Workshops on Tuesday, September 7

• 
  Co-Located: CACOE: Cyberange Technologies Workshop & WACCO: Workshop on Attackers and Cyber-Crime Operations
  Zoom Room A ¦ 10:00 AM - 5:45 PM CEST ¦ Program
• 
  COnSeNT: 1st International Workshop on Consent Mangement in Online Services, Networks and Things
  Zoom Room B ¦ 10:00 AM - 4:15 PM CEST ¦ Program
• 
  IWPE: 2021 International Workshop on Privacy Engineering
  Zoom Room C ¦ 2:00 - 8:10 PM CEST ¦ Program
• 
  S&B: Workshop on Security & Privacy on the Blockchain
  Zoom Room D ¦ 2:00 - 5:20 PM CEST ¦ Program

The detailed program of the workshops can be found on the respective websites.

Understanding microarchitectural vulnerabilities and countermeasures
Speaker: Frank Piessens, KU Leuven, Belgium

Abstract: It has been known for quite a while that processor optimization features like caches or branch predictors can leak secret information to attackers executing code on the same processor as the victim. With the recent discovery of transient execution attacks like Spectre, Meltdown, and their many variants, it has become clear that these information leaks can be significantly worse than previously expected.

As a consequence, the last four years have seen very intense activity in this area, both in academia and in industry. It is now well-understood that some insight into processor microarchitecture, i.e. the way in which a processor implementation is organized and what performance optimization techniques it uses, is important to evaluate the security properties of software executing on that processor.
One of the key research challenges is to design adequate models of processor behavior, detailed enough to capture relevant attacks, but simple enough to enable the verification of security claims and the evaluation of the benefits and costs of countermeasures.

This talk will provide an overview of the current understanding of microarchitectural vulnerabilities and countermeasures, with a focus on how the language-based security community is trying to build adequate processor models that can be used to evaluate countermeasure designs, and to prove the security of software running on these processors.

Frank Piessens is a professor in the research group DistriNet (Distributed Systems and Computer Networks) at the Computer Science department of the Katholieke Universiteit Leuven. His main research interests are in the field of software security, where he focuses on the development of high-assurance techniques to deal with implementation-level software vulnerabilities and bugs, including techniques such as software verification, run-time monitoring, type systems, language based security and hardware-software co-design for security. These techniques are relevant for many types of software systems, including web applications, embedded software, mobile applications and so forth.

An Investigation of Online Reverse Engineering Community Discussions in the Context of Ghidra
Daniel Votipka (Tufts University); Mary Nicole Punzalan, Seth Rabin, Yla Tausczik and Michelle Mazurek (University of Maryland)

Countering Concurrent Login Attacks in "Just Tap" Push-based Authentication: A Redesign and Usability Evaluations
Jay Prakash, Clarice Chua Qing Yu, Tanvi Ravindra Thombre and Andrei Bytes (Singapore University of Technology and Design); Mohammed Jubur and Nitesh Saxena (University of Alabama at Birmingham); Lucienne Blessing, Jianying Zhou and Tony Q. S Quek (Singapore University of Technology and Design)

SoK: Context Sensing for Access Control in the Adversarial Home IoT
Weijia He, Valerie Zhao, Olivia Morkved and Sabeeka Siddiqui (University of Chicago); Earlence Fernandes (University of Wisconsin-Madison); Josiah Hester (Northwestern University); Blase Ur (University of Chicago)

Secure Messaging Authentication against Active Man-in-the-Middle Attacks
Benjamin Dowling (ETH Zürich); Britta Hale (Naval Postgraduate School (NPS))

Press @$@$ to Login: Strong Wearable Second Factor Authentication via Short Memorywise Effortless Typing Gestures
Prakash Shrestha (Equifax Inc.); Nitesh Saxena (University of Alabama at Birmingham); Diksha Shukla (University of Wyoming); Vir V. Phoha (Syracuse University)

Fully Distributed Verifiable Random Functions and their Application to Decentralised Random Beacons
David Galindo (Fetch.ai and University of Birmingham); Jia Liu (Fetch.ai); Mihai Ordean (University of Birmingham); Jin-Mann Wong (British Antarctic Survey)

ConFuzzius: A Data Dependency-Aware Hybrid Fuzzer for Smart Contracts
Christof Ferreira Torres and Antonio Ken Iannillo (University of Luxembourg); Arthur Gervais (Imperial College London); Radu State (University of Luxembourg)

