ASIA CCS '23: Proceedings of the ACM Asia Conference on Computer and Communications Security

Vulnerabilities pose a significant challenge in ensuring cyberse-security for information systems. In the past, vulnerabilities were mainly associated with functional defects in system software and hardware, known as "in-band vulnerabilities," whereby "band" refers to the functional domain. However, with the rapid development of the Internet of Things (IoT), new security issues have emerged that traditional vulnerability categorization may not fully cover. IoT devices rely on sensors and actuators to interact with the real world, but this interaction process between physical and digital systems has created defects that are difficult to analyze and detect. These defects include unintentional coupling effects of sensors from ambient analog signals or abnormal channels that were not intentionally designed, collectively known as "out-of-band vulnerabilities." Various security incidents have highlighted the prevalence of out-of-band vulnerabilities in IoT systems, and their activation can result in serious consequences.

To address this issue, we propose a vulnerability categorization framework that includes out-of-band vulnerabilities and provides examples for each category. Our talk highlights the need to shift the research paradigm for system security to encompass both in-band and out-of-band vulnerabilities in the intelligence era. Finally, we explore potential solutions for mitigating out-of-band vulnerabilities and securing IoT devices.

Fully Homomorphic Encryption over the Torus (TFHE) is a homomorphic encryption scheme which supports efficient Boolean operations over encrypted bits. TFHE has a unique feature in that the evaluation of each binary gate is followed by a bootstrapping procedure to refresh the noise of a ciphertext. In particular, this gate bootstrapping involves two algorithms called the blind rotation and key-switching.

In this work, we introduce several optimization techniques for the TFHE bootstrapping. We first define a new key distribution, called the block binary distribution, where the secret key can be expressed as a concatenation of several vectors of Hamming weight at most one. We analyze the hardness of (Ring) LWE with a block binary secret and provide candidate parameter sets which are secure against the best-known attacks. Then, we use the block key structure to simplify the inner working of blind rotation and reduce its complexity. We also modify the RLWE key generation and the gadget decomposition method to improve the performance of the key-switching algorithm in terms of complexity and noise growth.

Finally, we use the TFHE library to implement our algorithms and demonstrate their benchmarks. Our experimentation shows that the execution time of TFHE bootstrapping is reduced from 10.5ms down to 6.4ms under the same security level, and the size of the bootstrapping key decreases from 109MB to 60MB.

In this work, we introduce a lightweight secure aggregation protocol that guarantees liveness (i.e., guaranteed output delivery), robust against faulty inputs and security against malicious clients. First, we improve upon prior works in the “star”-like topology network with a central coordinating (also output) party, Bonawitz et al. (ACM CCS 2017) and Bell et al. (ACM CCS 2020), which are not robust against faulty inputs. Recent works, RoFL (Burkhalter et al.) and (concurrent work) ACORN (Bell et al.) show how to rely on zero-knowledge proofs to address such attacks at expense of significantly high computation costs. We also compare our protocol against the PRIO system by Gibbs and Boneh (USENIX 2017) which achieves the same task in an incomparable security model. We benchmark our protocol with implementation and demonstrate its concrete efficiency. Our solution scales to 1000s of clients, requires only a constant number of rounds, outperforms prior work in computational cost, and has competitive communication cost.

In today’s interconnected world, data has become a valuable asset, leading to a growing interest in protecting it through techniques such as privacy-preserving computation. Two well-known approaches are multi-party computation and homomorphic encryption with use cases such as privacy-preserving machine learning evaluating or training neural networks. For multi-party computation, one of the fundamental arithmetic operations is the secure multiplication in the malicious security model and by extension the multiplication of matrices which is expensive to compute in the malicious model. Transferring the problem of secure matrix multiplication to the homomorphic domain enables savings in communication complexity, reducing the main bottleneck.

In this work, we implement and optimize the homomorphic generation of matrix triples. We provide an open-source implementation for the leveled BGV (Brakerski Gentry Vaikuntanathan) scheme supporting plaintext moduli of arbitrary size using state-of-the-art implementation techniques. We also provide a new, use-case specific approach to parameter generation for leveled BGV-like schemes heuristically optimizing for computation time and taking into account architecture-specific constraints. Finally, we provide an in-depth analysis of the homomorphic circuit enabling the re-use of key switching keys and eliminating constant multiplications, combining our results in an implementation to generate homomorphic matrix triples for arbitrary plaintext moduli.

Our implementation is publicly available and up to 2.1 × faster compared to previous work while also providing new time-memory trade-offs for different computing environments. Furthermore, we implement and evaluate additional, use-case specific optimization opportunities such as matrix slicing for the matrix triple generation.

Smartphone sensors potentially threaten the privacy of individuals, placing society at risk. Previous studies have demonstrated that smartphone sensors are susceptible to privacy intrusion. Inspired by this finding, we designed a mechanism of invasion that targets the location privacy of subway passengers. Specifically, we recovered the travel trajectories of subway passengers using sensor data and matched them with railway data collected from OpenStreetMap. This study primarily exploits an accelerometer and gyroscope, which are suitable for subway tracking because they operate appropriately in underground and indoor conditions. Although these sensors are easily influenced by passenger activity, we devised a method for recovering clean trajectories of subway passengers by utilizing gravitational acceleration and event detection methods. Subsequently, we conducted several experiments to prove the threat and feasibility of our proposals, even in the presence of human-generated noise (e.g., texting, watching videos, playing games, device rotation, and changing positions) influencing the sensor data. Specifically, we applied dynamic time warping (DTW) to obtain the costs between the reference data and reconstructed trace. Finally, a cost combination mechanism aggregated the DTW costs and predicted the best matches.

Several applications require counting the number of distinct items in the data, which is known as the cardinality counting problem. Example applications include health applications such as rare disease patients counting for adequate awareness and funding, and counting the number of cases of a new disease for outbreak detection, marketing applications such as counting the visibility reached for a new product, and cybersecurity applications such as tracking the number of unique views of social media posts. The data needed for the counting is however often personal and sensitive, and need to be processed using privacy-preserving techniques. The quality of data in different databases, for example typos, errors and variations, poses additional challenges for accurate cardinality estimation. While privacy-preserving cardinality counting has gained much attention in the recent times and a few privacy-preserving algorithms have been developed for cardinality estimation, no work has so far been done on privacy-preserving cardinality counting using record linkage techniques with fuzzy matching and provable privacy guarantees. We propose a novel privacy-preserving record linkage algorithm using unsupervised clustering techniques to link and count the cardinality of individuals in multiple datasets without compromising their privacy or identity. In addition, existing Elbow methods to find the optimal number of clusters as the cardinality are far from accurate as they do not take into account the purity and completeness of generated clusters. We propose a novel method to find the optimal number of clusters in unsupervised learning. Our experimental results on real and synthetic datasets are highly promising in terms of significantly smaller error rate of less than 0.1 with a privacy budget ϵ = 1.0 compared to the state-of-the-art fuzzy matching and clustering method.

The increasingly popular virtual personal assistant (VPA) services, e.g., Amazon Alexa and Google Assistant, enable third-party developers to create and release VPA apps for end users to access through smart speakers. Given that VPA apps handle sensitive personal data, VPA service providers require developers to release a privacy policy document to declare their data handling practice. The privacy policies are regarded as legal or semi-legal documents, which are usually lengthy and complex for users to understand. In this work, we conducted a subjective study to investigate the level of users’ understanding of the privacy policies, targeting the VPA apps (i.e., skills) of Amazon Alexa, the most popular VPA service. Our study focused on technical terms, one of the greatest hurdles to users’ understanding. We found that 84.2% of our participants faced difficulty in understanding technical terms appeared in the skills’ privacy policies, even for participants with IT background. Additionally, 64.3% of them reported that explanations for the technical terms are generally lacking. To address this issue, we proposed two principles, i.e., domain-specificity principle and implication-oriented principle, to guide skill developers in creating easy-to-understand privacy policies. We evaluated their effectiveness by creating explanation sentences for 23 representative terms and examining users’ understanding through a second user study. Our results show that using explanation sentences based on these principles can significantly improve users’ understanding.

Federated learning (FL) provides a variety of privacy advantages by allowing clients to collaboratively train a model without sharing their private data. However, recent studies have shown that private information can still be leaked through shared gradients. To further minimize the risk of privacy leakage, existing defenses usually require clients to locally modify their gradients (e.g., differential privacy) prior to sharing with the server. While these approaches are effective in certain cases, they regard the entire data as a single entity to protect, which usually comes at a large cost in model utility. In this paper, we seek to reconcile utility and privacy in FL by proposing a user-configurable privacy defense, RecUP-FL, that can better focus on the user-specified sensitive attributes while obtaining significant improvements in utility over traditional defenses. Moreover, we observe that existing inference attacks often rely on a machine learning model to extract the private information (e.g., attributes). We thus formulate such a privacy defense as an adversarial learning problem, where RecUP-FL generates slight perturbations that can be added to the gradients before sharing to fool adversary models. To improve the transferability to un-queryable black-box adversary models, inspired by the idea of meta-learning, RecUP-FL forms a model zoo containing a set of substitute models and iteratively alternates between simulations of the white-box and the black-box adversarial attack scenarios to generate perturbations. Extensive experiments on four datasets under various adversarial settings (both attribute inference attack and data reconstruction attack) show that RecUP-FL can meet user-specified privacy constraints over the sensitive attributes while significantly improving the model utility compared with state-of-the-art privacy defenses.

The data used to train deep neural network (DNN) models in applications such as healthcare and finance typically contain sensitive information. A DNN model may suffer from overfitting– it will perform very well on samples seen during training, and poorly on samples not seen during training. Overfitted models have been shown to be susceptible to query-based attacks such as membership inference attacks (MIAs). MIAs aim to determine whether a sample belongs to the dataset used to train a classifier (members) or not (nonmembers). Recently, a new class of label-based MIAs (LAB MIAs) was proposed, where an adversary was only required to have knowledge of predicted labels of samples. LAB MIAs used the insight that member samples were typically located farther away from a classification decision boundary than nonmembers, and were shown to be highly effective across multiple datasets. Developing a defense against an adversary carrying out a LAB MIA on DNN models that cannot be retrained remains an open problem.

We present LDL, a light weight defense against LAB MIAs. LDL works by constructing a high-dimensional sphere around queried samples such that the model decision is unchanged for (noisy) variants of the sample within the sphere. This sphere of label-invariance creates ambiguity and prevents a querying adversary from correctly determining whether a sample is a member or a nonmember. We analytically characterize the success rate of an adversary carrying out a LAB MIA when LDL is deployed, and show that the formulation is consistent with experimental observations. We evaluate LDL on seven datasets– CIFAR-10, CIFAR-100, GTSRB, Face, Purchase, Location, and Texas– with varying sizes of training data. All of these datasets have been used by SOTA LAB MIAs. Our experiments demonstrate that LDL reduces the success rate of an adversary carrying out a LAB MIA in each case. We empirically compare LDL with defenses against LAB MIAs that require retraining of DNN models, and show that LDL performs favorably despite not needing to retrain the DNNs.

As graphs are getting larger and larger, federated graph learning (FGL) is increasingly adopted, which can train graph neural networks (GNNs) on distributed graph data. However, the privacy of graph data in FGL systems is an inevitable concern due to multi-party participation. Recent studies indicated that the gradient leakage of trained GNN can be used to infer private graph data information utilizing model inversion attacks (MIA). Moreover, the central server can legitimately access the local GNN gradients, which makes MIA difficult to counter if the attacker is at the central server. In this paper, we first identify a realistic crowdsourcing-based FGL scenario where MIA from the central server towards clients’ subgraph structures is a nonnegligible threat. Then, we propose a defense scheme, Subgraph-Out-of-Subgraph (SOS), to mitigate such MIA and meanwhile, maintain the prediction accuracy. We leverage the information bottleneck (IB) principle to extract task-relevant subgraphs out of the clients’ original subgraphs. The extracted IB-subgraphs are used for local GNN training and the local model updates will have less information about the original subgraphs, which renders the MIA harder to infer the original subgraph structure. Particularly, we devise a novel neural network-powered approach to overcome the intractability of graph data’s mutual information estimation in IB optimization. Additionally, we design a subgraph generation algorithm for finally yielding reasonable IB-subgraphs from the optimization results. Extensive experiments demonstrate the efficacy of the proposed scheme, the FGL system trained on IB-subgraphs is more robust against MIA attacks with minuscule accuracy loss.

