Information Security

In CRYPTO 2012, Sahai et al. raised the concern that in a cloud control system revocation of past keys should also be accompanied by updation of previously generated ciphertexts in order to prevent unread ciphertexts from being read by revoked users. Self-updatable encryption (SUE), introduced by Lee et al. in ASIACRYPT 2013, is a newly developed cryptographic primitive that realizes ciphertext update as an inbuilt functionality and thus improves the efficiency of key revocation and time evolution in cloud management. In SUE, a user can decrypt a ciphertext associated with a specific time if and only if the user possesses a private key corresponding to either the same time as that of the ciphertext or some future time. Furthermore, a ciphertext attached to a certain time can be updated to a new one attached to a future time using only public information. The SUE schemes available in the literature are either (a) fully secure but developed in a composite order bilinear group setting under highly non-standard assumptions or (b) designed in prime order bilinear groups but only selectively secure. This paper presents the

first fully secure

SUE scheme in

prime order bilinear groups

under

standard assumptions

, namely, the Decisional Linear and the Decisional Bilinear Diffie-Hellman assumptions. As pointed out by Freeman (EUROCRYPT 2010) and Lewko (EUROCRYPT 2012), the communication and storage, as well as, computational efficiency of prime order bilinear groups are much higher compared to that of composite order bilinear groups with an equivalent level of security. Consequently, our SUE scheme is highly cost-effective than the existing fully secure SUE.

We prove that, for a KEM/Tag-DEM (Key Encapsulation Mechanism/ Tag Data Encapsulation Mechanism) hybrid encryption scheme, if the adaptive chosen ciphertext secure KEM part has the properties of key malleability and key fingerprint and the Tag-DEM part is a one-time secure tag authenticated encryption, then the hybrid encryption is seucure against related key attacks (RKA). We show that several classical KEM schemes satisfy these two properties.

Service providers (SPs) that allow anonymous access need to protect their services against misbehaving users. Several schemes are proposed to achieve anonymous revocation without a trusted third party, thus protecting users’ privacy. They either have linear computational complexity in the size of the blacklist (EPID, BLAC, BLACR), or require all misbehaviors being identified in a time window (PEREA, PERM).

In ESORICS 2012, Yu

et al

propose an efficient scheme called PE(AR)

2

which does not require the SPs to review sessions in a timely manner. However, we find there are security problems in PE(AR)

2

. We propose ARBRA, a reputation-based revocation system for which the SPs can assign positive or negative scores to anonymous sessions and block the users whose reputations are not high enough. ARBRA allows the SPs to ramp up penalties for repeated misbehaviors from the same user and does not require the SPs to judge misbehaviors within a time window. Our benchmark shows that ARBRA has the best performance on the SP side among existing schemes and is also efficient on the user side even if the misbehavior list contains one million entries.

In this paper, we construct an Attribute-Based Signature (ABS) scheme for general circuits from multilinear maps. Our scheme is inspired by Garg et al.’s Attribute-Based Encryption (ABE) scheme at CRYPTO 2013. We prove selective unforgeability of our scheme in the standard model under the Multilinear Computational Diffie-Hellman (MCDH) assumption. The privacy security of our scheme is perfect.

We propose a new authenticated encryption scheme PAEQ, which employs a fixed public permutation. In contrast to the recent sponge-based proposals, our scheme is fully parallelizable. It also allows flexible key and nonce length, and is one of the few which achieves 128-bit security for both confidentiality and data authenticity with the same key length.

The permutation within PAEQ is a new design called AESQ, which is based on AES and is 512 bits wide. In contrast to similar constructions used in the SHA-3 competition, our permutation fully benefits from the newest Intel AES instructions and runs at 2.5 cycles per byte if used as the counter-mode PRF.

The full version of the paper is available at [7].

The hash function HAS-160 is standardized by the Korean government and widely used in Korea, and the hash function RIPEMD-160 is a worldwide ISO/IEC standard. In this paper, by careful analysis of the two hash functions, we propose a pseudo-preimage attack on 71-step HAS-160 (no padding) with complexity 2

158.13

and a preimage attack on 34-step RIPEMD-160 (with padding) with complexity 2

158.91

. Both of the attacks are from the first step. The improved results are derived from the differential meet-in-the-middle attack and biclique technique etc. As far as we know, they are the best pseudo-preimage and preimage attacks on step-reduced HAS-160 and RIPEMD-160 respectively in terms of the step number.

