"Should I Worry?" A Cross-Cultural Examination of Account Security Incident Response
Elissa M. Redmiles (University of Maryland)
Digital security technology is able to identify and prevent many threats to users accounts. However, some threats remain that, to provide reliable security, require human intervention: e.g., through users paying attention to warning messages or completing secondary authentication procedures. While prior work has broadly explored people's mental models of digital security threats, we know little about users' precise, in-the-moment response process to in-the-wild threats. In this work, we conduct a series of qualitative interviews (n=67) with users who had recently experienced suspicious login incidents on their real Facebook accounts in order to explore this process of account security incident response. We find a common process across participants from five countries -- with differing online and offline cultures -- allowing us to identify areas for future technical development to best support user security. We provide additional insights on the unique nature of incident-response information seeking, known attacker threat models, and lessons learned from a large, cross-cultural qualitative study of digital security.
Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash?
Yujin Kwon (KAIST), Hyoungshick Kim (Sungkyunkwan University), Jinwoo Shin (KAIST), Yongdae Kim (KAIST)
Bitcoin has become the most popular cryptocurrency based on a peer-to-peer network. In Aug. 2017, Bitcoin was split into the original Bitcoin (BTC) and Bitcoin Cash (BCH). Since then, miners have had a choice between BTC and BCH mining because they have compatible proof-of-work algorithms. Therefore, they can freely choose which coin to mine for higher profit, where the profitability depends on both the coin price and mining difficulty. Some miners can immediately switch the coin to mine only when mining difficulty changes because the difficulty changes are more predictable than that for the coin price, and we call this behavior fickle mining.
In this paper, we study the effects of fickle mining by modeling a game between two coins. To do this, we consider both fickle miners and some factions (e.g., BITMAIN for BCH mining) that stick to mining one coin to maintain that chain. In this model, we show that fickle mining leads to a Nash equilibrium in which only a faction sticking to its coin mining remains as a loyal miner to the less valued coin (e.g., BCH), where loyal miners refer to those who conduct mining even after coin mining difficulty increases. This situation would cause severe centralization, weakening the security of the coin system.
To determine which equilibrium the competing coin systems (e.g., BTC vs. BCH) are moving toward, we traced the historical changes of mining power for BTC and BCH and found that BCH often lacked loyal miners until Nov. 13, 2017, when the difficulty adjustment algorithm of BCH mining was changed. However, the change in difficulty adjustment algorithm of BCH mining led to a state close to the stable coexistence of BTC and BCH. We also demonstrate that the lack of BCH loyal miners may still be reached when a fraction of miners automatically and repeatedly switches to the most profitable coin to mine (i.e., automatic
mining). According to our analysis, as of Dec. 2018, loyal miners to BCH would leave if more than about 5% of the total mining capacity for BTC and BCH has engaged in the automatic mining. In addition, we analyze the recent “hash war” between Bitcoin ABC and SV, which confirms our theoretical analysis. Finally, we note that our results can be applied to any competing cryptocurrency systems in which the same hardware (e.g., ASICs or GPUs) can be used for mining. Therefore, our study brings new and important angles in competitive coin markets: a coin can intentionally weaken the security and decentralization level of the other rival coin when mining hardware is shared between them, allowing for automatic mining.
Stealthy Porn: Understanding Real-World Adversarial Images for Illicit Online Promotion
Kan Yuan (Indiana University Bloomington), Di Tang (Chinese University of Hong Kong), Xiaojing Liao (Indiana University Bloomington), XiaoFeng Wang (Indiana University Bloomington), Xuan Feng (Indiana University Bloomington/Chinese Academy of Sciences), Yi Chen (Indiana University Bloomington/Chinese Academy of Sciences), Menghan Sun (Chinese University of Hong Kong), Haoran Lu (Indiana University Bloomington), Kehuan Zhang (Chinese University of Hong Kong)
Recent years have witnessed the rapid progress in deep learning (DP), which also brings their potential weaknesses to the spotlights of security and machine learning studies. With important discoveries made by adversarial learning research, surprisingly little attention, however, has been paid to the real-world adversarial techniques deployed by the cybercriminal to evade image-based detection. Unlike the adversarial examples that induce misclassification using nearly imperceivable perturbation, real-world adversarial images tend to be less optimal yet equally effective. As a first step to understand the threat, we report in the paper a study on adversarial promotional porn images (APPIs) that are extensively used in underground advertising. We show that the adversary today’s strategically constructs the APPIs to evade explicit content detection while still preserving their sexual appeal, even though the distortions and noise introduced are clearly observable to humans. To understand such real-world adversarial images and the underground business behind them, we develop a novel DP-based methodology called Male`na, which focuses on the regions of an image where sexual content is least obfuscated and therefore visible to the target audience of a promotion. Using this technique, we have discovered over 4,000 APPIs from 4,042,690 images crawled from popular social media, and further brought to light the unique techniques they use to evade popular explicit content detectors (e.g., Google Cloud Vision API, Yahoo Open NSFW model), and the reason that these techniques work. Also studied are the ecosystem of such illicit promotions, including the obfuscated contacts advertised through those images, compromised accounts used to disseminate them, and large APPI campaigns involving thousands of images. Another interesting finding is the apparent attempt made by cybercriminals to steal others’ images for their advertising. The study highlights the importance of the research on real-world adversarial learning and makes the first step towards mitigating the threats it poses.