Federated learning (FL) is a widely used distributed machine learning framework. However, recent studies have shown its susceptibility to poisoning membership inference attacks (MIA). In MIA, adversaries maliciously manipulate the local updates on selected samples and share the gradients with the server (i.e., poisoning). Since honest clients perform gradient descent on samples locally, an adversary can distinguish whether the attacked sample is a training sample based on observation of the change of the sample’s prediction. This type of attack exacerbates traditional passive MIA, yet the defense mechanisms remain largely unexplored.

In this work, we first investigate the effectiveness of the existing server-side robust aggregation algorithms (AGRs), designed to counter general poisoning attacks, in defending against poisoning MIA. We find that they are largely insufficient in mitigating poisoning MIA, as it targets specific victim samples and has minimal impact on model performance, unlike general poisoning. Thus, we propose a new client-side defense mechanism, called LoDen, which leverages the clients’ unique ability to detect any suspicious privacy attacks. We theoretically quantify the membership information leaked to the poisoning MIA and provide a bound for this leakage in LoDen. We perform an extensive experimental evaluation on four benchmark datasets against poisoning MIA, comparing LoDen with six state-of-the-art server-side AGRs. LoDen consistently achieves missing rate in detecting poisoning MIA across all settings, and reduces the poisoning MIA success rate to in most cases. The code of LoDen is available at https://github.com/UQ-Trust-Lab/LoDen.

Semi-supervised learning, which learns with only a small amount of labeled data while collecting voluminous unlabeled data to aid its training, has achieved promising performance lately, but it also raises a serious privacy concern: Whether a user’s data has been collected for use without authorization. In this paper, we propose a novel membership inference method against semi-supervised learning, serving to protect user data privacy. Due to involving both the labeled and unlabeled data, the membership patterns of semi-supervised learning’s training data cannot be well captured by the existing membership inference solutions. To this end, we propose two new metrics, i.e., inter-consistency and intra-entropy, tailored specifically to the semi-supervised learning paradigm, able to respectively measure the similarity and calculate the cross-entropy among prediction vectors from the perturbed versions. By exploiting the two metrics for membership inference, our method can dig out membership patterns imprinted on prediction outputs of semi-supervised learning models, thus facilitating effective membership inference. Extensive experiments have been conducted for comparing our method with five rectified baseline inference techniques across four datasets on six semi-supervised learning algorithms. Experimental results exhibit that our inference method achieves over 80% accuracy under each experimental setting, substantially outperforming all baseline techniques.

Deno is a runtime for JavaScript and TypeScript that is receiving great interest by developers, and is increasingly used for the construction of back-ends of web applications. A primary goal of Deno is to provide a secure and isolated environment for the execution of JavaScript programs. It also supports the execution of subprocesses, unfortunately without providing security guarantees.

In this work we propose Cage4Deno, a set of modifications to Deno enabling the creation of fine-grained sandboxes for the execution of subprocesses. The design of Cage4Deno satisfies the compatibility, transparency, flexibility, usability, security, and performance needs of a modern sandbox. The realization of these requirements partially stems from the use of Landlock and eBPF, two robust and efficient security technologies. Significant attention has been paid to the design of a flexible and compact policy model consisting of RWX permissions, which can be automatically created, and deny rules to declare exceptions. The sandbox effectiveness is demonstrated by successfully blocking a number of exploits for recent CVEs, while runtime experiments prove its efficiency. The proposal is associated with an open-source implementation.

Over the last two decades, the danger of sharing resources between programs has been repeatedly highlighted. Multiple side-channel attacks, which seek to exploit shared components for leaking information, have been devised, mostly targeting shared caching components. In response, the research community has proposed multiple cache designs that aim at curbing the source of side channels.

With multiple competing designs, there is a need for assessing the level of security against side-channel attacks that each design offers. Several metrics have been suggested for performing such evaluations. However, these tend to be limited both in terms of the potential adversaries they consider and in the applicability of the metric to real-world attacks, as opposed to attack techniques. Moreover, all existing metrics implicitly assume that a single metric can encompass the nuances of side-channel security.

In this work we propose CacheFX, a flexible framework for assessing and evaluating the resilience of cache designs to side-channel attacks. CacheFX allows the evaluator to implement various cache designs, victims, and attackers, as well as to exercise them for assessing the leakage of information via the cache.

To demonstrate the power of CacheFX, we implement multiple cache designs and replacement algorithms, and devise three evaluation metrics that measure different aspects of the caches: (1) the entropy induced by a memory access; (2) the complexity of building an eviction set; (3) protection against cryptographic attacks; Our experiments highlight that different security metrics give different insights to designs, making a comprehensive analysis mandatory. For instance, while eviction-set building was fastest for randomized skewed caches, these caches featured lower eviction entropy and higher practical attack complexity. Our experiments show that all non-partitioned designs allow for effective cryptographic attacks. However, in state-of-the-art secure caches, eviction-based attacks are more difficult to mount than occupancy-based attacks, highlighting the need to consider the latter in cache design.

Memory safety vulnerabilities are a severe threat to modern computer systems allowing adversaries to leak or modify security-critical data. To protect systems from this attack vector, full memory safety is required. As software-based countermeasures tend to induce significant runtime overheads, which is not acceptable for production code, hardware assistance is needed. Tagged memory architectures, e.g., already offered by the ARM MTE and SPARC ADI extensions, assign meta-information to memory objects, thus allowing to implement memory safety policies. However, due to the high tag collision probability caused by the small tag sizes, the protection guarantees of these schemes are limited.

This paper presents Multi-Tag, the first hardware-software co-design utilizing a multi-granular tagging structure that provides strong protection against spatial and temporal memory safety violations. By combining object-granular memory tags with page-granular tags stored in the page table entries, Multi-Tag overcomes the limitation of small tag sizes. Introducing page-granular tags significantly enhances the probabilistic protection capabilities of memory tagging without increasing the memory overhead or the system’s complexity. We develop a prototype implementation comprising a gem5 model of the tagged architecture, a Linux kernel extension, and an LLVM-based compiler toolchain. The simulated performance overhead for the SPEC CPU2017 and nbench-byte benchmarks highlights the practicability of our design.

ARMv8-A processors generally utilize optimization techniques such as multi-layer cache, out-of-order execution and branch prediction to improve performance. These optimization techniques are inevitably threatened by cache-related attacks including Flush+Reload, Flush+Flush, Meltdown, Spectre, and their variants. These attacks can break the isolation boundaries between different processes or even between user and kernel spaces. Researchers proposed many defense schemes to resist these cache-related attacks. However, they either need to modify the hardware architecture, have incomplete coverage, or introduce significant performance overhead.

In this paper, we propose FlushTime, a more secure collaborative framework of cache flush instructions and generic timer on ARMv8-A. Based on the instruction/register trap mechanism of ARMv8-A, FlushTime traps cache flush instructions and generic timer from user space into kernel space, and makes them cooperate with each other in kernel space. When a flush instruction is called, the generic timer resolution will be reduced for several time slices. This collaborative mechanism can greatly mitigate the threat of all flush-based cache-related attacks. Since normal applications rarely need to obtain high resolution timestamps immediately after calling a flush instruction, FlushTime does not affect the normal operation of the system. Security and performance evaluations show that FlushTime can resist all flush-based cache-related attacks while introducing an extremely low performance overhead.

Microarchitectural attacks typically rely on precise timing sources to uncover short-lived secret-dependent activity in the processor. In response, many browsers and even CPU vendors restrict access to fine-grained timers. While some attacks are still possible, several state-of-the-art microarchitectural attack vectors are actively hindered or even eliminated by these restrictions.

This paper proposes ShowTime, a general framework to expose arbitrary microarchitectural timing channels to coarse-grained timers. ShowTime consists of Convert routines, transforming microarchitectural leakage from one type to another, and Amplify routines, inflating the timing difference of a single microarchitectural event to make it distinguishable with crude sources of time.

We contribute several Convert and Amplify routines and show how to combine them into powerful attack primitives. We demonstrate how a single cache event can be amplified so that even the human eye can classify it with 98% accuracy and how stateless time differences as minuscule as 20 ns can be captured, converted, and amplified in a single observation. Additionally, we generate cache eviction sets, both in real-world restricted browser environments and natively using timers with precisions ranging from microseconds to seconds. Our findings imply that timer restrictions alone, even when ruthlessly implemented beyond practical limits, provide insufficient protection against CPU timing attacks.

Ensuring the integrity of a remote app or device is one of the most challenging concerns for the Android ecosystem. Software-based solutions provide limited protection and can usually be circumvented by repacking the mobile app or rooting the device. Newer protocols use trusted hardware to provide stronger remote attestation guarantees, e.g., Google SafetyNet, Samsung Knox (V2 and V3 attestation), and Android Key Attestation. So far, the protocols used by these systems have received relatively little attention. In this paper, we formally model these platforms using the Tamarin Prover and verify their security properties in the symbolic model of cryptography, revealing two vulnerabilities: we found a relay attack against Samsung Knox V2 that allows a malicious app to masquerade as an honest app, and an error in the recommended use case for Android Key Attestation that means that old—possibly out of date—attestations can be replayed. We employed our findings and the modelled platforms to tackle one of the most challenging problems in Android security, namely code protection, proposing and formally modelling a code protection scheme that ensures source code protection for mobile apps using a hardware root of trust.

Fuzzing has emerged as the most broadly used testing technique to discover bugs. Effective fuzzers rely on coverage to prioritize inputs that exercise new program areas. Edge-based code coverage of the Program Under Test (PUT) is the most commonly used coverage today. It is cheap to collect—a simple counter per basic block edge suffices. Unfortunately, edge coverage lacks context information: it exclusively records how many times each edge was executed but lacks the information necessary to trace actual paths of execution.

Our new fuzzer Arvin gathers probabilistic full traces of PUT executions to construct Dynamic Control Flow Graphs (DCFGs). These DCFGs observe a richer set of program behaviors, such as the "depth" of execution, different paths to reach the same basic block, and targeting specific functions and paths. Prioritizing the most promising inputs based on these behaviors improves fuzzing effectiveness by increasing the diversity of explored basic blocks.

Designing a DCFG-aware fuzzer raises a key challenge: collecting the required information needs complex instrumentation which results in performance overheads. Our prototype approximates DCFG and enables lightweight, asynchronous coordination between fuzzing processes, making DCFG-based fuzzing practical.

By approximating DCFGs, Arvin is fast, resulting in at least an eight-fold increase in fuzzing speed. Because it effectively prioritizes inputs using methods like depth comparison and directed exclusion, which are unavailable to other fuzzers, it finds bugs missed by others. We compare its ability to find bugs using various Linux programs and discover 50 bugs, 23 of which are uniquely found by Arvin.

In the past years, the CWE-190 integer overflow led to many vulnerabilities. Program verification techniques such as Abstract Interpretation can show that no such bug is present in a given program. To date, such techniques often aim to verify the correctness of source code. However, as the source code is not always available or might not have been subject to such an analysis, it is advisable to apply abstract integer range analysis to the binary. However, analyzing binaries imposes other challenges which are not always addressed accurately by existing analysis tools. As an example, some tools fail to model bitwise operators, recover type information or do not account for compiler optimizations. We propose techniques to address these limitations and illustrate their effects in our configurable reference implementation AbsIntIO. AbsIntIO applies abstract integer range analysis to binaries with the goal to show that no integer overflow is possible. We evaluate the effects of the improvements and observed a reduction of the error rates. Hence, the improvements provide a step towards verifying the correctness of binaries.

Driven by application diversification and market needs, software systems are integrating new features rapidly. However, this “feature creep” can compromise software security, as more code carries the risk of more vulnerabilities. This paper presents a system for disabling features activated by common input types, using a component called F-detector to detect feature-associated program control flow branches. The system includes a second component called F-blocker to disable features without disrupting application continuity. It does so by treating unwanted features as unexpected errors and leveraging error virtualization to recover execution, by redirecting it to appropriate existing error handling code. We implemented and evaluated the system on the Linux platform using 145 features from 9 programs, and results show that it can detect and disable all features with few errors, hence, outperforming previous works in terms of vulnerability mitigation through debloating.

