This week I’ve been to Denver, Colorado, to attend the CCS 2015 and present our work SeCage, which is a hypervisor-enforced approach for intra-domain isolation.
The main conference lasted for 3 days (10.13 ~ 10.15). There are 3 parallel tracks for 36 sessions, for specific reasons, I have only listened to 6 sessions.
Following are some of the notes about what I’ve learned from these sessions.
This is a very interesting session that shows the security of iOS/Mac OS. There are 2 papers in this session.
The first is presented by Luyi Xing from Indiana Univercity Bloomington. As he shows, from 2010 to yesterday, in the 4 top security conferences (S&P, Usenix securiy, CCS, NDSS), there are 0 session with 3 papers discussing about iOS security, compared to the 17 sessions with 88 papers about Android security.
The paper presented by Xing is titled Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS. This is an attack paper that shows several ways to attack iOS/Mac OS with full protection (e.g., sandboxing isolating, indirect interaction, direct communication, vetting), and result in the leakage of private data like passwords, tokens, cookies, etc.
This presentation only shows 2 kinds of so-called Unauthorized cross-app resource access (XARA) approaches. the first one is to crack keychain and steal password, while the second one is to intercept IPC using the bugs in distributed objects mechanism, and steal the tokens from Evernote server.
The details can be found in the paper, it shows many interesting points, like the lessons of unclear boundary of responsibilities between developer and Apple, etc. This paper is also armed with 3 Apple CVEs (CVE-2015-3786, CVE-2015-5835, CVE-2015-5836). Thus it is a very typical security paper. I’m going to read it later.
The second presentation is from Brendan Saltaformaggio, Purdue University. It is noted that Brendan have 3 papers in this year’s CCS, one of which wins the best paper award!.
In this presentation, he starts with a very interesting statistics:
As Apple claimed, all applications will be protected by the vetting mechanism. However how well is the vetting performed is under question. In 2015 till now, there are 1.5 million new applications created in apple store, which means 556 application vetting per day! Therefore it is reasonable to say that the vetting process is fast, lightweight, ‘almost’ automatic and may use static program analysis.
This paper is targeted at solving the problem of finding private API abuse in the application. Private API is supposed only used by apple internal. However since the function call in Objective-C can be called sending a message to object, e.g.,
1
| |
can be used to invoke a function foo of object obj. Thus following trick can alse be leveraged to invoke foo function:
1 2 3 4 | |
So it is really hard for static analysis to detect such private API abuse (if foo is a private API).
This this paper, they use static analyssi + Guided forced exection (dynamic analysis) to solve such problem. For static analysis, they use backward slicing, which is vulnerable for obfuscation. Then they use an approach called force execution, to complete the analysis. During force execution, in every branch, the condition is flipped, so that every branch can be reached.
Since I’m not familiar with program analysis, it is a little hard for me to fully understand. More details can be found in the paper.
Honestly speaking, I’m not quite interested in papers of this session, just have a simple note for each of the paper:
Monte Carlo Strength Evaluation: Fast and Reliable Password Checking, is to use the probabilistic password models to design a scientifically sound password strength meter.Surpass: System-initiated user-replaceable passwords, the motivation is that random passwords are secure, but hard to memorized. Thus they design a mechanism that user can replace password initialized by system randomly for memorable. They have done many surveys on the tradeoff between entropy and memorability, and provide some statistic conclusion. Some interesting points is that they use large-scale amazone mechanical turk for recruiting 5312 anticipator, and use hashcat for cracking passwords.Optimal Distributed Password Verification, the problem it wants to solve is the single server/point of failure, which may cause the whole data of password stolen, and offline dictionary attacks can be conducted. In this paper, it proposes a distributed password verification mechanism, so that even one server is under attack, the password is still safe.In this session, I only listen to 3 presentations.
The first one is titled It's a TRAP: Table Randomization and Protection against Function Reuse Attacks. This is a paper targeted at solving Counterfeit OOP (COOP), shamefully I’m not familiar with this attack! I can only tell that this paper proposes to randomize vtable. But I’m not quite clear about the challenges and solution, since I’m newbie for C++.
