IFIP Information Security Conference & Privacy Conference - IFIP Technical Committee 11


IFIP SEC 2018 - Programme

Keynote: Cryptographic failures: how and why they happen

Krystian Matusiewicz 

INTEL Technology Poland

Abstract. Cryptographic algorithms and protocols are one of the fundamental building blocks of modern digital systems. Cryptographic schemes provide security functions and by definition lie at the heart of any secure system. As with any heart failure, failures of cryptographic algorithms and implementations tend to be catastrophic. In environments such as hardware components where patching and updates are difficult it may be even more dramatic, leading to long exposure times or even device recalls. In this talk we are going to go through a number of crypto bugs and weaknesses in various systems, from some well-known CVEs to examples of bugs we prevented by our internal security validation activities. These examples will illustrate different classes of deficiencies: algorithmic fragility, design mistakes, implementation errors and validation gaps. The key takeaway of this talk will be suggestions on how to design secure systems to minimize the chance of cryptographic failures.

Design Weaknesses in Recent Ultralightweight RFID Authentication Protocols

P. D'Arco and R. De Prisco
Dipartimento di Informatica Universita di Salerno Fisciano (SA), Italy

Abstract. In this paper we focus our attention on the design of several recently proposed ultralightweight authentication protocols and show that the underlying methodology is not sound. Indeed, the common feature of these protocols lies in the use of transforms, which are the main building blocks. We analyze these transforms and show that all of them present some weaknesses, which can be essentially reduced to poor confusion and diffusion in the input-output mappings. Then, exploiting the weaknesses of the transforms, we describe impersonation attacks against the ultralightweight authentication protocols in which they are used: precisely, RCIA, KMAP, SLAP, and SASI+. On average, an attack requires a constant number of interactions with the targeted tag, compared to the allegedly needed exponential number in the informal security analysis. Moreover, since the weaknesses are in the transforms, the attack strategies we describe can be used to subvert any other protocol that uses the same transforms or closely-related ones.

Attacking RO-PUFs with Enhanced Challenge-Response Pairs

Nils Wisiol and Marian Margraf
Freie Universität Berlin, Germany

Abstract. This paper studies the security of Ring Oscillator Physically Unclonable Function (PUF) with Enhanced Challenge-Response Pairs as proposed by Delavar et al. We present an attack that can predict all PUF responses after querying the PUF with n+2 attacker-chosen queries. This result renders the proposed RO-PUF with Enhanced Challenge-Response Pairs inapt for most typical PUF use cases, including all cases where an attacker has query access.

Hunting Password Leaks in Android Applications

Johannes Feichtner
Graz University of Technology

Abstract. A wide range of mobile applications for the Android operating system require users to input sensitive data, such as PINs or passwords. Given the ubiquitous and security-critical role of credentials, it is paramount that programs process secrets responsibly and do not expose them to unrelated parties. Unfortunately, users have no insight into what happens with their data after entrusting it to an application. In this paper, we introduce a new approach to identify and follow the trace of user input right from the point where it enters an application. By using a combination of static slicing in forward and backward direction, we are able to reveal potential data leaks and can pinpoint their origin. To evaluate the applicability of our solution, we conducted a manual and automated inspection of security-related Android applications that process user-entered secrets. We find that 182 out of 509 (36%) applications insecurely store given credentials in files or pass them to a log output.
Keywords: Android Security, Password Input, Static Analysis

Assessing Privacy Policies of Internet of Things Services

Niklas Paul1, Welderufael B. Tesfay1, Dennis-Kenji Kipker2, Mattea Stelter2 and Sebastian Pape1
1 Goethe-University, Frankfurt, Germany
2 University of Bremen, Bremen, Germany

Abstract. This paper provides an assessment framework for privacy policies of Internet of Things Services which is based on particular GDPR requirements. The objective of the framework is to serve as supportive tool for users to take privacy-related informed decisions. For example when buying a new fitness tracker, users could compare different models in respect to privacy friendliness or more particular aspects of the framework such as if data is given to a third party. The framework consists of 16 parameters with one to four yes-or-no-questions each and allows the users to bring in their own weights for the different parameters. We assessed 110 devices which had 94 different policies. Furthermore, we did a legal assessment for the parameters to deal with the case that there is no statement at all regarding a certain parameter. The results of this comparative study show that most of the examined privacy policies of IoT devices/services are insufficient to address particular GDPR requirements and beyond. We also found a correlation between the length of the policy and the privacy transparency score, respectively.
Keywords: Internet of Things, Privacy Policies, General Data Protection Regulation, GDPR, ePrivacy Regulation, ePR