Given a Boolean function with

n

variables, a revised algorithm for computing the algebraic immunity

d

against conventional algebraic attacks in

O

(

D

2±

ε

) complexity is described for

$D=\sum _{i = 0}^d {n \choose i}$

and a small

ε

, which corrects and clarifies the most efficient algorithm so far at Eurocrypt 2006. An analysis of the success rate of the algorithm for determining the immunity against fast algebraic attacks in the above paper is also provided. Based on the revised algorithm, an algorithm for computing all the overdefined implicit equations on an S-box is given, which is the core of the algebraic attacks on block ciphers.

This paper addresses the issues of constructing zero- knowledge arguments of knowledge (ZKAOK) with properties such as a small number of rounds, public-coin and strict-polynomial-time simulation and extraction, and shows the existence of the following systems for

NP

for the first time under some assumptions.

There exists a 4-round auxiliary-input ZKAOK with strict-polynomial-time simulation and extraction. Previously even combining the strict-polynomial-time simulation and extraction construction by Barak and Lindell (STOC’02) with the recent 4-round zero-knowledge argument by Pandey

et al.

[ePrint’13] brings such a construction using at least 6 rounds.

There exists a 3-round bounded-auxiliary-input ZKAOK with strict-polynomial-time simulation and extraction. Previously the extractor of the 3-round construction by Bitansky

et al.

[STOC’14] runs in expected-polynomial-time.

There exists a 2-round public-coin bounded-auxiliary-input ZKAOK with strict-polynomial-time simulation which extractor works for bounded-size provers and runs in strict-polynomial-time.

We demonstrate a new non-black-box extraction technique based on differing-input obfuscation due to Ananth

et al.

[ePrint’13] to achieve strict-polynomial-time extraction.

Crypto-computing is a set of well-known techniques for computing with encrypted data. The security of the corresponding protocols are usually proven in the semi-honest model. In this work, we propose a new class of zero-knowledge proofs, which are tailored for crypto-computing protocols. First, these proofs directly employ properties of the underlying crypto systems and thus many facts have more concise proofs compared to generic solutions. Second, we show how to achieve universal composability in the trusted set-up model where all zero-knowledge proofs share the same system-wide parameters. Third, we derive a new protocol for multiplicative relations and show how to combine it with several crypto-computing frameworks.

With the emergence of cloud computing services, a resource-constrained client can outsource its computationally-heavy tasks to cloud providers. Because such service providers might not be fully trusted by the client, the need to verify integrity of the returned computation result arises. The ability to do so is called verifiable delegation or verifiable outsourcing. Furthermore, the data used in the computation may be sensitive and it is often desired to protect it from the cloud throughout the computation. In this work, we put forward solutions for verifiable outsourcing of matrix multiplications that favorably compare with the state of the art. Our goal is to minimize the cost of verifying the result without increasing overhead associated with other aspects of the scheme. In our scheme, the cost of verifying the result of computation uses only a single modulo exponentiation and the number of modulo multiplications linear in the size of the output matrix. This cost can be further reduced to avoid all cryptographic operations if the cloud is rational. A rational cloud is neither honest nor arbitrarily malicious, but rather economically motivated with the sole purpose of maximizing its monetary reward. We extend our core constructions with several desired features such as data protection, public verifiability, and computation chaining.

This paper develops a new hybrid model of floating point numbers suitable for operations in secure multi-party computations. The basic idea is to consider the significand of the floating point number as a fixed point number and implement elementary function applications separately of the significand. This gives the greatest performance gain for the power functions (e.g. inverse and square root), with computation speeds improving up to 18 times in certain configurations. Also other functions (like exponent and Gaussian error function) allow for the corresponding optimisation.

We have proposed new polynomials for approximation, and implemented and benchmarked all our algorithms on the Sharemind secure multi-party computation framework.

