 |
Sandboxing 2015 |
At a recent Lablet quarterly meeting and at the HotSoS 2015 Symposium and Bootcamp on the Science of Security, sandboxing was discussed as an important tool for the Science of Security community, particularly with regard to developing composable systems and policy-governed systems. To many researchers, it is a promising method for preventing and containing damage. Sandboxing, frequently used to test unverified programs that may contain malware, allows the software to run without harming the host device. The bibliographies cited here are of articles about sandboxing published in 2015.
Irazoqui, G.; Eisenbarth, T.; Sunar, B., “S$A: A Shared Cache Attack that Works Across Cores and Defies VM Sandboxing — and Its Application to AES,” in Security and Privacy (SP), 2015 IEEE Symposium on, vol., no., pp. 591–604, 17–21 May 2015. doi:10.1109/SP.2015.42
Abstract: The cloud computing infrastructure relies on virtualized servers that provide isolation across guest OS’s through sand boxing. This isolation was demonstrated to be imperfect in past work which exploited hardware level information leakages to gain access to sensitive information across co-located virtual machines (VMs). In response virtualization companies and cloud services providers have disabled features such as deduplication to prevent such attacks. In this work, we introduce a fine-grain cross-core cache attack that exploits access time variations on the last level cache. The attack exploits huge pages to work across VM boundaries without requiring deduplication. No configuration changes on the victim OS are needed, making the attack quite viable. Furthermore, only machine co-location is required, while the target and victim OS can still reside on different cores of the machine. Our new attack is a variation of the prime and probe cache attack whose applicability at the time is limited to L1 cache. In contrast, our attack works in the spirit of the flush and reload attack targeting the shared L3 cache instead. Indeed, by adjusting the huge page size our attack can be customized to work virtually at any cache level/size. We demonstrate the viability of the attack by targeting an Open SSL1.0.1f implementation of AES. The attack recovers AES keys in the cross-VM setting on Xen 4.1 with deduplication disabled, being only slightly less efficient than the flush and reload attack. Given that huge pages are a standard feature enabled in the memory management unit of OS’s and that besides co-location no additional assumptions are needed, the attack we present poses a significant risk to existing cloud servers.
Keywords: cache storage; cloud computing; security of data; virtual machines; AES keys; L1 cache; Open SSL1.0.1f implementation; S$A; VM sandboxing; cloud computing infrastructure; cloud servers; cloud services; probe cache attack; shared cache attack; virtual machines; virtualized servers; Cloud computing; Cryptography; Hardware; Monitoring; Program processors; Servers; Cross-VM; cache attacks; flush+reload; huge pages; memory deduplication; prime and probe (ID#: 15-7523)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7163049&isnumber=7163005
Reffett, C.; Fleck, D., “Securing Applications with Dyninst,” in Technologies for Homeland Security (HST), 2015 IEEE International Symposium on, vol., no., pp. 1–6, 14–16 April 2015. doi:10.1109/THS.2015.7225297
Abstract: While significant bodies of work exist for sandboxing potentially malicious software and for sanitizing input, there has been little investigation into using binary editing software to perform either of these tasks. However, because binary editors do not require source code and can modify the software, they can generate secure versions of arbitrary binaries and provide better control over the software than existing approaches. In this paper, we explore the application of the binary editing library Dyninst to both the sandboxing and sanitization problems. We also create a prototype of a more advanced graphical tool to perform these tasks. Finally, we lay the groundwork for more complex and functional tools to solve these problems.
Keywords: program diagnostics; security of data; software libraries; Dyninst; arbitrary binaries; binary editing library; binary editing software; binary editors; graphical tool; input sanitization; malicious software; sanitization problems; secure versions; securing applications; Graphical user interfaces; Instruments; Libraries; Memory management; Monitoring; Runtime; Software; binary instrumentation; dyninst; input sanitization; sandboxing (ID#: 15-7524)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7225297&isnumber=7190491
De Ryck, P.; Nikiforakis, N.; Desmet, L.; Piessens, F.; Joosen, W., “Protected Web Components: Hiding Sensitive Information in the Shadows,” in IT Professional, vol. 17, no.1, pp. 36–43, Jan.–Feb. 2015. doi:10.1109/MITP.2015.12
Abstract: Most modern Web applications depend on the integration of code from third-party providers, such as JavaScript libraries and advertisements. Because the included code runs within the page’s security context, it represents an attractive attack target, allowing the compromise of numerous Web applications through a single attack vector (such as a malicious advertisement). Such opportunistic attackers aim to execute low-profile, nontargeted, widely applicable data-gathering attacks, such as the silent extraction of user-specific data and authentication credentials. In this article, the authors show that third-party code inclusion is rampant, even in privacy-sensitive applications such as online password managers, thereby potentially exposing the user’s most sensitive data to attackers. They propose protected Web components, which leverage the newly proposed Web components, repurposing them to protect private data against opportunistic attacks, by hiding static data in the Document Object Model (DOM) and isolating sensitive interactive elements within a component. This article is part of a special issue on IT security.