Usability Characteristics of Security and Privacy Tools: The User’s Perspective

Ioanna Topa and Maria Karyda
Department of Information and Communication Systems Engineering, University of the Aegean, Greece

Abstract. Use of security and privacy tools is still limited for various reasons, including usability issues. This paper analyses usability characteristics of security and privacy tools by drawing on relevant literature and employing scenario-based questionnaires and interviews with 150 users to capture their views. Based on users' feedback, we analyse the role of usability characteristics and identify critical issues such as transparency, control of personal data, design and accessibility and consistency. This paper provides insights into the multifaceted issue of usability of security tools from the users' perspective and a comprehensive picture of users' needs and expectations. Some of the findings of this study show that users regard as important that security and privacy tools incorporate usability characteristics relevant to installation, design and accessibility, control and automation, visible feedback, and locatable security settings. Furthermore, users encounter problems with understanding technical terms and report that the availability of tools among smartphones and operating systems is a usability issue.

Keywords: Usability Characteristics, Security Tools, Privacy Tools.

JonDonym Users' Information Privacy Concerns

David Harborth, Sebastian Pape
Chair of Mobile Business and Multilateral Security Goethe University, Frankfurt, Germany

Abstract. Privacy concerns as well as trust and risk beliefs are important factors that can influence users' decision to use a service. One popular model that integrates these factors is relating the Internet Users Information Privacy Concerns (IUIPC) construct to trust and risk beliefs. However, studies haven't yet applied it to a privacy enhancing technology (PET) such as an anonymization service. Therefore, we conducted a survey among 416 users of the anonymization service JonDonym [1] and collected 141 complete questionnaires. We rely on the IUIPC construct and the related trust-risk model and show that it needs to be adapted for the case of PETs. In addition, we extend the original causal model by including trust beliefs in the anonymization service provider and show that they have a significant effect on the actual use behavior of the PET.

Keywords: Internet Users’ Information Privacy Concerns, IUIPC, Anonymity Services, Privacy Concerns, Trust Beliefs, Risk Beliefs

The Tweet Advantage: An Empirical Analysis of 0-Day Vulnerability Information Shared on Twitter

Clemens Sauerwein, Christian Sillaber, Michael M. Huber, Andrea Mussmann, and Ruth Breu
University of Innsbruck, Department of Computer Science, Austria

Abstract. In the last couple of years, the number of software vulnerabilities and corresponding incidents increased significantly. In order to stay up-to-date about these new emerging threats, organizations have demonstrated an increased willingness to exchange information and knowledge about vulnerabilities, threats, incidents and countermeasures. Apart from dedicated sharing platforms or databases, information on vulnerabilities is frequently shared on Twitter and other social media platforms. So far, little is known about the obtainable time advantage of vulnerability information shared on social media platforms. To close this gap, we identified 709,880 relevant Tweets and subsequently analyzed them. We found that information with high relevance for affected organizations is shared on Twitter often long before any official announcement or patch has been made available by vendors. Twitter is used as a crowdsourcing platform by security experts aggregating vulnerability information and referencing a multitude of publicly available webpages in their Tweets. Vulnerability information shared on Twitter can improve organizations' reaction to newly discovered vulnerabilities and therefore help mitigating threats.

Keywords: Information Security, Shared Cyber Security Information, Social Networks, Data Mining, Twitter, Security Incidents

A Security Analysis of FirstCoin

Alexander Marsalek1, Christian Kollmann2, and Thomas Zefferer2
1 Graz University of Technology, IAIK, Austria
2 A-SIT Plus GmbH

Abstract. Supported by the current hype on Bitcoin, the number of available cryptocurrencies has steadily increased over the past years. Currently, relevant portals list more than 1.500 cryptocurrencies. Many of them slightly deviate from approved and tested technical concepts and realize security-related functionality in different ways. While the security of major cryptocurrencies has already been studied in more detail, security properties of less popular cryptocurrencies that deviate from approved technical concepts often remain unclear. This is a problem, as users run the risk of losing invested money in case the respective cryptocurrency is unable to provide sufficient security. In this paper, we underpin this statement by means of a detailed analysis of the cryptocurrency FirstCoin. We identify and discuss vulnerabilities of FirstCoin, which lead to a low network hash rate and allow for 51% attacks. We propose a double-spending attack that exploits these vulnerabilities and demonstrate the proposed attack's feasibility by running it in an isolated evaluation environment. This way, we show FirstCoin to be insecure and provide a real-world example that underpins the general problem of cryptocurrencies deviating from approved security concepts and relying on weak security designs.

