
Sunday, 14 July 2019

Information Security

Breaking MPC implementations through compression

Abstract

There are many cryptographic protocols in the literature that are scientifically and mathematically sound. By extension, cryptography today seeks to respond to numerous properties of the communication process beyond confidentiality (secrecy), such as integrity, authenticity, and anonymity. In addition to the theoretical evidence, implementations must be equally secure. Due to the ever-increasing intrusion from governments and other groups, citizens are now seeking alternative ways of communication that do not leak information. In this paper, we analyze multiparty computation (MPC), which is a sub-field of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private. This is a very useful method that can be used, for example, to carry out computations on anonymous data without having to leak that data. Thus, due to the importance of confidentiality in this type of technique, we analyze active and passive attacks using complexity measures (compression and entropy). We start by obtaining network traces and syscalls, then we analyze them using compression and entropy techniques. Finally, we cluster the traces and syscalls using standard clustering techniques. This approach does not need any deep specific knowledge of the implementations being analyzed. This paper presents a security analysis for four MPC frameworks, where three were identified as insecure. These insecure libraries leak information about the inputs provided by each party of the communication. Additionally, we have detected, through a careful analysis of its source code, that SPDZ-2’s secret sharing schema always produces the same results.

Mobile botnets meet social networks: design and analysis of a new type of botnet

Abstract

The ubiquitous nature of smartphone services and the popularity of online social networking can be a lethal combination that spreads malware and computer viruses in a quick and efficient manner to a large number of Internet users. In this article, we propose a new cellular botnet named SoCellBot that exploits online social networks (OSNs) to recruit bots and uses OSN messaging systems as communication channels between bots. Our proposed botnet is the first that uses the OSN platform as a means to recruit and control mobile cellular bots. The structure and characteristics of OSNs make this botnet harder to detect, more resilient to bot failures and more cost-effective to cellular bots. We present a comprehensive study of this new type of botnet in this article. We first analyze the characteristics of the botnet via simulations. We then present an analytical model to estimate the number of infected users (smart phones) over time. We also provide a real-life implementation of the botnet on a small-scale social network as proof of concept. Finally, we study and recommend effective mechanisms to detect recruitment malware spread by such a botnet in its early stages of propagation. The objective of this work is to raise awareness of new mobile botnets that exploit OSNs to recruit and control bots so that preventive measures can be implemented to deter this kind of attack in the future.

Double-spending prevention for Bitcoin zero-confirmation transactions

Abstract

Zero-confirmation transactions, i.e. transactions that have been broadcast but are still pending to be included in the blockchain, have gained attention in order to enable fast payments in Bitcoin, shortening the time for performing payments. Fast payments are desirable in certain scenarios, for instance, when buying in vending machines, fast food restaurants, or withdrawing from an ATM. Despite being quickly propagated through the network, zero-confirmation transactions are not protected against double-spending attacks, since the double-spending protection Bitcoin offers relies on the blockchain and, by definition, such transactions are not yet included in it. In this paper, we propose a double-spending prevention mechanism for Bitcoin zero-confirmation transactions. Our proposal is based on exploiting the flexibility of the Bitcoin scripting language together with a well-known vulnerability of the ECDSA signature scheme to discourage attackers from performing such an attack.

SSPFA: effective stack smashing protection for Android OS

Abstract

In this paper, we detail why the stack smashing protector (SSP), one of the most effective techniques to mitigate stack buffer overflow attacks, fails to protect the Android operating system and thus causes a false sense of security that affects all Android devices. We detail weaknesses of existing SSP implementations, revealing that current SSP is not secure. We propose SSPFA, the first effective and practical SSP for Android devices. SSPFA provides security against stack buffer overflows without changing the underlying architecture. SSPFA has been implemented and tested on several real devices showing that it is not intrusive, and it is binary-compatible with Android applications. Extensive empirical validation has been carried out over the proposed solution.

You click, I steal: analyzing and detecting click hijacking attacks in web pages

Abstract

Click Hijacking (clickjacking) is emerging as a web-based threat on the Internet. The prime objective of clickjacking is stealing user clicks. An attacker can carry out a clickjacking attack by tricking the victim into clicking an element that is barely visible or completely hidden. By stealing the victim’s clicks, an attacker could entice the victim to perform an unintended action from which the attacker can benefit. These actions include online money transactions, sharing malicious website links, initiating social networking links, etc. This paper presents an anatomy of advanced clickjacking attacks not yet reported in the literature. In particular, we propose a new class of clickjacking attacks that employ SVG filters and create various effects with SVG filters. We demonstrate that current defense techniques are ineffective to deal with these sophisticated clickjacking attacks. Furthermore, we develop a novel detection method for such attacks based on the behavior (response) of a website active content against the user clicks (request). In our experiments, we found that our method can detect advanced Scalable Vector Graphics (SVG)-based attacks where most of the contemporary tools fail. We explore and utilize various common and distinguishing characteristics of malicious and legitimate web pages to build a behavioral model based on Finite State Automaton. We evaluate our proposal with a sample set of 78,000 web pages from various sources, and 1000 web pages known to involve clickjacking. Our results demonstrate that the proposed solution enjoys good accuracy and a negligible percentage of false positives (i.e., 0.28%), and zero false negatives in distinguishing clickjacking and legitimate websites.

