Entries Tagged "academic papers"

Page 60 of 86

Stealing VM Keys from the Hardware Cache

Research into one VM stealing crypto keys from another VM running on the same hardware.

ABSTRACT: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized using a modern VMM (Xen). Such systems are very common today, ranging from desktops that use virtualization to sandbox application or OS compromises, to clouds that co-locate the workloads of mutually distrustful customers. Constructing such a side-channel requires overcoming challenges including core migration, numerous sources of channel noise, and the difficulty of preempting the victim with sufficient frequency to extract fine-grained information from it. This paper addresses these challenges and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.

Two articles.

Posted on November 16, 2012 at 6:13 AMView Comments

Risks of Data Portability

Peter Swire and Yianni Lagos have pre-published a law journal article on the risks of data portability. It specifically addresses an EU data protection regulation, but the security discussion is more general.

…Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person’s data. Previous access requests by individuals were limited in scope and format. By contrast, when an individual’s lifetime of data must be exported ‘without hindrance,’ then one moment of identity fraud can turn into a lifetime breach of personal data.

They have a point. If you’re going to allow users to download all of their data with one command, you might want to double- and triple-check that command. Otherwise it’s going to become an attack vector for identity theft and other malfeasance.

Posted on October 24, 2012 at 1:27 PMView Comments

Analysis of How Bitcoin Is Actually Used

Quantitative Analysis of the Full Bitcoin Transaction Graph,” by Dorit Ron and Adi Shamir:

Abstract. The Bitcoin scheme is a rare example of a large scale global payment system in which all the transactions are publicly accessible (but in an anonymous way). We downloaded the full history of this scheme, and analyzed many statistical properties of its associated transaction graph. In this paper we answer for the rst time a variety of interesting questions about the typical behavior of account owners, how they acquire and how they spend their Bitcoins, the balance of Bitcoins they keep in their accounts, and how they move Bitcoins between their various accounts in order to better protect their privacy. In addition, we isolated all the large transactions in the system, and discovered that almost all of them are closely related to a single large transaction that took place in November 2010, even though the associated users apparently tried to hide this fact with many strange looking long chains and fork-merge structures in the transaction graph.

The paper has been submitted to the 2013 Financial Cryptography conference.

EDITED TO ADD (10/30): Some commentary.

Posted on October 18, 2012 at 6:11 AMView Comments

Studying Zero-Day Attacks

Interesting paper: “Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World,” by Leyla Bilge and Tudor Dumitras:

Abstract: Little is known about the duration and prevalence of zeroday attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing, while remaining undetected. Unfortunately, these serious threats are difficult to analyze, because, in general, data is not available until after an attack is discovered. Moreover, zero-day attacks are rare events that are unlikely to be observed in honeypots or in lab experiments.

In this paper, we describe a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. We identify 18 vulnerabilities exploited before disclosure, of which 11 were not previously known to have been employed in zero-day attacks. We also find that a typical zero-day attack lasts 312 days on average and that, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to 5 orders of magnitude.

Posted on October 16, 2012 at 6:12 AMView Comments

Using Agent-Based Simulations to Evaluate Security Systems

Kay Hamacher and Stefan Katzenbeisser, “Public Security: Simulations Need to Replace Conventional Wisdom,” New Security Paradigms Workshop, 2011.

Abstract: Is more always better? Is conventional wisdom always the right guideline in the development of security policies that have large opportunity costs? Is the evaluation of security measures after their introduction the best way? In the past, these questions were frequently left unasked before the introduction of many public security measures. In this paper we put forward the new paradigm that agent-based simulations are an effective and most likely the only sustainable way for the evaluation of public security measures in a complex environment. As a case-study we provide a critical assessment of the power of Telecommunications Data Retention (TDR), which was introduced in most European countries, despite its huge impact on privacy. Up to now it is unknown whether TDR has any benefits in the identification of terrorist dark nets in the period before an attack. The results of our agent-based simulations suggest, contrary to conventional wisdom, that the current practice of acquiring more data may not necessarily yield higher identification rates.

Both the methodology and the conclusions are interesting.

Posted on September 26, 2012 at 7:11 AMView Comments

Recent Developments in Password Cracking

A recent Ars Technica article made the point that password crackers are getting better, and therefore passwords are getting weaker. It’s not just computing speed; we now have many databases of actual passwords we can use to create dictionaries of common passwords, or common password-generation techniques. (Example: dictionary word plus a single digit.)

This really isn’t anything new. I wrote about it in 2007. Even so, the article has caused a bit of a stir since it was published. I didn’t blog about it then, because I was waiting for Joe Bonneau to comment. He has, in a twopart blog post that’s well worth reading.

Password cracking can be evaluated on two nearly independent axes: power (the ability to check a large number of guesses quickly and cheaply using optimized software, GPUs, FPGAs, and so on) and efficiency (the ability to generate large lists of candidate passwords accurately ranked by real-world likelihood using sophisticated models). It’s relatively simple to measure cracking power in units of hashes evaluated per second or hashes per second per unit cost. There are details to account for, like the complexity of the hash being evaluated, but this problem is generally similar to cryptographic brute force against unknown (random) keys and power is generally increasing exponentially in tune with Moore’s law. The move to hardware-based cracking has enabled well-documented orders-of-magnitude speedups.