Many mobile applications have resorted to deep neural networks (DNNs) because of their strong inference capabilities. Since both input data and DNN architectures could be sensitive, there is an increasing demand for secure DNN execution on mobile devices. Towards this end, hardware-based trusted execution environments on mobile devices (mobile TEEs), such as ARM TrustZone, have recently been exploited to execute CNN securely. However, running entire DNNs on mobile TEEs is challenging as TEEs have stringent resource and performance constraints. In this work, we develop a novel mobile TEE-based security framework that can efficiently execute the entire DNN in a resource-constrained mobile TEE with minimal inference time overhead. Specifically, we propose a progressive pruning to gradually identify and remove the redundant neurons from a DNN while maintaining a high inference accuracy. Next, we develop a memory optimization method to deallocate the memory storage of the pruned neurons utilizing the low-level programming technique. Finally, we devise a novel adaptive partitioning method that divides the pruned model into multiple partitions according to the available memory in the mobile TEE and loads the partitions into the mobile TEE separately with a minimal loading time overhead. Our experiments with various DNNs and open-source datasets demonstrate that we can achieve 2-30 times less inference time with comparable accuracy compared to existing approaches securing entire DNNs with mobile TEE.

A cryptanalytic time-memory trade-off is a technique introduced by M. Hellman in 1980 to perform brute-force attacks. It consists of a time-consuming precomputation phase performed and stored once and for all, which is then used to reduce the computation time of brute-force attacks. A variant, known as rainbow tables, introduced by Oechslin in 2003 is used by most of today’s off-the-shelf password-guessing tools. Precomputation of such tables is highly inefficient however, because much of the values computed during this task are eventually discarded. This paper revisits rainbow tables precomputation, challenging what has so far been regarded as an immutable foundation. The key idea consists in recycling values discarded during the precomputation phase, and adapting the brute force phase to make use of these recycled values. For a given memory and probability of success, the stepped rainbow tables thus created significantly reduce the workload induced by both the precomputation phase and the attack phase. The speedup obtained by using such tables is provided, and backed up by practical experiments.

Deep Neural Networks (DNN) are vulnerable to adversarial perturbations — small changes crafted deliberately on the input to mislead the model for wrong predictions. Adversarial attacks have disastrous consequences for deep learning empowered critical applications. Existing defense and detection techniques both require extensive knowledge of the model, testing inputs and even execution details. They are not viable for general deep learning implementations where the model internal is unknown, a common ‘black-box’ scenario for model users. Inspired by the fact that electromagnetic (EM) emanations of a model inference are dependent on both operations and data and may contain footprints of different input classes, we propose a framework, EMShepherd, to capture EM traces of model execution, perform processing on traces and exploit them for adversarial detection. Only benign samples and their EM traces are used to train the adversarial detector: a set of EM classifiers and class-specific unsupervised anomaly detectors. When the victim model system is under attack by an adversarial example, the model execution will be different from executions for the known classes, and the EM trace will be different. We demonstrate that our air-gapped EMShepherd can effectively detect different adversarial attacks on a commonly used FPGA deep learning accelerator for both Fashion MNIST and CIFAR-10 datasets. It achieves a detection rate on most types of adversarial samples, which is comparable to the state-of-the-art ‘white-box’ software-based detectors.

Differential signaling is a method of data transmission that uses two complementary electrical signals to encode information. This allows a receiver to reject any noise by looking at the difference between the two signals, assuming the noise affects both signals equally. Many protocols such as USB, Ethernet, and HDMI use differential signaling to achieve a robust communication channel in a noisy environment. This generally works well and has led many to believe that it is infeasible to remotely inject attacking signals into such a differential pair. In this paper, we challenge this assumption and show that an adversary can in fact inject malicious signals from a distance, purely using common-mode injection, i.e., injecting into both wires at the same time.

We explain in detail the principles that an attacker can exploit to achieve a successful injection of an arbitrary bit, and we analyze the success rate of injecting longer arbitrary messages. We demonstrate the attack on a real system and show that the success rate can reach as high as . Finally, we present a case study where we wirelessly inject a message into a Controller Area Network (CAN) bus, which is a differential signaling bus protocol used in many critical applications, including the automotive and aviation sector.

We report on experience using Tamarin, a security protocol model checker, to find numerous, serious exploitable vulnerabilities in EMV payment protocols. EMV is the international protocol standard for smartcard payment that is used in over 9 billion payment cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.

We have formalized a comprehensive model of EMV in Tamarin. We use our model to automatically discover new flaws that lead to critical attacks on EMV. In particular, an attacker can use a victim’s EMV card (e.g., Mastercard or Visa Card) for high-valued purchases without the victim’s PIN. We describe these attacks, their repair, and more generally why using formal methods is essential for critical protocols like payment protocols.

The success of deep learning in many application domains has been nothing short of dramatic. This has brought the spotlight onto security and privacy concerns with machine learning (ML). One such concern is the threat of model theft. I will discuss work on exploring the threat of model theft, especially in the form of “model extraction attacks” — when a model is made available to customers via an inference interface, a malicious customer can use repeated queries to this interface and use the information gained to construct a surrogate model. I will also discuss possible countermeasures, focusing on deterrence mechanisms that allow for model ownership resolution (MOR) based on watermarking or fingerprinting. In particular, I will discuss the robustness of MOR schemes. I will touch on the issue of conflicts that arise when protection mechanisms for multiple different threats need to be applied simultaneously to a given ML model, using MOR techniques as a case study.

This talk is based on work done with my students and collaborators, including Buse Atli Tekgul, Jian Liu, Mika Juuti, Rui Zhang, Samuel Marchal, and Sebastian Szyller. The work was funded in part by Intel Labs in the context of the Private AI consortium.

Telegram is a popular messenger with more than 550 million active users per month and with a large ecosystem of different clients. The wide adoption of Telegram by protestors relying on private and secure messaging provides motivation for developing a profound understanding of its cryptographic design and how this influences its security properties. Telegram has its own bespoke transport layer security protocol, MTProto 2.0. This protocol was recently subjected to a detailed study by Albrecht et al. (IEEE S&P 2022). They gave attacks on the protocol and its implementations, along with a security proof for a modified version of the protocol.

We complement that study by analysing a range of third-party client implementations of MTProto 2.0. We report practical replay attacks for the Pyrogram, Telethon and GramJS clients, and a more theoretical timing attack against the MadelineProto client. We show how vulnerable third-party clients can affect the security of the entire ecosystem, including official clients. Our analysis reveals that many third-party clients fail to securely implement MTProto 2.0. We discuss the reasons for these failures, focussing on complications in the design of MTProto 2.0 that lead developers to omit security-critical features or to implement the protocol in an insecure manner. We also discuss changes that could be made to MTProto 2.0 to remedy this situation. Overall, our work highlights the cryptographic fragility of the Telegram ecosystem.

Circuit-based Private Set Intersection (circuit-PSI) refers to cryptographic protocols that let two parties with input set X and Y compute a function f over the intersection set X ∩ Y, without revealing any other information. The research efforts for circuit-PSI mainly focus on the case where input set sizes |X| and |Y| are similar so far, and they scale poorly for extremely unbalanced set sizes |X| ≫ |Y|. Recently, Lepoint et al. (ASIACRYPT’21) proposed the first dedicated solutions for this problem, which has online cost only linear in the small set size |Y|. However, it requires an expensive setup phase that requires huge storage of about O(|X|) on the small set holder side, which can be problematic in applications where the small set holder is assumed to have restricted equipment.

In this work, we suggest new efficient proposals for circuit-PSI tailored for unbalanced inputs, which feature zero small set holder side storage, and comparable online phase performance to the previous work. At the technical core, we use homomorphic encryption (HE) based plain PSI protocols of Cong et al. (CCS’21), with several technically non-trivial arguments on algorithm and security.

We demonstrate the superiority of our proposals in several input set sizes by an implementation. As a representative example, for input sets of size 224 and 212, our proposals require zero storage on the small set holder whereas Lepoint et al. requires over 7GB. The online phase remains similar; over LAN network setting, ours takes 7.5 (or 20.9s) seconds with 45MB (or 11.7MB) communication, while Lepoint et al. requires 4.2 seconds with 117MB communication.

To detect runtime attacks against programs running on a remote computing platform, Control-Flow Attestation (CFA) lets a (trusted) verifier determine the legality of the program’s execution path, as recorded and reported by the remote platform (prover). However, besides complicating scalability due to verifier complexity, this assumption regarding the verifier’s trustworthiness renders existing CFA schemes prone to privacy breaches and implementation disclosure attacks under “honest-but-curious” adversaries. Thus, to suppress sensitive details from the verifier, we propose to have the prover outsource the verification of the attested execution path to an intermediate worker of which the verifier only learns the result. However, since a worker might be dishonest about the outcome of the verification, we propose a purely cryptographical solution of transforming the verification of the attested execution path into a verifiable computational task that can be reliably outsourced to a worker without relying on any trusted execution environment. Specifically, we propose to express a program-agnostic execution path verification task inside an arithmetic circuit whose correct execution can be verified by untrusted verifiers in zero knowledge.

Some of the most efficient protocols for Multi-Party Computation (MPC) follow a two-phase approach where correlated randomness, in particular Beaver triples, is generated in the offline phase and then used to speed up the online phase. Recently, more complex correlations have been introduced to optimize certain operations even further, such as matrix triples for matrix multiplications. In this paper, our goal is to improve the efficiency of the triple generation in general and in particular for classical field values as well as matrix operations. To this end, we modify the Overdrive LowGear protocol to remove the costly sacrificing step and therewith reduce the round complexity and the bandwidth. We extend the state-of-the-art MP-SPDZ implementation with our new protocols and show that the new offline phase outperforms state-of-the-art protocols for the generation of Beaver triples and matrix triples. For example, we save in bandwidth compared to Overdrive LowGear.

Over the years, security researchers have developed a broad spectrum of automatic code scanners that aim to find security vulnerabilities in applications. Security benchmarks are commonly used to evaluate novel scanners or program analysis techniques. Each benchmark consists of multiple positive test cases that reflect typical implementations of vulnerabilities, as well as negative test cases, that reflect secure implementations without security flaws. Based on this ground truth, researchers can demonstrate the recall and precision of their novel contributions.

However, as we found, existing security benchmarks are often underspecified with respect to their underlying assumptions and threat models. This may lead to misleading evaluation results when testing code scanners, since it requires the scanner to follow unclear and sometimes even contradictory assumptions.

To help improve the quality of benchmarks, we propose SecExploitLang, a specification language that allows the authors of benchmarks to specify security assumptions along with their test cases. We further present Exploiter, a tool than can automatically generate exploit code based on a test case and its SecExploitLang specification to demonstrate the correctness of the test case.

We created SecExploitLang specifications for two common security benchmarks and used Exploiter to evaluate the adequacy of their test case implementations. Our results show clear shortcomings in both benchmarks, i.e., a significant number of positive test cases turn out to be unexploitable, and even some negative test case implementation turn out to be exploitable. As we explain, the reasons for this include implementation defects, as well as design flaws, which impacts the meaningfulness of evaluations that were based on them. Our work shall highlight the importance of thorough benchmark design and evaluation, and the concepts and tools we propose shall facilitate this task.

Exponential growth in embedded systems is driving the research imperative to develop fuzzers to automate firmware testing to uncover software bugs and security vulnerabilities. But, employing fuzzing techniques in this context present a uniquely challenging proposition; a key problem is the need to deal with the diverse and large number of peripheral communications in an automated testing framework. Recent fuzzing approaches: i) employ re-hosting methods by executing code in an emulator because fuzzing on resource limited embedded systems is slow and unscalable; and ii) integrate models of hardware behaviour to overcome the challenges faced by the massive input-space to be explored created by peripheral devices and to generate inputs that are effective in aiding a fuzzer to make progress.

Our efforts expounds upon program execution behaviours unique to firmware to address the resulting input-space search problem. The techniques we propose improve the fuzzer’s ability to generate values likely to progress execution and avoids time consumed on mutating inputs that are functionally equivalent to other test cases.

We demonstrate the methods are highly efficient and effective at overcoming the input-space search problem. Our emulation-based implementation, Ember-IO, when compared to the existing state-of-the-art fuzzing framework across 21 firmware binaries, demonstrates up to 255% improvement in blocks covered. Further Ember-IO discovered 6 new bugs in the real-world firmware, previously not identified by state-of-the-art fuzzing frameworks. Importantly, Ember-IO integrated with the state-of-the-art fuzzer, Fuzzware, demonstrates similar or improved coverage across all firmware binaries whilst reproducing 3 of the 6 new bugs discovered by Ember-IO.