LBM: A Security Framework for Peripherals within the Linux Kernel
Dave (Jing) Tian (University of Florida), Grant Hernandez (University of Florida), Joseph Choi (University of Florida), Vanessa Frost (University of Florida), Peter Johnson (Middlebury College), Kevin Butler (University of Florida)
Modern computer peripherals are diverse in their capabilities and functionality, ranging from keyboards and print- ers to smartphones and external GPUs. In recent years, periph- erals increasingly connect over a small number of standardized communication protocols, including USB, Bluetooth, and NFC. The host operating system is responsible for managing these devices; however, malicious peripherals can request additional functionality from the OS resulting in system compromise, or can craft data packets to exploit vulnerabilities within OS software stacks. Defenses against malicious peripherals to date only partially cover the peripheral attack surface and are limited to specific protocols (e.g., USB). In this paper, we propose Linux (e)BPF Modules (LBM), a general security framework that provides a unified API for enforcing protection against malicious peripherals within the Linux kernel. LBM leverages the eBPF packet filtering mechanism for performance and extensibility and we provide a high-level language to facilitate the development of powerful filtering functionality. We demonstrate how LBM can provide host protection against malicious USB, Bluetooth, and NFC devices; we also instantiate and unify existing defenses under the LBM framework. Our evaluation shows that the overhead introduced by LBM is within 1 μs per packet in most cases, application and system overhead is negligible, and LBM outperforms other state-of-the-art solutions. To our knowledge, LBM is the first security framework designed to provide comprehensive protection against malicious peripherals within the Linux kernel.
SoK: Shining Light on Shadow Stacks
Nathan Burow (Purdue University), Xinping Zhang (Purdue University), Mathias Payer (EPFL)
Control-Flow Hijacking attacks are the dominant
attack vector against C/C++ programs. Control-Flow Integrity
(CFI) solutions mitigate these attacks on the forward edge,
i.e., indirect calls through function pointers and virtual calls.
Protecting the backward edge is left to stack canaries, which are
easily bypassed through information leaks. Shadow Stacks are
a fully precise mechanism for protecting backwards edges, and
should be deployed with CFI mitigations.
We present a comprehensive analysis of all possible shadow
stack mechanisms along three axes: performance, compatibil-
ity, and security. For performance comparisons we use SPEC
CPU2006, while security and compatibility are qualitatively
analyzed. Based on our study, we renew calls for a shadow
stack design that leverages a dedicated register, resulting in
low performance overhead, and minimal memory overhead,
but sacrifices compatibility. We present case studies of our
implementation of such a design, Shadesmar, on Phoronix and
Apache to demonstrate the feasibility of dedicating a general
purpose register to a security monitor on modern architectures,
and Shadesmar’s deployability. Our comprehensive analysis,
including detailed case studies for our novel design, allows
compiler designers and practitioners to select the correct shadow
stack design for different usage scenarios.
Shadow stacks belong to the class of defense mechanisms
that require metadata about the program’s state to enforce
their defense policies. Protecting this metadata for deployed
mitigations requires in-process isolation of a segment of the
virtual address space. Prior work on defenses in this class has
relied on information hiding to protect metadata. We show that
stronger guarantees are possible by repurposing two new Intel
x86 extensions for memory protection (MPX), and page table
control (MPK). Building on our isolation efforts with MPX
and MPK, we present the design requirements for a dedicated
hardware mechanism to support intra-process memory isolation,
and discuss how such a mechanism can empower the next wave of
highly precise software security mitigations that rely on partially
isolated information in a process.
Kiss from a Rogue: Evaluating Detectability of Pay-at-the-Pump Card Skimmers
Nolen Scaife (University of Florida), Jasmine Bowers (University of Florida), Christian Peeters (University of Florida), Grant Hernandez (University of Florida), Imani N. Sherman (University of Florida), Patrick Traynor (University of Florida), Lisa Anthony (University of Florida)
Credit and debit cards enable ﬁnancial transactions at unattended "pay-at-the-pump" gas station terminals across North America. Attackers discreetly open these pumps and install skimmers, which copy sensitive card data. While EMV (“chip-and-PIN”) has made substantial inroads in traditional retailers, such systems have virtually no deployment at pay-at-the-pump terminals due to dramatically higher costs and logistical/regulatory constraints, leaving consumers vulnerable in these contexts. In an effort to improve security, station owners have deployed security indicators such as low-cost tamper-evident seals, and technologists have developed skimmer detection apps for mobile phones. Not only do these solutions put the onus on consumers to notice and react to security concerns at the pump, but the efﬁcacy of these solutions has not been measured. In this paper, we evaluate the indicators available to consumers to detect skimmers. We perform a comprehensive teardown of all known skimmer detection apps for iOS and Android devices, and then conduct a forensic analysis of real-world gas pump skimmer hardware recovered by multiple law enforcement agencies. Finally, we analyze anti-skimmer mechanisms deployed by pump owners/operators, and augment this investigation with an analysis of skimmer reports and accompanying security measures collected by the Florida Department of Agriculture and Consumer Services over four years, making this the most comprehensive long-term study of such devices. Our results show that common gas pump security indicators are not only ineffective at empowering consumers to detect tampering, but may be providing a false sense of security. Accordingly, stronger, reliable, inexpensive measures must be developed to protect consumers and merchants from fraud.