Keywords: Internet; data encapsulation; data privacy; document handling; DOM; Document Object Model; IT security; Web applications; Web component protection; attack vector; code integration; data-gathering attacks; opportunistic attacks; page security context; privacy-sensitive applications; sensitive information hiding; sensitive interactive element isolation; static data hiding; third-party code inclusion; Browsers; Computer Security; Context modeling; Data models; Google; HTML; Information technology; Web services; Internet/Web technologies; Web components; information technology; privacy; sandboxing; script inclusion; security; shadow DOM (ID#: 15-7525)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7030138&isnumber=7030137
Thom, D.; Ertl, T., “TreeQueST: A Treemap-Based Query Sandbox for Microdocument Retrieval,” in System Sciences (HICSS), 2015 48th Hawaii International Conference on, vol., no., pp. 1714–1723, 5–8 Jan. 2015. doi:10.1109/HICSS.2015.206
Abstract: Scatter/Gather-browsing has been proposed as a technique for information retrieval that fosters understanding of textual data and identification of key documents by means of exploration and drill-down. It has been found that such approaches are more expensive but not more effective than less interactive search solutions for traditional retrieval tasks. In this paper, however, we show that the rise of online micro document platforms, such as Twitter, has brought new relevance to the technique for finding and understanding information about recent events. Our novel approach builds on hierarchical topic clustering combined with a tree map-based visualization to provide a highly interactive information management and query sandboxing space. Large volumes of data, only accessible through rate- and throughput-limited channels, can thus effectively be filtered and retrieved using iteratively optimized queries. We conducted a user study that demonstrates the performance of our approach compared to plain text search based on the Twitter engine.
Keywords: data visualisation; document handling; pattern clustering; query processing; search engines; social networking (online); trees (mathematics); TreeQueST; Twitter engine; hierarchical topic clustering; information retrieval; microdocument retrieval; tree map-based visualization; treemap-based query sandbox; Data visualization; Media; Navigation; Query processing; Twitter; Visualization; Hierarchical Topics; Twitter; Visual Analytics (ID#: 15-7526)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7070016&isnumber=7069647
Steven Van Acker, Daniel Hausknecht, Wouter Joosen, Andrei Sabelfeld; “Password Meters and Generators on the Web: From Large-Scale Empirical Study to Getting It Right,” CODASPY ’15 Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, March 2015, Pages 253–262. doi:10.1145/2699026.2699118
Abstract: Web services heavily rely on passwords for user authentication. To help users chose stronger passwords, password meter and password generator facilities are becoming increasingly popular. Password meters estimate the strength of passwords provided by users. Password generators help users with generating stronger passwords. This paper turns the spotlight on the state of the art of password meters and generators on the web. Orthogonal to the large body of work on password metrics, we focus on getting password meters and generators right in the web setting. We report on the state of affairs via a large-scale empirical study of web password meters and generators. Our findings reveal pervasive trust to third-party code to have access to the passwords. We uncover three cases when this trust is abused to leak the passwords to third parties. Furthermore, we discover that often the passwords are sent out to the network, invisibly to users, and sometimes in clear. To improve the state of the art, we propose SandPass, a general web framework that allows secure and modular porting of password meter and generation modules. We demonstrate the usefulness of the framework by a reference implementation and a case study with a password meter by the Swedish Post and Telecommunication Agency.
Keywords: passwords, sandboxing, web security (ID#: 15-7527)
URL: http://doi.acm.org/10.1145/2699026.2699118
Niranjan Suri; “Java and Distributed Systems: Observations, Experiences, and ... a Wish List,” PPPJ ’15 Proceedings of the Principles and Practices of Programming on The Java Platform, September 2015, pages 1–1. doi:10.1145/2807426.2817927
Abstract: When Java was introduced to the world at large 20 years ago, it brought many interesting features and capabilities into the mainstream computing environment. A Virtual Machine based approach with a just-in-time compiler that supported sandboxing, dynamic class loading, and introspection enabled a number of novel and innovative network-based applications to be developed. While many of these capabilities existed in some fashion in other prototype and experimental languages, the combination of all of them in a popular general purpose language opened up the possibility of building real systems that could leverage these capabilities. Applets, Jini, JXTA, and many other innovative concepts were introduced over the course of time, building on top of the basic capabilities of Java. This talk will present some personal experiences with using Java in distributed computing environments ranging from mobile software agents to distributed resource sharing to process integrated mechanisms. The basis for many of these capabilities is the Aroma Virtual Machine, a custom Java compatible VM with state capture, migration, and resource control capabilities. Motivations behind the Aroma VM will be discussed, along with design choices and some results. Finally, the talk will discuss a wish list of features that would be nice to have in future versions of Java to enable many more novel applications to be developed.
Keywords: (not provided) (ID#: 15-7528)
URL: http://doi.acm.org/10.1145/2807426.2817927
Ben Niu, Gang Tan; “Per-Input Control-Flow Integrity,” CCS ’15 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, Pages 914–926. doi:10.1145/2810103.2813644
Abstract: Control-Flow Integrity (CFI) is an effective approach to mitigating control-flow hijacking attacks. Conventional CFI techniques statically extract a control-flow graph (CFG) from a program and instrument the program to enforce that CFG. The statically generated CFG includes all edges for all possible inputs; however, for a concrete input, the CFG may include many unnecessary edges. We present Per-Input Control-Flow Integrity (PICFI), which is a new CFI technique that can enforce a CFG computed for each concrete input. PICFI starts executing a program with the empty CFG and lets the program itself lazily add edges to the enforced CFG if such edges are required for the concrete input. The edge addition is performed by PICFI-inserted instrumentation code. To prevent attackers from arbitrarily adding edges, PICFI uses a statically computed all-input CFG to constrain what edges can be added at runtime. To minimize performance overhead, operations for adding edges are designed to be idempotent, so they can be patched to no-ops after their first execution. As our evaluation shows, PICFI provides better security than conventional fine-grained CFI with comparable performance overhead.