Concurrency bugs are one of the most harmful and hard-to-address issues in multithreaded software. Such bugs are hard to discover, reproduce, diagnose or fix due to their non-deterministic nature. Although more and more bug discovery solutions are proposed in recent years, it is difficult to evaluate them with existing concurrency bug datasets. The demand for building a high-quality benchmark of concurrency bugs emerges.

In this paper, we present an automated bug injection solution to automatically inject representative concurrency bugs into real world multithreaded C/C++ programs, and present the first triggerable and observable concurrency bug benchmark RaceBench. We have conducted a large-scale empirical study on concurrency bugs, learned their patterns, and built a program state model to characterize them, which enables us to inject representative bugs. To make the bugs triggerable, we follow the dynamic execution traces of target programs and inject bugs at locations that are reachable from the program entry. To make the bugs observable, these bugs are followed by explicit security assertions, removing the requirement of sophisticated sanitizers to detect the existence of such bugs. We built a benchmark consisting of 1500 bugs injected into 15 programs, and evaluated four concurrency bug discovery tools and one general bug discovery tool with it. Results showed that existing concurrency bug discovery solutions are still in the early stage, and our benchmark could shed light on the future direction of improvements.

Modern applications, written in high-level programming languages, enjoy the security benefits of memory and type safety. Unfortunately, even a single memory-unsafe library can wreak havoc on the rest of an otherwise safe application, nullifying all the security guarantees offered by the high-level language and its managed runtime. We perform a study across the Node.js ecosystem to understand the use patterns of binary add-ons. Taking the identified trends into account, we propose a new hybrid permission model aimed at protecting both a binary add-on and its language-specific wrapper. The permission model is applied all around a native add-on and is enforced through a hybrid language-binary scheme that interposes on accesses to sensitive resources from all parts of the native library. We infer the add-on’s permission set automatically over both its binary and JavaScript sides, via a set of novel program analyses. Applied to a wide variety of native add-ons, we show that our framework, BinWrap, reduces access to sensitive resources, defends against real-world exploits, and imposes an overhead that ranges between 0.71%–10.4%.

Binary function clone search is an essential capability that enables multiple applications and use cases, including reverse engineering, patch security inspection, threat analysis, vulnerable function detection, etc. As such, a surge of interest has been expressed in designing and implementing techniques to address function similarity on binary executables and firmware images. Although existing approaches have merit in fingerprinting function clones, they present limitations when the target binary code has been subjected to significant code transformation resulting from obfuscation, compiler optimization, and/or cross-compilation to multiple-CPU architectures. In this regard, we design and implement a system named BinFinder, which employs a neural network to learn binary function embeddings based on a set of extracted features that are resilient to both code obfuscation and compiler optimization techniques. Our experimental evaluation indicates that BinFinder outperforms state-of-the-art approaches for multi-CPU architectures by a large margin, with 46% higher Recall against Gemini, 55% higher Recall against SAFE, and 28% higher Recall against GMN. With respect to obfuscation and compiler optimization clone search approaches, BinFinder outperforms the asm2vec (single CPU architecture approach) with higher Recall and BinMatch (multi-CPU architecture approach) with higher Recall. Finally, our work is the first to provide noteworthy results with respect to binary clone search over the tigress obfuscator, which is a well-established open-source obfuscator.

Trusted Execution Environments (TEEs) and enclaves have become increasingly popular and are used from embedded devices to cloud servers. Today, many enclave architectures exist for different ISAs. However, some suffer from performance issues and controlled-channel attacks, while others only support constrained use cases for embedded devices or impose unrealistic constraints on the software. Modern cloud applications require a more flexible architecture that is both secure against such attacks and not constrained by, e.g., a limited number of physical memory ranges.

In this paper, we present SPEAR-V, a RISC-V-based enclave that provides a fast and flexible architecture for trusted computing that is compatible with current and future use cases while also aiming at mitigating controlled-channel attacks. With a single hardware primitive, our novel architecture enables two-way sandboxing. Enclaves are protected from hosts and vice versa. Furthermore, we show how shared memory and arbitrary nesting can be achieved without additional performance overheads. Our evaluation shows that, with minimal hardware changes, a flexible, performant, and secure enclave architecture can be constructed, imposing zero overhead on unprotected applications and an average overhead of 1% for protected applications.

As ARM is becoming more popular in today’s processor market, the OS kernel on ARM is gradually bloated to meet the market demand for more sophisticated services by absorbing diverse kernel extensions. Since this kernel bloating inevitably increases the attack surface, there has been a continuous effort to decrease the surface by dissociating or isolating untrusted extensions from the kernel. One approach in this effort is using software fault isolation (SFI) that instruments memory and control-transfer instructions to prevent isolated extensions from having unauthorized accesses to memory regions of the core kernel. Being implementable in pure software has been considered the greatest strength of SFI and thus popularly adopted by engineers to isolate kernel extensions, but software versions of SFI mostly suffer from high performance overhead, which can be a critical drawback for performance-sensitive mobile devices that overwhelmingly use ARM CPUs. The purpose of our work, named as Sfitag, is to make SFI for ARM kernel extensions more efficient by leveraging the hardware support from the latest ARM AArch64 architecture, called the ARM8.5-A memory tagging extension (MTE). For efficiency, Sfitag relies on MTE support when it allocates a tag value different from the core kernel for untrusted extensions and enforces extensions to use that value as a tag for pointers and memory objects. Consequently, in Sfitag, accessing the core kernel memory is legitimate only when the tag of a pointer matches the value of the kernel tag, which by means of MTE in effect enables us to safely confine unexpected and buggy behaviors of extensions within the space isolated from the kernel. Through our evaluation, we prove the effectiveness of Sfitag by showing that our MTE-supported SFI efficiently enforces isolation for extensions just with 1% slowdown on the throughput of a network driver and 5.7% on a block device driver.

Serial data bus networks are a crucial and vulnerable part of modern vehicles and weapons systems. Increasing concern over these networks is resulting in increased demand for intrusion prevention systems (IPSes) to stop attacks, not just detect them with an intrusion detection system (IDS). Considerations must be made to avoid the IPS becoming a de facto attacker. A defender needs to understand what attacks their IPS can safely prevent and how an attacker might circumvent their system. To enable this understanding, we propose a protocol-agnostic evaluation framework which: determines the viability of an IPS for different attack vectors, scores the suitability of an IDS to powering an IPS for certain attacks, and scores the efficacy of the IDS itself against those same attacks. With our framework we analyze IDS and IPS technologies for the CAN and MIL-STD-1553 serial data bus networks. These case studies demonstrate how a defender can use our framework to identify limitations in their IDS, while gearing the aspects of the IDS that work best towards safely powering an IPS. Our framework allows a defender to approach any potential security system fully aware of its limitations and how well it serves their own threat model.

In an emerging scam on social media platforms, cyber-miscreants are luring users into sending them a direct-message (DM) and are subsequently exploiting the messaging channel. We term this attack approach as the DM-Me scam. We report on a survey of 214 MTurk participants, in which we make the first effort to systematically study the susceptibility of users in falling victim to DM-Me scams. We find that most participants chose to send a direct message to at least one scammer, and made such choices more than half the time. This susceptibility can be attributed to the misplaced trust in scammers and the lack of negative consequences foreseen by participants in messaging accounts that they do not fully trust. Interestingly, our results also suggest that women mostly from the 31-40 age-group and who predominantly use Instagram a few times a week are less susceptible than men to financial DM-Me scams as they appear to face more discomfort in initiating a conversation with unfamiliar accounts for such services. We conclude with future research directions in mitigating the risks posed by DM-Me scammers, specifically by developing reliable indicators to aid users in assessing the trustworthiness of an account.

Covid19-themed attacks took the Internet by surprise in March 2020. Adversaries updated their attack strategies rapidly and started to exploit users’ attention to this unprecedented event and distribute their malicious payloads. In this work, we perform a retrospective analysis of adversarial operations over the first four months from February 15th, 2020 to June 16th, 2020. By combining a variety of measurement perspectives, we perform a three-step analysis, by (1) analyzing the composition, growth, and reachability of Covid19-themed attack pages, (2) identifying the modus operandi of attackers, and (3) assessing the actual impact on end-users. Our measurements serve as a lens into the fragile parts of the Web ecosystem during a previously unseen attack. We argue that precipitous growth of Covid19-themed attacks in just a few weeks represents adversaries’ technical and operational agility in adapting their attack strategies and also demonstrates how novice attack techniques can bypass common defense mechanisms and expose unsuspecting users to different forms of attacks. Drawing upon these analyses, we discuss what went poorly, in an effort to understand how the technical community can respond more effectively to such events in the future.

Passwords are the most common mechanism for authenticating users online. However, studies have shown that users find it difficult to create and manage secure passwords. To that end, passphrases are often recommended as a usable alternative to passwords, which would potentially be easy to remember and hard to guess. However, as we show, user-chosen passphrases fall short of being secure, while state-of-the-art machine-generated passphrases are difficult to remember.

In this work, we aim to tackle the drawbacks of the systems that generate passphrases for practical use. In particular, we address the problem of generating secure and memorable passphrases and compare them against user chosen passphrases in use. We identify and characterize 72, 999 user-chosen in-use unique English passphrases from prior leaked password databases. Then we leverage this understanding to create a novel framework for measuring memorability and guessability of passphrases. Utilizing our framework, we design MASCARA, which follows a constrained Markov generation process to create passphrases that optimize for both memorability and guessability. Our evaluation of passphrases shows that MASCARA -generated passphrases are harder to guess than in-use user-generated passphrases, while being easier to remember compared to state-of-the-art machine-generated passphrases. We conduct a two-part user study with crowdsourcing platform Prolific to demonstrate that users have highest memory-recall (and lowest error rate) while using MASCARA passphrases. Moreover, for passphrases of length desired by the users, the recall rate is 60-100% higher for MASCARA-generated passphrases compared to current system-generated ones.

Mix net is the most frequently used secure MPC (multi-party computation) application in the real world, where multiple routers cooperates to anonymise a batch of data. It builds an important network security mechanism to implement anonymous communication and has a wide range of applications like AI training and online services. So far, security of mix nets is only analysed in theoretic cryptographic models, and their security in real-world systems has not drawn enough attention from researchers. In this paper, several popular commercial mix net services are surveyed and they have a common strategy: developing an academic shuffling scheme into a real-world mix net system and assuming that its theoretic security properties can guarantee robustness of the systems in practical usages. Our analysis illustrates that the straightforward assumption is not reliable and a mix net has to face various challenges and attackers beyond their academic prototypes estimate. Especially, we show that in practice some users of a mix net may collude with the service providers to compromise reliability of the mix net, which is a realistic environment factor usually ignored in cryptographic protocol design. So, the anonymous communication services based on mix net in practical usage are not so reliable as widely believed and their applications in network security have non-negligible vulnerabilities or risks.

Elections are a special security problem because it is not good enough for systems to be secure and results correct - they must also be verifiably so. Even leaving aside the psychological aspects (some people don’t believe evidence, or don’t understand mathematically-based evidence), many nations’ election systems fall far short of this goal. In this talk I’ll discuss a setting increasingly common in the US, Australia and elsewhere: citizens vote privately on paper, then the votes are digitized and counted electronically. Sounds simple, doesn’t it? But producing publicly verifiable evidence of a correct outcome requires carefully-designed processes. Also, running these processes meaningfully requires active involvement from the public. I’ll discuss the attacker model and process of verifiable election audits. I’ll then explain our groundbreaking techniques for auditing instant-runoff (IRV) elections and other complex social choice functions, and describe important open problems, particularly for the single transferable vote.

Based on joint work with Michelle Blom, Andrew Conway, Alexander Ek, Philip B Stark, Peter J Stuckey and Damjan Vukcevic.