Keywords: Blockchain, double spending, proof-of-work, FirstCoin, cryptocurrency, 51% attack

EMPower: Detecting Malicious Power Line Networks from EM Emissions

Richard Baker and Ivan Martinovic
Department of Computer Science, University of Oxford

Abstract. Power line communication (PLC) networks are commonplace today, particularly within consumer home environments. They permit simple plug-and-play networking by leveraging the existing electrical wiring in buildings to transmit data as well as power. However, the ubiquity of this networking opportunity is often overlooked and permits an attacker, with only one-time access to an environment, to establish free, unmonitored and high-bandwidth network connectivity to the victim. However, the unsuitability of power wiring for high-frequency signalling means that PLC leaks radiated emissions. We demonstrate the detectability of this phenomenon in a real-world setting and introduce EMPower; a system that identifies the presence of hidden power line networking from analysis of the characteristic EM emissions in the frequency and time domains. We demonstrate the effectiveness of EMPower using a COTS radio receiver - identifying the presence of a network near-perfectly within the same room, even when idle, and with 74.6% accuracy two rooms away and on a different floor. Thus realising the capability to monitor an environment for unwanted power line networks.

CPMap: Design of Click-Points Map-based Graphical Password Authentication

Weizhi Meng1, Fei Fei2, Lijun Jiang2, Zhe Liu3, Chunhua Su4, and Jinguang Han5
1 Department of Applied Mathematics and Computer Science, Technical University of Denmark, Denmark,
2 Department of Computer Science, City University of Hong Kong, Hong Kong SAR
3 Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, Luxembourg
4 Division of Computer Science, University of Aizu, Japan
5 Department of Computer Science, University of Surrey, UK

Abstract. As traditional textual passwords suffer from many known limitations, graphical passwords (GPs) are proposed as one promising alternative to complement the existing authentication systems. To obtain a large password space, map-based GPs (geographical passwords) have been developed that allow users to choose one or more places on a map for authentication. For example, PassMap requires users to choose two places as their credentials, and GeoPass enables users to click only one place for authentication. Some research studies have reported that choosing only one place as a password may be not secure enough, whereas selecting two places may decrease the system usability. In this work, we first conducted a study to learn how users would choose two places under PassMap, and found that users may choose two similar locations due to time consideration. Motivated by this observation, we then design CPMap, a click-points map-based GP scheme that allows users to choose one place on a world map at first and then click a point or an object on an image relating to the previously selected location. To investigate the performance of CPMap, we conducted another user study with up to 50 participants. It is found that users could achieve promising results with our scheme in the aspects of both security and usability.

Keywords: User Authentication, Graphical Passwords, Map-based Passwords, Geographic Authentication, Security and Usability.

The Influence of Native Language on Password Composition and Security: A Socioculture Theoretical View

Pardon Blessings Maoneke, Stephen Flowerday and Naomi Isabirye
University of Fort Hare, Information Systems Department, East London, South Africa

Abstract. This study investigates the influence of native languages on password composition and security. The socioculture theory’s psychological development principles were used to argue the influence of language on passwords. 107 Namibian and South African university students were asked to generate a new password for the study using a web based experiment. Levenshtein’s edit distance, language experts and a password guessing algorithm were used for data analysis. Results showed that users generated passwords that were oriented towards both English and native languages. English is the first language of instruction while native languages are typically the first spoken languages of the participants. These passwords were based on names and words. A difference in character distribution confirmed the disparity in character preferences among researched groups. These findings suggest the influence of psychological development according to the socioculture theory. Password guessing shows that English oriented passwords are weaker than those oriented in native languages. The study shows that choices of password generation policy design should be informed by contextual factors if they are to be effective.

Keywords: passwords, password characteristics, socioculture theory, native language, security.