Keywords: control-flow integrity, dynamic CFI (ID#: 15-7529)
URL: http://doi.acm.org/10.1145/2810103.2813644
Meng Xu, Yeongjin Jang, Xinyu Xing, Taesoo Kim, Wenke Lee; “UCognito: Private Browsing Without Tears,” CCS ’15 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, Pages 438–449. doi:10.1145/2810103.2813716
Abstract: While private browsing is a standard feature, its implementation has been inconsistent among the major browsers. More seriously, it often fails to provide the adequate or even the intended privacy protection. For example, as shown in prior research, browser extensions and add-ons often undermine the goals of private browsing. In this paper, we first present our systematic study of private browsing. We developed a technical approach to identify browser traces left behind by a private browsing session, and showed that Chrome and Firefox do not correctly clear some of these traces. We analyzed the source code of these browsers and discovered that the current implementation approach is to decide the behaviors of a browser based on the current browsing mode (i.e., private or public); but such decision points are scattered throughout the code base. This implementation approach is very problematic because developers are prone to make mistakes given the complexities of browser components (including extensions and add-ons). Based on this observation, we propose a new and general approach to implement private browsing. The main idea is to overlay the actual filesystem with a sandbox filesystem when the browser is in private browsing mode, so that no unintended leakage is allowed and no persistent modification is stored. This approach requires no change to browsers and the OS kernel because the layered sandbox filesystem is implemented by interposing system calls. We have implemented a prototype system called Ucognito on Linux. Our evaluations show that Ucognito, when applied to Chrome and Firefox, stops all known privacy leaks identified by prior work and our current study. More importantly, Ucognito incurs only negligible performance overhead: e.g., 0%–2.5% in benchmarks for standard JavaScript and webpage loading.
Keywords: browser implementation, filesystem sandbox, private browsing (ID#: 15-7530)
URL: http://doi.acm.org/10.1145/2810103.2813716
Minjia Zhang, Jipeng Huang, Man Cao, Michael D. Bond; “Low-Overhead Software Transactional Memory with Progress Guarantees and Strong Semantics,” PPoPP 2015 Proceedings of the 20th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming, January 2015, Pages 97–108. doi:10.1145/2688500.2688510
Abstract: Software transactional memory offers an appealing alternative to locks by improving programmability, reliability, and scalability. However, existing STMs are impractical because they add high instrumentation costs and often provide weak progress guarantees and/or semantics. This paper introduces a novel STM called LarkTM that provides three significant features. (1) Its instrumentation adds low overhead except when accesses actually conflict, enabling low single-thread overhead and scaling well on low-contention workloads. (2) It uses eager concurrency control mechanisms, yet naturally supports flexible conflict resolution, enabling strong progress guarantees. (3) It naturally provides strong atomicity semantics at low cost. LarkTM’s design works well for low-contention workloads, but adds significant overhead under higher contention, so we design an adaptive version of LarkTM that uses alternative concurrency control for high-contention objects. An implementation and evaluation in a Java virtual machine show that the basic and adaptive versions of LarkTM not only provide low single-thread overhead, but their multithreaded performance compares favorably with existing high-performance STMs.
Keywords: Software transactional memory, biased reader-writer locks, concurrency control, managed languages, strong atomicity (ID#: 15-7531)
URL: http://doi.acm.org/10.1145/2688500.2688510
Sophia Drossopoulou, James Noble, Mark S. Miller; “Swapsies on the Internet: First Steps Towards Reasoning About Risk and Trust in an Open World,” PLAS’15 Proceedings of the 10th ACM Workshop on Programming Languages and Analysis for Security, July 2015, Pages 2–15. doi:10.1145/2786558.2786564
Abstract: Contemporary open systems use components developed by many different parties, linked together dynamically in unforeseen constellations. Code needs to live up to strict security specifications: it has to ensure the correct functioning of its objects when they collaborate with external objects which may be malicious. In this paper we propose specifications that model risk and trust in such open systems. We specify Miller, Van Cutsem, and Tulloh’s escrow exchange example, and discuss the meaning of such a specification. We argue informally that the code satisfies its specification.
Keywords: (not provided) (ID#: 15-7532)
URL: http://doi.acm.org/10.1145/2786558.2786564
Minh Ngo, Fabio Massacci, Dimiter Milushev, Frank Piessens; “Runtime Enforcement of Security Policies on Black Box Reactive Programs,” POPL ’15 Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 2015, Pages 43–54. doi:10.1145/2676726.2676978
Abstract: Security enforcement mechanisms like execution monitors are used to make sure that some untrusted program complies with a policy. Different enforcement mechanisms have different strengths and weaknesses and hence it is important to understand the qualities of various enforcement mechanisms. This paper studies runtime enforcement mechanisms for reactive programs. We study the impact of two important constraints that many practical enforcement mechanisms satisfy: (1) the enforcement mechanism must handle each input/output event in finite time and on occurrence of the event (as opposed to for instance Ligatti’s edit automata that have the power to buffer events for an arbitrary amount of time), and (2) the enforcement mechanism treats the untrusted program as a black box: it can monitor and/or edit the input/output events that the program exhibits on execution and it can explore alternative executions of the program by running additional copies of the program and providing these different inputs. It cannot inspect the source or machine code of the untrusted program. Such enforcement mechanisms are important in practice: they include for instance many execution monitors, virtual machine monitors, and secure multi-execution or shadow executions. We establish upper and lower bounds for the class of policies that are enforceable by such black box mechanisms, and we propose a generic enforcement mechanism that works for a wide range of policies. We also show how our generic enforcement mechanism can be instantiated to enforce specific classes of policies, at the same time showing that many existing enforcement mechanisms are optimized instances of our construction.