Asymmetric cryptographic algorithms (e.g., RSA and ECC) have been implemented on Graphics Processing Units (GPUs) for several years. These implementations mainly exploit the highly parallel GPU architecture and port the integer-based algorithms for common CPUs to GPUs, offering high performance. However, the great potential cryptographic computing power of GPUs, especially by the more powerful floating-point instructions, has not been comprehensively investigated in fact. In this paper, we try to fully exploit the floating-point computing power of GPUs for RSA, by various designs, including the floating-point-based Montgomery multiplication algorithm, the optimization for the fundamental operations and the utilization of the latest thread data sharing instruction

shuffle

. The experimental result on NVIDIA GTX Titan of 2048-bit RSA decryption reaches a throughput of 38,975 operations per second, achieves 2.21 times performance of the existing fastest integer-based work and outperforms the previous floating-point-based implementation by a large margin.

We study the problem of giving formal bounds on the information leakage of deterministic programs, when only a black-box access to the system is provided, and little is known about the input generation mechanism. After introducing a statistical set-up and defining a formal notion of information leakage

estimator

, we prove that, in the absence of significant a priori information about the output distribution, no such estimator can in fact exist that does significantly better than exhaustive enumeration of the input domain. Moreover, we show that the difficult part is essentially obtaining tight

upper

bounds. This motivates us to consider a relaxed scenario, where the analyst is given some control over the input distribution: an estimator is introduced that, with high probability, gives lower bounds irrespective of the underlying distribution, and tight upper bounds if the input distribution induces a “close to uniform” output distribution. We then define two methods, one based on Metropolis Monte Carlo and one based on Accept-Reject, that can ideally be employed to sample from one such input distribution, and discuss a practical methodology based on them. We finally demonstrate the proposed methodology with a few experiments, including an analysis of cache side-channels in sorting algorithms.

We present a novel

de-anonymization attack

on mobility trace data and social data. First, we design an Unified Similarity (US) measurement, based on which we present a US based De-Anonymization (DA) framework which iteratively de-anonymizes data with an accuracy guarantee. Then, to de-anonymize data

without the knowledge of the overlap size

between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. Finally, we examine DA/ADA on mobility traces and social data sets.

In intrusion forensics, it is difficult to find the evidences about who placed the hooks and how these hooks were placed simply by analyzing the memory dump. That’s because such behavior is transient and the snapshot of memory usually doesn’t contain enough information about it. Lack of this information will cause an uncompleted chain of evidence. Although dynamic analysis can trace this behavior by instruction-level analysis, this technique is slow and inconvenient in real forensic cases. And many investigated systems do not run in the virtualization environment that dynamic analysis needed.

So we present a new method to intercept processes and create accurate modification bitmaps to reveal the process’s memory behavior based on hardware events. A complete evidence chain is created for forensics by acquiring the process’s running snapshots and its file image path during the monitoring. Considering live forensic cases, we apply this method to a novel lightweight hypervisor which can build up a virtualization environment on-the-fly. Without modifying any code in target OS and suspending it, this method can monitor systems running on bare hardware. Its memory usage and performance impact on the investigated system is also proved to be acceptable in our experiment.

Memory introspection can be a powerful tool for analyzing contents of a system’s memory for any malicious code. Current approaches based on memory introspection have focused on Virtual Machines and using a privileged software entity, such as a hypervisor, to perform the introspection. Such software-based introspection, however, is susceptible to variety of attacks that may compromise the hypervisor and the introspection code. Furthermore, a hypervisor setup is not always wanted. In this work, we present a hardware-based approach to memory introspection. Dedicated hardware is introduced to read and analyze memory of the target system, independent of any hypervisor or OSes running on the system. We apply the new hardware approach to memory introspection to built-up an architecture that uses DMA and fine-grained memory introspection techniques in order to match network connections to the application-layer while being isolated and undetected from the operating system or the hypervisor. We call the proposed architecture SystemWall since it can be a standalone physical device which can be added as an expansion card to the mother board or a dedicated external box. The architecture is transparent and cannot be manipulated or deactivated by potential malware on the target system. We use the SystemWall in the evaluation to analyze the target system for malicious code and prevent unknown (malicious) applications from establishing network connections which can be used to spread viruses, spam or malware and to leak sensitive information.

