January 5, 2010

[jsosug:00117] FYI: NDSS'10 program


The NDSS (Network and Distributed Systems Security Symposium) 2010 program
Feb 28-Mar 3, San Diego, CA

The Sybil attack on Vanish, which was the Outstanding Student Paper at
USENIX Security '09, has already become a paper. Quick turnaround.

Session 1: Distributed Systems and Networks

Server-side Verification of Client Behavior in Online Games
Darrell Bethea, Robert Cochran and Michael Reiter
Online gaming is a lucrative industry, but one that is slowed by
cheating that compromises the gaming experience and hence drives
away players (and revenues). This paper develops a technique by
which game developers can enable game operators to validate the
behavior of game clients as being consistent with valid execution of
the sanctioned client software. The paper demonstrates its approach
in two case studies: one of the open-source game XPilot, and one of
a multiplayer game similar to Pac-Man.

Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs
Scott Wolchok, Owen S. Hofmann, Nadia Heninger, Edward W. Felten,
J. Alex Halderman, Christopher J. Rossbach, Brent Waters, and Emmett Witchel
We examine the security of Vanish, a recent proposal for creating
"self-destructing" data. Vanish works by encrypting messages and
scattering the keys in a million-node DHT, where they remain
accessible for only a few hours. We show that an attacker can defeat
Vanish by conducting a large Sybil attack against the DHT and
recording every value before it ages out. Optimizations allow the
attacker to reduce the cost by more than two orders of magnitude
from the Vanish authors' projections.

Stealth DoS Attacks on Secure Channels
Amir Herzberg and Haya Shulman
Can security mechanisms in the IP layer protect TCP from
denial/degradation of service (DoS) attacks by a stealth adversary
who can eavesdrop and inject (a few) packets? We present such attacks
on IPsec without an anti-replay window, and on IPsec with a small
anti-replay window. We subsequently show how to calculate the correct
size of the anti-replay window. Then, we present a (slightly more
elaborate) attack that works for any window size. Finally we propose
modifications to the IPsec gateway that defend against the stealth DoS
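The abstract above turns on how an ESP-style anti-replay window behaves at the edges. The following is an added example (not code from the paper or from any IPsec implementation): a sliding window in the style of RFC 4303, a replay with the window disabled, and a "rushed" out-of-order delivery that pushes a burst's in-flight packets outside a small window. The rushed-packet scenario and the `min_window_for_reordering` bound are this example's own illustrations of the kind of attack and sizing the abstract describes, not the paper's specific attack or formula; all packets are assumed to have already passed integrity checking.

```python
import math


class AntiReplayWindow:
    """Sliding anti-replay window in the style of ESP (RFC 4303); size 0 = disabled.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number top - i has already been seen.
    """

    def __init__(self, size):
        self.size = size
        self.top = 0
        self.bitmap = 1  # sequence number 0 is never used

    def accept(self, seq):
        """Return True if an (already authenticated) packet should be delivered."""
        if self.size == 0:
            return True                      # no replay protection at all
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1              # jumped entirely past the old window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # too old: fell off the left edge
        if (self.bitmap >> offset) & 1:
            return False                     # replay of a packet already seen
        self.bitmap |= 1 << offset
        return True


def deliver(window, arrivals):
    """Feed a constructed arrival order through the window; split accepted/dropped."""
    accepted, dropped = [], []
    for seq in arrivals:
        (accepted if window.accept(seq) else dropped).append(seq)
    return accepted, dropped


def replay_duplicates(window_size, sent=20, replayed=(5, 6, 7, 8)):
    """Window disabled: an eavesdropper who re-injects captured packets gets
    duplicate segments delivered to TCP (duplicate ACKs, spurious retransmits).
    Returns how many duplicates got through."""
    w = AntiReplayWindow(window_size)
    accepted, _ = deliver(w, list(range(1, sent + 1)) + list(replayed))
    return len(accepted) - sent


def rushed_packet_losses(window_size, burst=100):
    """Small window: the adversary copies the last packet of a burst and injects
    it over a faster path so it arrives first; every in-flight packet more than
    window_size behind it is then discarded as 'too old'. Returns the losses."""
    w = AntiReplayWindow(window_size)
    _, dropped = deliver(w, [burst] + list(range(1, burst)))
    return dropped


def min_window_for_reordering(packet_rate_pps, max_reorder_seconds):
    """Illustrative sizing bound (this example's assumption, not the paper's
    formula): the window must cover every packet that can be in flight during
    the largest reordering delay the path can impose."""
    return math.ceil(packet_rate_pps * max_reorder_seconds) + 1
```

`replay_duplicates(0)` hands four replayed segments to TCP while `replay_duplicates(64)` hands none; `rushed_packet_losses(64)` silently drops packets 1 through 36 of a 100-packet burst even though every one of them is genuine, and a window of 128 drops nothing. The lesson a practitioner takes from the abstract is that "anti-replay on" is not the end of the decision: the window has to be sized against the reordering the path (or an adversary on a faster path) can induce.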

Session 2: Web Security and Privacy

Protecting Browsers from Extension Vulnerabilities
Adam Barth, Adrienne Porter Felt, Prateek Saxena, and Aaron Boodman
Buggy browser extensions can be exploited by malicious web site
operators. In Firefox, these exploits are dangerous because
extensions run with the user's full privileges, including local
system access. We analyze 25 popular Firefox extensions and find
that 88% need less than the full set of privileges. We propose a new
browser extension platform based on least privilege, privilege
separation, and strong isolation. Our design has been adopted as the
Google Chrome extension system.

Adnostic: Privacy Preserving Targeted Advertising
Vincent Toubiana, Arvind Narayanan, Dan Boneh, Helen Nissenbaum and Solon Barocas
Adnostic is a practical architecture and prototype implementation
that enables targeted advertising without compromising user
privacy. Behavioral profiling and targeting in Adnostic takes place
in the browser while the ad network remains agnostic to the user's
interests. Our paper discusses the effectiveness of the system as
well as potential social engineering and web-based attacks on the
architecture. We also describe a cryptographic billing system that
lets ad networks bill the correct advertiser without knowing which
ad was displayed to the user.

FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications
Prateek Saxena, Steve Hanna, Pongsin Poosankam and Dawn Song
Much of the prior research on web application vulnerabilities has
focused on server-side vulnerabilities. This paper highlights a new
class of vulnerabilities, which we term client-side validation (or
CSV) vulnerabilities, that arise due to improper validation in
client-side JavaScript code and can result in a broad spectrum of
attacks. We propose a new dynamic analysis technique to
systematically discover this class of vulnerabilities that is
light-weight, efficient and has no false positives. We implement our
approach in a tool called FLAX. In our evaluation on live web
applications, FLAX has found numerous CSV vulnerabilities in the
wild, demonstrating both its practical scalability and the
prevalence of this class of vulnerabilities in real-world

Session 3: Intrusion Detection and Attack Analysis

Effective Anomaly Detection with Scarce Training Data
William Robertson, Federico Maggi, Christopher Kruegel and Giovanni Vigna
Learning-based anomaly detection has proven to be an effective
black-box technique for detecting unknown attacks. However, the
technique crucially depends upon both the quality and the
completeness of the training data, both of which are routinely
lacking in real-world settings. In this work, we present an approach
for remediating a local scarcity of training data by automatically
leveraging similar, well-trained models from other sites. We
experimentally demonstrate the efficacy of the approach in the
context of web application anomaly detection over a data set of more
than 58 million HTTP requests.

Large-Scale Automatic Classification of Phishing Pages
Colin Whittaker, Brian Ryner and Marria Nazif
We present the design and performance characteristics of a scalable
machine learning classifier that detects phishing websites. We use
this classifier to maintain Google's phishing blacklist
automatically, analyzing millions of potentially phishing pages
every day. To train our classifier, we use a dataset consisting of
millions of samples from previously classified pages labeled
according to our published blacklist. Despite noise in the training
labels, our classifier learns a robust model for identifying
phishing pages which correctly classifies more than 90% of phishing
pages several weeks after training concludes.

A Systematic Characterization of IM Threats using Honeypots
Iasonas Polakis, Thanasis Petsas, Evangelos P. Markatos and Spiros Antonatos
The popularity of instant messaging (IM) services has recently
attracted the interest of attackers that send malicious URLs or
files to the contact lists of compromised instant messaging accounts
or clients. This work aims to provide a systematic characterization
of IM threats based on the information collected by HoneyBuddy, a
honeypot-like infrastructure for detecting malicious activities in
IM networks. We also deploy the prototype implementation of our
myMSNhoneypot service, an early detection service that can inform
users if their accounts or IM clients have been compromised.

Session 4: Spam

On Network-level Clusters for Spam Detection
Zhiyun Qian, Zhuoqing Mao, Yinglian Xie and Fang Yu
Researchers have already recognized the need to identify IP clusters
instead of focusing on individual IP addresses to construct
blacklists for detecting spam. In this paper, building on BGP
clusters, we propose a significantly improved clustering approach
integrating both network origin and DNS information. False negative
rate can be reduced by 30% - 50% using 7 month traces compared to
directly applying various public IP-based blacklists and
SpamAssassin without affecting false positive rate.

Improving Spam Blacklisting Through Dynamic Thresholding and Speculative Aggregation
Sushant Sinha, Michael Bailey and Farnam Jahanian
Spam constitutes a significant fraction of all e-mail connection
attempts and routinely frustrates users, consumes resources, and
serves as an infection vector for malicious software. In an effort
to reduce the impact of these e-mails, operators have increasingly
turned to coarse-grained, reputation-based, dynamic policy
enforcement, or blacklisting. While scalable, blacklisting exhibits
both false positives and false negatives. In this paper, we argue
that blacklists should be tailored and present two techniques that
leverage local perspectives to significantly improve blacklist

Botnet Judo: Fighting Spam with Itself
Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker,
Vern Paxson, Nicholas Weaver and Stefan Savage
Judo is a system for better filtering spam by exploiting the vantage
point of the spammer. By instantiating and monitoring botnet hosts
in a controlled environment, we are able to monitor new spam as it
is created, and consequently infer the underlying template used to
generate polymorphic e-mail messages. We demonstrate this approach
on mail traces from a range of modern botnets and show that we can
automatically filter such spam precisely and with virtually no false

Session 5: Anonymity and Cryptographic Systems

Contractual Anonymity
Edward J. Schwartz, David Brumley and Jonathan M. McCune
We propose, develop, and implement techniques for achieving
contractual anonymity. In contractual anonymity, a user and service
provider enter into an anonymity contract. The user is guaranteed
anonymity and message unlinkability from the contractual anonymity
system unless she breaks the contract. The service provider is
guaranteed that it can identify users who break the contract. Our
system can enforce many types of contract policies, is efficient,
and has a small trusted computing base.

A3: An Extensible Platform for Application-Aware Anonymity
Micah Sherr, Andrew Mao, William R. Marczak, Wenchao Zhou and Boon Thau Loo
This paper presents the design and implementation of
Application-Aware Anonymity (A3), an extensible platform for
deploying anonymity-based services on the Internet. A3 allows
applications to tailor their anonymity and performance properties
according to their communication requirements. To support flexible
path construction, A3 exposes a declarative language (A3Log) that
enables applications to compactly specify path selection and
instantiation policies. A3Log is sufficiently versatile to represent
novel multi-metric performance constraints as well as existing relay
selection algorithms.

When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography
Thomas Ristenpart and Scott Yilek
Random number generators (RNGs) are consistently a weak link in the
secure use of cryptography. Routine cryptographic operations such as
encryption and signing can fail spectacularly given predictable or
repeated randomness, even when using good long-lived key
material. This has proved problematic in prior settings when RNG
implementation bugs, poor design, or low-entropy sources have
resulted in predictable randomness. We investigate a new way in
which RNGs fail due to reuse of virtual machine (VM) snapshots. We
exhibit such VM reset vulnerabilities in widely-used TLS clients and
servers: the attacker takes advantage of (or forces) snapshot replay
to compromise sessions or even expose a server's DSA signing
key. Our next contribution is a backwards-compatible framework for
hedging routine cryptographic operations against bad randomness,
thereby mitigating the damage due to randomness failures. We apply
our framework to the OpenSSL library and experimentally confirm that
it has little overhead.
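The DSA key exposure in the abstract above is the classic nonce-reuse failure: two signatures made with the same per-message secret k share r, which lets anyone with both signatures solve for k and then for the private key. The block below is an added example (not code from the paper or from OpenSSL) that reproduces the mechanism end to end with a snapshot-and-resume of a seeded userland RNG standing in for the VM reset, then shows hedged signing surviving the same reset. Domain parameters are toy-sized (48-bit q) so it runs offline in under a second; the HMAC-based `hedged_nonce` derivation is this example's assumption about how to hedge, not the paper's exact construction.

```python
import hashlib
import hmac
import random

_MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # exact below ~2^81


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for the sizes used here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(rng, q_bits=48, cof_bits=30):
    """Toy DSA domain parameters (p, q, g): q | p-1 and g has order q."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        cof = (rng.getrandbits(cof_bits) | (1 << (cof_bits - 1))) & ~1
        p = cof * q + 1
        if is_probable_prime(p):
            break
    h = 2
    while pow(h, cof, p) == 1:
        h += 1
    return p, q, pow(h, cof, p)


def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def keygen(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def sign(params, x, msg, k):
    """Standard DSA; the key's safety depends entirely on k being fresh."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, hash_to_int(msg, q) * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r


def recover_private_key(params, m1, sig1, m2, sig2):
    """Two signatures with the same k share r; that leaks k and then x."""
    _, q, _ = params
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: the nonce was not reused")
    h1, h2 = hash_to_int(m1, q), hash_to_int(m2, q)
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - h1) * pow(r1, -1, q) % q


def hedged_nonce(x, msg, rng_output, q):
    """Hedging as assumed by this example: derive k from the secret key, the
    message and the RNG output, so a replayed RNG state still yields a fresh k
    for a different message."""
    mac = hmac.new(x.to_bytes(32, "big"), msg + rng_output, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (q - 1) + 1


def vm_reset_demo(seed=2010):
    """Two clones resumed from one snapshot draw the same nonce; whoever sees
    both signatures recovers the signing key. Hedged signing does not leak."""
    rng = random.Random(seed)              # stands in for the guest's userland RNG
    params = generate_params(rng)
    p, q, g = params
    x, y = keygen(params, rng)
    snapshot = rng.getstate()              # the VM image is frozen here
    m1, m2 = b"GET /a HTTP/1.1", b"GET /b HTTP/1.1"   # constructed messages
    k1 = rng.randrange(1, q)               # clone 1 resumes and signs m1
    rng.setstate(snapshot)                 # clone 2 resumes from the same snapshot
    k2 = rng.randrange(1, q)               # ... and draws the identical nonce
    sig1, sig2 = sign(params, x, m1, k1), sign(params, x, m2, k2)
    recovered = recover_private_key(params, m1, sig1, m2, sig2)
    rng.setstate(snapshot)
    out = rng.getrandbits(256).to_bytes(32, "big")    # same RNG bytes in both clones
    hk1, hk2 = hedged_nonce(x, m1, out, q), hedged_nonce(x, m2, out, q)
    return {
        "params_ok": (p - 1) % q == 0 and pow(g, q, p) == 1 and g != 1,
        "nonce_reused": k1 == k2,
        "both_valid": verify(params, y, m1, sig1) and verify(params, y, m2, sig2),
        "key_recovered": recovered == x,
        "hedged_nonces_differ": hk1 != hk2,
        "hedged_still_valid": verify(params, y, m2, sign(params, x, m2, hk2)),
    }
```

`vm_reset_demo()` reports that both signatures verify, that the recovered value equals the private key, and that the hedged nonces for the two messages differ even though the RNG returned identical bytes after the reset. The same arithmetic applies at real key sizes; only the parameter generation was shrunk here.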

Session 6: Security Protocols and Policies

InvisiType: Object-Oriented Security Policies
Jiwon Seo and Monica S. Lam
This paper proposes InvisiType, an object-oriented approach that
enables platform developers to enforce safety checks on third-party
extensions without requiring their cooperation. Developers
encapsulate safety checks in an InvisiType policy class and
selectively subject objects at risk to these policies. The run-time
enforces these policies by changing the types of these objects
dynamically. Our InvisiType policies successfully found 19
cross-site scripting vulnerabilities and 6 access control errors in
total. The runtime overhead is small, indicating that the technique
is practical.

A Security Evaluation of DNSSEC with NSEC3
Jason Bau and John Mitchell
This paper studies the goals and operations of DNSSEC/NSEC3 and uses
Murphi, a finite-state enumeration tool, to check its security
properties in presence of a network attacker model. We uncover
several weaknesses in DNSSEC, including incorrect dependencies in
the signature chain and NSEC3 options that allow forged name
insertion into a domain. We then confirm the exploitability of the
NSEC3 vulnerability in a realistic laboratory DNSSEC domain. We
finally offer implementation and configuration advice minimizing
exploitability of the uncovered vulnerabilities.

On the Safety of Enterprise Policy Deployment
Yudong Gao, Ni Pan, Xu Chen and Z. Morley Mao
We present the first work to address the security issues of
enterprise policy deployment, an under-studied procedure that leaves
security vulnerabilities if not carefully designed. We formally
define insecure states during policy deployments and demonstrate
their security implications with real examples. We further propose
an efficient algorithm to generate deployment procedures that are
free of insecure states, and implement it on Group Policy framework
requiring no infrastructure modification. We show that our algorithm
adds minimal overhead while provably eliminating insecure
intermediate states.

Session 7: Languages and Systems Security

Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation
Suresh Chari, Shai Halevi and Wietse Venema
We analyze filename-based privilege escalation attacks, where victim
programs are "tricked" into opening unintended files. Solutions to
this problem nowadays are built into some applications, but we show
that it can be solved in the file system itself (or a library), thus
providing protection to all applications. Our solution builds on a
new name-resolution procedure, ensuring that files in "safe
directories" cannot be opened using an "unsafe
pathname". Comprehensive tests on several UNIX variants confirm that
this solution is viable.
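To make the "safe directory" / "unsafe pathname" distinction in the abstract above concrete, here is an added example (not the paper's resolver, nor code from any UNIX variant): a naive open that follows a symlink planted in a world-writable directory, next to a hardened opener that resolves the path one component at a time below a base directory, refuses to traverse any directory that fails a trust check, and never follows symlinks. The `dir_is_trusted` rule (owned by a trusted uid, not group/world writable) and the blanket refusal of symlinks are this example's simplifications and are stricter than the paper's name-resolution procedure; the temporary directory layout is constructed for the demo. POSIX only.

```python
import os
import stat
import tempfile


def dir_is_trusted(st, trusted_uids):
    """Simplified 'safe directory' rule (this example's assumption): owned by a
    trusted uid and not writable by group or others. A writable directory lets
    another user plant a symlink or rename entries while we resolve the path."""
    if st.st_uid not in trusted_uids:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def open_safely(base_fd, relpath, trusted_uids, flags=os.O_RDONLY):
    """Resolve relpath component by component below base_fd, refusing '..',
    symlinks and untrusted directories. Returns an open file descriptor."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PermissionError("'..' not allowed in a sandboxed path")
    cur = os.dup(base_fd)
    try:
        for i, name in enumerate(parts):
            st = os.fstat(cur)
            if not stat.S_ISDIR(st.st_mode) or not dir_is_trusted(st, trusted_uids):
                raise PermissionError("unsafe pathname: untrusted directory before %r" % name)
            last = i == len(parts) - 1
            want = flags if last else os.O_RDONLY | os.O_DIRECTORY
            try:
                # O_NOFOLLOW makes a symlink at this component fail with ELOOP
                nxt = os.open(name, want | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=cur)
            except OSError as e:
                raise PermissionError("unsafe pathname: %r (%s)" % (name, e.strerror))
            os.close(cur)
            cur = nxt
        return cur
    except Exception:
        os.close(cur)
        raise


def build_scenario():
    """Constructed layout: a private 'safe' dir holding a secret, and a
    world-writable 'shared' dir where an attacker has planted a symlink."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o700)
    os.mkdir(os.path.join(root, "safe"), 0o700)
    with open(os.path.join(root, "safe", "secret.txt"), "w") as f:
        f.write("top secret\n")
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)                    # anyone could have created the link
    os.symlink(os.path.join(root, "safe", "secret.txt"),
               os.path.join(shared, "report.txt"))
    return root


def naive_read(root, relpath):
    """The vulnerable pattern: open() follows whatever the pathname points at."""
    with open(os.path.join(root, relpath)) as f:
        return f.read()


def safe_read(root, relpath):
    """The hardened pattern: the same request goes through open_safely()."""
    base_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = open_safely(base_fd, relpath, trusted_uids={0, os.getuid()})
    finally:
        os.close(base_fd)
    with os.fdopen(fd) as f:
        return f.read()
```

`naive_read(root, "shared/report.txt")` happily returns the secret through the planted link; `safe_read` on the same pathname raises `PermissionError` as soon as it enters the world-writable directory, while `safe_read(root, "safe/secret.txt")` still succeeds. Doing the walk with `dir_fd`-relative opens rather than string checks is what closes the race between checking a component and using it.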

Joe-E: A Security-Oriented Subset of Java
Adrian Mettler, David Wagner and Tyler Close
Joe-E is a subset of Java that makes it easier to architect and
implement programs with strong security properties that can be
checked during a security review. It enables programmers to apply
the principle of least privilege to their programs; implement
application-specific reference monitors that cannot be bypassed;
introduce and use domain-specific security abstractions; safely
execute and interact with untrusted code; and build secure,
extensible systems. Joe-E provides object-capability security while
retaining the features and feel of a mainstream language.

Preventing Capability Leaks in Secure JavaScript Subsets
Matthew Finifter, Joel Weinberger and Adam Barth
To protect themselves from malicious web advertisements, publishers
wish to sandbox ads. One popular approach is to statically verify
that the ads conform to a "safe" subset of JavaScript that
blacklists known-dangerous properties. We show this approach is
insufficient because the ads can abuse new methods defined by the
hosting page. We propose an improved subset based on whitelisting
known-safe properties using namespaces.

Session 8: Malware

Binary Code Extraction and Interface Identification for Security Applications
Juan Caballero, Noah M. Johnson, Stephen McCamant, and Dawn Song
In this paper we conduct the first systematic study of binary code
reuse, the process of automatically identifying the interface and
extracting the instructions and data dependencies of a code fragment
from the program's binary, so that it is self-contained and can be
reused by external code. We propose a novel technique to identify
the prototype of an undocumented code fragment directly from the
program's binary, and use a combination of dynamic and static
analysis to extract the code.

Automatic Reverse Engineering of Data Structures from Binary Execution
Zhiqiang Lin, Xiangyu Zhang and Dongyan Xu
In many security and forensics applications, it is desirable to
uncover data structures in a binary program with their syntactic and
semantic definitions. We present REWARDS, a reverse engineering
technique that automatically reveals such information via dynamic
analysis. By performing runtime data flow tracking, REWARDS
identifies variables and resolves variable types based on
type-revealing execution points encountered during execution. We
demonstrate that REWARDS provides unique benefits to two
applications: memory image forensics and binary fuzzing for
vulnerability discovery.

Efficient Detection of Split Personalities in Malware
Davide Balzarotti, Marco Cova, Christoph Karlberger, Engin Kirda, Christopher Kruegel and Giovanni Vigna
A current challenge in malware analysis is detecting
split-personality malware, i.e., malicious programs that, when run
in an emulated or virtualized analysis environment, behave
differently than on a real system. We developed a novel approach to
detect such malware by first recording the malware's interaction
with the operating system on an uninstrumented reference host and
then leveraging the collected information to deterministically
re-execute the program in a virtualized environment. If the
malware's behavior is different, we conclude that the program has a
split personality.


Japan secure operating system users group

Posted by xml-rpc : January 5, 2010 10:44