Interactive energy minimizing segmentation frameworks

[no abstract

Count Me If You Can: Enumerating QUIC Servers Behind Load Balancers

QUIC is a new transport protocol over UDP which is recently became an IETF RFC. Our security analysis of the Connection ID mechanism in QUIC reveals that the protocol is underspecified. This allows an attacker  to count the number of server instances behind a middlebox, e.g., a  load balancer. We found 4/15 (~25%) implementations vulnerable to  our enumeration attack. We then concretely describe how an attacker  can count the number of instances behind a load balancer that either uses Round Robin or Hashing

Report Dagstuhl Seminar 10402 - Working Group on Fundamental Limits and Opportunities

This working group investigated first steps towards finding a theoretical foundation for inter-vehicle communication. The main outcome is a sketch of a roadmap for future work in this direction

P2KMV: A Privacy-preserving Counting Sketch for Efficient and Accurate Set Intersection Cardinality Estimations

In this paper, we propose P2KMV, a novel privacy-preserving counting sketch, based on the k minimum values algorithm. With P2KMV, we offer a versatile privacy-enhanced technology for obtaining statistics, following the principle of data minimization, and aiming for the sweet spot between privacy, accuracy, and computational efficiency. As our main contribution, we develop methods to perform set operations, which facilitate cardinality estimates under strong privacy requirements. Most notably, we propose an efficient, privacy-preserving algorithm to estimate the set intersection cardinality. P2KMV provides plausible deniability for all data items contained in the sketch. We discuss the algorithm's privacy guarantees as well as the accuracy of the obtained estimates. An experimental evaluation confirms our analytical expectations and provides insights regarding parameter choices

Eclipsing Ethereum Peers with False Friends

Ethereum is a decentralized Blockchain system that supports the execution of Turing-complete smart contracts. Although the security of the Ethereum ecosystem has been studied in the past, the network layer has been mostly neglected. We show that Go Ethereum (Geth), the most widely used Ethereum implementation, is vulnerable to eclipse attacks, effectively circumventing recently introduced (Geth v1.8.0) security enhancements. We responsibly disclosed the vulnerability to core Ethereum developers; the corresponding countermeasures to our attack where incorporated into the v1.9.0 release of Geth. Our false friends attack exploits the Kademlia-inspired peer discovery logic used by Geth and enables a low-resource eclipsing of long-running, remote victim nodes. An adversary only needs two hosts in distinct /24 subnets to launch the eclipse, which can then be leveraged to filter the victim's view of the Blockchain. We discuss fundamental properties of Geth's node discovery logic that enable the false friends attack, as well as proposed and implemented countermeasures.Comment: Extended version of the original publication in: 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW

Trau, SCHAU, wem? - V-IDS oder eine andere Sicht der Dinge

Die ständig wachsende Flut der in einem Netzwerk anfallenden sicherheitsrelevanten Daten macht in zunehmendem Maße neue Darstellungsformen notwendig. Nur so können diese Daten ausreichend schnell und in angemessenem Umfang erfassbar und beherrschbar bleiben. Wesentlich schneller und intuitiver als reinen Text können wir den Inhalt von Bildern erfassen, grafische Darstellungen machen Geschehnisse in der Regel leichter erfassbar. Informationen können zusätzlich stärker verdichtet dargestellt werden, ohne dass der transportierte Inhalt darunter leidet. Die Darstellung von Sicherheitsdaten in grafischer Form steht derzeit noch sehr am Anfang, es gibt wenig Erfahrung, welche Darstellungen mehr und welche weniger geeignet sind. V-IDS soll Grundlagen legen für eine dynamische, dreidimensionale Darstellung solcher Daten. Es soll ein einfaches Experimentieren mit verschiedenen und neuartigen Darstellungen ermöglichen. Damit können dann vorhandene und zukünftige Ideen einfach und ohne längere Entwicklungszeit prototypisch umgesetzt und bewertet werden

Tech Report: Inerial HSMs Thwart Advanced Physical Attacks

In this tech report, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules (iHSMs). Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by rotating the security mesh or sensor at high speed—thereby presenting a moving target to an attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is comparable to commercial HSMs