Keywords: black box mechanism, hypersafety policy, reactive program, runtime enforcement (ID#: 15-7533)
URL: http://doi.acm.org/10.1145/2676726.2676978
Kavita Agarwal, Bhushan Jain, Donald E. Porter; “Containing the Hype,” APSys ’15 Proceedings of the 6th Asia-Pacific Workshop on Systems, July 2015, Article No. 8. doi:10.1145/2797022.2797029
Abstract: Containers, or OS-based virtualization, have seen a recent resurgence in deployment. The term “container” is nearly synonymous with “lightweight virtualization”, despite a remarkable dearth of careful measurements supporting this notion. This paper contributes comparative measurements and analysis of both containers and hardware virtual machines where the functionality of both technologies intersects. This paper focuses on two important issues for cloud computing: density (guests per physical host) and start-up latency (for responding to load spikes). We conclude that the overall density is highly dependent on the most demanded resource. In many dimensions there are no significant differences, and in other dimensions VMs have significantly higher overheads. A particular contribution is the first detailed analysis of the biggest difference—memory footprint—and opportunities to significantly reduce this overhead.
Keywords: (not provided) (ID#: 15-7534)
URL: http://doi.acm.org/10.1145/2797022.2797029
Andrey Chudnov, David A. Naumann; “Inlined Information Flow Monitoring for JavaScript,” CCS ’15 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, Pages 629–643. doi:10.1145/2810103.2813684
Abstract: Extant security mechanisms for web apps, notably the “same-origin policy”, are not sufficient to achieve confidentiality and integrity goals for the many apps that manipulate sensitive information. The trend in web apps is “mashups” which integrate JavaScript code from multiple providers in ways that can undercut existing security mechanisms. Researchers are exploring dynamic information flow controls (IFC) for JavaScript, but there are many challenges to achieving strong IFC without excessive performance cost or impractical browser modifications. This paper presents an inlined IFC monitor for ECMAScript 5 with web support, using the no-sensitive-upgrade (NSU) technique, together with experimental evaluation using synthetic mashups and performance benchmarks. On this basis it should be possible to conduct experiments at scale to evaluate feasibility of both NSU and inlined monitoring.
Keywords: inlined monitoring, javascript, run-time monitoring, web applications (ID#: 15-7535)
URL: http://doi.acm.org/10.1145/2810103.2813684
Tobias Holstein, Joachim Wietzke; “Contradiction of Separation through Virtualization and Inter Virtual Machine Communication in Automotive Scenarios,” ECSAW ’15 Proceedings of the 2015 European Conference on Software Architecture Workshops, September 2015, Article No. 4. doi:10.1145/2797433.2797437
Abstract: A trend in automotive infotainment software is to create a separation of components based on different domains (e.g. Navigation, Radio, etc.). This intends to limit susceptibility to errors, simplify maintainability and to organize development based on domains. Multi-OS environments create another layer of separation through hardware/software virtualization. Using a hypervisor for virtualization allows the development of mixed critical systems. However, we see a contradiction in current architectures, which on one side aim to separate everything into virtual machines (VMs), while on the other side allow inter-VM-connectivity. In the end all applications are composited into one homogeneous UI and the previous intent of separation is disregarded. In this paper we investigate current architectures for in-vehicle infotainment systems (IVIS), i.e. mixed critical systems for automotive purposes, and show that regulations and/or requirements break the previous intents of the architecture.
Keywords: Composition, Heterogeneous Platforms, Hypervisor, Ubiquitous Interoperability, User Interface, Virtualization
(ID#: 15-7536)
URL: http://doi.acm.org/10.1145/2797433.2797437
Petr Hosek, Cristian Cadar; “VARAN the Unbelievable: An Efficient N-version Execution Framework,” ASPLOS ’15 Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, March 2015, Pages 339–353. doi:10.1145/2775054.2694390
Abstract: With the widespread availability of multi-core processors, running multiple diversified variants or several different versions of an application in parallel is becoming a viable approach for increasing the reliability and security of software systems. The key component of such N-version execution (NVX) systems is a runtime monitor that enables the execution of multiple versions in parallel. Unfortunately, existing monitors impose either a large performance overhead or rely on intrusive kernel-level changes. Moreover, none of the existing solutions scales well with the number of versions, since the runtime monitor acts as a performance bottleneck. In this paper, we introduce Varan, an NVX framework that combines selective binary rewriting with a novel event-streaming architecture to significantly reduce performance overhead and scale well with the number of versions, without relying on intrusive kernel modifications. Our evaluation shows that Varan can run NVX systems based on popular C10k network servers with only a modest performance overhead, and can be effectively used to increase software reliability using techniques such as transparent failover, live sanitization and multi-revision execution.