In this paper we present

soundsquatting

, a previously unreported type of domain squatting which we uncovered during analysis of cybersquatting domains. In soundsquatting, an attacker takes advantage of homophones, i.e., words that sound alike, and registers homophone-including variants of popular domain names. We explain why soundsquatting is different from existing domain-squatting attacks, and describe a tool for the automatic generation of soundsquatting domains. Using our tool, we discover that attackers are already aware of the principles of soundsquatting and are monetizing them in various unethical and illegal ways. In addition, we register our own soundsquatting domains and study the population of users who reach our monitors, recording a monthly average of more than 1,700 non-bot page requests. Lastly, we show how sound-dependent users are particularly vulnerable to soundsquatting through the abuse of text-to-speech software.

Protecting the privacy of web users against tracking by blocking third-party content has become a cat-and-mouse game. Continuously changing tracking methods make it difficult to block all third-party content. On the other hand, it is necessary to accept some third-party content to ensure web site functionality. In this work we present the concept and an implementation for the automatic isolation of the locally stored web site state into separate containers. This eliminates the ability of trackers to re-identify users across different sites, by isolating HTTP cookies, HTML5 Web Storage, Indexed DB, and the browsing cache. The so-called Site Isolation was implemented for the Chromium browser and in addition secures the browser against CORS, CSRF, and click-jacking attacks, while limiting the impact of cache timing, and rendering engine hijacking. To evaluate the effectiveness of Site Isolation, we visited 1.6 million pages on over 94,000 distinct domains and compared the data saved against usual browsing. We show that top trackers collect enough information to identify billions of users reliably. In contrast, with Site Isolation in place the number of tracked pages can be reduced by 44%.

We present a new method of screening for malicious Android applications that uses two types of information about the application: the permissions that the application requests in its installation manifest and a metric called percentage of valid call sites (PVCS). PVCS measures the riskiness of the application based on a data flow graph. The information is used with machine learning algorithms to classify previously unseen applications as malicious or benign with a high degree of accuracy. Our classifier outperforms the previous state of the art by a significant margin, with particularly low false positive rates. Furthermore, the classifier evaluation is performed on malware families that were not used in the training phase, simulating the accuracy of the classifier on malware yet to be developed. We found that our PVCS metric and the SEND_SMS permission are the specific pieces of information that are most useful to the classifier.

Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps in the same device. A malicious app installed in a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as FileCross, that exploits the vulnerable

file://

to obtain users’ private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding

file://

access to private file zones, disabling JavaScript execution in

file://

URLs, or even blocking external

file://

URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability.

Searchable encryption allows an untrusted server to search on encrypted data without knowing the underlying data contents. Traditional searchable encryption schemes focus only on single keyword or conjunctive keyword search. Several solutions have been recently proposed to design more expressive search criteria, but most of them are in the setting of symmetric key encryption. In this paper, based on the composite-order groups, we present an expressive and secure asymmetric searchable encryption (ESASE) scheme, which is the first that simultaneously supports conjunctive, disjunctive and negation search operations. We analyze the efficiency of ESASE and prove it is secure in the standard model. In addition, we show that how ESASE could be extended to support the range search and the multi-user setting.

We propose a new identity-based cryptographic primitive which we call graded encryption. In a graded encryption scheme, there is one central (mostly offline) authority and a number of sub-authorities holding master keys that correspond to different levels. As in identity-based encryption, a sender can encrypt a message using only the identity of the receiver (plus public parameters) but it may also specify a numerical grade

i

. Users may decrypt messages directed to their identity at grade

i

as long as they have executed a

key-upgrade

protocol with sub-authorities 1,…,

i

. We require a grade

i

ciphertext to be secure in a strong sense: as long as there is one sub-authority with index

j

 ≤ 

i

that is not corrupted, the plaintext should be hidden from any recipient that has not properly upgraded her identity.

Graded encryption is motivated by multi-stage games (e.g., “who wants to be a millionaire”) played in a distributed fashion. Players unlock ciphertexts that belong to a certain stage

i

only if they have met all challenges posed by sub-authorities {1,…,

i

}. This holds true even if players collaborate with some of the sub-authorities. We give an efficient construction that has secret key and ciphertext size of a constant number of group elements. We also demonstrate further applications of graded encryption such as proving that a certain path was followed in a graph.