A Hypergame Analysis for ErsatzPasswords

Christopher N. Gutierrez1, Mohammed H. Almeshekah2, Saurabh Bagchi1, and Eugene H. Spafford1
1 Purdue University, Center for Education and Research in Information Assurance and Security (CERIAS), West Lafayette, USA, 2 King Saud University, Department of Computer Science, Riyadh, Saudi Arabia

Abstract. A hypergame is a game theoretic model capturing the decisions of rational players in a conflict where misperceptions, from deception or information asymmetry, are present. We demonstrate how hypergames can model an actual security mechanism: ErsatzPassword, a defense mechanism to protect password hashes from offline brute-force attacks. Two ErsatzPassword defensive strategies are considered: to block the attacker and trigger an alarm, or to redirect the attacker into a honeynet for attack analysis. We consider the scenario where there is information asymmetry in the system and one side under-estimates or over-estimates the risk tolerance of the other side. We analyze plausible strategies for both attacker and defender and then solve 57,600 hyper-game configurations to determine the optimal 1st line defense strategies under various levels of risk tolerance and misperceptions.

Keywords: Computer Security, Deception, Game Theory

Formal Analysis of Sneak-Peek: A Data Centre Attack and its Mitigations

Wei Chen1, Yuhui Lin1, Vashti Galpin1, Vivek Nigam2, Myungjin Lee1, and David Aspinall1,3
1 University of Edinburgh, UK 2 Fortiss GmbH, Germany 3 Alan Turing Institute, UK

Abstract. Attackers can exploit covert channels, such as timing side-channels, to transmit information without data owners or network administrators being aware. Sneak-Peek is a recently considered data centre attack, where, in a multi-tenant setting, an insider attacker can communicate with colluding outsiders by intentionally adding delays to traffic on logically isolated but physically shared links. Timing attack mitigations typically introduce delays or randomness which can make it difficult to understand the trade-off between level of security (bandwidth of the covert channel) and performance loss. We demonstrate that formal methods can help. We analyse the impacts of two Sneak-Peek mitigations, namely, noise addition and path hopping. We provide a precise mathematical model of the attack and of the effectiveness of these defences. This mathematical analysis is extended by two tool-based stochastic formal models, one formalized in UPPAAL and the other in CARMA. The formal models can capture more general and larger networks than a paper-based analysis, can be used to check properties and make measurements, and are more easily modifiable than conventional network simulations. With UPPAAL, we can analyse the effectiveness of mitigations and with CARMA, we can analyse how these mitigations affect latencies in typical data centre topologies. As results, we show that using a selective strategy for path hopping is better than a random strategy, that using the two defences in conjunction may actually be worse than using a single defence, and we show the connection between hop frequency and network latency.

Practical Cryptographic Data Integrity Protection with Full Disk Encryption

Milan Brož1,2, Mikuláš Patočka1 and Vashek Matyáš2
1 Red Hat Czech, Brno, Czech Republic
2 Masaryk University, Faculty of Informatics, Brno, Czech Republic

Abstract. Full Disk Encryption (FDE) has become a widely used security feature. Although FDE can provide confidentiality, it generally does not provide cryptographic data integrity protection. We introduce an algorithm-agnostic solution that provides both data integrity and confidentiality protection at the disk sector layer. Our open-source solution is intended for drives without any special hardware extensions and is based on per-sector metadata fields implemented in software. Our implementation has been included in the Linux kernel since the version 4.12.

Detection and Response to Data Exfiltration from Internet of Things Android Devices

Mariem Graa1, Ivan Marco Lobe Kome1,2, Nora Cuppens-Boulahia1, Frédéric Cuppens1 and Vincent Frey2
1 IMT Atlantique, France
2 Orange Labs, Cesson-Sévigné, France

Abstract. Hackers can exfiltrate sensitive data stored in an IoT device such as Android smartphones. He/She abuses the Android pairing mode and targets a personal computer system previously trusted by the device user. The existing protocols that allow file transfer from Android IoT devices to the computer cannot detect this attack. In this paper, we propose an approach to detect attacks exploiting trusted relationship between a third party system such as personal computer and an Android device to exfiltrate user data from the victim device to an attacker. We implement a protocol to secure communication between IoT Android device and third party system. Our approach has been proved to be effective in detecting this category of attacks with reasonable performance overheads.

