
2015 | Book

Security Protocols XXIII

23rd International Workshop, Cambridge, UK, March 31 - April 2, 2015, Revised Selected Papers

Edited by: Bruce Christianson, Petr Švenda, Vashek Matyáš, James Malcolm, Frank Stajano, Jonathan Anderson

Publisher: Springer International Publishing

Book series: Lecture Notes in Computer Science


About this book

This book constitutes the thoroughly refereed post-workshop proceedings of the 23rd International Workshop on Security Protocols, held in Cambridge, UK, in March/April 2015. After an introduction the volume presents 18 revised papers each followed by a revised transcript of the presentation and ensuing discussion at the event. The theme of this year's workshop is "Information Security in Fiction and in Fact".

Table of contents

Frontmatter
The Dark Side of the Code

The literature is rife with examples of attackers exploiting unexpected system behaviours that arise from program bugs. This problem is particularly widespread in contemporary application programs, owing to the complexity of their many interconnected parts. We consider this problem, and consider how runtime verification could be used to check an executing program against a model of expected behaviour generated during unit testing.

Olgierd Pieczul, Simon N. Foley
The Dark Side of the Code (Transcript of Discussion)

The obvious course of action is for the European Commission to make formal specification illegal and then announce victory.

Simon N. Foley, Olgierd Pieczul
Redesigning Secure Protocols to Compel Security Checks

In the study of secure protocols, we must both ensure that the design of the protocol is secure and that the implementation is correct. One implementation problem which has frequently occurred is that implementations fail to implement some of the checks which are needed for the protocol to be secure. For example, implementations may fail to validate certificates or fail to validate all aspects of the certificate. In this paper, we demonstrate that it is possible to change the design of a protocol to compel the implementation to carry out the checks. We assume that programmers will always do at least what is necessary to read and produce properly formatted messages. Then we use some simple cryptography to ensure that reading properly formatted messages essentially requires checking the parameters.

Keith Irwin
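The abstract's idea, that a correctly formatted message should be unreadable unless the receiver has actually computed the values it is supposed to check, can be illustrated with a small added example. This is illustrative code written for this page, not the construction from Irwin's paper: the values to be checked (the intended recipient and the recipient's outstanding nonce) are never transmitted; instead the sender derives the message key from them, so a receiver that does not supply its own identity and its own current nonce gets no key and nothing to read. The encrypt-then-MAC scheme is a standard-library toy built from HMAC-SHA256 and stands in for a real AEAD.

```python
import hashlib
import hmac
import os

# Illustrative construction for this page (not the paper's protocol).
# Toy encrypt-then-MAC from HMAC-SHA256 so it runs with the standard
# library only; use a real AEAD (AES-GCM, ChaCha20-Poly1305) in practice.

def kdf(shared_key: bytes, *checked: bytes) -> bytes:
    """Derive the message key from the long-term key and every value the
    receiver is expected to check; changing any of them changes the key."""
    info = b"".join(len(c).to_bytes(2, "big") + c for c in checked)
    return hmac.new(shared_key, b"compel-checks|" + info, hashlib.sha256).digest()

def _keystream(key: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(msg_key: bytes, payload: bytes) -> bytes:
    enc_key = hmac.new(msg_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(msg_key, b"mac", hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, len(payload))))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(msg_key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    if len(blob) < 32:
        return None
    body, tag = blob[:-32], blob[-32:]
    mac_key = hmac.new(msg_key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None
    enc_key = hmac.new(msg_key, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, len(body))))

def sender_message(shared_key, recipient_id, recipient_nonce, payload):
    # recipient_id and recipient_nonce are deliberately NOT sent: the receiver
    # must supply the values it expects, and that act of supplying is the check.
    return seal(kdf(shared_key, recipient_id, recipient_nonce), payload)

def receiver_read(shared_key, my_id, my_outstanding_nonce, blob):
    # A lazy implementation has nothing to skip: without the right identity
    # and the current nonce there is no key, and the message cannot be read.
    return unseal(kdf(shared_key, my_id, my_outstanding_nonce), blob)

def demo():
    k = os.urandom(32)                      # shared long-term key (constructed)
    nonce_bob = os.urandom(16)              # Bob's current challenge
    blob = sender_message(k, b"bob", nonce_bob, b"transfer 10 to carol")
    ok = receiver_read(k, b"bob", nonce_bob, blob)
    stale = receiver_read(k, b"bob", os.urandom(16), blob)   # replayed under another nonce
    misdirected = receiver_read(k, b"carol", nonce_bob, blob)  # delivered to the wrong party
    return ok, stale, misdirected
```

Compare with the usual design, where the recipient name and nonce travel in the clear next to the payload and a hurried implementer can parse the payload and skip the comparison; here there is no payload to parse until the comparison has, in effect, been made.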
Redesigning Secure Protocols to Compel Security Checks (Transcript of Discussion)

So my talk today is “Redesigning Secure Protocols to Compel Security Checks”. To set up the problem: a lot of secure protocols require certain checks to be performed. You write up the protocol, that’s perhaps your fiction. And then later we have an implementation, that’s fact, one way or the other. And there are certain checks that are supposed to be in these protocols.

Keith Irwin
Derailing Attacks

We introduce derailing attacks, a class of blocking attacks on security protocols. As opposed to blunt, low-level attacks such as persistent jamming, derailing only requires a minimal, application-level intervention from the attacker. We give a simple definition of derailing attacks in an abstract formal model, and demonstrate that derailing attacks are viable in practice through examples from two application domains, namely radio-frequency identification and fair exchange protocols.

Saša Radomirović, Mohammad Torabi Dashti
Derailing Attacks (Transcript of Discussion)

I’m going to talk about Derailing Attacks. This is joint work with Saša, who’s in the audience, my name is Mohammad.

Mohammad Torabi Dashti
Establishing Software-Only Root of Trust on Embedded Systems: Facts and Fiction

Establishing SoftWare-Only Root of Trust (SWORT) on a system comprises the attestation of the system’s malware-free state and loading of an authentic trusted-code image in that state, without allowing exploitable time gaps between the attestation, authenticity measurement, and load operations. In this paper, we present facts and fiction of SWORT protocol design on new embedded-systems architectures, discuss some previously unknown pitfalls of software-based attestation, and propose three new attacks. We describe the implementation of the first attack on a popular embedded-system platform (i.e., on the Gumstix FireStorm COM), establish the feasibility of the second, and argue the practicality of the third. We outline several challenges of attack countermeasures and argue that countermeasures must compose to achieve SWORT protocol security.

Yanlin Li, Yueqiang Cheng, Virgil Gligor, Adrian Perrig
Establishing Software-Only Root of Trust on Embedded Systems: Facts and Fiction (Transcript of Discussion)

This presentation is based on joint work with Yanlin Li, Yueqiang Cheng, and Adrian Perrig.

Virgil Gligor
Mind Your $(R, \varPhi)$s: Location-Based Privacy Controls for Consumer Drones

This position paper explores the threat to individual privacy due to the widespread use of consumer drones. Present day consumer drones are equipped with sensors such as cameras and microphones, and their types and numbers can be well expected to increase in future. Drone operators have absolute control on where the drones fly and what the on-board sensors record with no options for bystanders to protect their privacy. This position paper proposes a policy language that allows homeowners, businesses, governments, and privacy-conscious individuals to specify location access-control for drones, and discusses how these policy-based controls might be realized in practice. This position paper also explores the potential future problem of managing consumer drone traffic that is likely to emerge with increasing use of consumer drones for various tasks. It proposes a privacy preserving traffic management protocol for directing drones towards their respective destinations without requiring drones to reveal their destinations.

Tavish Vaidya, Micah Sherr
Mind Your $(R, \varPhi)$s: Location-Based Privacy Controls for Consumer Drones (Transcript of Discussion)

Thanks for the introduction. Today I’m going to talk about privacy controls for consumer drones. This is going to be another split talk: I’m going to let my PhD student take over at some point.

Tavish Vaidya, Micah Sherr
Location-Private Interstellar Communication

Mankind is actively trying to communicate with extraterrestrial life. However, historically the discovery of new civilizations has led to war, subjugation, and even elimination. With that in mind, we believe that for any attempted contact with extraterrestrials our location must not be revealed. Therefore, we focus on the problem of location-private interstellar communication. We approach this as a security problem and propose to work towards solutions with tools from the domain of secure communications. As a first step, we give proposals for adversary models, security requirements, and security controls.

Hugo Jonker, Sjouke Mauw, Saša Radomirović
Location-Private Interstellar Communication (Transcript of Discussion)

While the landing of a drone on the White House lawn is an issue, it is DEFINITELY not relevant if you relate it to the landing of a spaceship on that lawn.

Sjouke Mauw
The Lifetime of Android API Vulnerabilities: Case Study on the JavaScript-to-Java Interface

We examine the lifetime of API vulnerabilities on Android and propose an exponential decay model of the uptake of updates after the release of a fix. We apply our model to a case study of the JavaScript-to-Java interface vulnerability. This vulnerability allows untrusted JavaScript in a WebView to break out of the JavaScript sandbox allowing remote code execution on Android phones; this can often then be further exploited to gain root access. While this vulnerability was first publicly disclosed in December 2012, we predict that the fix will not have been deployed to 95% of devices until December 2017, 5.17 years after the release of the fix. We show how this vulnerability is exploitable in many apps and the role that ad-libraries have in making this flaw so widespread.

Daniel R. Thomas, Alastair R. Beresford, Thomas Coudray, Tom Sutcliffe, Adrian Taylor
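The exponential decay model behind the abstract's "95% of devices by 5.17 years" figure can be worked through in a few lines. The code below is an added example for this page, not the authors' analysis tooling: it treats the share of devices still lacking the fix as exp(-rate * t), fits the rate by least squares from a small set of (years since fix, fraction fixed) points that are constructed here rather than taken from the paper, and solves for the time at which a given coverage is reached. PAPER_RATE is simply the rate implied by the abstract's own 95%-at-5.17-years statement.

```python
import math

# Added example; the SAMPLE points below are constructed, not measured data.

def fraction_still_vulnerable(rate: float, t_years: float) -> float:
    """Exponential decay: share of devices that have not yet received the fix."""
    return math.exp(-rate * t_years)

def years_until_deployed(rate: float, coverage: float) -> float:
    """Years after the fix until `coverage` (e.g. 0.95) of devices run the fixed code."""
    if not 0.0 < coverage < 1.0:
        raise ValueError("coverage must be strictly between 0 and 1")
    return -math.log(1.0 - coverage) / rate

def fit_rate(observations) -> float:
    """Least-squares fit of the decay rate from (years_since_fix, fraction_fixed)
    points, linearised as -ln(1 - f) = rate * t (a line through the origin)."""
    num = den = 0.0
    for t, f in observations:
        y = -math.log(1.0 - f)
        num += t * y
        den += t * t
    return num / den

# Constructed uptake observations: (years since fix release, fraction of devices fixed).
SAMPLE = [(0.5, 0.25), (1.0, 0.44), (2.0, 0.69), (3.0, 0.82), (4.0, 0.90)]

# Rate implied by the abstract: 95% coverage 5.17 years after the fix.
PAPER_RATE = math.log(20.0) / 5.17

def predict(observations=SAMPLE, coverage=0.95):
    """Fit the rate from observations and return (rate, years to reach coverage)."""
    rate = fit_rate(observations)
    return rate, years_until_deployed(rate, coverage)
```

The practical reading is the one the abstract draws: a rate near 0.58 per year means roughly 44% of devices carry the fix after one year and 5% are still exposed after five, so an API-level flaw fixed in the platform stays exploitable in the field for years, and app-side mitigations cannot wait for platform updates.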
The Lifetime of Android API Vulnerabilities: Case Study on the JavaScript-to-Java Interface (Transcript of Discussion)

Security protocols like TLS often have a two-sided upgrade problem: it takes a long time to upgrade, as both the client and the server must be upgraded.

Daniel R. Thomas
Challenges of Fiction in Network Security – Perspective of Virtualized Environments

The paper aims to start a discussion about challenges and possible caveats of performing network security experiments with high traffic volumes in virtual environment. A new framework for rapid evolution of denial-of-service attacks by genetic algorithms is presented. Issues with virtual environment that were encountered during initial work with the framework are listed.

Vit Bukac, Radim Ostadal, Petr Svenda, Tatevik Baghdasaryan, Vashek Matyas
Challenges of Fiction in Network Security – Perspective of Virtualised Environments (Transcript of Discussion)

Good morning, my name is Radim Ostadal, and today I would like to provide you with a brief overview of our research about the GANET project, particularly about the issues and difficulties we faced regarding the virtualized environment. GANET is an abbreviation for Genetic Algorithms in Networks. It is a framework for rapid evolution of denial-of-service attacks. Its core components are virtualization and genetic programming.

Radim Ostadal
Device Attacker Models: Fact and Fiction

According to standard fiction, a user is able to securely keep long term keys on his device. However, in fact his device may become infected with malware, and an adversary may obtain a copy of his key. We propose an attacker model in which devices are “periodically trustworthy” — they may become infected by malware, and then later become trustworthy again after software patches and malware scans have been applied, in an ongoing cycle. This paper proposes a solution to make the usage of private keys by attackers detectable by using public transparently-maintained logs to monitor the usage of long-term secret keys.

Jiangshan Yu, Mark D. Ryan
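The abstract's mechanism, making every use of a long-term key visible in a public append-only log so that an owner whose device was temporarily infected can later spot uses it did not make, can be sketched in code. This is an added example for this page and not the authors' protocol: the log is a plain hash chain rather than a Merkle tree with signed heads, HMAC stands in for the signature (so the relying party here is trusted with the key, which a real signature scheme avoids), and the names and record format are assumptions. The point being shown is the coupling: a use is only accepted if it is logged, and anything logged that the owner did not do is evidence of compromise.

```python
import hashlib
import hmac
import json

# Added example; toy hash-chain log and HMAC-as-signature stand-in.

class TransparencyLog:
    """Append-only log with a hash chain that anyone can fetch and verify."""
    def __init__(self):
        self.entries = []  # list of (record, chain_hash)

    def append(self, record: dict):
        prev = self.entries[-1][1] if self.entries else b"\x00" * 32
        data = json.dumps(record, sort_keys=True).encode()
        h = hashlib.sha256(prev + data).digest()
        self.entries.append((record, h))
        return len(self.entries) - 1, h

    def verify_chain(self) -> bool:
        prev = b"\x00" * 32
        for rec, h in self.entries:
            data = json.dumps(rec, sort_keys=True).encode()
            if hashlib.sha256(prev + data).digest() != h:
                return False
            prev = h
        return True

    def entries_for(self, key_id: str):
        return [(i, r) for i, (r, _) in enumerate(self.entries) if r["key_id"] == key_id]

def use_key(log: TransparencyLog, key_id: str, secret_key: bytes, message: bytes):
    """Every use of the long-term key publishes a log entry first; the tag binds
    the log position, so a use that was not logged cannot be verified."""
    digest = hashlib.sha256(message).hexdigest()
    idx, _ = log.append({"key_id": key_id, "msg_hash": digest})
    tag = hmac.new(secret_key, idx.to_bytes(8, "big") + message, hashlib.sha256).digest()
    return idx, tag

def verify_use(log, key_id, secret_key, message, idx, tag) -> bool:
    """Relying party: accept only if the tag verifies AND the log holds a
    matching entry at the claimed position."""
    if idx >= len(log.entries):
        return False
    rec, _ = log.entries[idx]
    if rec["key_id"] != key_id or rec["msg_hash"] != hashlib.sha256(message).hexdigest():
        return False
    expected = hmac.new(secret_key, idx.to_bytes(8, "big") + message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def audit(log, key_id, own_uses):
    """Owner, once the device is trustworthy again, compares the log against its
    own record of uses; any extra entry was made by someone else holding the key."""
    own = {idx for idx, _ in own_uses}
    return [(i, r) for i, r in log.entries_for(key_id) if i not in own]

def scenario():
    log = TransparencyLog()
    key = b"long-term-secret-of-alice"   # constructed
    own_uses = [use_key(log, "alice", key, b"pay 5 to bob")]
    # Malware that copied the key must still log its use to be accepted anywhere.
    idx, tag = use_key(log, "alice", key, b"pay 500 to mallory")
    accepted = verify_use(log, "alice", key, b"pay 500 to mallory", idx, tag)
    unlogged = verify_use(log, "alice", key, b"pay 500 to mallory", 99, tag)
    return accepted, unlogged, audit(log, "alice", own_uses), log.verify_chain()
```

The attacker's use is accepted by the relying party, which is the whole point: detection, not prevention. What the owner gains is that the misuse is on the record and shows up in the audit as soon as the device is clean enough to run it.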
Device Attacker Models: Fact and Fiction (Transcript of Discussion)

Good morning everyone, this talk is about the question of what happens when your device gets contaminated by malware and becomes under the control of adversaries. Is there anything that you can still do in the way of security functionality, for example, could you still make use of cryptographic keys that are stored on the device.

Mark Ryan
Smearing Fingerprints: Changing the Game of Web Tracking with Composite Privacy

As web browsers have become more sophisticated at blocking unauthorized attempts to track users’ online activities (incognito mode, Do Not Track), so too have trackers evolved to trump those protections. In many cases, these new forms of tracking have turned features designed to improve the web experience against user privacy. We focus on browser fingerprinting as a testbed for proposing a novel approach to fighting back for user privacy. By intercepting and obfuscating the information generated by browser fingerprinting scripts, the user not only frustrates the attempt to track their movements, but, more importantly, wider usage degrades the quality of trackers’ databases, reducing the effective entropy of their metrics, thereby yielding privacy gains for all users, not just those employing this method of obfuscation.

Sandy Clark, Matt Blaze, Jonathan M. Smith
Smearing Fingerprints: Changing the Game of Web Tracking and Differential Privacy (Transcript of Discussion)

So we’re calling this one composite privacy, and we want to talk about shifting costs for web tracking or for user tracking. In previous years at this workshop we’ve presented ideas on a variety of subjects. We’ve talked about what we can learn from locks and from safecracking, we’ve talked about eVoting systems, we talked about the benefit you get from the attackers learning curve early in a vulnerability lifecycle, we’ve talked about the P25 radio systems and the problems with those, and we’ve also presented information on the lessons you can learn from casino security, and from military strategy.

Sandy Clark
Pico Without Public Keys

Pico is a user authentication system that does not require remembering secrets. It is based on a personal handheld token that holds the user’s credentials and that is unlocked by a “personal aura” generated by digital accessories worn by the owner. The token, acting as prover, engages in a public-key-based authentication protocol with the verifier. What would happen to Pico if success of the mythical quantum computer meant secure public key primitives were no longer available, or if for other reasons such as energy consumption we preferred not to deploy them? More generally, what would happen under those circumstances to user authentication on the web, which relies heavily on public key cryptography through HTTPS/TLS?

Although the symmetric-key-vs-public-key debate dates back to the 1990s, we note that the problematic aspects of public key deployment that were identified back then are still ubiquitous today. In particular, although public key cryptography is widely deployed on the web, revocation still doesn’t work.

We discuss ways of providing desirable properties of public-key-based user authentication systems using symmetric-key primitives and tamper-evident tokens. In particular, we present a protocol through which a compromise of the user credentials file at one website does not require users to change their credentials at that website or any other.

We also note that the current prototype of Pico, when working in compatibility mode through the Pico Lens (i.e. with websites that are unaware of the Pico protocols), doesn’t actually use public key cryptography, other than that implicit in TLS. With minor tweaks we adopt this as the native mode for Pico, dropping public key cryptography and achieving much greater deployability without any noteworthy loss in security.

Frank Stajano, Bruce Christianson, Mark Lomas, Graeme Jenkinson, Jeunese Payne, Max Spencer, Quentin Stafford-Fraser
Pico Without Public Keys (Transcript of Discussion)

I will start with a motivating story. This is a true story, one of the latest in a long series of similar stories. Once upon a time, in a certain land, in the year of Our Lord 2013, Adobe lost 153 million passwords. Adobe was broken into and every one of their 153 million customers had to change their password.

Frank Stajano
Do You Believe in Tinker Bell? The Social Externalities of Trust

In the play Peter Pan, the fairy Tinker Bell is about to fade away and die because nobody believes in her any more, but is saved by the belief of the audience. This is a very old meme; the gods in Ancient Greece became less or more powerful depending on how many mortals sacrificed to them. On the face of it, this seems a democratic model of trust; it follows social consensus and crumbles when that is lost. However, the world of trust online is different. People trust CAs because they have to; Verisign and Comodo are dominant not because users trust them, but because merchants do. Two-sided market effects are bolstered by the hope that the large CAs are too big to fail. Proposed remedies from governments are little better; they declare themselves to be trusted and appoint favoured contractors as their bishops. Academics have proposed, for example in SPKI/SDSI, that trust should flow from individual users’ decisions; but how can that be aggregated in ways compatible with incentives? The final part of the problem is that current CAs are not just powerful but all-powerful: a compromise can let a hostile actor not just take over your session or impersonate your bank, but ‘upgrade’ the software on your computer. Omnipotent CAs with invisible failure modes are better seen as demons rather than as gods.

Inspired by Tinker Bell, we propose a new approach: a trust service whose power arises directly from the number of users who decide to rely on it. Its power is limited to the provision of a single service, and failures to deliver this service should fairly rapidly become evident. As a proof of concept, we present a privacy-preserving reputation system to enhance quality of service in Tor, or a similar proxy network, with built-in incentives for correct behaviour. Tokens enable a node to interact directly with other nodes and are regulated by a distributed authority. Reputation is directly proportional to the number of tokens a node accumulates. By using blind signatures, we prevent the authority learning which entity has which tokens, so it cannot compromise privacy. Tokens lose value exponentially over time; this negative interest rate discourages hoarding. We demotivate costly system operations using taxes. We propose this reputation system not just as a concrete mechanism for systems requiring robust and privacy-preserving reputation metrics, but also as a thought experiment in how to fix the security economics of emergent trust.

Khaled Baqer, Ross Anderson
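The three ingredients the abstract names for its token scheme, blind signatures so the authority cannot link a token to the node that redeems it, exponentially decaying token value, and taxes on costly operations, can be shown together in one small added example. This code is written for this page and is not the paper's construction: it uses textbook RSA blind signatures with a deliberately tiny modulus so the arithmetic is visible (a real system needs a 2048-bit-plus modulus and a vetted blind-signature scheme), and the decay rate and tax amounts are assumed values.

```python
import hashlib
import math
import secrets
from math import gcd

# Added example. Toy RSA parameters so every number fits on screen; not for real use.
P, Q, E = 61, 53, 17
N = P * Q                                   # 3233
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent, 2753

def token_digest(serial: bytes) -> int:
    """Hash the token serial into the RSA group (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """Node side: hide the serial from the authority behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (token_digest(serial) * pow(r, E, N)) % N
    return blinded, r

def authority_sign(blinded: int) -> int:
    """Authority endorses a token without learning which serial it is."""
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    """Node side: strip r to obtain an ordinary signature on the serial."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify_token(serial: bytes, sig: int) -> bool:
    """Any node can check a token against the authority's public key (N, E)."""
    return pow(sig, E, N) == token_digest(serial)

def token_value(issued_at: float, now: float, rate: float = 0.1) -> float:
    """Exponential decay: a negative interest rate that makes hoarding pointless."""
    return math.exp(-rate * (now - issued_at))

def charge_tax(balance: float, cost: float) -> float:
    """Costly operations are taxed in token value; refuse if the node cannot pay."""
    if balance < cost:
        raise ValueError("insufficient reputation for this operation")
    return balance - cost

def issue_and_check(serial: bytes):
    """Full round trip: blind, sign, unblind, verify. Returns
    (authority saw something other than the serial's digest, token verifies)."""
    blinded, r = blind(serial)
    sig = unblind(authority_sign(blinded), r)
    return blinded != token_digest(serial), verify_token(serial, sig)
```

Because the authority only ever sees the blinded value, the signature it later encounters in circulation cannot be matched to the issuing request, which is what keeps the reputation metric from becoming a traffic-analysis oracle on the proxy network.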
Do You Believe in Tinker Bell? The Social Externalities of Trust (Transcript of Discussion)

OK, we’ve heard from previous talks about how TLS certificates are all or nothing. It’s particularly annoying that if I trust a certificate because I want to read a website, then in many systems that certificate can now update my operating system.

Khaled Baqer, Ross Anderson
Security is Beautiful

In the movie “Life is Beautiful”, Guido Orefice, the character interpreted by Roberto Benigni, convinces his son Giosuè that they have been interned in a Nazi concentration camp not because they are Jews but because they are actually taking part in a long and complex game in which they, and in particular Giosuè, must perform the tasks that the guards give them. A ghastly experience is turned into a livable, at times even almost enjoyable, one.

In this position paper, we advocate that, in the same spirit as Guido’s ingenious trick of turning a Nazi camp into a sort of playground for his child, security should be beautiful; and if it isn’t so yet, it should then be made beautiful, so that the users experience it in that way. This is, of course, an extremely challenging objective, and we will discuss through further scenarios a few ways in which it could be made possible in the future. It turns out that the Peppa Pig cartoon may also be inspiring.

Giampaolo Bella, Luca Viganò
Security is Beautiful (Transcript of Discussion)

Let me start by saying this is joint work with Giampaolo Bella, and that what we have actually written, and that you can find in the proceedings, is not just a position paper, but actually a pro-position paper, where we are using the word pro-position not with the meaning of a true statement or false statement, but rather as something that we state for discussion and/or illustration. That is, I won’t give you answers, rather I will ask a few questions and propose what is perhaps a slightly different state of mind than the one that we are used to. Let me also say there are many connections to the talks that we’ve heard today and also yesterday, and I will try to make references as much as I can.

Luca Viganò
On the Use of Security and Privacy Technology as a Plot Device

We believe that the handling of information security in fiction is, in general, neither technically realistic nor dramatically interesting. Furthermore, we believe that technically realistic treatment of information security could be an effective plot device. We provide examples (and one counterexample) from well regarded television shows to support our beliefs. We conclude with a short fictional work of our own creation that attempts to use information security in a technically realistic and dramatically interesting manner.

Joan Feigenbaum, Brad Rosen
On the Use of Security and Privacy Technology as a Plot Device (Transcript of Discussion)

My coauthor Brad Rosen is a former student of mine who took a course I gave in 2003 entitled Sensitive Information in a Wired World.

Joan Feigenbaum
Bitcoin: Perils of an Unregulated Global P2P Currency

Bitcoin has, since 2009, become an increasingly popular online currency, in large part because it resists regulation and provides anonymity. We discuss how Bitcoin has become both a highly useful tool for criminals and a lucrative target for crime, and argue that this arises from the same essential ideological and design choices that have driven Bitcoin’s success to date. In this paper, we survey the landscape of Bitcoin-related crime, such as dark markets and bitcoin theft, and speculate about possible future possibilities, including tax evasion and money laundering.

Syed Taha Ali, Dylan Clarke, Patrick McCorry
Bitcoin: Perils of an Unregulated Global P2P Currency (Transcript of Discussion)

So our topic is “Bitcoin: Perils of an Unregulated Global P2P Currency”.

Syed Taha Ali
Will Technology Make Information Security Impossible? And Must Technology Be Invented Just Because We Can?
Thoughts Occasioned by Brunner’s “The Productions of Time” and Asimov’s “The Dead Past”

John Brunner postulates a technology that can record the thoughts and emotions generated by the human brain during sleep, and replay them on demand later for a third party. Isaac Asimov describes a device that can look into the past and display what actually happened. These fictional inventions raise interesting questions about the way we actually handle confidentiality and integrity of information at present, and suggest new threats and countermeasures.

Paul Wernick, Bruce Christianson
Will Technology Make Information Security Impossible? And Must Technology Be Invented Just Because We Can? (Transcript of Discussion)

I took the title for the theme of this workshop absolutely literally because I’ve been using fiction as a starting point.

Paul Wernick
Information Leakage Due to Revealing Randomly Selected Bits

This note describes an information theory problem that arose from some analysis of quantum key distribution protocols. The problem seems very natural and is very easy to state but has not to our knowledge been addressed before in the information theory literature: suppose that we have a random bit string y of length n and we reveal k bits at random positions, preserving the order but without revealing the positions, how much information about y is revealed?

We show that while the cardinality of the set of compatible y strings depends only on n and k, the amount of leakage does depend on the exact revealed x string. We observe that the maximal leakage, measured as decrease in the Shannon entropy of the space of possible bit strings, corresponds to the x string being all zeros or all ones and that the minimum leakage corresponds to the alternating x strings. We derive a formula for the maximum leakage (minimal entropy) in terms of n and k. We discuss the relevance of other measures of information, in particular min-entropy, in a cryptographic context. Finally, we describe a simulation tool to explore these results.

Arash Atashpendar, A. W. Roscoe, Peter Y. A. Ryan
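The abstract's puzzle is small enough to brute-force for short strings, which is the quickest way to see its two claims: the number of compatible y strings depends only on n and k, while the entropy left in y depends on which x was revealed. The code below is an added example for this page, not the authors' simulation tool. The posterior follows from the sampling process described in the abstract: the k positions are a uniformly random k-subset, so Pr[y | x] is proportional to the number of position sets in y that read off x, i.e. the number of embeddings of x in y as a subsequence, and the normaliser is C(n,k) 2^(n-k). Shannon entropy and min-entropy are then computed over that posterior.

```python
from itertools import product
from math import comb, log2

# Added example: exhaustive computation of the leakage for small n.

def embeddings(x: str, y: str) -> int:
    """Number of position sets at which x occurs as a subsequence of y."""
    k = len(x)
    dp = [1] + [0] * k        # dp[j] = ways to embed x[:j] in the prefix of y seen so far
    for c in y:
        for j in range(k, 0, -1):
            if x[j - 1] == c:
                dp[j] += dp[j - 1]
    return dp[k]

def posterior(n: int, x: str) -> dict:
    """Distribution over y in {0,1}^n given that revealing k uniformly random
    positions of y (order kept, positions hidden) produced the string x."""
    k = len(x)
    total = comb(n, k) * 2 ** (n - k)      # sum over y of embeddings(x, y)
    dist = {}
    for bits in product("01", repeat=n):
        y = "".join(bits)
        w = embeddings(x, y)
        if w:
            dist[y] = w / total
    return dist

def compatible_count(n: int, x: str) -> int:
    """Size of the set of y strings consistent with x; depends only on n and k."""
    return len(posterior(n, x))

def shannon_entropy(dist: dict) -> float:
    return -sum(p * log2(p) for p in dist.values())

def min_entropy(dist: dict) -> float:
    """Guessing-attack measure: -log2 of the most likely y."""
    return -log2(max(dist.values()))

def leakage(n: int, x: str) -> float:
    """Bits of Shannon entropy about y lost by revealing x (prior entropy is n)."""
    return n - shannon_entropy(posterior(n, x))

def compare(n: int, k: int):
    """Leakage for every revealed x of length k, most leaky first."""
    rows = [("".join(b), leakage(n, "".join(b))) for b in product("01", repeat=k)]
    return sorted(rows, key=lambda r: -r[1])
```

Running compare(6, 3) puts 000 and 111 at the top and 010 and 101 at the bottom, matching the abstract, while compatible_count(6, x) is the same for every x of length 3. The min-entropy view is harsher than the Shannon one: for x all zeros the single most likely y is the all-zeros string with probability 2^-(n-k), so an adversary who guesses it is right far more often than the Shannon figure suggests.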
Information Leakage Due to Revealing Randomly Selected Bits (Transcript of Discussion)

What I am going to talk about is far from fiction, but the theme was fact or fiction, so I guess we are just on the fact side of things. This is joint work with Peter Ryan and Bill Roscoe from Oxford. First, I am going to briefly provide the context in which we faced this issue. It is an information theory puzzle that arose from a study, which resulted in a modification of one of the sub-protocols of quantum key distribution.

Arash Atashpendar
Efficient Data Intensive Secure Computation: Fictional or Real?

Secure computation has the potential to completely reshape the cybersecurity landscape, but this will happen only if we can make it practical. Despite significant improvements recently, secure computation is still orders of magnitude slower than computation in the clear. Even with the latest technology, running the killer apps, which are often data intensive, in secure computation is still a mission impossible. In this paper, I present two approaches that could lead to practical data intensive secure computation. The first approach is by designing data structures. Traditionally, data structures have been widely used in computer science to improve performance of computation. However, in secure computation they have been largely overlooked in the past. I will show that data structures could be effective performance boosters in secure computation. Another approach is by using fully homomorphic encryption (FHE). A common belief is that FHE is too inefficient to have any practical applications for the time being. Contrary to this common belief, I will show that in some cases FHE can actually lead to very efficient secure computation protocols. This is due to the high degree of internal parallelism in recent FHE schemes. The two approaches are explained with Private Set Intersection (PSI) as an example. I will also show the performance figures measured from prototype implementations.

Changyu Dong
Efficient Data Intensive Secure Computations: Fictional or Real? (Transcript of Discussion)

The question then of course is whether any of the private data are leaked as a result of the design of the program.

Changyu Dong
Backmatter
Metadata
Title
Security Protocols XXIII
Edited by
Bruce Christianson
Petr Švenda
Vashek Matyáš
James Malcolm
Frank Stajano
Jonathan Anderson
Copyright year
2015
Electronic ISBN
978-3-319-26096-9
Print ISBN
978-3-319-26095-2
DOI
https://doi.org/10.1007/978-3-319-26096-9