Keywords: N-version execution, event streaming, live sanitization, multi-revision execution, record-replay, selective binary rewriting, transparent failover (ID#: 15-7537)
URL: http://doi.acm.org/10.1145/2775054.2694390
Swarnendu Biswas, Minjia Zhang, Michael D. Bond, Brandon Lucia; “Valor: Efficient, Software-only Region Conflict Exceptions,” OOPSLA 2015 Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications, October 2015, Pages 241–259. doi:10.1145/2814270.2814292
Abstract: Data races complicate programming language semantics, and a data race is often a bug. Existing techniques detect data races and define their semantics by detecting conflicts between synchronization-free regions (SFRs). However, such techniques either modify hardware or slow programs dramatically, preventing always-on use today. This paper describes Valor, a sound, precise, software-only region conflict detection analysis that achieves high performance by eliminating the costly analysis on each read operation that prior approaches require. Valor instead logs a region’s reads and lazily detects conflicts for logged reads when the region ends. As a comparison, we have also developed FastRCD, a conflict detector that leverages the epoch optimization strategy of the FastTrack data race detector. We evaluate Valor, FastRCD, and FastTrack, showing that Valor dramatically outperforms FastRCD and FastTrack. Valor is the first region conflict detector to provide strong semantic guarantees for racy program executions with under 2X slowdown. Overall, Valor advances the state of the art in always-on support for strong behavioral guarantees for data races.
Keywords: conflict exceptions, data races, dynamic analysis, region serializability (ID#: 15-7538)
URL: http://doi.acm.org/10.1145/2814270.2814292
Ben Hermann, Michael Reif, Michael Eichberg, Mira Mezini; “Getting to Know You: Towards a Capability Model for Java,” ESEC/FSE 2015 Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, August 2015,
Pages 758–769. doi:10.1145/2786805.2786829
Abstract: Developing software from reusable libraries lets developers face a security dilemma: either be efficient and reuse libraries as they are or inspect them, know about their resource usage, but possibly miss deadlines as reviews are a time consuming process. In this paper, we propose a novel capability inference mechanism for libraries written in Java. It uses a coarse-grained capability model for system resources that can be presented to developers. We found that the capability inference agrees by 86.81% on expectations towards capabilities that can be derived from project documentation. Moreover, our approach can find capabilities that cannot be discovered using project documentation. It is thus a helpful tool for developers mitigating the aforementioned dilemma.
Keywords: analysis, capability, library, reuse, security (ID#: 15-7539)
URL: http://doi.acm.org/10.1145/2786805.2786829
Daejun Park, Andrei Stefănescu, Grigore Roşu; “KJS: A Complete Formal Semantics of JavaScript,” PLDI 2015 Proceedings
of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2015, Pages 346–356. doi:10.1145/2737924.2737991
Abstract: This paper presents KJS, the most complete and throughly tested formal semantics of JavaScript to date. Being executable, KJS has been tested against the ECMAScript 5.1 conformance test suite, and passes all 2,782 core language tests. Among the existing implementations of JavaScript, only Chrome V8’s passes all the tests, and no other semantics passes more than 90%. In addition to a reference implementation for JavaScript, KJS also yields a simple coverage metric for a test suite: the set of semantic rules it exercises. Our semantics revealed that the ECMAScript 5.1 conformance test suite fails to cover several semantic rules. Guided by the semantics, we wrote tests to exercise those rules. The new tests revealed bugs both in production JavaScript engines (Chrome V8, Safari WebKit, Firefox SpiderMonkey) and in other semantics. KJS is symbolically executable, thus it can be used for formal analysis and verification of JavaScript programs. We verified non-trivial programs and found a known security vulnerability.
Keywords: JavaScript, K framework, mechanized semantics (ID#: 15-7540)
URL: http://doi.acm.org/10.1145/2737924.2737991
Junjie Wang, Yinxing Xue, Yang Liu, Tian Huat Tan; “JSDC: A Hybrid Approach for JavaScript Malware Detection and Classification,” ASIA CCS ’15 Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, April 2015, Pages 109–120. doi:10.1145/2714576.2714620
Abstract: Malicious JavaScript is one of the biggest threats in cyber security. Existing research and anti-virus products mainly focus on detection of JavaScript malware rather than classification. Usually, the detection will simply report the malware family name without elaborating details about attacks conducted by the malware. Worse yet, the reported family name may differ from one tool to another due to the different naming conventions. In this paper, we propose a hybrid approach to perform JavaScript malware detection and classification in an accurate and efficient way, which could not only explain the attack model but also potentially discover new malware variants and new vulnerabilities. Our approach starts with machine learning techniques to detect JavaScript malware using predicative features of textual information, program structures and risky function calls. For the detected malware, we classify them into eight known attack types according to their attack feature vector or dynamic execution traces by using machine learning and dynamic program analysis respectively. We implement our approach in a tool named JSDC, and conduct large-scale evaluations to show its effectiveness. The controlled experiments (with 942 malware) show that JSDC gives low false positive rate (0.2123%) and low false negative rate (0.8492%), compared with other tools. We further apply JSDC on 1,400,000 real-world JavaScript with over 1,500 malware reported, for which many anti-virus tools failed. Lastly, JSDC can effectively and accurately classify these detected malwares into either attack types.