Group signatures, which allow users of a group to anonymously produce signatures on behalf of the group, are an important cryptographic primitive for privacy-enhancing applications. Over the years, various approaches to enhanced anonymity management mechanisms, which extend the standard feature of opening of group signatures, have been proposed.

In this paper we show how pairing-based group signature schemes (PB-GSSs) based on the sign-and-encrypt-and-prove (SEP) paradigm can be generically transformed in order to support one particular enhanced anonymity management mechanism,

i.e.

, we propose a transformation that turns every such PB-GSS into a PB-GSS with

controllable linkability

. Basically, this transformation replaces the public key encryption scheme used for identity escrow within a group signature scheme with a modified all-or-nothing public key encryption with equality tests scheme (denoted AoN-PKEET

*

) instantiated from the respective public key encryption scheme. Thereby, the respective trapdoor is given to the linking authority as a linking key. The appealing benefit of this approach in contrast to other anonymity management mechanisms (such as those provided by traceable signatures) is that controllable linkability can be added to PB-GSSs based on the SEP paradigm

for free

,

i.e.

, it neither influences the signature size nor the computational costs for signers and verifiers in comparison to the scheme without this feature.

With the advent of cloud computing, a number of cloud providers have arisen to provide Storage-as-a-Service (SaaS) offerings to both regular consumers and business organizations. SaaS (different than Software-as-a-Service in this context) refers to an architectural model in which a cloud provider provides digital storage on their own infrastructure. Three models exist amongst SaaS providers for protecting the confidentiality of data stored in the cloud: 1) no encryption (data is stored in plain text), 2) server-side encryption (data is encrypted once uploaded), and 3) client-side encryption (data is encrypted prior to upload). Through a combination of a Network and Source Code Analysis, this paper seeks to identify weaknesses in the third model, as it claims to offer 100% user data confidentiality throughout all data transactions. The weaknesses we uncovered primarily center around the fact that the cloud providers we evaluated (Wuala, Tresorit, and Spider Oak) were each operating in a Certificate Authority capacity to facilitate data sharing. In this capacity, they assume the role of both certificate issuer and certificate authorizer as denoted in a Public-Key Infrastructure (PKI) scheme - which gives them the ability to view user data contradicting their claims of 100% data confidentiality. We have collated our analysis and findings in this paper and explore some potential solutions to address these weaknesses in these sharing methods. The solutions proposed are a combination of best practices associated with the use of PKI and other cryptographic primitives generally accepted for protecting the confidentiality of shared information.

We consider the problem of detecting exploits based on return-oriented programming. In contrast to previous works we investigate to which extent we can detect ROP payloads by only analysing streaming data, i.e., we do not assume any modifications to the target machine, its kernel or its libraries. Neither do we attempt to execute any potentially malicious code in order to determine if it is an attack. While such a scenario has its limitations, we show that using a layered approach with a filtering mechanism together with the Fast Fourier Transform, it is possible to detect ROP payloads even in the presence of noise and assuming that the target system employs ASLR. Our approach, denoted eavesROP, thus provides a very lightweight and easily deployable mitigation against certain ROP attacks. It also provides the added merit of detecting the presence of a brute-force attack on ASLR since library base addresses are not assumed to be known by eavesROP.

This paper defines and analyzes injection attacks. The definition is based on the

NIE property

, which states that an application’s untrusted inputs must only produce Noncode Insertions or Expansions (i.e., NIEs) in output programs. That is, when applications generate output programs (such as SQL queries) based on untrusted inputs, the NIE property requires that inputs only affect output programs by inserting or expanding noncode tokens (such as string and float literals, lambda values, pointers, etc). This paper calls attacks based on violating the NIE property

BroNIEs

(i.e., Broken NIEs) and shows that all code-injection attacks are BroNIEs. In addition, BroNIEs contain many malicious injections that do not involve injections of code; we call such attacks

noncode

-injection attacks. In order to mitigate both code- and noncode-injection attacks, this paper presents an algorithm for detecting and preventing BroNIEs.

