232 research outputs found
Interpretable Probabilistic Password Strength Meters via Deep Learning
Probabilistic password strength meters have been proved to be the most
accurate tools to measure password strength. Unfortunately, by construction,
they are limited to solely produce an opaque security estimation that fails to
fully support the user during the password composition. In the present work, we
move the first steps towards cracking the intelligibility barrier of this
compelling class of meters. We show that probabilistic password meters
inherently own the capability of describing the latent relation occurring
between password strength and password structure. In our approach, the security
contribution of each character composing a password is disentangled and used to
provide explicit fine-grained feedback for the user. Furthermore, unlike
existing heuristic constructions, our method is free from any human bias, and,
more importantly, its feedback has a clear probabilistic interpretation. In our
contribution: (1) we formulate the theoretical foundations of interpretable
probabilistic password strength meters; (2) we describe how they can be
implemented via an efficient and lightweight deep learning framework suitable
for client-side operability.Comment: An abridged version of this paper appears in the proceedings of the
25th European Symposium on Research in Computer Security (ESORICS) 202
Undermining User Privacy on Mobile Devices Using AI
Over the past years, literature has shown that attacks exploiting the
microarchitecture of modern processors pose a serious threat to the privacy of
mobile phone users. This is because applications leave distinct footprints in
the processor, which can be used by malware to infer user activities. In this
work, we show that these inference attacks are considerably more practical when
combined with advanced AI techniques. In particular, we focus on profiling the
activity in the last-level cache (LLC) of ARM processors. We employ a simple
Prime+Probe based monitoring technique to obtain cache traces, which we
classify with Deep Learning methods including Convolutional Neural Networks. We
demonstrate our approach on an off-the-shelf Android phone by launching a
successful attack from an unprivileged, zeropermission App in well under a
minute. The App thereby detects running applications with an accuracy of 98%
and reveals opened websites and streaming videos by monitoring the LLC for at
most 6 seconds. This is possible, since Deep Learning compensates measurement
disturbances stemming from the inherently noisy LLC monitoring and unfavorable
cache characteristics such as random line replacement policies. In summary, our
results show that thanks to advanced AI techniques, inference attacks are
becoming alarmingly easy to implement and execute in practice. This once more
calls for countermeasures that confine microarchitectural leakage and protect
mobile phone applications, especially those valuing the privacy of their users
- …