Keywords: (not provided) (ID#: 15- 7541)
URL: http://doi.acm.org/10.1145/2714576.2714620
Soo-Jin Moon, Vyas Sekar, Michael K. Reiter; “Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration,” CCS ’15 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, Pages 1595–1606. doi:10.1145/2810103.2813706
Abstract: Recent studies have shown a range of co-residency side channels that can be used to extract private information from cloud clients. Unfortunately, addressing these side channels often requires detailed attack-specific fixes that require significant modifications to hardware, client virtual machines (VM), or hypervisors. Furthermore, these solutions cannot be generalized to future side channels. Barring extreme solutions such as single tenancy which sacrifices the multiplexing benefits of cloud computing, such side channels will continue to affect critical services. In this work, we present Nomad, a system that offers vector-agnostic defense against known and future side channels. Nomad envisions a provider-assisted VM migration service, applying the moving target defense philosophy to bound the information leakage due to side channels. In designing Nomad, we make four key contributions: (1) a formal model to capture information leakage via side channels in shared cloud deployments; (2) identifying provider-assisted VM migration as a robust defense for arbitrary side channels; (3) a scalable online VM migration heuristic that can handle large datacenter workloads; and (4) a practical implementation in OpenStack. We show that Nomad is scalable to large cloud deployments, achieves near-optimal information leakage subject to constraints on migration overhead, and imposes minimal performance degradation for typical cloud applications such as web services and Hadoop MapReduce.
Keywords: VM migration, Cloud computing, Cross-VM side-channel attacks (ID#: 15-7542)
URL: http://doi.acm.org/10.1145/2810103.2813706
Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, Stelios Sidiroglou-Douskos; “Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity,” CCS ’15 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, Pages 901–913. doi:10.1145/2810103.2813646
Abstract: Control flow integrity (CFI) has been proposed as an approach to defend against control-hijacking memory corruption attacks. CFI works by assigning tags to indirect branch targets statically and checking them at runtime. Coarse-grained enforcements of CFI that use a small number of tags to improve the performance overhead have been shown to be ineffective. As a result, a number of recent efforts have focused on fine-grained enforcement of CFI as it was originally proposed. In this work, we show that even a fine-grained form of CFI with unlimited number of tags and a shadow stack (to check calls and returns) is ineffective in protecting against malicious attacks. We show that many popular code bases such as Apache and Nginx use coding practices that create flexibility in their intended control flow graph (CFG) even when a strong static analyzer is used to construct the CFG. These flexibilities allow an attacker to gain control of the execution while strictly adhering to a fine-grained CFI. We then construct two proof-of-concept exploits that attack an unlimited tag CFI system with a shadow stack. We also evaluate the difficulties of generating a precise CFG using scalable static analysis for real-world applications. Finally, we perform an analysis on a number of popular applications that highlights the availability of such attacks.
Keywords: code reuse, control flow integrity, memory corruption, return-oriented programming (ID#: 15-7543)
URL: http://doi.acm.org/10.1145/2810103.2813646
Khilan Gudka, Robert N.M. Watson, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Ilias Marinos, Peter G. Neumann, Alex Richardson; “Clean Application Compartmentalization with SOAAP,” CCS ’15 Proceedings of the 22nd
ACM SIGSAC Conference on Computer and Communications Security, October 2015, Pages 1016—1031. doi:10.1145/2810103.2813611
Abstract: Application compartmentalization, a vulnerability mitigation technique employed in programs such as OpenSSH and the Chromium web browser, decomposes software into isolated components to limit privileges leaked or otherwise available to attackers. However, compartmentalizing applications — and maintaining that compartmentalization — is hindered by ad hoc methodologies and significantly increased programming effort. In practice, programmers stumble through (rather than overtly reason about) compartmentalization spaces of possible decompositions, unknowingly trading off correctness, security, complexity, and performance. We present a new conceptual framework embodied in an LLVM-based tool: the Security-Oriented Analysis of Application Programs (SOAAP) that allows programmers to reason about compartmentalization using source-code annotations (compartmentalization hypotheses). We demonstrate considerable benefit when creating new compartmentalizations for complex applications, and analyze existing compartmentalized applications to discover design faults and maintenance issues arising from application evolution.
Keywords: compartmentalization, security, vulnerability mitigation (ID#: 15-7544)
URL: http://doi.acm.org/10.1145/2810103.2813611
Radu Stoenescu, Vladimir Olteanu, Matei Popovici, Mohamed Ahmed, Joao Martins, Roberto Bifulco, Filipe Manco, Felipe Huici, Georgios Smaragdakis, Mark Handley, Costin Raiciu; “In-Net: In-Network Processing for the Masses,” EuroSys ’15 Proceedings of the Tenth European Conference on Computer Systems, April 2015, Article No. 23. doi:10.1145/2741948.2741961
Abstract: Network Function Virtualization is pushing network operators to deploy commodity hardware that will be used to run middlebox functionality and processing on behalf of third parties: in effect, network operators are slowly but surely becoming in-network cloud providers. The market for innetwork clouds is large, ranging from content providers, mobile applications and even end-users. We show in this paper that blindly adopting cloud technologies in the context of in-network clouds is not feasible from both the security and scalability points of view. Instead we propose In-Net, an architecture that allows untrusted endpoints as well as content-providers to deploy custom in-network processing to be run on platforms owned by network operators. In-Net relies on static analysis to allow platforms to check whether the requested processing is safe, and whether it contradicts the operator’s policies. We have implemented In-Net and tested it in the wide-area, supporting a range of use-cases that are difficult to deploy today. Our experience shows that In-Net is secure, scales to many users (thousands of clients on a single inexpensive server), allows for a wide-range of functionality, and offers benefits to end-users, network operators and content providers alike.