SoK: Cryptojacking Malware
Ege Tekiner, Abbas Acar and A. Selcuk Uluagac (Florida International University); Engin Kirda (Northeastern University); Ali Aydin Selcuk (TOBB University of Economics and Technology)

Cryptocurrencies with Security Policies and Two-Factor Authentication
Florian Breuer (KIT); Vipul Goyal (CMU and NTT); Giulio Malavolta (MPI-SP)

Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability
Hojjat Aghakhani, Dongyu Meng, Yu-Xiang Wang, Christopher Kruegel and Giovanni Vigna (University of California, Santa Barbara)

Trojaning Language Models for Fun and Profit
Xinyang Zhang and Zheng Zhang (Pennsylvania State University); Shouling Ji (Zhejiang University); Ting Wang (Pennsylvania State University)

Fall of Giants: How popular text-based MLaaS fall against a simple evasion attack
Luca Pajola and Mauro Conti (University of Padua)

Sponge Examples: Energy-Latency Attacks on Neural Networks
Ilia Shumailov, Yiren Zhao and Daniel Bates (University of Cambridge); Nicolas Papernot (University of Toronto and Vector Institute); Robert Mullins and Ross Anderson (University of Cambridge)

On the (In)Feasibility of Attribute Inference Attacks on Machine Learning Models
Benjamin Zi Hao Zhao (University of New South Wales & Data61-CSIRO); Aviral Agrawal (BITS Pilani K.K.Birla Goa campus & Macquarie University & Data61-CSIRO); Catisha Coburn (Defence Science and Technology Group); Hassan Jameel Asghar (Macquarie University & Data61-CSIRO); Raghav Bhaskar (Data61-CSIRO); Mohamed Ali Kaafar (Macquarie University & Data61-CSIRO); Darren Webb and Peter Dickinson (Defence Science and Technology Group)

Privacy of DNS-over-HTTPS: Requiem for a Dream?
Levente Csikor (National University of Singapore); Himanshu Singh (IIIT); Min Suk Kang (KAIST); Dinil Mon Divakaran (Trustwave)

Epoque: Practical End-to-End Verifiable Post-Quantum-Secure E-Voting
Xavier Boyen (Queensland University of Technology); Thomas Haines (NTNU Trondheim); Johannes Mueller (University of Luxembourg)

On the Privacy Risks of Algorithmic Fairness
Hongyan Chang and Reza Shokri (National University of Singapore)

Compression Boosts Differentially Private Federated Learning
Raouf Kerkouche (Privatics team, Univ. Grenoble Alpes, Inria, 38000 Grenoble, France); Gergely Ács (Crysys Lab, BME-HIT Budapest); Claude Castelluccia (Privatics team, Univ. Grenoble Alpes, Inria, 38000 Grenoble, France) and Pierre Genevès (Tyrex team, Univ. Grenoble Alpes, CNRS, Inria, Grenoble INP, LIG, 38000 Grenoble)

We Built This Circuit: Exploring Threat Vectors in Circuit Establishment in Tor
Theodor Schnitzler (Ruhr-Universität Bochum); Christina Pöpper (New York University Abu Dhabi); Markus Dürmuth (Ruhr-Universität Bochum); Katharina Kohls (Radboud University)

Can ISPs Help Mitigate IoT Malware? A Longitudinal Study of Broadband ISP Security Efforts
Arman Noroozian and Elsa Turcios Rodriguez (TU-Delft); Elmer Lastdrager (SIDN Labs); Takahiro Kasama (NICT); Michel van Eeten and Carlos H. Ganan (TU-Delft)

Prognosis Negative: Evaluating Real-Time Behavioral Ransomware Detectors
Abhinav Gupta, Aditi Prakash and Nolen Scaife (University of Colorado Boulder)

Remote Non-Intrusive Malware Detection for PLCs based on Chain of Trust Rooted in Hardware
Prashant Hari Narayan Rajput, Esha Sarkar and Dimitrios Tychalas (NYU Tandon School of Engineering); Michail Maniatakos (New York University Abu Dhabi)

Sok: Attacks on Industrial Control Logic and Formal Verification-Based Defenses
Ruimin Sun, Alejandro Mera, Long Lu and David Choffnes (Northeastern University)

Ephemeral Astroturfing Attacks: The Case of Fake Twitter Trends
Tugrulcan Elmas, Rebekah Overdorf, Ahmed Furkan Özkalay and Karl Aberer (EPFL)