When George Clooney is not George Clooney: Using GenAttack to Deceive Amazon's and Naver's Celebrity Recognition APIs

Keeyoung Kim1,2,3 and Simon S. Woo1,2
1 The State University of New York, Korea (SUNY-Korea), Incheon, S. Korea
2 Stony Brook University, Stony Brook, NY, USA
3 Artificial Intelligence Research Institute (AIRI), Seongnam, S. Korea

Abstract. In recent years, significant advancements have been made in detecting and recognizing contents of images using Deep Neural Networks (DNNs). As a result, many companies offer image recognition APIs for use in diverse applications. However, image classification algorithms trained with DNNs can misclassify adversarial examples, posing a significant threat to critical applications. In this work, we present a novel way to generate adversarial example images using an evolutionary genetic algorithm (GA). Our algorithm builds adversarial images by iteratively adding noise to the original images. Unlike DNN based adversarial example generations by other researchers, our approach does not require GPU resources and access to the target DNNs' parameters. We design GenAttack, a simple yet powerful attack algorithm to create adversarial examples using complex celebrity images and evaluate those with real-world celebrity recognition APIs from Amazon and Naver. With our attack, we successfully deceive Amazon's and Naver's APIs with a success probability of 86.6% and 100%, respectively. Our work demonstrates the practicability of generating adversarial examples and successfully fooling the state-of-the-art commercial image recognition systems.

Keywords: Adversarial Example, Black-box attack, Genetic Algorithm

When Your Browser Becomes The Paper Boy: An Anonymous Browser Network

Juan D. Parra Rodriguez, Eduard Brehm, and Joachim Posegga
University of Passau, Germany

Abstract. We present a scenario where browsers’ network and computation capabilities are used by an attacker without the user’s knowledge. For this kind of abuse, an attacker needs to trigger JavaScript code on the browser, e.g. through an advertisement. However, unlike other Web attacks, e.g. cross-site scripting, the attack can be executed isolated from the Origin of the site visited by the user. We demonstrate this by forcing common browsers to join an overlay network and perform onion routing for other peers in the network. An attacker can create and tear down such browser networks whenever needed and use them to avoid detection, complicate forensic analysis, and protect his identity. Based on a performance evaluation with real browsers, we ascertain that the network delivers messages in a timely manner under load while remaining unnoticed. From a more constructive point of view, we discuss how the current CSP specification and other mechanisms under discussion can help to protect users against this attack.

Keywords: Web Security, Browser Abuse, Content Security Policy (CSP)

On the Integrity of Cross-Origin JavaScripts

Jukka Ruohonen, Joonas Salovaara, and Ville Leppänen
Department of Future Technologies, University of Turku, Finland

Abstract. The same-origin policy is a fundamental part of the Web. Despite the restrictions imposed by the policy, embedding of third-party JavaScript code is allowed and commonly used. Nothing is guaranteed about the integrity of such code. To tackle this deficiency, solutions such as the subresource integrity standard have been recently introduced. Given this background, this paper presents the first empirical study on the temporal integrity of cross-origin JavaScript code. According to the empirical results based on a ten day polling period of over 35 thousand scripts collected from popular websites, (i) temporal integrity changes are relatively common; (ii) the adoption of the subresource integrity standard is still in its infancy; and (iii) it is possible to statistically predict whether a temporal integrity change is likely to occur. With these results and the accompanying discussion, the paper contributes to the ongoing attempts to better understand security and privacy in the current Web.

Keywords: same-origin, cross-domain, remote inclusion, subresource integrity

Smashing the Stack Protector for Fun and Profit

Julian Kirsch1, Thomas Kittel1, Aurélien Francillon2 and Apostolis Zarras3
1 Technical University of Munich, Munich, Germany
2 EURECOM, Sophia Antipolis, France
3 Maastricht University, Maastricht, Netherlands

Abstract. Software exploitation has been proven to be a lucrative business for cybercriminals. Unfortunately, protecting software against attacks is a long-lasting endeavor that is still under active research. However, certain software-hardening schemes are already incorporated into current compilers and are actively used to make software exploitation a complicated procedure for the adversaries. Stack canaries are such a protection mechanism. Stack canaries aim to prevent control flow hijack by detecting corruption of a specific value on the program's stack. Careful design and implementation of this conceptually straightforward mechanism is crucial to defeat stack-based control flow detours. In this paper, we examine 17 different stack canary implementations across multiple versions of the most popular Operating Systems running on various architectures. We systematically compare critical implementation details and introduce one new generic attack vector which allows bypassing stack canaries on current Linux systems running up-to-date multi-threaded software altogether. We release an open-source framework (CookieCrumbler) that identifies the characteristics of stack canaries on any platform it is compiled on and we propose mitigation techniques against stack-based attacks. Although stack canaries may appear obsolete, we show that when they are used correctly, they can prevent intrusions which even the more sophisticated solutions may potentially fail to block.