Federated learning—multi-party, distributed learning in a decentralized environment—is vulnerable to model poisoning attacks, more so than centralized learning. This is because malicious clients can collude and send in carefully tailored model updates to make the global model inaccurate. This motivated the development of Byzantine-resilient federated learning algorithms, such as Krum, Bulyan, FABA, and FoolsGold. However, a recently developed untargeted model poisoning attack showed that all prior defenses can be bypassed. The attack uses the intuition that simply by changing the sign of the gradient updates that the optimizer is computing, for a set of malicious clients, a model can be diverted from the optima to increase the test error rate. In this work, we develop FLAIR—a defense against this directed deviation attack (DDA), a state-of-the-art model poisoning attack. FLAIR is based on our intuition that in federated learning, certain patterns of gradient flips are indicative of an attack. This intuition is remarkably stable across different learning algorithms, models, and datasets. FLAIR assigns reputation scores to the participating clients based on their behavior during the training phase and then takes a weighted contribution of the clients. We show that where the existing defense baselines of FABA [IJCAI ’19], FoolsGold [Usenix ’20], and FLTrust [NDSS ’21] fail when 20-30% of the clients are malicious, FLAIR provides byzantine-robustness upto a malicious client percentage of 45%. We also show that FLAIR provides robustness against even a white-box version of DDA.

As the right to be forgotten has been legislated worldwide, many studies attempt to design machine unlearning mechanisms to enable data erasure from a trained model. Existing machine unlearning studies focus on centralized learning, where the server can access all users’ data. However, in a popular scenario, federated learning (FL), the server cannot access users’ training data. In this paper, we investigate the problem of machine unlearning in FL. We formalize a federated unlearning problem and propose a bayesian federated unlearning (BFU) approach to implement unlearning for a trained FL model without sharing raw data with the server. Specifically, we first introduce an unlearning rate in BFU to balance the trade-off between forgetting the erased data and remembering the original global model, making it adaptive to different unlearning tasks. Then, to mitigate accuracy degradation caused by unlearning, we propose BFU with parameter self-sharing (BFU-SS). BFU-SS considers data erasure and maintaining learning accuracy as two tasks and optimizes them together during unlearning. Extensive comparisons between our methods and the state-of-art federated unlearning method demonstrate the superiority of our proposed realizations.

Federated Learning (FL) is a machine learning technique that enables multiple parties to collaboratively train a model using their private datasets. Given its decentralized nature, FL has inherent vulnerabilities that make it susceptible to adversarial attacks. The success of an attack on FL depends upon several (latent) factors, including the adversary’s strength, the chosen attack strategy, and the effectiveness of the defense measures in place. There is a growing body of literature on empirical attack studies on FL, but no systematic way to compare and evaluate the completeness of these studies, which raises questions about their validity. To address this problem, we introduce a causal model that captures the relationship between the different (latent) factors, and their reflexive indicators, that can impact the success of an attack on FL. The proposed model, inspired by structural equation modeling, helps systematize the existing literature on FL attack studies and provides a way to compare and contrast their completeness. We validate the model and demonstrate its utility through experimental evaluation of select attack studies. Our aim is to help researchers in the FL domain design more complete attack studies and improve the understanding of FL vulnerabilities.

Federated Learning (FL) promises to offer a major paradigm shift in the way deep learning models are trained at scale, yet malicious clients can surreptitiously embed backdoors into models via trivial augmentation on their own subset of the data. This is especially true in small- and medium-scale FL systems, which consist of dozens, rather than millions, of clients. In this work, we investigate a novel attack scenario for an FL architecture consisting of multiple non-i.i.d. silos of data in which each distribution has a unique backdoor attacker and where the model convergences of adversaries are not more similar than those of benign clients. We propose a new method, dubbed Haywire, as a security-in-depth approach to respond to this novel attack scenario. Our defense utilizes a combination of kPCA dimensionality reduction of fully-connected layers in the network, KMeans anomaly detection to drop anomalous clients, and server aggregation robust to outliers via the Geometric Median. Our solution prevents the contamination of the global model despite having no access to the backdoor triggers. We evaluate the performance of Haywire from model-accuracy, defense-performance, and attack-success perspectives against multiple baselines. Through an extensive set of experiments, we find that Haywire produces the best performances at preventing backdoor attacks while simultaneously not unfairly penalizing benign clients. We carried out additional in-depth experiments across multiple runs that demonstrate the reliability of Haywire.

Deep learning technology has made it possible to generate realistic content of specific individuals. These ‘deepfakes’ can now be generated in real-time which enables attackers to impersonate people over audio and video calls. Moreover, some methods only need a few images or seconds of audio to steal an identity. Existing defenses perform passive analysis to detect fake content. However, with the rapid progress of deepfake quality, this may be a losing game.

In this paper, we propose D-CAPTCHA: an active defense against real-time deepfakes. The approach is to force the adversary into the spotlight by challenging the deepfake model to generate content which exceeds its capabilities. By doing so, passive detection becomes easier since the content will be distorted. In contrast to existing CAPTCHAs, we challenge the AI’s ability to create content as opposed to its ability to classify content. In this work we focus on real-time audio deepfakes and present preliminary results on video.

In our evaluation we found that D-CAPTCHA outperforms state-of-the-art audio deepfake detectors with an accuracy of 91-100% depending on the challenge (compared to 71% without challenges). We also performed a study on 41 volunteers to understand how threatening current real-time deepfake attacks are. We found that the majority of the volunteers could not tell the difference between real and fake audio.

In this work, we study the blockchain leader election problem. The purpose of such protocols is to elect a leader who decides on the next block to be appended to the blockchain, for each block proposal round. Solutions to this problem are vital for the security of blockchain systems. We introduce an efficient blockchain leader election method with security based solely on standard assumptions for cryptographic hash functions (rather than public-key cryptographic assumptions) and that does not involve a racing condition as in Proof-of-Work based approaches. Thanks to the former feature, our solution provides the highest confidence in security, even in the post-quantum era. A particularly scalable application of our solution is in the Proof-of-Stake setting, and we investigate our solution in the Algorand blockchain system. We believe our leader election approach can be easily adapted to a range of other blockchain settings.

At the core of Algorand’s leader election is a verifiable random function (VRF). Our approach is based on introducing a simpler primitive which still suffices for the blockchain leader election problem. In particular, we analyze the concrete requirements in an Algorand-like blockchain setting to accomplish leader election, which leads to the introduction of indexed VRF (iVRF). An iVRF satisfies modified uniqueness and pseudorandomness properties (versus a full-fledged VRF) that enable an efficient instantiation based on a hash function without requiring any complicated zero-knowledge proofs of correct PRF evaluation. We further extend iVRF to an authenticated iVRF with forward-security, which meets all the requirements to establish an Algorand-like consensus. Our solution is simple, flexible and incurs only a 32-byte additional overhead when combined with the current best solution to constructing a forward-secure signature (in the post-quantum setting).

We implemented our (authenticated) iVRF proposal in C language on a standard computer and show that it significantly outperforms other quantum-safe VRF proposals in almost all metrics. Particularly, iVRF evaluation and verification can be executed in 0.02 ms, which is even faster than ECVRF used in Algorand.

The Boolean functions satisfying secure properties on the restricted sets of inputs are studied recently due to their importance in the framework of the FLIP stream cipher. However, finding Boolean functions with optimal cryptographic properties is an open research problem in the cryptographic community. This paper presents an Improved Genetic Algorithm (IGA) with the directed changes that keep the weightwise balancedness of Boolean functions. A cross-protection strategy is proposed to ensure that the offspring has the same weightwise balancedness characteristics of the parents while implementing crossover. Then, a large number of weightwise (almost) perfectly balanced (W(A)PB) functions with a good nonlinearity profile are obtained based on IGA. Finally, we make comparisons between our constructions and relevant works. The comparisons show that IGA has a significant advantage for reaching the W(A)PB functions with high weightwise nonlinearity. Moreover, it is the first time to obtain the 8-variable WPB functions with the weightwise nonlinearity of 28 in the restricted sets of inputs with Hamming weight of 4, and list the statistical indicators of the weightwise nonlinearity for W(A)PB functions for input size n = 9, 10.

Secure Multi-Party Computation (MPC) is continuously becoming more and more practical. Many optimizations have been introduced, making MPC protocols more suitable for solving real-world problems. However, the MPC protocols and optimizations are usually implemented as a standalone proof of concept or in an MPC framework and are tightly coupled with special-purpose circuit formats, such as Bristol Format. This makes it very hard and time-consuming to re-use algorithmic advances and implemented applications in a different context. Developing generic algorithmic optimizations is exceptionally hard because the available MPC tools and formats are not generic and do not provide the necessary infrastructure.

In this paper, we present FUSE: A Framework for Unifying and Optimizing Secure Multi-Party Computation Implementations with Efficient Circuit Storage. FUSE provides a flexible intermediate representation (FUSE IR) that can be used across different platforms and in different programming languages, including C/C++, Java, Rust, and Python. We aim at making MPC tools more interoperable, removing the tight coupling between high-level compilers for MPC and specific MPC protocol engines, thus driving knowledge transfer. Our framework is inspired by the widely known LLVM compiler framework. FUSE is portable, extensible, and it provides implementation-agnostic optimizations.

As frontends, we implement HyCC (CCS’18), the Bristol circuit format, and MOTION (TOPS’22), s.t. these can be automatically converted to FUSE IR. We implement several generic optimization passes, such as automatic subgraph replacement and vectorization, to showcase the utility and efficiency of our framework. Finally, we implement as backends MOTION and MP-SPDZ (CCS’20), so that FUSE IR can be run by these frameworks in an MPC protocol, as well as other useful backends for JSON output and the DOT language for graph visualization. With FUSE, it is possible to use any implemented frontend with any implemented backend and vice-versa. FUSE IR is not only efficient to work on and much more generic than any other format so far – supporting, e.g., function calls, hybrid MPC protocols as well as user-defined building blocks, and annotations – while maintaining backwards-compatibility, but also compact, with smaller storage size than even minimalistic formats such as Bristol already for a few hundred operations.

The lattice-based cryptography is one of the most promising candidates in the era of post-quantum cryptography. It is necessary to precisely choose the practical parameters by evaluating the hardness of the underlying hard mathematical problems, such as the shortest vector problem (SVP). Currently, there are two state-of-the-art strategies for solving (approximate) SVP. One is the SVP-solving strategy proposed in G6K[5], which has the least solving time cost but high memory cost requirements; another is to execute progressive BKZ (pBKZ)[8] for pre-processing at first and call the high-dimensional SVP-oracle to find the short vector on the original lattice. Due to the strong pre-processing on the lattice basis, the memory cost of the latter strategy is usually smaller than that of the former strategy, while the time cost of pre-processing is relatively costly. In this paper, we first optimize the pnj-BKZ simulator when the jump value is quite large by giving a refined dimension for free (d4f) estimation. Then, based on our optimized pnj-BKZ simulator, we show a more accurate hardness estimation of LWE by considering technologies such as progressive BKZ pre-processing technology, jump strategy, and d4f technology. Furthermore, based on the sharper pnj-BKZ simulator, we propose an SVP-solving strategy trade-off between G6K and pBKZ, which derives less time cost than pBKZ within less memory compared with G6K. Experimental results show that when solving the TU Darmstadt SVP challenge, our algorithm can save 50%-66% of memory compared with G6K’s default SVP-solving strategy. Moreover, our algorithm speeds up the pre-processing stage by 7-30 times, saving the time cost by 4-6 times compared with the pBKZ default SVP-solving strategy. Using our proposed strategy, we solved the 170-dimensional TU Darmstadt SVP challenge and up to the 176-dimensional ideal lattice challenge.

Private join and compute (PJC) is a paradigm where two parties owing their private database securely join their databases and compute a function over the combined database. Inner product PJC, introduced by Lepoint et al. (Asiacrypt’21), is a class of PJC that has a wide range of applications such as secure analysis of advertising campaigns. In this computation, two parties, each of which has a set of identifier-value pairs, compute the inner product of the values after the (inner) join of their databases with respect to the identifiers. They proposed inner product PJC protocols that are specialized for the unbalanced setting where the input sizes of both parties are significantly different and not suitable for the balanced setting where the sizes of two inputs are relatively close.

We propose an inner product PJC protocol that is much more efficient than that by Lepoint et al. for balanced inputs in the setting where both parties are allowed to learn the intersection size additionally. Our protocol can be seen as an extension of the private intersection-sum protocol based on the decisional Diffie-Hellman assumption by Ion et al. (EuroS&P’20) and is especially communication-efficient as the private intersection-sum protocol. In the case where both input sizes are 216, the communication cost of our inner-product PJC protocol is 46 × less than that of the inner product PJC protocol by Lepoint et al.