SpyDetector: An approach for detecting side-channel attacks at runtime

Abstract

In this work, we first present a low-cost, anomaly-based semi-supervised approach, which is instrumental in detecting the presence of ongoing side-channel attacks at runtime. We are, in particular, concerned with attacks that are carried out by creating intentional contentions in shared resources with cryptographic applications using a “spy” process. At a very high level, the approach quantifies contentions in shared resources, associates these contentions with processes, such as with a victim process, and issues a warning at runtime whenever the contentions reach a “suspicious” level. We then adapt this approach to detect the presence of four different types of cache-based side-channel attacks, namely prime-and-probe attacks on advanced encryption standard (AES), flush-and-reload attacks on AES and elliptic curve digital signature algorithm with Montgomery ladder algorithm, and Flush + Flush attacks on AES. To this end, we vary the shared resources monitored, the level of granularity at which the contentions in these resources are quantified, and the way the suspicious levels of contentions are detected. We evaluate the proposed approach also in cross-virtual machine setups (when applicable). The results of our experiments support our basic hypothesis that spy processes, which leverage information leaked by cryptographic applications through some shared resources, ironically leak information by themselves through the same or related channels, which can be analyzed to detect the presence of ongoing attacks at runtime.

Analyzing XACML policies using answer set programming

Abstract

With the tremendous growth of Web applications and services, eXtensible Access Control Markup Language (XACML) has been broadly adopted to specify Web access control policies. However, when the policies are large or defined by multiple authorities, it has proved difficult to analyze errors and vulnerabilities in a manual fashion. Recent advances in the answer set programming (ASP) paradigm have provided a powerful problem-solving formalism that is capable of dealing with policy verification. In this paper, we employ ASP to analyze various properties of XACML policies. To this end, we first propose a structured mechanism to translate a XACML policy into an ASP program. Then, we leverage the features of off-the-shelf ASP solvers to specify and verify a wide range of properties of a XACML policy, including redundancy, conflicts, refinement, completeness, reachability, and usefulness. We present an empirical evaluation of the effectiveness and efficiency of a policy analysis tool implemented on top of the Clingo ASP solver. The evaluation results show that our approach is computationally more efficient compared with existing approaches.

Feature dynamic deep learning approach for DDoS mitigation within the ISP domain

Abstract

The emergence of the Mirai malware facilitated a DDoS attack vector to surge to almost 1 Tbps in 2016, instigated by less than 150,000 infected IoT devices. With the infection of five new IoT devices per minute, the size of the Mirai botnet was enlarged to 2.5 million devices by the end of 2016. The continuous adaptation of the Mirai malware enables the modern variant to dynamically update its malware scripts on the fly to launch even more advanced and malevolent DDoS attacks, which dramatically escalates the level of difficulty with mitigating DDoS attacks. Many researchers endeavour to develop mitigation systems to keep up with the increasing security threats. Nonetheless, most presented models provide inefficient solutions either by utilising auxiliary servers at the host site, on the cloud or at dedicated data scrubbing centres. Since internet service providers (ISPs) connect the internet with users, the mitigation system should be deployed within the ISP domain to deliver a more efficient solution. Accordingly, we propose a stacked self-organising map, which is a feature dynamic deep learning approach that utilises netflow data collected by the ISP to combat the dynamic nature of novel DDoS attacks.

Correction to: Using Hierarchical Timed Coloured Petri Nets in the formal study of TRBAC security policies
In the original publication of this article, the third author’s name was incorrectly published.

SonarSnoop: active acoustic side-channel attacks

Abstract

We report the first active acoustic side-channel attack. Speakers are used to emit human inaudible acoustic signals, and the echo is recorded via microphones, turning the acoustic system of a smart phone into a sonar system. The echo signal can be used to profile user interaction with the device. For example, a victim’s finger movements can be inferred to steal Android unlock patterns. In our empirical study, the number of candidate unlock patterns that an attacker must try to authenticate herself to a Samsung S4 phone can be reduced by up to 70% using this novel acoustic side-channel. The attack is entirely unnoticeable to victims. Our approach can be easily applied to other application scenarios and device types. Overall, our work highlights a new family of security threats.