Software-intensive, modern vehicles comprise about 100 computers, which allow a plethora of attack combinations. This paper proposes an efficient attack forest construction method for a vehicle’s on-board network security evaluation, based on our system model, and predictions about attractiveness, exploitability, and attackers. We compiled various vehicle development databases and documents to a homogeneous system model. Our algorithm implementation can construct attack forests with typically sized system models usually within a few minutes and with an asymptotic, computational complexity of

O

(

n

* log(

n

)). Attack forests are a foundation for further security analysis and evaluation.

Payload attribution is a kind of traceback mechanism which has the ability to find the sources and destinations of packages containing certain excerpts and times of their occurrence. Existing payload attribution methods either fail to support wildcard query or suffers from low response speed. We propose Winnowing Double Structure with Wildcard Query (WDWQ), which support wildcard query efficiently and achieve higher wildcard query speed as well as lower false positive rate under an acceptable data reduction ratio. Our experiment shows that WDWQ is 20 times faster than the state-of-the-art payload attribution techniques.

The signature-based intrusion detection systems are one of the most commonly used software to protect computer networks by comparing incoming traffic with stored signatures. However, the process of signature matching is a key challenge, in which the workload is generally at least linear to the size of a target string. To solve this problem, exclusive signature matching (ESM) has been proposed based on the observation that most network packets would not match any IDS signatures. But this kind of schemes like the single character frequency-based ESM has not been extensively evaluated. In this paper, our interests are to verify the observation above and evaluate the single character frequency-based ESM in regular networks and hostile environments respectively. In the hostile experiment, we specifically design two malicious situations to test the scheme performance. The experimental results show that the single character frequency-based ESM works fine in a regular network, but its performance would be greatly decreased in a hostile environment.

Content-based Anomaly Detection (AD) techniques are regarded as a promising mechanism to detect ‘zero-day’ attacks. AD sensors have also been shown to perform better than signature-based systems in detecting polymorphic attacks. However, the False Positive Rates (FPRs) produced by current AD sensors have been a cause of concern. In this paper, we introduce and evaluate transAD, a system of network traffic inspection AD sensors that are based on Transductive Confidence Machines (TCM). Existing TCM-based implementations have very high FPRs when used as NIDS.

Our approach leverages an unsupervised machine-learning algorithm to identify anomalous packets and thus, unlike most AD sensors, transAD does not require manually labeled data. Moreover, transAD uses an ensemble of TCM sensors to achieve better detection rates and lower FPRs than single sensor implementations. Therefore, transAD presents a hardened defense against poisoning attacks.

We evaluated our prototype implementation using two real-world data sets collected from a public university’s network. TransAD processed approximately 1.1 million packets containing real attacks. To compute the ground truth, we manually labeled 18,500 alerts. In the course of scanning millions of packets, our sensor’s low FPR would significantly reduce the number of false alerts that need to be inspected by an operator, while maintaining a high detection rate.

Binary obfuscation is widely employed by malware distributors against malware analysis and detection. Mimimorphism is a novel technique arising from this arms race and technically opens a new line of obfuscation. It aims to defeat feature-based detection by generating malicious codes sharing features of benign programs. In order to forecast whether mimimorphic malware will burst out in the future, we evaluate current mimimorphic engines by measuring their mimicry outputs, as well as propose an approach to detection. In practice, we build a machine language model by doing a statistical study on code patterns of normal binary and use this model as a foundation for applying machine learning to detect mimimorphic malware. Experimental results show current mimimorphic engines are not powerful enough and mimicry executables can be effectively detected by our approach.

In this paper, we present

CodeXt

—a novel malware code extraction framework built upon selective symbolic execution (S2E). Upon real-time detection of the attack, CodeXt is able to automatically and accurately pinpoint the exact start and boundaries of the attack code even if it is mingled with random bytes in the memory dump. CodeXt has a generic way of handling self-modifying code and multiple layers of encoding, and it can automatically extract the complete hidden and transient code protected by multiple layers of sophisticated encoders without using any signature or pattern of the decoder. To the best of our knowledge, CodeXt is the first tool that can automatically extract code protected by Metasploit’s polymorphic xor additive feedback encoder Shikata-Ga-Nai, as well as transient code protected by multi-layer incremental encoding.

