 Gbps LAN and supports MBs of RAM.
Pages : 1538-1556
Citations: 13
Journal: 2021 IEEE Symposium on Security and Privacy (SP)