Keywords: (not provided) (ID#: 15-7545)
URL: http://doi.acm.org/10.1145/2741948.2741961
Anil Saini, Manoj Singh Gaur, Vijay Laxmi, Priyadarsi Nanda; “sandFOX: Secure Sandboxed and Isolated Environment for Firefox Browser,” SIN ’15 Proceedings of the 8th International Conference on Security of Information and Networks, September 2015, Pages 20–27. doi:10.1145/2799979.2800000
Abstract: Browser functionalities can be widely extended by browser extensions. One of the key features that makes browser extensions so powerful is that they run with “high” privileges. As a consequence, a vulnerable or malicious extension might expose browser, and operating system (OS) resources to possible attacks such as privilege escalation, information stealing, and session hijacking. The resources are referred as browser as well as OS components accessed through browser extension such as accessing information on the web application, executing arbitrary processes, and even access files from a host file system. This paper presents sandFOX (secure sandbox and isolated environment), a client-side browser policies for constructing sandbox environment. sandFOX allows the browser extension to express fine-grained OS specific security policies that are enforced at runtime. In particular, our proposed policies provide the protection to OS resources (e.g., host file system, network and processes) from the browser attacks. We use Security-Enhanced Linux (SELinux) to tune OS and build a sandbox that helps in reducing potential damage from attacks on the OS resources. To show the practicality of sandFOX in a range of settings, we compute the effectiveness of sandFOX for various browser attacks on OS resources. We also show that sandFOX enabled browser experiences low overhead on loading pages and utilizes negligible memory when running with sandbox environment.
Keywords: browser attacks, browser policies, browser security, extension-based attacks (ID#: 15-7546)
URL: http://doi.acm.org/10.1145/2799979.2800000
Gorka Irazoqui, Mehmet Sinan Inci, Thomas Eisenbarth, Berk Sunar; “Lucky 13 Strikes Back,” ASIA CCS ’15 Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, April 2015, Pages 85–96. doi:10.1145/2714576.2714625
Abstract: In this work we show how the Lucky 13 attack can be resurrected in the cloud by gaining access to a virtual machine co-located with the target. Our version of the attack exploits distinguishable cache access times enabled by VM deduplication to detect dummy function calls that only happen in case of an incorrectly CBC-padded TLS packet. Thereby, we gain back a new covert channel not considered in the original paper that enables the Lucky 13 attack. In fact, the new side channel is significantly more accurate, thus yielding a much more effective attack. We briefly survey prominent cryptographic libraries for this vulnerability. The attack currently succeeds to compromise PolarSSL, GnuTLS and CyaSSL on deduplication enabled platforms while the Lucky 13 patches in OpenSSL, Mozilla NSS and MatrixSSL are immune to this vulnerability. We conclude that, any program that follows secret data dependent execution flow is exploitable by side-channel attacks as shown in (but not limited to) our version of the Lucky 13 attack.
Keywords: cross-vm attacks, deduplication, lucky 13 attack, virtualization (ID#: 15-7547)
URL: http://doi.acm.org/10.1145/2714576.2714625
Vera Zaychik Moffitt, Julia Stoyanovich, Serge Abiteboul, Gerome Miklau; “Collaborative Access Control in WebdamLog,” SIGMOD ’15 Proceedings of the 2015 ACM SIGMOD International Conference on Management of Data, May 2015,
Pages 197–211. doi:10.1145/2723372.2749433
Abstract: The management of Web users’ personal information is increasingly distributed across a broad array of applications and systems, including online social networks and cloud-based services. Users wish to share data using these systems, but avoiding the risks of unintended disclosures or unauthorized access by applications has become a major challenge. We propose a novel access control model that operates within a distributed data management framework based on datalog. Using this model, users can control access to data they own and control applications they run. They can conveniently specify access control policies providing flexible tuple-level control derived using provenance information. We present a formal specification of the model, an implementation built using an open-source distributed datalog engine, and an extensive experimental evaluation showing that the computational cost of access control is modest.
Keywords: collaborative access control, distributed datalog, personal information management, provenance (ID#: 15-7548)
URL: http://doi.acm.org/10.1145/2723372.2749433
Charlie Hothersall-Thomas, Sergio Maffeis, Chris Novakovic; “BrowserAudit: Automated Testing of Browser Security Features,” ISSTA 2015 Proceedings of the 2015 International Symposium on Software Testing and Analysis, July 2015,
Pages 37–47. doi:10.1145/2771783.2771789
Abstract: The security of the client side of a web application relies on browser features such as cookies, the same-origin policy and HTTPS. As the client side grows increasingly powerful and sophisticated, browser vendors have stepped up their offering of security mechanisms which can be leveraged to protect it. These are often introduced experimentally and informally and, as adoption increases, gradually become standardised (e.g., CSP, CORS and HSTS). Considering the diverse landscape of browser vendors, releases, and customised versions for mobile and embedded devices, there is a compelling need for a systematic assessment of browser security. We present BrowserAudit, a tool for testing that a deployed browser enforces the guarantees implied by the main standardised and experimental security mechanisms. It includes more than 400 fully-automated tests that exercise a broad range of security features, helping web users, application developers and security researchers to make an informed security assessment of a deployed browser. We validate BrowserAudit by discovering both fresh and known security-related bugs in major browsers.