Cracking efficiency, by contrast, is rarely measured well.

Finally, there are two basic schemes for choosing secure passwords: the Schneier scheme and the XKCD scheme.

Posted on September 19, 2012 at 4:41 AMView Comments

New Attack Against Chip-and-Pin Systems

Well, new to us:

You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. It’s called a “pre-play” attack. Just like most vulnerabilities we find these days some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation.

Paper here. And news article.

Posted on September 11, 2012 at 12:38 PMView Comments

Hacking Brain-Computer Interfaces

In this fascinating piece of research, the question is asked: can we surreptitiously collect secret information from the brains of people using brain-computer interface devices? One article:

A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal information by presenting 30 headset-wearing subjects with images of ATM machines, debit cards, maps, people, and random numbers in a series of experiments. The paper, titled “On the Feasibility of Side-Channel Attacks with Brain Computer Interfaces,” represents the first major attempt to uncover potential security risks in the use of the headsets.

This is a new development in spyware.

EDITED TO ADD (9/6): More articles. And here’s a discussion of the pros and cons of this sort of technology.

Posted on September 5, 2012 at 6:06 AMView Comments

Measuring Cooperation and Defection using Shipwreck Data

In Liars and Outliers, I talk a lot about social norms and when people follow them. This research uses survival data from shipwrecks to measure it.

The authors argue that shipwrecks can actually tell us a fair bit about human behavior, since everyone stuck on a sinking ship has to do a bit of cost-benefit analysis. People will weigh their options—which will generally involve helping others at great risk to themselves—amidst a backdrop of social norms and, at least in case of the Titanic, direct orders from authority figures. “This cost-benefit logic is fundamental in economic models of human behavior,” the authors write, suggesting that a shipwreck could provide a real-world test of ideas derived from controlled experiments.

Eight ideas, to be precise. That’s how many hypotheses the authors lay out, ranging from “women have a survival advantage in shipwrecks” to “women are more likely to survive on British ships, given the UK’s strong sense of gentility.” They tested them using a database of ship sinkings that encompasses over 15,000 passengers and crew, and provides information on everything from age and sex to whether the passenger had a first-class ticket.

For the most part, the lessons provided by the Titanic simply don’t hold. Excluding the two disasters mentioned above, crew members had a survival rate of over 60 percent, far higher than any other group analyzed. (Although they didn’t consistently survive well—in about half the wrecks, there was no statistical difference between crew and passengers). Rather than going down with the ship, captains ended up coming in second, with just under half surviving. The authors offer a number of plausible reasons for crew survival, including better fitness, a thorough knowledge of the ship that’s sinking, and better training for how to handle emergencies. In any case, however, they’re not clearly or consistently sacrificing themselves to save their passengers.

At the other end of the spectrum, nearly half the children on the Titanic survived, but figures for the rest of the shipwrecks were down near 15 percent. About a quarter of women survived other sinkings, but roughly three times that made it through the Titanic alive. If you exclude the Titanic, female survival was 18 percent, or about half the rate at which males came through alive.

What about social factors? Having the captain order “women and children first” did boost female survival, but only by about 10 percentage points. Most of the other ideas didn’t pan out. For example, the speed of sinking, which might give the crew more time to get vulnerable passengers off first, made no difference whatsoever to female survival. Neither did the length of voyage, which might give passengers more time to get to know both the boat and each other. The fraction of passengers that were female didn’t seem to make a difference either.

One social factor that did play a role was price of ticket: “there is a class gradient in survival benefitting first class passengers.” Another is the being on a British ship, where (except with the Titanic), women actually had lower rates of survival.

Paper here (behind a paywall):

Abstract: Since the sinking of the Titanic, there has been a widespread belief that the social norm of “women and children first” (WCF) give women a survival advantage over men in maritime disasters, and that captains and crew members give priority to passengers. We analyze a database of 18 maritime disasters spanning three centuries, covering the fate of over 15,000 individuals of more than 30 nationalities. Our results provide a unique picture of maritime disasters. Women have a distinct survival disadvantage compared with men. Captains and crew survive at a significantly higher rate than passengers. We also find that: the captain has the power to enforce normative behavior; there seems to be no association between duration of a disaster and the impact of social norms; women fare no better when they constitute a small share of the ship’s complement; the length of the voyage before the disaster appears to have no impact on women’s relative survival rate; the sex gap in survival rates has declined since World War I; and women have a larger disadvantage in British shipwrecks. Taken together, our findings show that human behavior in life-and-death situations is best captured by the expression “every man for himself.”

Posted on August 14, 2012 at 1:16 PMView Comments

1 58 59 60 61 62 86

Sidebar photo of Bruce Schneier by Joe MacInnis.