The second one is very interesting, it is called Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads. It uses a technique called destructive code read to solve the problem of code disclosure attack for ASLR, e.g., JIT-ROP. The main idea is that for systems where data/code are mixed, all memory can be read, but executale memory should be mediated after reading. So different with previous solution like XnR, this paper thinks, we do not need to prohibit the executable memory read, since it is not compatible for systems especially like Windows. We only need to take care if we found the executable memory is read. Therefore, they use the EPT mechanism, because EPT seperate read permission with executable permission, to mediate the executable memory after reading.
The third one is titled Timely Rerandomization for Mitigating Memory Disclosures, it is also relate to attacks like JIT-ROP, the core idea is to synchronize with the attacker, more specifically:
which means, if we know when the code memory is leaked, we can rerandomize the memory, so that the JIT-ROP is prevented. Therefore, they choose to rerandomize after some I/O system calls, since attackers must leak the memory from network I/O.
There are 2 papers in this session.
The 1st one Towards Automatic Generation of Security-Centric Descriptions for Android Apps is done by Mu Zhang from NEC Laboratories America. The authors list also includes Heng Yin from Syracuse University. The motivation of this paper is that in Android there are 2 mechanisms to describe the application, permission and textual description. However, permission is not inadequate and hard to understand, while textual decription is devated with permission, and not related to security. So the goal of this paper is to automatically generate the textual description by analyse the whole program, and to help to understand security risk for average user in semantic level. The technique they use is
behavior graph generation -> subgraph mining & graph compression -> natural language generation
The 2nd paper is called AUTOREB: Automatically Understanding the Review-to- Behavior Fidelity in Android Applications, by Deguang Kong from Samsung Research America. This paper is quite simple, it just focus on user comments and app behaviors, and infer security issue from user reviews. They need to solve some challenges:
More details can be found in the paper if you are interested in it.
CFI is still popular in this year, there are totally 5 presentations in this session, the 1st one is to show the problems of current static analysis for CFG generation; The 2nd one is to generate CFG per input, to reduce the number of edges for the CFG; The 3rd one is called Practical Context-Sensitive CFI, it uses LBR to enforece context-sensitive CFI during runtime; The 4th one is CCFI: Cryptographically Enforced Control Flow Integrity, and the last is Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks.
This is the session where my presentation is in, though I don’t know why my paper is located in this session.
There are 4 papers in total, I’ve listened for 2, except my own.
The 1st is titled Mitigating Storage Side Channels Using Statistical Privacy Mechanisms. It is by Qiuyu Xiao from University of North Carolina and Yinqian Zhang from The Ohio State University. This paper leverages differntial privacy to solve the side channle attack by revealing private information (e.g., which website you are scanning) from procfs (like memory/cpu states). It adds some noise to procfs, while remaining most of the correctness.
The 2nd one is Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration by Soo-Jin Moon from Carnegie Mellon University. The goal of this paper is realize a general deployable system to defend against cloud side-channel attack. It simply use migration to mitigate such attacks, make sure the VMs not share the same physical machine for long time.
My prenstation is the last one in the last session. I should say it is OK with the talk (though still a little nervous), but for Q/A, it is quite embarrassed, 4 people ask 5 questions. However many of them are not clearly understood.
3 about static analysis:
1 about VMFUNC security by prateek
1 about selective plaintext attack? Not quite understand.
The good thing is though I’m the last presentor, there are still a lot of questions, which means lots of people are interested in my work. The bad things is I’m quite awkful!
In CCS, I find myself not quite active in socializing with others. Most people I met and talked with are Chinese, either professors like Yan Huang, Kun Sun, Li Depeng, Yinqian Zhang, Yin Heng, Dongyan Xu, Long Lu, Prateek, Xiapu Luo, or students like Guoxing Chen, Jian Liu, Xiaokuan Zhang, Qiuyu Xiao, Yaohui Chen.