Keywords: Content Security Policy, Cross-Origin Resource Sharing, Same-Origin Policy, Web security, click-jacking, cookies, web browser testing (ID#: 15-7549)
URL: http://doi.acm.org/10.1145/2771783.2771789
Håvard D. Johansen, Eleanor Birrell, Robbert van Renesse, Fred B. Schneider, Magnus Stenhaug, Dag Johansen; “Enforcing Privacy Policies with Meta-Code,” APSys ’15 Proceedings of the 6th Asia-Pacific Workshop on Systems, July 2015, Article
No. 16. doi:10.1145/2797022.2797040
Abstract: This paper proposes a mechanism for expressing and enforcing security policies for shared data. Security policies are expressed as stateful meta-code operations; meta-code can express a broad class of policies, including access-based policies, use-based policies, obligations, and sticky policies with declassification. The meta-code is interposed in the filesystem access path to ensure policy compliance. The generality and feasibility of our approach is demonstrated using a sports analytics prototype system.
Keywords: (not provided) (ID#: 15- 7550)
URL: http://doi.acm.org/10.1145/2797022.2797040
Gary T. Leavens; “JML: Expressive Contracts, Specification Inheritance, and Behavioral Subtyping,” PPPJ ’15 Proceedings of the Principles and Practices of Programming on the Java Platform, September 2015, pages 1–1. doi:10.1145/2807426.2817926
Abstract: JML, the Java Modeling Language, is a formal specification language tailored to the specification of sequential Java classes and interfaces. It features contracts in the style of design by contract (as in Eiffel), as well as more sophisticated features that allow it to be used with a variety of tools from dynamic assertion checking to static verification. The talk will explain JML using some small examples. JML also features a notion of “specification inheritance,” which forces all subtypes to be “behavioral subtypes.” Behavioral subtyping allows client code to validly reason about objects using “supertype abstraction”; for example, when calling a method on an object, the specification for that method in the object’s static type can be used, even though the method call may dynamically dispatch to an overriding method in some subtype. Specification inheritance makes this valid by forcing each such overriding method to obey the specification of that method given in each of its supertypes. Specification inheritance, and thus supertype abstraction, also apply to JML’s invariants, history constraints, and initially clauses. These features make reasoning about object-oriented programs modular. Work on JML has been supported in part by NSF grants CCF0916350, CCF0916715, CCF1017262, and CNS1228695.
Keywords: (not provided) (ID#: 15-7551)
URL: http://doi.acm.org/10.1145/2807426.2817926
David Chisnall, Colin Rothwell, Robert N.M. Watson, Jonathan Woodruff, Munraj Vadera, Simon W. Moore, Michael Roe, Brooks Davis, Peter G. Neumann; “Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine,” ASPLOS ’15 Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, April 2015, Pages 117–130. doi:10.1145/2786763.2694367
Abstract: We propose a new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging. Despite ambiguities in the specification intended to provide implementation flexibility, contemporary implementations of C have converged on a memory model similar to the PDP-11, the original target for C. This model lacks support for memory safety despite well-documented impacts on security and reliability. Attempts to change this model are often hampered by assumptions embedded in a large body of existing C code, dating back to the memory model exposed by the original C compiler for the PDP-11. Our experience with attempting to implement a memory-safe variant of C on the CHERI experimental microprocessor led us to identify a number of problematic idioms. We describe these as well as their interaction with existing memory safety schemes and the assumptions that they make beyond the requirements of the C specification. Finally, we refine the CHERI ISA and abstract model for C, by combining elements of the CHERI capability model and fat pointers, and present a softcore CPU that implements a C abstract machine that can run legacy C code with strong memory protection guarantees.
Keywords: C language, bounds checking, capabilities, compilers, memory protection, memory safety, processor design, security (ID#: 15-7552)
URL: http://doi.acm.org/10.1145/2786763.2694367
Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, Angelos D. Keromytis; “The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications,” CCS ’15 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, Pages 1406–1418. doi:10.1145/2810103.2813708
Abstract: We present a micro-architectural side-channel attack that runs entirely in the browser. In contrast to previous work in this genre, our attack does not require the attacker to install software on the victim’s machine; to facilitate the attack, the victim needs only to browse to an untrusted webpage that contains attacker-controlled content. This makes our attack model highly scalable, and extremely relevant and practical to today’s Web, as most desktop browsers currently used to access the Internet are affected by such side channel threats. Our attack, which is an extension to the last-level cache attacks of Liu et al., allows a remote adversary to recover information belonging to other processes, users, and even virtual machines running on the same physical host with the victim web browser. We describe the fundamentals behind our attack, and evaluate its performance characteristics. In addition, we show how it can be used to compromise user privacy in a common setting, letting an attacker spy after a victim that uses private browsing. Defending against this side channel is possible, but the required countermeasures can exact an impractical cost on benign uses of the browser.
Keywords: cache-timing attacks, covert channel, javascript-based cache attacks, side-channel attacks, user tracking
(ID#: 15-7553)
URL: http://doi.acm.org/10.1145/2810103.2813708
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.