Adversarial patch attacks create adversarial examples by injecting arbitrary distortions within a bounded region of the input to fool deep neural networks (DNNs). These attacks are robust (i.e., physically-realizable) and universally malicious, and hence represent a severe security threat to real-world DNN-based systems.

We propose Jujutsu, a two-stage technique to detect and mitigate robust and universal adversarial patch attacks. We first observe that adversarial patches are crafted as localized features that yield large influence on the prediction output, and continue to dominate the prediction on any input. Jujutsu leverages this observation for accurate attack detection with low false positives. Patch attacks corrupt only a localized region of the input, while the majority of the input remains unperturbed. Therefore, Jujutsu leverages generative adversarial networks (GAN) to perform localized attack recovery by synthesizing the semantic contents of the input that are corrupted by the attacks, and reconstructs a “clean” input for correct prediction.

We evaluate Jujutsu on four diverse datasets spanning 8 different DNN models, and find that it achieves superior performance and significantly outperforms four existing defenses. We further evaluate Jujutsu against physical-world attacks, as well as adaptive attacks.

Machine learning models are vulnerable to adversarial attacks. In this paper, we consider the scenario where a model is distributed to multiple buyers, among which a malicious buyer attempts to attack another buyer. The malicious buyer probes its copy of the model to search for adversarial samples and then presents the found samples to the victim’s copy of the model in order to replicate the attack. We point out that by distributing different copies of the model to different buyers, we can mitigate the attack such that adversarial samples found on one copy would not work on another copy. We observed that training a model with different randomness indeed mitigates such replication to a certain degree. However, there is no guarantee and retraining is computationally expensive. A number of works extended the retraining method to enhance the differences among models. However, a very limited number of models can be produced using such methods and the computational cost becomes even higher. Therefore, we propose a flexible parameter rewriting method that directly modifies the model’s parameters. This method does not require additional training and is able to generate a large number of copies in a more controllable manner, where each copy induces different adversarial regions. Experimentation studies show that rewriting can significantly mitigate the attacks while retaining high classification accuracy. For instance, on GTSRB dataset with respect to Hop Skip Jump attack, using attractor-based rewriter can reduce the success rate of replicating the attack to 0.5% while independently training copies with different randomness can reduce the success rate to 6.5%. From this study, we believe that there are many further directions worth exploring.

Deep neural networks excel at solving intuitive tasks that are hard to describe formally, such as classification, but are easily deceived by maliciously crafted samples, leading to misclassification. Recently, it has been observed that the attack-specific robustness of models obtained through adversarial training does not generalize well to novel or unseen attacks. While data augmentation through mixup in the input space has been shown to improve the generalization and robustness of models, there has been limited research progress on mixup in the latent space. Furthermore, almost no research on mixup has considered the robustness of models against emerging on-manifold adversarial attacks. In this paper, we first design a latent-space data augmentation strategy called dual-mode manifold interpolation, which allows for interpolating disentangled representations of source samples in two modes: convex mixing and binary mask mixing, to synthesize semantic samples. We then propose a resilient training framework, LatentRepresentationMixup (LarepMixup), that employs mixed examples and softlabel-based cross-entropy loss to refine the boundary. Experimental investigations on diverse datasets (CIFAR-10, SVHN, ImageNet-Mixed10) demonstrate that our approach delivers competitive performance in training models that are robust to off/on-manifold adversarial example attacks compared to leading mixup training techniques.

Backdoor attacks have emerged as an urgent threat to Deep Neural Networks (DNNs), where victim DNNs are furtively implanted with malicious neurons that could be triggered by the adversary. To defend against backdoor attacks, many works establish a staged pipeline to remove backdoors from victim DNNs: inspecting, locating, and erasing. However, in a scenario where a few clean data can be accessible, such pipeline is fragile and cannot erase backdoors completely without sacrificing model accuracy. To address this issue, in this paper, we propose a novel data-free holistic backdoor erasing (DHBE) framework. Instead of the staged pipeline, the DHBE treats the backdoor erasing task as a unified adversarial procedure, which seeks equilibrium between two different competing processes: distillation and backdoor regularization. In distillation, the backdoored DNN is distilled into a proxy model, transferring its knowledge about clean data, yet backdoors are simultaneously transferred. In backdoor regularization, the proxy model is holistically regularized to prevent from infecting any possible backdoor transferred from distillation. These two processes jointly proceed with data-free adversarial optimization until a clean, high-accuracy proxy model is obtained. With the novel adversarial design, our framework demonstrates its superiority in three aspects: 1) minimal detriment to model accuracy, 2) high tolerance for hyperparameters, and 3) no demand for clean data. Extensive experiments on various backdoor attacks and datasets are performed to verify the effectiveness of the proposed framework. Code is available at https://github.com/yanzhicong/DHBE

Since the inception of the Integrated Circuit (IC), the size of the transistors used to construct them has continually shrunk. While this advancement significantly improves computing capability, fabrication costs have skyrocketed. As a result, most IC designers must now outsource fabrication. Outsourcing, however, presents a security threat: comprehensive post-fabrication inspection is infeasible given the size of modern ICs, so it is nearly impossible to know if the foundry has altered the original design during fabrication (i.e., inserted a hardware Trojan). Defending against a foundry-side adversary is challenging because—even with as few as two gates—hardware Trojans can completely undermine software security. Researchers have attempted to both detect and prevent foundry-side attacks, but all existing defenses are ineffective against additive Trojans with footprints of a few gates or less.

We present Targeted Tamper-Evident Routing (T-TER), a layout-level defense against untrusted foundries, capable of thwarting the insertion of even the stealthiest hardware Trojans. T-TER is directed and routing-centric: it prevents foundry-side attackers from routing Trojan wires to, or directly adjacent to, security-critical wires by shielding them with guard wires. Unlike shield wires commonly deployed for cross-talk reduction, T-TER guard wires pose an additional technical challenge: they must be tamper-evident in both the digital (deletion attacks) and analog (move and jog attacks) domains. We address this challenge by developing a class of designed-in guard wires that are added to the design specifically to protect security-critical wires. T-TER’s guard wires incur minimal overhead, scale with design complexity, and provide tamper-evidence against attacks. We implement automated tools (on top of commercial CAD tools) for deploying guard wires around targeted nets within an open-source System-on-Chip. Lastly, using an existing IC threat assessment toolchain, we show T-TER defeats even the stealthiest known hardware Trojan, with ≈  1% overhead.

With wider availability of wireless interfaces and a rising integration of software, it becomes easier for attackers to access vehicular communication networks and exploit vulnerabilities in Electronic Control Units (ECUs). Once having compromised an ECU, the intruder can control safety-relevant functions without requiring physical access to the vehicle. An essential aspect for the feasibility of such attacks is the lack of security measures in the Controller Area Network (CAN). And although physical-based Intrusion Detection Systems (IDSs) gain relevance for CAN security, current voltage and time-based systems have reached a point where crucial improvements can only be achieved at intolerable expense. To assess the potential of novel approaches, we present SPARTA, an advanced Intrusion Detection and Prevention System (IDPS) which identifies the sending ECU by measuring signal arrival differences on the CAN bus. With a highly reliable detection procedure, SPARTA improves current IDSs and implements an active prevention mechanism to decimate the impact of attacks. In this context, it not only detects violations of the transmission authenticity, but also recognizes the attempt of a denial-of-service (DoS) attack. Further, SPARTA was designed to require few resources and to meet real-time constraints of automotive systems. For this reason, the entire approach was realized on a resource-constrained embedded system and evaluated on different CAN and CAN with Flexible Data-Rate (CAN-FD) setups to demonstrate the efficiency, performance and adaptability to external influences of a dynamic environment.

The iCloud Private Relay (PR) is a new feature introduced by Apple in June 2021 that aims to enhance online privacy by protecting a subset of web traffic from both local eavesdroppers and websites that use IP-based tracking. The service is integrated into Apple’s latest operating systems and uses a two-hop architecture where a user’s web traffic is relayed through two proxies run by disjoint entities.

PR’s multi-hop architecture resembles traditional anonymity systems such as Tor and mix networks. Such systems, however, are known to be susceptible to a vulnerability known as traffic analysis: an intercepting adversary (e.g., a malicious router) can attempt to compromise the privacy promises of such systems by analyzing characteristics (e.g., packet timings and sizes) of their network traffic. In particular, previous works have widely studied the susceptibility of Tor to website fingerprinting and flow correlation, two major forms of traffic analysis.

In this work, we are the first to investigate the threat of traffic analysis against the recently introduced PR. First, we explore PR’s current architecture to establish a comprehensive threat model of traffic analysis attacks against PR. Second, we quantify the potential likelihood of these attacks against PR by evaluating the risks imposed by real-world AS-level adversaries through empirical measurement of Internet routes. Our evaluations show that some autonomous systems are in a particularly strong position to perform traffic analysis on a large fraction of PR traffic. Finally, having demonstrated the potential for these attacks to occur, we evaluate the performance of several flow correlation and website fingerprinting attacks over PR traffic. Our evaluations show that PR is highly vulnerable to state-of-the-art website fingerprinting and flow correlation attacks, with both attacks achieving high success rates. We hope that our study will shed light on the significance of traffic analysis to the current PR deployment, convincing Apple to perform design adjustments to alleviate the risks.

Progressive web app (PWA) is a kind of web apps, which is designed to enhance users’ browsing experience by combining the advantages of a web app’s reachability and a native app’s diverse functionalities. PWA sites have a special JavaScript file, service worker, which is executed in a different thread from the browser’s main page. It thus can support unique functionalities such as offline usage and push service even after the browser is closed. Because of these features, the service worker has been a main target of many web attacks such as a DDOS attack, or abused to generate illegal sites such as darknet sites. However, previous attacks exploiting the push service have limitations in that they need the pre-installation of a malicious service worker or only can passively utilize the existing push notification from the legitimate site (e.g., hijacking the push notification to track users’ location).

In this study, we propose a novel crafted postMessage attack (CPA) using the postMessage() method, which leverages the benign service worker’s push service by exploiting the cross-site scripting (XSS) vulnerability. Unlike the previous attacks, CPA attackers can actively craft push notifications for imitating the legitimate site or enticing victims with a honeyed message. Besides, CPA attackers can sniff users’ personal interest (e.g., subscription states as well as browsing histories), and even unsubscribe them to block the receipt of the push notification from the legitimate site. To assess the real-world prevalence of the vulnerability causing CPA, we conduct a measurement study on popular PWA sites based on Tranco list by collecting a total of 9,005 PWA sites from the top 200k sites using a service worker. As a result, we found 376 sites among them are still vulnerable to the XSS attack, and 16 sites out of those 376 sites are vulnerable to our attack in total. We estimated the number of potential victims of CPA, and it turned out that up to 6.5 M users per month are susceptible to our attack. Based on our findings, we discuss the root cause of the vulnerabilities and practical mitigations of our attack.

Containerization allows bundling applications and their dependencies into a single image. The containerization framework Docker eases the use of this concept and enables sharing images publicly, gaining high momentum. However, it can lead to users creating and sharing images that include private keys or API secrets—either by mistake or out of negligence. This leakage impairs the creator’s security and that of everyone using the image. Yet, the extent of this practice and how to counteract it remains unclear.

In this paper, we analyze 337,171 images from Docker Hub and 8,076 other private registries unveiling that 8.5% of images indeed include secrets. Specifically, we find 52,107 private keys and 3,158 leaked API secrets, both opening a large attack surface, i.e., putting authentication and confidentiality of privacy-sensitive data at stake and even allow active attacks. We further document that those leaked keys are used in the wild: While we discovered 1,060 certificates relying on compromised keys being issued by public certificate authorities, based on further active Internet measurements, we find 275,269 TLS and SSH hosts using leaked private keys for authentication. To counteract this issue, we discuss how our methodology can be used to prevent secret leakage and reuse.

Container-based clouds—in which containers are the basic unit of isolation—face security concerns because, unlike Virtual Machines, containers directly interface with the underlying highly privileged kernel through the wide and vulnerable system call interface. Regardless of whether a container itself requires dangerous system calls, a compromised or malicious container sharing the host (a bad neighbor) can compromise the host kernel using a vulnerable syscall, thereby compromising all other containers sharing the host.