BGPeek-a-Boo: Active BGP-based Traceback for Amplification DDoS Attacks
Johannes Krupp and Christian Rossow (CISPA Helmholtz Center for Information Security)

SoK: A Framework for Asset Discovery: Systematizing Advances in Network Measurements for Protecting Organizations
Mathew Vermeer (Delft University of Technology); Jonathan West (University of Tulsa); Alejandro Cuevas (Carnegie Mellon University); Shuonan Niu (University of Tulsa); Nicolas Christin (Carnegie Mellon University); Michel van Eeten, Tobias Fiebig and Carlos Gañán (Delft University of Technology); Tyler Moore (University of Tulsa)

AppJitsu: Investigating the Resiliency of Android Applications
Onur Zungur (Boston University); Antonio Bianchi (Purdue University); Gianluca Stringhini and Manuel Egele (Boston University)

SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers
Thomas Rokicki (Univ Rennes, CNRS, IRISA); Clémentine Maurice and Pierre Laperdrix (Univ Lille, CNRS, Inria)

The mentoring session will include both small 2-on-2 chats as well as round tables discussing a topic.

SoK: Secure FPGA Multi-Tenancy in the Cloud: Challenges and Opportunities
Shaza Zeitouni, Ghada Dessouky and Ahmad-Reza Sadeghi (Technische Universität Darmstadt)

Nonce@Once: A Single-Trace EM Side Channel Attack on Several Constant-Time Elliptic Curve Implementations in Mobile Platforms
Monjur Alam, Baki Yilmaz and Frank Werner (Georgia Tech); Niels Samwel (Radboud University); Alenka Zajic (Georgia tech); Daniel Genkin (University of Michigan); Yuval Yarom (University of Adelaide and Data61); Milos Prvulovic (Georgia Tech)

DY*: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code
Karthikeyan Bhargavan (INRIA); Abhishek Bichhawat (Carnegie Mellon University and IIT Gandhinagar); Quoc Huy Do, Pedram Hosseyni, Ralf Küsters, Guido Schmitz and Tim Würtele (University of Stuttgart)

Nontransitive Policies Transpiled
Mohammad M. Ahmadpanah (Chalmers University of Technology); Aslan Askarov (Aarhus University); Andrei Sabelfeld (Chalmers University of Technology)

After the Attack: Security through Resilience and Recovery
Speaker: Susan McGregor, Columbia University, US

Abstract: While a main focus of security research is on identifying, mitigating and preventing attacks, the reality is that security failures always have - and always will - continue to happen. What's more, as computing continues to become more distributed and attack surfaces increase, the possibility of truly "securing" real-world computational systems diminishes. Given this environment of persistent attacks and security failures, this talk will explore the question of whether security research should begin to look beyond prevention and begin to concern itself more actively with questions of resilience and recovery when security failures inevitably happen.

Susan McGregor an Associate Research Scholar at Columbia University’s Data Science Institute, where she also co-chairs its Center for Data, Media & Society. McGregor’s research is centered on security and privacy issues affecting journalists and media organizations. Her current projects include NSF-funded work to provide readers with stronger guarantees about digital media by integrating cryptographic signatures into digital publishing workflows, an effort to develop novel classifiers for detecting abusive and harassing speech targeting journalists on Twitter, and using artificial intelligence and computer vision to help journalists recognize unfamiliar political graphics when reporting in the field.

Angry Birding: Evaluating Application Exceptions as Attack Canaries
Tolga Ünlü (Abertay University), Lynsay Shepherd (Abertay University), Natalie Coull (University of Abertay Dundee) and Colin Mclean (University of Abertay Dundee)

Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions
Suzan Ali, Mounir Elgharabawy, Quentin Duchaussoy, Mohammad Mannan, Amr Youssef (Concordia University, Montreal, Canada)
received the Distinguished Paper Award @ ACSAC 2020

DyPolDroid: User-Centered Counter-Policies Against Android Permission-Abuse Attacks
Matthew Hill (Texas A&M Corpus Christi), Carlos Rubio-Medrano (Texas A&M Corpus Christi), Luis Claramunt (Arizona State University) and Jaejong Baek (Arizona State University)