Cross-Site Scripting (XSS) attacks are at number three in the OWASP Top 10 2013 list [1] and according to a recent report by WhiteHat, 53% of the web applications are vulnerable to XSS attacks [2]. In this paper, we propose SIACHEN, a fine-grained, white-list and browser-enforced security policy language for the mitigation of XSS attacks. SIACHEN’s syntax is similar to Cascading Style Sheets (CSS) and its semantics is based on Content Security Policy (CSP) directives. CSP is a coarse-grained policy language and gives web site administrators a page-level control. Our policy language operates on

per-id

or

per-class

of web page’s HTML elements. SIACHEN also supports input validation and output encoding, which is missing in case of CSP. At the same time, SIACHEN leverages ECMAScript’s object freezing feature from the earlier work done by Heiderich

et al.

in [3]. SIACHEN glues together a number of disparate technologies into a single framework.

We implemented our proposal in the form of a client-side JavaScript library. Web site administrators can deliver the SIACHEN policy to the browser via a new header named “

X-Siachen-Policy

”. To show the applicability of our solution, we have added support of SIACHEN policy language in three open source web applications (i.e., PHPBB, PHPList & Damn Vulnerable Web App). Our evaluation shows reasonably low overhead is incurred by web applications and requires less amount of effort from developers’ side. We have tested our prototype against a large number of state-of-the-art, obfuscated and unobfuscated XSS attack vectors and found no bypass. To assist web site administrators, we present SIACHEN AiDer, an online service for the automated recommendation of policies. Further, this paper also presents results of a short survey of fifty popular desktop web applications and their mobile versions (100 in total). We have found an XSS in all surveyed sites but the main purpose of the survey is to find suitable venues for our prototype.

Many Chinese websites (relying parties) use OAuth 2.0 as the basis of a single sign-on service to ease password management for users. Many sites support five or more different OAuth 2.0 identity providers, giving users choice in their trust point. However, although OAuth 2.0 has been widely implemented (particularly in China), little attention has been paid to security in practice. In this paper we report on a detailed study of OAuth 2.0 implementation security for ten major identity providers and 60 relying parties, all based in China. This study reveals two critical vulnerabilities present in many implementations, both allowing an attacker to control a victim user’s accounts at a relying party without knowing the user’s account name or password. We provide simple, practical recommendations for identity providers and relying parties to enable them to mitigate these vulnerabilities. The vulnerabilities have been reported to the parties concerned.

Current efforts to increase the security of the boot sequence for mobile devices fall into two main categories: (i) secure boot: where each stage in the boot sequence is evaluated, aborting the boot process if a non expected component attempts to be loaded; and (ii) trusted boot: where a log is maintained with the components that have been loaded in the boot process for later audit. The first approach is often criticized for locking down devices, thus reducing users’ freedom to choose software. The second lacks the mechanisms to enforce any form of run-time verification. In this paper, we present the architecture for a two-phase boot verification that addresses these shortcomings. In the first phase, at boot-time the integrity of the bootloader and OS images are verified and logged; in the second phase, at run-time applications can check the boot traces and verify that the running software satisfies their security requirements. This is a first step towards supporting usage control primitives for running applications. Our approach relies on off-the-shelf secure hardware that is available in a multitude of mobile devices: ARM TrustZone as a Trusted Execution Environment, and Secure Element as a tamper-resistant unit.

Nowadays, smartphones have started being used as a tool to collect and spread politically sensitive or activism information. The exposure of the possession of such sensitive data shall pose a risk in severely threatening the life safety of the device owner. Particularly, the data owner may be caught and coerced to give away the encryption keys. Under this circumstances, applying the encryption to data still fails to mitigate such risk.

Plausibly deniable encryption (PDE) promisingly helps to circumvent the coercive attack by allowing the data owner to deny the existence of certain data. In this work, we present MobiHydra, a more pragmatic PDE scheme featuring multi-level deniability on mobile devices. MobiHydra is pragmatic in that it remarkably supports hiding opportunistic data without necessarily rebooting the device. In addition, MobiHydra favorably mitigates the so-called booting-time defect, which is a whistle-blower to expose the usage of PDE in previous solutions. We implement a prototype for MobiHydra on Google Nexus S. The evaluation results demonstrate that MobiHydra introduces very low overhead compared with other PDE solutions for mobile devices.