Conference notes: Usenix Security 2016

Technology preview: Memory encryption in AMD processors (by AMD tech guys)

  • Physically separate chip inside CPU handling crypto functionality
  • C-bit indicating that memory page is encrypted
  • Transparent SME enables memory encryption without OS modification
    • transparent, only additional latency related to encryption
  • enhanced version of AMD-V

Paper: Lock it and still lose it (unlocking cars)

  • History of car locks:
    • 1. Fixed keys - can be replayed
    • 2. Rolling code (counter based) - robust if done correctly (attacks target the crypto or the keys)
  • Nice video demo of unlocking a car
  • Attack against Hitag2: 1 minute of computation, 4 to 8 legitimate traces from the car owner are necessary

Paper: Fingerprint MCUs in cars to detect an attacker's device

  • Solution: clock skew of each MCU is detectable over time, giving the ability to detect connected attacker devices

Paper: In-depth analysis of disassembly on full-scale x86/x64 binaries

  • Detailed survey of how different disassemblers perform on real binaries compiled by a wide range of compilers
  • Hard survey work
  • Analysis of reversing papers at USENIX, CCS and NDSS 2013-2015 w.r.t. their expectations of disassembly accuracy

Paper: DRAMA: exploiting DRAM addressing for cross-cpu attacks

  • cloud computing environment, co-located VMs, no shared cache or shared memory is assumed (disabled)
  • open-source tool for mapping RAM memory structures https://github.com/IAIK/drama

Paper: Cache timing attacks on mobile devices

  • Problem: cache side-channel still present on ARM processors
  • Able to distinguish swipes (including their length) and taps on the screen
  • Able to learn AES keys if Bouncy Castle library is used (implementation based on pre-computed T-Tables ⇒ cache patterns visible)
  • Leakage from ARM TrustZone (RSA signatures)

Paper: Trusted browsers for uncertain times

  • Problem: timing attacks against browser crypto
  • Time measurement improved; introduction of a fuzzy time (degraded clock) component for JavaScript
  • All calls to clock are replaced by fuzzy clock
  • Fuzzyfox - prototype on Firefox with applied defense, performing well
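The following is an added illustration (not code from the Fuzzyfox project) of the fuzzy-time idea in these notes: a clock that only advances at coarse, randomly phased ticks, so a script timing a short operation learns almost nothing below the grain. The `FuzzyClock`, `PreciseClock`, `measure` and `distinguishable` names, the 100 ms grain and the seeded phase generation are assumptions made for this example.

```python
import random


class PreciseClock:
    """A high-resolution clock, the kind of timer a timing attack relies on.
    Included only as the comparison case."""

    def now(self, real_ms: float) -> float:
        return real_ms


class FuzzyClock:
    """Simplified model of a fuzzy-time clock (illustrative, not Fuzzyfox's code).

    Real time is only reported at tick boundaries. Ticks are nominally `grain`
    ms apart, but each tick fires at a random phase inside its own grain
    period, so the position of a tick edge does not reveal sub-grain timing.
    """

    def __init__(self, grain_ms: float, seed: int = 0):
        self.grain = float(grain_ms)
        self.seed = seed

    def _tick_time(self, k: int) -> float:
        # Tick k fires somewhere in [k*grain, (k+1)*grain). The phase is a
        # deterministic function of (seed, k) so the example is reproducible.
        phase = random.Random(self.seed * 1_000_003 + k).uniform(0.0, self.grain)
        return k * self.grain + phase

    def now(self, real_ms: float) -> float:
        """Fuzzy reading for wall-clock time `real_ms` (>= 0): the index of the
        latest tick that has already fired, scaled to the grain."""
        k = int(real_ms // self.grain)
        ticks = k if self._tick_time(k) <= real_ms else k - 1
        return max(ticks, 0) * self.grain


def measure(clock, start_ms: float, duration_ms: float) -> float:
    """What a script sees when it times an operation lasting `duration_ms`."""
    return clock.now(start_ms + duration_ms) - clock.now(start_ms)


def distinguishable(clock, fast_ms: float, slow_ms: float, trials: int = 200, seed: int = 7) -> float:
    """Fraction of trials in which timing a `fast_ms` and a `slow_ms` operation,
    both started at the same random instant, yields different readings.
    1.0 means the clock separates them every time; near 0 means it hides the gap."""
    rng = random.Random(seed)
    differ = 0
    for _ in range(trials):
        start = rng.uniform(0.0, 10_000.0)
        if measure(clock, start, fast_ms) != measure(clock, start, slow_ms):
            differ += 1
    return differ / trials


if __name__ == "__main__":
    fuzzy = FuzzyClock(100.0, seed=1)
    print("precise clock separates 1 ms from 5 ms:", distinguishable(PreciseClock(), 1.0, 5.0))
    print("fuzzy clock separates 1 ms from 5 ms:", distinguishable(fuzzy, 1.0, 5.0))
```

The residual leak is the occasional trial where a tick edge happens to fall between the two durations; the defence works by keeping that rate low, not by making it zero, and, as the notes say, only if every time source a script can reach is replaced by the fuzzy clock.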

Paper: On omitting commits and committing omissions

  • Problem: Git does not sign some parts of the metadata, so they can be forged by an attacker, resulting in code with omitted security patches, incorrect parts of code merged, etc.

Paper: APISan: Sanitizing API usages through semantic cross checking

  • Problem: lack of tools that automatically help programmers (w.r.t. API security)
  • Idea: inspect how different programs use a library. Usages that are very common are considered valid, unusual ones are possibly incorrect
  • Challenges: subtle differences, large complex code using the API…
  • Most arguments are integers ⇒ error conditions can be encoded as integer ranges, and Clang supports that
  • 76 new bugs in linux kernel, openssl, php, python…
  • No manual annotation is required
  • Nice result! github.com/sslab-gatech
  • Q: Can it be used to identify wrongly designed APIs? (yes)
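To make the cross-checking idea concrete, here is an added example (not APISan's code) of the majority-vote step: for each API, the error-check range used at most call sites is taken as the implied specification, and sites that deviate from it are reported with the majority ratio as confidence. The record format, the `cross_check` function, its thresholds and the sample call sites are all constructed for this illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# One record per call site (constructed sample). "error_range" is the inclusive
# (lo, hi) integer range the caller treats as an error, with None as an open
# bound; a value of None means the return value is never checked.
SAMPLE_SITES: List[Dict] = [
    {"api": "open",   "site": "a.c:10", "error_range": (None, -1)},
    {"api": "open",   "site": "a.c:42", "error_range": (None, -1)},
    {"api": "open",   "site": "b.c:7",  "error_range": (None, -1)},
    {"api": "open",   "site": "c.c:88", "error_range": (None, -1)},
    {"api": "open",   "site": "d.c:3",  "error_range": None},        # fd never checked
    {"api": "malloc", "site": "a.c:15", "error_range": (0, 0)},
    {"api": "malloc", "site": "b.c:20", "error_range": (0, 0)},
    {"api": "malloc", "site": "b.c:31", "error_range": (0, 0)},
    {"api": "malloc", "site": "e.c:9",  "error_range": None},        # allocation unchecked
    {"api": "read",   "site": "a.c:60", "error_range": (None, -1)},
    {"api": "read",   "site": "f.c:12", "error_range": (None, 0)},   # also treats 0 (EOF) as error
    {"api": "read",   "site": "g.c:5",  "error_range": (None, -1)},
    {"api": "read",   "site": "h.c:2",  "error_range": (None, 0)},
    {"api": "rare",   "site": "z.c:1",  "error_range": (0, 0)},
    {"api": "rare",   "site": "z.c:2",  "error_range": None},
]


def range_str(r) -> str:
    """Human-readable form of an error range."""
    if r is None:
        return "<unchecked>"
    lo = "-inf" if r[0] is None else str(r[0])
    hi = "+inf" if r[1] is None else str(r[1])
    return f"[{lo}, {hi}]"


def cross_check(records: List[Dict], min_sites: int = 3, min_majority: float = 0.7) -> List[Dict]:
    """Infer the dominant error-check range per API by majority vote and report
    the sites that deviate from it. APIs with fewer than `min_sites` uses, or
    without a clear majority, are skipped rather than guessed about."""
    by_api = defaultdict(list)
    for rec in records:
        by_api[rec["api"]].append(rec)

    reports = []
    for api, sites in by_api.items():
        if len(sites) < min_sites:
            continue  # too few observations to vote on
        counts = Counter(s["error_range"] for s in sites)
        majority, votes = counts.most_common(1)[0]
        ratio = votes / len(sites)
        if ratio < min_majority:
            continue  # no consensus among callers (e.g. read: is 0 an error?)
        for s in sites:
            if s["error_range"] != majority:
                reports.append({
                    "api": api,
                    "site": s["site"],
                    "expected": majority,
                    "found": s["error_range"],
                    "confidence": round(ratio, 2),
                })
    # Highest-confidence deviations first, as a reviewer would triage them.
    return sorted(reports, key=lambda r: -r["confidence"])


if __name__ == "__main__":
    for r in cross_check(SAMPLE_SITES):
        print(f"{r['site']}: {r['api']} checks {range_str(r['found'])}, "
              f"{r['confidence']:.0%} of callers check {range_str(r['expected'])}")
```

The `read` case shows why the consensus threshold matters: callers genuinely disagree about whether a zero return is an error, so a checker that forced the majority opinion there would produce false positives instead of bugs.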

Paper: Automatically detecting error handling bugs using error specification

  • Problem: hard to do proper error handling in C programs due to missing support in the language.
  • Solution: inspect the code and find error paths that contain no logging, no propagation of the error code to the calling function, and no termination.
  • Error specifications for most common
  • Clang checker: detects error paths, checks logging, checks error propagation
  • 12 open-source libraries inspected, 130 bugs found, 78% real bugs
  • Faster than the standard Clang checker (order of minutes)

Invited talk: Cybersecurity talk (Microsoft)

  • Making predictions on encrypted data (open question how to)
  • FHE on the activation function of machine learning algorithms
  • performance: NN on image data: 4096 predictions in 5 minutes (parallelizable). SEAL library (sealcrypto.codeplex.com)
  • Challenge: how can mutually distrusting parties share data?
    • use secure multiparty computation or secure hardware
  • Q: The problem is that millions of ordinary programmers simply will not use advanced tools - we need extremely simple tools for the masses
  • A: We need better teaching at universities. (I don't think this will solve the issue - we need simple secure tools)
  • We need to allow way more room for error for designers/programmers when using protocols/tools. Cyberphysical is more serious than a BSOD of a PC
  • Problem: moral dilemmas for AI - when to break rules for the higher good?
  • What to do with the security of legacy code?
  • Evolution of security products over time

Paper: Hammering a Needle in the Stack

  • OpenSSH compromise, no software bug
  • Novel exploitation structure (hardware glitch + memory massaging)
  • Easy to make glitches = precise + reliable
  • Assumptions: co-hosted VMs, memory deduplication, rowhammer, RSA
  • Mem. deduplication: identical data in the victim's and the attacker's memory is stored only once.
  • Rowhammer: behaviour of ordinary DRAM - bit errors (bit flips) after frequent accesses to neighbouring rows ⇒ the victim's data gets corrupted
  • OpenSSH attack: attack on authorized_keys files - injection of the attacker's public key
  • Attacks against GPG/APT updates (Ubuntu)
  • Solution: disable memory deduplication
  • Q: what about DH? Harder to do but possible.
  • Q: What can a cloud client do right now? Checksums on the memory of critical files.
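The closing Q/A above suggests checksumming critical files; as an added illustration (not from the paper) here is such a monitor for an authorized_keys file, with one extra step a defender wants: when the hash no longer matches, it counts the differing bits, because a single flipped bit points at hardware corruption while a legitimate edit changes many bits or the length. The `BASELINE` contents are a constructed placeholder, and the `check`, `bit_diff` and `flip_bit` functions are assumptions of this example.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed sample: authorized_keys contents as first recorded by the monitor
# (placeholder key material, not a real key).
BASELINE = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholderkeymaterial== alice@host\n"


def fingerprint(data: bytes) -> str:
    """Hash recorded at baseline time and recomputed on every check."""
    return hashlib.sha256(data).hexdigest()


def bit_diff(a: bytes, b: bytes) -> Optional[List[Tuple[int, int]]]:
    """All (byte_offset, bit_index) positions where a and b differ, or None if
    the lengths differ (a bit flip never changes the length)."""
    if len(a) != len(b):
        return None
    flips = []
    for offset, (x, y) in enumerate(zip(a, b)):
        delta = x ^ y
        for bit in range(8):
            if (delta >> bit) & 1:
                flips.append((offset, bit))
    return flips


def check(baseline: bytes, current: bytes) -> dict:
    """Compare current contents with the baseline and classify any mismatch.
    Exactly one differing bit is the signature of a rowhammer-style flip; a
    length change or many differing bits is an ordinary edit (still worth an
    alert for a file like authorized_keys, but a different kind of incident)."""
    if fingerprint(current) == fingerprint(baseline):
        return {"status": "ok"}
    flips = bit_diff(baseline, current)
    if flips is None:
        return {"status": "edited", "detail": "length changed"}
    if len(flips) == 1:
        offset, bit = flips[0]
        return {"status": "bit_flip", "offset": offset, "bit": bit}
    return {"status": "edited", "detail": f"{len(flips)} bits differ"}


def flip_bit(data: bytes, offset: int, bit: int) -> bytes:
    """Constructed helper that simulates one corrupted bit for testing."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


if __name__ == "__main__":
    print(check(BASELINE, BASELINE))
    print(check(BASELINE, flip_bit(BASELINE, 20, 3)))
    print(check(BASELINE, BASELINE.replace(b"alice", b"mallory")))
```

In a real deployment the baseline hash must live somewhere the flipped page cannot reach (another host, or signed storage), and the check has to read the file through the same page cache the service uses, otherwise a corrupted cached copy can pass while the disk copy is intact.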
Paper: One bit flips, one cloud flops

  • Based on the rowhammer attack
  • Double-sided row hammering attacks
  • Reverse engineering of the DRAM mapping using the timing channel of different read times in DRAM
  • Knowledge of the rows in a particular DRAM ⇒ running a row hammering attack against para-virtualized Xen in public hosting
  • ⇒ page table replacement attack successfully mounted
  • Example: bypass OpenSSH server authentication - replacement of a critical ASM instruction in the authentication check
  • Countermeasures: ECC, DDR4 (TRR, target row refresh), HVM (hardware-assisted virtualization)

Paper: PIkit: A New Kernel-Independent Processor-Interconnect Rootkit

  • Low-level hardware rootkit
  • No code modification required
  • x86 CPU interconnect instruction (this causes the vulnerability)
  • If the DRAM address mapping table for the interconnect is modified ⇒ packets can be sent to the other CPU
  • Issue: no integrity checks on the DRAM address mapping table
  • Implemented for the AMD architecture, work on an extension to Intel
  • Solutions: AMD's LockDramCfg feature (not available for Intel)
  • Software-based solutions: the DRAM address mapping monitor should be protected by SGX, TrustZone…

Paper: Low budget password strength estimator (Dropbox)

  • nice presentation style, guy from Dropbox
  • problem: inconsistent estimation of password strength
  • Solution: client-side password strength estimator ⇒ how many guesses are expected
  • Based on lists, keyboard patterns, multipattern matching
  • Guide to Internet password research (Usenix LISA'14)
  • Tested on real leaks (LinkedIn…)
  • Estimators studied: zxcvbn, KeePass, NIST entropy
  • Nice graphs of the entropy of different passwords as estimated by different estimators, w.r.t. overestimation (security problem, weak password accepted) and underestimation (usability issue, good password rejected) of password entropy. Horizontal lines in the graph - why?
  • Conclusions: highly sensitive to learning data
  • Adopted by Coinbase, Stripe, Intel, Dropbox… - nice practical impact

Paper: Modeling password guessability using Neural Networks

  • Best paper award
  • How to generate training dataset -
  • Design space
  • tried different model sizes to fit within different devices (3MB browser, 60MB GPU)
  • Transfer learning…
  • Test data: MTurk studies
  • Tuning training

Paper: An Empirical Study of Textual Key-Fingerprint Representations

  • study whether users verify fingerprints (NO)
  • fingerprints include the key and metadata; multiple variants of how to present the fingerprint to the user
  • Study via MTurk to verify how the schemes work
  • Study design:
    • 40 comparisons in randomized order
    • attention tests (obviously mismatched) - if failed ⇒ excluded from results
    • language variations
  • No testing of parameters like color, text font…
  • 1047 MTurk participants
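Returning to the Dropbox password-strength paper in these notes: the following is an added, much reduced sketch (not zxcvbn's code) of a guess-count estimator of that style, built from ranked dictionaries, keyboard-row patterns and a brute-force fallback, combined by a dynamic programme that picks the segmentation an attacker would find cheapest. The dictionaries and keyboard rows are tiny constructed samples, and the guess formulas, the ordering penalty (`L!` for `L` segments) and the score thresholds are simplifying assumptions of this example.

```python
import math

# Constructed, deliberately tiny ranked lists; a real estimator ships lists
# with tens of thousands of entries, and the results below depend on that.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "dragon", "monkey"]
ENGLISH_WORDS = ["correct", "horse", "battery", "staple", "apple", "orange"]
DICTIONARIES = {"passwords": COMMON_PASSWORDS, "english": ENGLISH_WORDS}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
TOTAL_KEYS = sum(len(row) for row in KEYBOARD_ROWS)


def charset_size(pw: str) -> int:
    """Alphabet an attacker must brute-force for characters not covered by a pattern."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33
    return max(size, 1)


def dictionary_matches(pw: str):
    """(start, end, guesses) for every substring that is a ranked list entry;
    guesses = rank in the list, doubled for a capitalisation variant."""
    out, lower = [], pw.lower()
    for words in DICTIONARIES.values():
        for rank, word in enumerate(words, start=1):
            start = lower.find(word)
            while start != -1:
                end = start + len(word)
                out.append((start, end, rank * (2 if pw[start:end] != word else 1)))
                start = lower.find(word, start + 1)
    return out


def keyboard_matches(pw: str):
    """Runs of >= 3 keys adjacent on one row, in either direction. Guess count is
    a constructed heuristic: any starting key, then one binary choice per step."""
    out, lower, n = [], pw.lower(), len(pw)
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(n):
                j = i
                while j + 1 < n:
                    k = seq.find(lower[j])
                    if k == -1 or k + 1 >= len(seq) or seq[k + 1] != lower[j + 1]:
                        break
                    j += 1
                run = j - i + 1
                if run >= 3:
                    out.append((i, j + 1, TOTAL_KEYS * 2 ** (run - 1)))
    return out


def most_guessable(pw: str) -> float:
    """Minimum over all segmentations of (product of segment guesses) * L!,
    where L is the number of segments; uncovered text is a brute-force segment."""
    n, per_char = len(pw), charset_size(pw)
    matches = dictionary_matches(pw) + keyboard_matches(pw)
    for s in range(n):
        for e in range(s + 1, n + 1):
            matches.append((s, e, per_char ** (e - s)))
    best = [dict() for _ in range(n + 1)]  # best[pos][L] = cheapest product to reach pos
    best[0][0] = 1.0
    for s, e, g in sorted(matches, key=lambda m: m[1]):
        for L, prod in best[s].items():
            if prod * g < best[e].get(L + 1, math.inf):
                best[e][L + 1] = prod * g
    return min(prod * math.factorial(L) for L, prod in best[n].items())


def score(pw: str) -> int:
    """0..4 bucket on log10(guesses), using zxcvbn's published cut-offs."""
    g = most_guessable(pw)
    return sum(g >= threshold for threshold in (1e3, 1e6, 1e8, 1e10))


if __name__ == "__main__":
    for pw in ["password", "Qwerty", "zxcvbn", "correcthorsebatterystaple", "Tr0ub4dor&3"]:
        print(f"{pw!r}: guesses={most_guessable(pw):.3g} score={score(pw)}")
```

Note how `correcthorsebatterystaple` collapses to a few hundred guesses here because all four words sit at the top of a six-word list; with realistic ranked dictionaries the same words cost orders of magnitude more. That is the paper's conclusion in miniature: the estimate is only as good as the data the estimator learned from.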