In this paper, rather than attempting to eliminate host compromise, we limit the effectiveness of attacks by bad neighbors to a subset of the cluster. To do this, we propose a new metric dubbed Extraneous System call Exposure (ExS). Scheduling containers to minimize ExS reduces the number of nodes that expose a vulnerable system call and as a result the number of affected containers in the cluster. Experimenting with 42 popular containers on SySched, our greedy scheduler implementation in Kubernetes, we demonstrate that SySched can reduce up to 46% more victim nodes and up to 48% more victim containers compared to the Kubernetes default scheduling while also reducing overall host attack surface by 20%.

Hardware peripherals such as GPUs and FPGAs are commonly available in server-grade computing to accelerate specific compute tasks, from database queries to machine learning. CSPs have integrated these accelerators into their infrastructure and let tenants combine and configure these components flexibly, based on their needs. Securing I/O interfaces is critical to ensure proper isolation between tenants in these highly complex, heterogeneous, yet shared server systems, especially in the cloud, where some peripherals may be under control of a malicious tenant.

In this work, we investigate the interfaces that connect peripheral hardware components to each other and the rest of the system. We show that the I/O memory management units (IOMMUs) — intended to ensure proper isolation of peripherals — are the source of a new attack surface: the I/O translation look-aside buffer (IOTLB). We show that by using an FPGA accelerator card one can gain precise information over IOTLB activity. That information can be used for covert communication between peripherals without bothering CPU or to directly extract leakage from neighboring accelerated compute jobs such as GPU-accelerated databases. We present the first qualitative and quantitative analysis of this newly uncovered attack surface before fine-grained channels become widely viable with the introduction of CXL and PCIe 5.0. In addition, we propose possible countermeasures that software developers, hardware designers, and system administrators can use to suppress the observed side-channel leakages and analyze their implicit costs.

As Smart TV devices become more prevalent in our lives, it becomes increasingly important to evaluate the security of these devices. In addition to a smart and connected ecosystem through apps, Smart TV devices expose a WiFi remote protocol, that provides a virtual remote capability and allows a WiFi enabled device (e.g., a Smartphone) to control the Smart TV. The WiFi remote protocol might pose certain security risks that are not present in traditional TVs. In this paper, we assess the security of WiFi remote protocols by first identifying the desired security properties so that we achieve the same level of security as in traditional TVs. Our analysis of four popular Smart TV platforms, Android TV, Amazon FireOS, Roku OS, and WebOS (for LG TVs), revealed that  all these platforms violate one or more of the identified security properties. To demonstrate the impact of these flaws, we develop Spook, which uses one of the commonly violated properties of a secure WiFi remote protocol to pair an Android mobile as a software remote to an Android TV. Subsequently, we hijack the Android TV device through the device debugger, enabling complete remote control of the device. All our findings have been communicated to the corresponding vendors. Google acknowledged our findings as a security vulnerability, assigned it a CVE, and released patches to the Android TV OS to partially mitigate the attack. We argue that these patches provide a stopgap solution without ensuring that WiFi remote protocol has all the desired security properties. We design and implement a WiFi remote protocol in the Android ecosystem using ARM TrustZone. Our evaluation shows that the proposed defense satisfies all the security properties and ensures that we have the flexibility of virtual remote without compromising security.

An “Authorised Push Payment” (APP) fraud refers to a case where fraudsters deceive a victim to make payments to bank accounts controlled by them. The total amount of money stolen via APP frauds is swiftly growing. Although regulators have provided guidelines to improve victims’ protection, the guidelines are vague, the implementation is lacking in transparency, and the victims are not receiving sufficient protection. To facilitate victims’ reimbursement, in this work, we propose a protocol called “Payment with Dispute Resolution” (PwDR) and formally define it. The protocol lets an honest victim prove its innocence to a third-party dispute resolver while preserving the protocol participants’ privacy. It makes black-box use of a standard online banking system. We implement its most computationally-intensive subroutine and analyse its runtime. We also evaluate its asymptotic cost. Our evaluation indicates that the protocol is efficient. It imposes only O(1) overheads to the customer and bank. Moreover, it takes a dispute resolver only 0.09 milliseconds to settle a dispute between the two parties.

Amazon Alexa’s booming third-party skill market has grown from 160 to 100,000 skills within three years. In this work, we make the first effort in demystifying the Alexa skill permission system by studying its security indicators. Our user study results show that most of the surveyed Alexa users did not understand the security implications of interacting with third parties via Alexa’s voice user interface (VUI). Despite the potential risks of undesired resource sharing, more than two-thirds of the surveyed Alexa users considered third-party skills safe because they think these skills are Alexa- or Amazon-owned applications. Together with other uncovered deficiencies of skill security indicator designs, our study indicates a pressing need for a paradigm shift in designing security indicators for VUI systems.

We define and formalise a generic cryptographic construction that underpins coupling of companion devices, e.g., biometrics-enabled devices, with main devices (e.g., PCs), in a user-aware manner, mainly for on-demand authentication and secure storage for applications running on the main device. We define the security requirements of such constructions, provide a full instantiation in a protocol-suite and prove its computational as well as Dolev-Yao security. Finally, we implement our protocol suite and one password-manager use-case.

Misuse of cryptographic APIs remains one of the most common flaws in Android applications. The complexity of cryptographic APIs frequently overwhelms developers. This can lead to mistakes that leak sensitive user data to trivial attacks. Despite herculean efforts by platform provider Google, countermeasures introduced so far were not successful in preventing these flaws. Users remain at risk until an effective systemic mitigation has been found.

In this paper, we propose a practical solution that mitigates crypto API misuse in compiled Android applications. It enables users to protect themselves against misuse exploitation until the research community has identified an effective long-term solution. CryptoShield consists of generic mitigation procedures for the most critical crypto API misuse scenarios and an implementation that autonomously extends protection onto all applications on an unrooted Android device. Our on-device CryptoShield Agent injects an instrumentation module into application packages, where it can intercept crypto API calls for detecting misuse and applying mitigations. Our solution was designed for real-world applicability. It retains the update flow through Google Play and can be integrated into existing MDM infrastructure.

As a demonstration of CryptoShield’s efficiency and efficacy, we conduct automated (1604 apps) and manual (99 apps) analyses on the most popular applications from Google Play, as well as measurements on synthetic benchmarks. Our solution mitigates crypto API misuse in 96 % of all vulnerable apps, while retaining full functionality for 92 % of all apps. On-device instrumentation takes roughly 11 seconds per application package on average, with minimal impact on package size (5 %) and negligible runtime overhead (571 ms on average app launches, 101 ms worst-case mitigation overhead per crypto API call).

Model extraction attack typically refers to extracting non-public information from a black-box machine learning model. Its unauthorized nature poses significant threat to intellectual property rights of the model owners. By using the well-designed queries and the predictions returned from the victim model, the adversary is able to train a clone model from scratch to obtain similar functionality as victim model. Recently, some methods have been proposed to perform model extraction attacks without using any in-distribution data (Data-free setting). Although these methods have been shown to achieve high clone accuracy, their query budgets are typically around 10 million or even exceed 20 million in some datasets, which lead to a high cost of model stealing and can be easily defended by limiting the number of queries. To illustrate the severe threats induced by model extraction attacks with limited query budget in realistic scenarios, we propose QUDA – a novel QUey-limited DAta-free model extraction attack that incorporates GAN pre-trained by public unrelated dataset to provide weak image prior and the technique of deep reinforcement learning to make query generation strategy more efficient. Compared with the state-of-the-art data-free model extraction method, QUDA achieves better results under query-limited condition (0.1M query budget) in FMNIST and CIFAR-10 datasets, and even outperforms the baseline method in most cases when QUDA uses only 10% query budget of its. QUDA issued a warning that solely relying on the limited numbers of queries or the confidentiality of training data is not reliable to protect model’s security and privacy. Potential countermeasures, such as detection-based defense approach, are also provided.

Adversarial attacks are a serious threat to the reliable deployment of machine learning models in safety-critical applications. They can misguide current models to predict incorrectly by slightly modifying the inputs. Recently, substantial work has shown that adversarial examples tend to deviate from the underlying data manifold of normal examples, whereas pre-trained masked language models can fit the manifold of normal NLP data. To explore how to use the masked language model in adversarial detection, we propose a novel textual adversarial example detection method, namely Masked Language Model-based Detection (MLMD), which can produce clearly distinguishable signals between normal examples and adversarial examples by exploring the changes in manifolds induced by the masked language model. MLMD features a plug and play usage (i.e., no need to retrain the victim model) for adversarial defense and it is agnostic to classification tasks, victim model’s architectures, and to-be-defended attack methods. We evaluate MLMD on various benchmark textual datasets, widely studied machine learning models, and state-of-the-art (SOTA) adversarial attacks (in total 3*4*4 = 48 settings). Experimental results show that MLMD can achieve strong performance, with detection accuracy up to 0.984, 0.967, and 0.901 on AG-NEWS, IMDB, and SST-2 datasets, respectively. Additionally, MLMD is superior, or at least comparable to, the SOTA detection defenses in detection accuracy and F1 score. Among many defenses based on the off-manifold assumption of adversarial examples, this work offers a new angle for capturing the manifold change. The code for this work is openly accessible at https://github.com/mlmddetection/MLMDdetection.

As a critical threat to deep neural networks (DNNs), backdoor attacks can be categorized into two types, i.e., source-agnostic backdoor attacks (SABAs) and source-specific backdoor attacks (SSBAs). Compared to traditional SABAs, SSBAs are more advanced in that they have superior stealthier in bypassing mainstream countermeasures that are effective against SABAs. Nonetheless, existing SSBAs suffer from two major limitations. First, they can hardly achieve a good trade-off between ASR (attack success rate) and FPR (false positive rate). Besides, they can be effectively detected by the state-of-the-art (SOTA) countermeasures (e.g., SCAn [40]).

To address the limitations above, we propose a new class of viable source-specific backdoor attacks coined as CASSOCK. Our key insight is that trigger designs when creating poisoned data and cover data in SSBAs play a crucial role in demonstrating a viable source-specific attack, which has not been considered by existing SSBAs. With this insight, we focus on trigger transparency and content when crafting triggers for poisoned dataset where a sample has an attacker-targeted label and cover dataset where a sample has a ground-truth label. Specifically, we implement CASSOCKTrans that designs a trigger with heterogeneous transparency to craft poisoned and cover datasets, presenting better attack performance than existing SSBAs. We also propose CASSOCKCont that extracts salient features of the attacker-targeted label to generate a trigger, entangling the trigger features with normal features of the label, which is stealthier in bypassing the SOTA defenses. While both CASSOCKTrans and CASSOCKCont are orthogonal, they are complementary to each other, generating a more powerful attack, called CASSOCKComp, with further improved attack performance and stealthiness. To demonstrate their viability, we perform a comprehensive evaluation of the three CASSOCK-based attacks on four popular datasets (i.e., MNIST, CIFAR10, GTSRB and LFW) and three SOTA defenses (i.e., extended Neural Cleanse [45], Februus [8], and SCAn [40]). Compared with a representative SSBA as a baseline (SSBABase), CASSOCK-based attacks have significantly advanced the attack performance, i.e., higher ASR and lower FPR with comparable CDA (clean data accuracy). Besides, CASSOCK-based attacks have effectively bypassed the SOTA defenses, and SSBABase cannot.

Reverse engineering of a stripped binary has a wide range of applications, yet it is challenging mainly due to the lack of contextually useful information within. Once debugging symbols (e.g., variable names, types, function names) are discarded, recovering such information is not technically viable with traditional approaches like static or dynamic binary analysis. We focus on a function symbol name recovery, which allows a reverse engineer to gain a quick overview of an unseen binary. The key insight is that a well-developed program labels a meaningful function name that describes its underlying semantics well. In this paper, we present AsmDepictor, the Transformer-based framework that generates a function symbol name from a set of assembly codes (i.e., machine instructions), which consists of three major components: binary code refinement, model training, and inference. To this end, we conduct systematic experiments on the effectiveness of code refinement that can enhance an overall performance. We introduce the per-layer positional embedding and Unique-softmax for AsmDepictor so that both can aid to capture a better relationship between tokens. Lastly, we devise a novel evaluation metric tailored for a short description length, the Jaccard* score. Our empirical evaluation shows that the performance of AsmDepictor by far surpasses that of the state-of-the-art models up to around 400%. The best AsmDepictor model achieves an F1 of 71.5 and Jaccard* of 75.4.