Faulty Point Unit: ABI Poisoning Attacks on Trusted Execution Environments
Fritz Alder, Jo Van Bulck (KU Leuven, Belgium), Jesse Spielman, David Oswald (University of Birmingham, UK), Frank Piessens (KU Leuven, Belgium)
received the Distinguished Paper Award @ ACSAC 2020

FLATEE -- Federated Learning Across Trusted Execution Environments
Arup Mondal (Ashoka University), Yash More (Ashoka University), Ruthu Rooparaghunath (Ashoka University) and Debayan Gupta (Ashoka University)

Obfuscation Revealed - Electromagnetic obfuscated malware classification
Duy-Phuc Pham (Univ Rennes, CNRS, IRISA), Damien Marion (Univ Rennes, CNRS, IRISA) and Annelie Heuser (Univ Rennes, CNRS, IRISA)

Preventing Spatial and Privacy Attacks in Mobile Augmented Reality Technologies
Luis Claramunt (Arizona State University), Larissa Pokam Epse (Arizona State University), Carlos Rubio-Medrano (Texas A&M University - Corpus Christi), Jaejong Baek (Arizona State University) and Gail-Joon Ahn (Arizona State University & Samsung Research)

Reducing Data Leakage on Personal Data Management Systems
Robin Carpentier (Université de Versailles Saint-Quentin-en-Yvelines), Iulian Sandu Popa (Université de Versailles Saint-Quentin-en-Yvelines) and Nicolas Anciaux (INRIA)

RLBox: Retrofitting Fine Grain Isolation in the Firefox Renderer
Shravan Narayan (UC San Diego), Craig Disselkoen (UC San Diego), Tal Garfinkel (Independent), Sorin Lerner (UC San Diego), Hovav Shacham (UT Austin), Deian Stefan (UC San Diego)
received the Distinguished Paper Award @ USENIX Security 2020

The Need for a Collaborative Approach to Cyber Security Education
Gregor Langner (AIT Austrian Institute of Technology), Jerry Andriessen (Wise & Munro), Gerald Quirchmayr (University of Vienna), Steven Furnell (University of Nottingham), Vittorio Scarano (Universit`a degli Studi di Salerno) and Teemu Johannes Tokola (University of Oulu)

The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs
Maik Ender, Amir Moradi (Ruhr University Bochum, Germany), Christof Paar (Max Planck Institute for Security and Privacy, Germany)
received the Distinguished Paper Award @ USENIX Security 2020

Towards Verifiable Mutability for Blockchains
Erik Daniel (Technische Universität Berlin) and Florian Tschorsch (Technische Universität Berlin)

ANDRUSPEX: Leveraging Graph Representation Learning to Predict Harmful App Installations on Mobile Devices
Yun Shen (NortonLifeLock Research Group); Gianluca Stringhini (Boston University)

D-Fence: A Flexible, Efficient, and Comprehensive Phishing Email Detection System
Jehyun Lee, Farren Tang, Pingxiao Ye, Fahim Abbasi, Phil Hay and Dinil Mon Divakaran (Trustwave)

Extractor: Extracting Attack Behavior from Threat Reports
Kiavash Satvat, Rigel Gjomemo and V.N. Venkatakrishnan (University of Illinois at Chicago)

FastSpec: Scalable Generation and Detection of Spectre Gadgets Using Neural Embeddings
M. Caner Tol (Worcester Polytechnic Institute); Berk Gulmezoglu (Iowa State University); Koray Yurtseven and Berk Sunar (Worcester Polytechnic Institute)

Bypassing memory safety mechanisms through speculative control flow hijacks
Andrea Mambretti (Northeastern University); Alexandra Sandulescu and Alessandro Sorniotti (IBM Research - Zurich); William Robertson and Engin Kirda (Northeastern University); Anil Kurmus (IBM Research - Zurich)

NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking
Markus Bauer and Christian Rossow (CISPA − Helmholtz Center for Information Security)

Compiler-Assisted Hardening of Embedded Software Against Interrupt Latency Side-Channel Attacks
Hans Winderix, Jan Tobias Mühlberg and Frank Piessens (KU Leuven)

Aim, Wait, Shoot: How the CACHESNIPER Technique Improves Unprivileged Cache Attacks
Samira Briongos (NEC Laboratories Europe); Ida Bruhns (Universität zu Lübeck); Pedro Malagón (Universidad Politécnica de Madrid); Thomas Eisenbarth (Universität zu Lübeck); José Moya (Universidad Politécnica de Madrid)