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection

Sergej Proskurin1, Julian Kirsch1, and Apostolis Zarras2
1 Technical University of Munich
2 Maastricht University

Abstract. The growing complexity of modern malware drives security applications to leverage Virtual Machine Introspection (VMI), which provides a complete and untainted view over the Virtual Machine state. To benefit from this ability, a VMI-aware Virtual Machine Monitor (VMM) must be set up in advance underneath the target system; a constraint for the massive application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a running Operating System, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services for remote applications: WhiteRabbit implements a LibVMI interface that enables it to be engaged by popular VMI applications remotely. Our prototype employs Intel as well as ARM virtualization extensions to take over control of a running Linux system. WhiteRabbit's on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis.

Anti-forensic = Suspicious: Detection of Stealthy Malware that Hides its Network Traffic

Mayank Agarwal1, Rami Puzis1, Jawad Haj-Yahya2, Polina Zilberman1, and Yuval Elovici1
1 Telekom Innovation Labs, Ben-Gurion University of the Negev, Israel 2 School of Computer Science and Engineering, Nanyang Technological University, Singapore

Abstract. Stealthy malware hides its presence from the users of a system by hooking the relevant libraries, drivers, system calls or manipulating the services commonly used to monitor system behaviour. Tampering the network sensors of host-based intrusion detection systems (HIDS) may impair their ability to detect malware and significantly hinders subsequent forensic investigations. Nevertheless, the mere attempt to hide the traffic indicates malicious intentions. In this paper we show how comparison of the data collected by multiple sensors at different levels of resilience may reveal these intentions. At the lowest level of resilience, information from untrusted sensors such as netstat and process lists are used. At the highest resilience level, we analyse mirrored traffic using a secured hardware device. This technique can be considered as fully trusted. The detection of a discrepancy between what is reported by these common tools and what is observed on a trusted system operating at a different level is a good way to force a dilemma on malware writers: either apply hiding techniques, with the risk that the discrepancy is detected, or keep the status of network connections untouched, with a greater ability for the administrator to recognize the presence and to understand the behaviour of malware. The proposed method was implemented on an evaluation testbed and is able to detect stealthy malware that hides its communication from the HIDS. The false positive rate is 0.01% of the total traffic analysed, and barring a few exceptions that can easily be white-listed, there are no legitimate processes which raise false alerts.

Keywords: Stealthy, Malware, Command & Control, Trusted Network Monitor, Security

PRETT: Protocol Reverse Engineering Using Binary Tokens and Network Traces

Choongin Lee, Jeonghan Bae, Heejo Lee
Korea University, Seoul, Republic of Korea

Abstract. Protocol reverse engineering is the process of extracting application-level protocol specifications. The specifications are a useful source of knowledge about network protocols and can be used for various purposes. Despite the successful results of prior works, their methods primarily result in the inference of a limited number of message types. We herein propose a novel approach that infers a minimized state machine while having a rich amount of information. The combined input of tokens extracted from the network protocol binary executables and network traces enables the inference of new message types and protocol behaviors which had not been found in previous works. In addition, we propose a state minimization algorithm that can be applied to real-time black-box inference. The experimental results show that our approach can infer the largest number of message types for file-transfer protocol (FTP) and simple mail-transfer protocol (SMTP) compared to eight prior arts. Moreover, we found unexpected behaviors in two protocol implementations using the inferred state machines.

Keywords: Protocol reverse engineering, State machine reconstruction, Automatic protocol analysis

Walking Through the Deep: Gait Analysis for User Authentication through Deep Learning

Giacomo Giorgi, Fabio Martinelli, Andrea Saracino, Mina Sheikhalishahi
Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche

Abstract. Seamless authentication is a desired feature which is becoming more and more relevant, due to the distribution of personal and wearable mobile devices. With seamless authentication, biometric features, such as human gait, become a way to control authorized access on mobile devices, without actually requiring user interaction. However, this analysis is a challenging task, prone to errors, with the need to dynamically adapt to new conditions and requirements, brought by the dynamic change of biometric parameters. In this paper we present a novel deep-learning based framework for gait-based authentication. The paper presents an in-depth study of the building and training of a Recurrent Convolutional Neural Network with a real dataset based on gait reading performed through five body sensors. We introduce methodologies to further increase the classification accuracy based on data augmentation and selective filtering. Finally we will present a complete experimental evaluation performed on more than 150 different identities.