Inter-process isolation has been deployed in operating systems for decades, but secure intra-process isolation remains an active research topic. Achieving secure intra-process isolation within an operating system process is notoriously difficult. However, viable solutions that securely consolidate workloads into the same process have the potential to be extremely valuable.

In this work, we present native principal isolation, a technique to restrict threads’ access to process memory by enforcing intra-process security policies defined over a program’s application binary interface (ABI). A separate memory protection mechanism then enforces these policies. We present ThreadLock, a system that enforces native principal isolation policies using memory protection keys (MPKs) present on recent Intel CPUs. We demonstrate that ThreadLock efficiently restricts access to both thread-local data and sensitive information present in real workloads. We show how ThreadLock protects data within 3 real world applications, including the Apache web server, Redis in-memory data store, and MySQL relational database management system (RDBMS) with little performance overhead (+1.06% in the worst case). Furthermore, we show ThreadLock stops real world attacks against these popular programs. Our results show that native principal isolation is expressive enough to define effective intra-process security policies for real programs and that these policies may be enforced using MPKs without requiring any change to a program’s source or binary.

Cryptographic software running on embedded devices requires protection against physical side-channel attacks such as power analysis. Masking is a widely deployed countermeasure against these attacks and is directly implemented on algorithmic level. Many works study the security of masked cryptographic software on CPUs, pointing out potential problems on algorithmic/microarchitecture-level, as well as corresponding solutions, and even show masked software can be implemented efficiently and with strong (formal) security guarantees. However, these works also make the implicit assumption that software is executed directly on the CPU without any abstraction layers in-between, i.e., they focus exclusively on the bare-metal case. Many practical applications, including IoT and automotive/industrial environments, require multitasking embedded OSs on which masked software runs as one out of many concurrent tasks. For such applications, the potential impact of events like context switches on the secure execution of masked software has not been studied so far at all.

In this paper, we provide the first security analysis of masked cryptographic software spanning all three layers (SW, OS, CPU). First, we apply a formal verification approach to identify leaks within the execution of masked software that are caused by the embedded OS itself, rather than on algorithmic or microarchitecture level. After showing that these leaks are primarily caused by context switching, we propose several different strategies to harden a context switching routine against such leakage, ultimately allowing masked software from previous works to remain secure when being executed on embedded OSs. Finally, we present a case study focusing on FreeRTOS, a popular embedded OS for embedded devices, running on a RISC-V core, allowing us to evaluate the practicality and ease of integration of each strategy.

Active Directory (AD) is a popular information security management system for Windows domain networks and is an ongoing common target for cyber attacks. Most real-world Active Directory systems consist of millions of entities and links, and there are currently no efficient and effective solutions for hardening Active Directory systems of such scale. In this paper, we propose a novel and scalable double oracle-based algorithm for hardening large AD systems. We formulate the problem as a Stackelberg game between the defender and the attacker on a weighted AD attack graph, where the defender acts as the leader with a budget, and the objective is to find an optimal defender’s pure strategy. We show that our double oracle-based solution has significantly improved speed and scalability compared with previous solutions for hardening AD systems. Lastly, we compare with GoodHound weakest links and show that our solution provides better recommendations for targeting the elimination of optimal attack paths.

Increasingly, with embedded intelligence and control, IoT devices are being adopted faster than ever. However, the IoT landscape and its security implications are not yet fully understood. This paper seeks to shed light on this by focusing on a particular type of IoT devices, namely the ones using Bluetooth Low Energy (BLE). Our contributions are two-fold: First, we present Ble-Guuide, a framework for performing mobile app-centric security issue identification. We exploit Universally Unique Identifiers (UUIDs), which underpin data transmissions in BLE, to glean rich information regarding device functionality and the underlying security issues. We combine this with information from app descriptions and BLE libraries, to identify the corresponding security vulnerabilities in BLE devices and determine the security or privacy impact they could have depending on the device functionality. Second, we present a large-scale analysis of 17,243 free, BLE-enabled Android APKs, systematically crawled from the official Google Play store. By applying Ble-Guuide to this dataset, we uncover that more than 70% of these APKs contain at least one security vulnerability. We also obtain insights into the identified security vulnerabilities and their impact.

This paper aims to investigate the resilience of the internet in the face of censorship through a current case study: the war between Russia and Ukraine. We focus on whether Russia, as a major Internet power, has been using its network to deny access to Ukraine (and whether the Internet is resilient enough to route around such abuse). We consider how Internet accessibility changed over the course of the first few months, considering both hard and soft failures of website access. Our result, in brief, is that there is a substantial difference in network access to sites from Ukraine between March and July 2022, but Russian ASes are not causing significant collateral damage by filtering. In addition, we present the tools and resources developed in the project, including a classifier to detect soft-failures and a new multi-protocol implementation of Traceroute to locate internet censorship.

Federated Learning (FL)-based Intrusion Detection Systems (IDSs) have recently surfaced as viable privacy-preserving solution to decentralized grid zones. However, lack of consideration of communication delays and straggler nodes in conventional synchronous FL hinders their applications within the real-world. To level the playing field, we propose a novel semi-asynchronous FL solution on basis of a preset-cut-off time and a buffer system to mitigate the adverse effects of communication latency and stragglers. Furthermore, we leverage the use of a Deep Auto-encoder model for effective cyberattack detection. Experimental evaluations of our proposed framework on industrial control datasets validate superior attack detection while decreasing the adverse effects of communication latency and straggler nodes. Lastly, we notice a 30% improvement in the computation time in the presence of communication latency/straggler nodes, thus validating the robustness of our proposed method.

Moving Target Defenses (MTD) are proactive security countermeasures that change the attack surface in a system in ways that make it harder for attackers to succeed. These techniques have been shown to be effective, and their application in software-defined networking (SDN) against simple automated attacks is growing in popularity. However, with the increased knowledge of and ease of access to Artificial Intelligence (AI) techniques, AI is starting to be used to enhance cyber attacks, which are becoming increasingly complex. Hence, the evaluation of MTDs against simple automated attacks is no longer enough to demonstrate their effectiveness in increasing system security.

With this in mind, we propose a novel framework to evaluate MTD techniques in SDN. To this end, first, we develop a taxonomy of possible intelligent attacks against MTD techniques. Second, we show how our framework can be used to generate datasets to realize these intelligent attacks for evaluating and enhancing MTD techniques. Third, we experimentally demonstrate the feasibility of the proposed machine learning (ML) powered attacks, with an attacker who can determine the MTD trigger time from network traffic using ML, which they can use to maximize their attack window and increase their chances of success.

Cyber-physical systems (CPS), which are often required to satisfy critical properties such as safety, have been shown to be vulnerable to exploits originating from cyber and/or physical sides. Recently, novel resilient architectures, which equip CPS with capabilities of recovering to normal operations, have been developed to guarantee the safety of CPS under cyber attacks. These resilient architectures utilize distinct mechanisms involving different parameters and are seemingly unrelated. Currently, the analysis and design methods of one novel resilient architecture for CPS are not readily applicable to one another. Consequently, evaluating the appropriateness and effectiveness of a set of candidate resilient architectures to a given CPS is currently impractical. In this poster, we report our progress on the development of a common framework for analyzing the safety and assessing recovery performance of two or more resilient architectures intended for CPS under attacks. We formulate a hybrid model as a common representation of resilient architectures. Our insight is that the resilient architectures have a shared set of discrete states, including vulnerable, under attack, unsafe, and recovery modes, which can be mapped to the discrete states of the unifying hybrid model. The hybrid model enables a unified safety analysis. We parameterize the required behaviors for the cyber and physical components in order to guarantee safety. The parameters then inform the development of metrics to measure the resilience of CPS. For CPS consisting of multiple heterogeneous components, we show that the effect of interconnections on the spatial and temporal parameters can be quantified efficiently, allowing a compositional approach to the safety verification of large-scale CPS.

WebAssembly is a binary instruction format designed as a portable compilation target enabling the deployment of untrusted code in a safe and efficient manner. While it was originally designed to be run inside web browsers, modern runtimes like Wasmtime and WasmEdge can execute WebAssembly directly on various systems. In order to access system resources with a universal hostcall interface, a standardization effort named WebAssembly System Interface (WASI) is currently undergoing. With specific regard to the file system, runtimes must prevent hostcalls to access arbitrary locations, thus they introduce security checks to only permit access to a pre-defined list of directories. This approach not only suffers from poor granularity, it is also error-prone and has led to several security issues. In this work we replace the security checks in hostcall wrappers with eBPF programs, enabling the introduction of fine-grained per-module policies. Preliminary experiments confirm that our approach introduces limited overhead to existing runtimes.

Machine learning models have made significant breakthroughs across various domains. However, it is crucial to assess these models to obtain a complete understanding of their capabilities and limitations and ensure their effectiveness and reliability in solving real-world problems. In this paper, we present a framework, termed ML-Compass, that covers a broad range of machine learning abilities, including utility evaluation, neuron analysis, robustness evaluation, and interpretability examination. We use this framework to assess seven state-of-the-art classification models on four benchmark image datasets. Our results indicate that different models exhibit significant variation, even when trained on the same dataset. This highlights the importance of using the assessment framework to comprehend their behavior.

Traffic fingerprinting allows making inferences about encrypted traffic flows through passive observation. They have been used for tasks such as network performance management and analytics and in attacker settings such as censorship and surveillance. A key challenge when implementing traffic fingerprinting in real-time settings is how the state-of-the-art traffic fingerprint models can be ported into programmable in-network computing devices with limited computing resources. Towards this, in this work, we characterize the performance of binarized traffic fingerprinting neural networks that are efficient and well-suited for in-network computing devices and propose a new data encoding method that is better suited for network traffic. Overall, we show that the proposed binary neural network with first-layer binarization and last-layer quantization reduces the performance requirement of hardware equipment while retaining the accuracies of those models of binary datasets over 70%. Furthermore, when combined with our proposed encoding algorithm, accuracies of binarized models of numeric datasets show further improvements to achieve over 65% accuracy.

The predictive capabilities of machine learning models have improved significantly in recent years, leading to their widespread use in various fields. However, these models remain vulnerable to adversarial attacks, where carefully crafted inputs can mislead predictions and compromise the security of critical systems. Therefore, it is crucial to develop effective methods for detecting and preventing such attacks. Given that many neural network models are implemented using Python, this study addresses the issue of detecting adversarial examples from a new perspective by investigating information leakage in their Python model executions. To realize this objective, we propose a novel Python interpreter that utilizes Python bytecode instrumentation to profile layer-wise instruction-level program executions. We then search for information leakage on both legal and adversarial inputs, identifying their side-channel differences in call executions (i.e., call count, return values, and execution time) and synthesize the detection rule accordingly. Our approach is evaluated against TorchAttacks, AdvDoor, and RNN-Test attacks, targeting various models and applications. Our findings indicate that while there is call-return-value leakage on TorchAttacks images, there is no leakage to detect AdvDoor and RNN-Test attacks based on execution time or return values of string, integer, float, and Boolean type functions.

We have developed a novel ’Teacher-Student with human feedback’ model for Human-Artificial Intelligence (AI) collaborations in cybersecurity tasks. In our model, AI furnishes sufficient information about its decision-making process to enable human agents to provide feedback to improve the model. Our key innovations include: enhancing the interpretability of AI models by analyzing falsely detected samples using LIME and SHAP values; developing a novel posthoc explanation-based dynamic teacher-student model to address concept drift or concept shift; integrating human experts’ feedback on falsely detected samples to increase accuracy, precision, and recall values, without retraining the entire model; establishing a list of attack-based feature values for human experts to promote reproducibility. We show in experiments with real data and threat detection tasks that our model significantly improves the accuracy of existing AI algorithms for these tasks.

As Information Technology (IT) infrastructures have become increasingly complex to secure against accelerating cyber threats, current threat detection approaches have been largely silos in nature; security analysts in the environment are typically bombarded with large volume of security alerts that often cause severe fatigues and the possibility of judgement errors. This problem is further exacerbated by the number of false-positives that analysts may waste valuable time and resources pursuing. In this paper, we present how intuitive graph-based machine learning can be used to address the problem of alert fatigue and prioritize risky alerts to assist security analysts. The rationale and workflow of the proposed Graph Analysis (GA) algorithm is discussed in detail, with its effectiveness demonstrated by simulated experiments.