52 research outputs found
Undermining User Privacy on Mobile Devices Using AI
Over the past years, literature has shown that attacks exploiting the
microarchitecture of modern processors pose a serious threat to the privacy of
mobile phone users. This is because applications leave distinct footprints in
the processor, which can be used by malware to infer user activities. In this
work, we show that these inference attacks are considerably more practical when
combined with advanced AI techniques. In particular, we focus on profiling the
activity in the last-level cache (LLC) of ARM processors. We employ a simple
Prime+Probe based monitoring technique to obtain cache traces, which we
classify with Deep Learning methods including Convolutional Neural Networks. We
demonstrate our approach on an off-the-shelf Android phone by launching a
successful attack from an unprivileged, zeropermission App in well under a
minute. The App thereby detects running applications with an accuracy of 98%
and reveals opened websites and streaming videos by monitoring the LLC for at
most 6 seconds. This is possible, since Deep Learning compensates measurement
disturbances stemming from the inherently noisy LLC monitoring and unfavorable
cache characteristics such as random line replacement policies. In summary, our
results show that thanks to advanced AI techniques, inference attacks are
becoming alarmingly easy to implement and execute in practice. This once more
calls for countermeasures that confine microarchitectural leakage and protect
mobile phone applications, especially those valuing the privacy of their users
Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality
Finding undocumented functionality in commercial off-the-shelf (COTS) device firmware is an important and challenging task. This paper proposes a new static analysis method that measures the influence individual pieces of static data (such as strings) have upon the control flow of binaries in firmware. Our method automatically identifies static data comparison functions within binaries, then labels each function's basic blocks with the set of sequences of static data that must be matched against to reach them. Then using these sets, it assigns a score to each function, which measures the extent to which the function's branching is influenced by static data. Special keywords triggering backdoor functionality will have a large impact on the program flow. This allows usto identify three authentication backdoors - two of which previously un-documented. Moreover, we show our method is effective in aiding therecovery of both previously known and proprietary text-based protocols.We have developed a tool, Stringer which implements our technique; wedemonstrate the effectiveness of our approach as well as its applicabilityto lightweight analysis by running it on a data set of 2,451,532 binariesfrom 30 different COTS device vendors
Cutting Through the Complexity of Reverse Engineering Embedded Devices
Performing security analysis of embedded devices is a challenging task. They present many difficulties not usually found when analyzing commodity systems: undocumented peripherals, esoteric instruction sets, and limited tool support. Thus, a significant amount of reverse engineering is almost always required to analyze such devices. In this paper, we present Incision, an architecture and operating-system agnostic reverse engineering framework. Incision tackles the problem of reducing the upfront effort to analyze complex end-user devices. It combines static and dynamic analyses in a feedback loop, enabling information from each to be used in tandem to improve our overall understanding of the firmware analyzed. We use Incision to analyze a variety of devices and firmware. Our evaluation spans firmware based on three RTOSes, an automotive ECU, and a 4G/LTE baseband. We demonstrate that Incision does not introduce significant complexity to the standard reverse engineering process and requires little manual effort to use. Moreover, its analyses produce correct results with high confidence and are robust across different OSes and ISAs
VFCFinder: Seamlessly Pairing Security Advisories and Patches
Security advisories are the primary channel of communication for discovered
vulnerabilities in open-source software, but they often lack crucial
information. Specifically, 63% of vulnerability database reports are missing
their patch links, also referred to as vulnerability fixing commits (VFCs).
This paper introduces VFCFinder, a tool that generates the top-five ranked set
of VFCs for a given security advisory using Natural Language Programming
Language (NL-PL) models. VFCFinder yields a 96.6% recall for finding the
correct VFC within the Top-5 commits, and an 80.0% recall for the Top-1 ranked
commit. VFCFinder generalizes to nine different programming languages and
outperforms state-of-the-art approaches by 36 percentage points in terms of
Top-1 recall. As a practical contribution, we used VFCFinder to backfill over
300 missing VFCs in the GitHub Security Advisory (GHSA) database. All of the
VFCs were accepted and merged into the GHSA database. In addition to
demonstrating a practical pairing of security advisories to VFCs, our general
open-source implementation will allow vulnerability database maintainers to
drastically improve data quality, supporting efforts to secure the software
supply chain
Efficient noninteractive certification of RSA moduli and beyond
In many applications, it is important to verify that an RSA public key (N; e) speci es a
permutation over the entire space ZN, in order to prevent attacks due to adversarially-generated
public keys. We design and implement a simple and e cient noninteractive zero-knowledge
protocol (in the random oracle model) for this task. Applications concerned about adversarial
key generation can just append our proof to the RSA public key without any other modi cations
to existing code or cryptographic libraries. Users need only perform a one-time veri cation of
the proof to ensure that raising to the power e is a permutation of the integers modulo N. For
typical parameter settings, the proof consists of nine integers modulo N; generating the proof
and verifying it both require about nine modular exponentiations.
We extend our results beyond RSA keys and also provide e cient noninteractive zero-
knowledge proofs for other properties of N, which can be used to certify that N is suitable
for the Paillier cryptosystem, is a product of two primes, or is a Blum integer. As compared to
the recent work of Auerbach and Poettering (PKC 2018), who provide two-message protocols for
similar languages, our protocols are more e cient and do not require interaction, which enables
a broader class of applications.https://eprint.iacr.org/2018/057First author draf
- …