Keywords: Gait recognition, Behavioral analysis, Seamless continuous authentication, Deep learning

Optimal security configuration for cyber insurance

Fabio Martinelli¹, Ganbayar Uuganbayar¹˒², and Artsiom Yautsiukhin¹
¹ Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy; ² Department of Information Engineering and Computer Science (DISI), University of Trento, Italy

Abstract. Losses due to cyber security incidents could be very significant for organisations. This fact forces managers to consider cyber security risks at the highest management level. Cyber risks are usually either mitigated by technical means (countermeasures) or transferred to another party (i.e., insurer). Both options require significant investments and organisations face the problem of optimal distribution of cyber security budget between these risk treatment options. In this paper, we propose an approach for optimal distribution of investments between self-protection and cyber insurance. The key difference of our paper with respect to others in the field is that our model helps to identify the required security controls, rather than implicitly assuming a relation between security investments, security configuration and expected probability of attack. Our approach exploits a discrete model of investment in self-protection, which is more challenging for analysis but is more realistic and convenient for the application. Our model further considers several threats and allows threats to occur more than once.

Keywords: security investment, optimal investment, knapsack problem, cyber insurance, risk management

Efficient Identification of Applications in Co-resident VMs via a Memory Side-Channel

Jens Lindemann and Mathias Fischer
Department of Computer Science, University of Hamburg, Germany

Abstract. Memory deduplication opens a side-channel that enables attackers to detect if there is a second copy of a memory page on a host their Virtual Machine (VM) is running on, and thus to gain information about co-resident VMs. In former work, we presented a practical side-channel attack that can even detect which specific versions of applications are being executed in co-resident VMs. In this paper, we enhance this attack by testing for representative groups of pages for certain groups of application versions, so-called page signatures, instead of testing for a single application version only. As a result, our new attack is significantly more efficient. Our results indicate that the attack duration can be reduced from several hours to minutes at the cost of a small loss in precision only.

Performance Improvements in Behavior Based Malware Detection Solutions

Gheorghe Hăjmăşan¹˒², Alexandra Mondoc¹˒³, Radu Portase¹˒², and Octavian Creț²
¹ Bitdefender, Cluj-Napoca, Romania; ² Technical University of Cluj-Napoca, Cluj-Napoca, Romania; ³ Babeş-Bolyai University, Cluj-Napoca, Romania

Abstract. The constant evolution of malware, both in number and complexity, represents a severe threat to individual users and organizations. This is increasing the need for more advanced security solutions, such as dynamic behavior-based malware detection, that monitor and analyze actions performed on a system in real time. However, this approach comes with an intuitive downfall, the performance overhead. For this issue we propose two solutions that can be used separately or combined. The first approach takes advantage of the advances in hardware and uses asynchronous processing, thus reducing the impact on the monitored applications. The second approach relies on a dynamic reputation system, based on which different monitoring levels for applications can be defined. The differential monitoring of processes according to their dynamic reputation leads to a diminished general performance impact and also a lower false positive rate.

An Evaluation of Bucketing in Systems with Non-Deterministic Timing Behavior

Yuri Gil Dantas, Richard Gay, Tobias Hamann, Heiko Mantel, and Johannes Schickel
Department of Computer Science, TU Darmstadt, Germany

Abstract. Timing side-channel vulnerabilities constitute a serious threat against privacy and confidentiality of data. In this article, we study the effects of bucketing, a previously proposed mitigation technique against timing side channels. We present two implementations of bucketing that reside at the application and at the kernel level, respectively. We experimentally evaluate the effectiveness of these implementations in a setting with non-deterministic timing behavior, a practically relevant setting that has not been studied before. Our results show that the impact of non-deterministic timing behavior is substantial. The bucket boundaries cannot be established sharply and this reduces the effectiveness of bucketing. Nevertheless, bucketing still provides a significant reduction of side-channel capacity.