Papers tagged as NDSS
  1. HisTorε: Differentially Private and Robust Statistics Collection for Tor 2017 DifferentialPrivacy NDSS Tor ndss-symposium.org
    Akshaya Mani and Micah Sherr

    A large volume of existing research attempts to understand who uses Tor and how the network is used (and misused). However, conducting measurements on the live Tor network, if done improperly, can endanger the security and anonymity of the millions of users who depend on the network to enhance their online privacy. Indeed, several existing measurement studies of Tor have been heavily criticized for unsafe research practices.


    Tor needs privacy-preserving methods of gathering statistics. The recently proposed PrivEx system demonstrates how data can be safely collected on Tor using techniques from differential privacy. However, as we demonstrate in this paper, the integrity of the statistics reported by PrivEx is brittle under realistic deployment conditions. An adversary who operates even a single relay in the volunteer-operated anonymity network can arbitrarily influence the result of PrivEx queries. We argue that a safe and useful data collection mechanism must provide both privacy and integrity protections.


    This paper presents HisTor , a privacy-preserving statistics collection scheme based on ( ; )-differential privacy that is robust against adversarial manipulation. We formalize the security guarantees of HisTor and show using historical data from the Tor Project that HisTor provides useful data collection and reporting with low bandwidth and processing overheads.

  2. Pushing the Communication Barrier in Secure Computation using Lookup Tables 2017 2PC NDSS eprint.iacr.org
    Ghada Dessouky, Farinaz Koushanfar, Ahmad-Reza Sadeghi, Thomas Schneider, Shaza Zeitouni and Michael Zohner

    Secure two-party computation has witnessed significant efficiency improvements in the recent years. Current implementations of protocols with security against passive adversaries generate and process data much faster than it can be sent over the network, even with a single thread. This paper introduces novel methods to further reduce the communication bottleneck and round complexity of semi-honest secure two-party computation. Our new methodology creates a trade-off between communication and computation, and we show that the added computing cost for each party is still feasible and practicable in light of the new communication savings. We first improve communication for Boolean circuits with 2-input gates by factor 1.9x when evaluated with the protocol of Goldreich-Micali-Wigderson (GMW). As a further step, we change the conventional Boolean circuit representation from 2-input gates to multi-input/multi-output lookup tables (LUTs) which can be programmed to realize arbitrary functions. We construct two protocols for evaluating LUTs offering a trade-off between online communication and total communication. Our most efficient LUT-based protocol reduces the communication and round complexity by a factor 2-4x for several basic and complex operations. Our proposed scheme results in a significant overall runtime decrease of up to a factor of 3x on several benchmark functions.

  3. WireGuard: Next Generation Kernel Network Tunnel 2017 NDSS VPN ndss-symposium.org
    Jason A. Donenfeld

    WireGuard is a secure network tunnel, operating at layer 3, implemented as a kernel virtual network interface for Linux, which aims to replace both IPsec for most use cases, as well as popular user space and/or TLS-based solutions like OpenVPN, while being more secure, more performant, and easier to use. The virtual tunnel interface is based on a proposed fundamental principle of secure tunnels: an association between a peer public key and a tunnel source IP address. It uses a single round trip key exchange, based on NoiseIK, and handles all session creation transparently to the user using a novel timer state machine mechanism. Short pre-shared static keys Curve25519 points are used for mutual authentication in the style of OpenSSH. The protocol provides strong perfect forward secrecy in addition to a high degree of identity hiding. Transport speed is accomplished using ChaCha20Poly1305 authenticated-encryption for encapsulation of packets in UDP. An improved take on IP-binding cookies is used for mitigating denial of service attacks, improving greatly on IKEv2 and DTLS s cookie mechanisms to add encryption and authentication. The overall design allows for allocating no resources in response to received packets, and from a systems perspective, there are multiple interesting Linux implementation techniques for queues and parallelism. Finally, WireGuard can be simply implemented for Linux in less than 4,000 lines of code, making it easily audited and verified.

  4. SilentWhispers: Enforcing Security and Privacy in Decentralized Credit Networks 2017 Blockchains NDSS Privacy eprint.iacr.org
    Giulio Malavolta, Pedro Moreno-Sanchez, Aniket Kate, and Matteo Maffei

    Credit networks model transitive trust (or credit) between users in a distributed environment and have recently seen a rapid increase of popularity due to their flexible design and robustness against intrusion. They serve today as a backbone of real-world IOweYou transaction settlement networks such as Ripple and Stellar, which are deployed by various banks worldwide, as well as several other systems, such as spam-resistant communication protocols and Sybil-tolerant social networks. Current solutions, however, raise serious privacy concerns, as the network topology as well as the credit value of the links are made public for apparent transparency purposes and any changes are logged. In payment scenarios, for instance, this means that all transactions have to be public and everybody knows who paid what to whom.


    In this work, we question the necessity of a privacy-invasive transaction ledger. In particular, we present SilentWhispers, the first distributed, privacy-preserving credit network that does not require any ledger to protect the integrity of transactions. Yet, SilentWhispers guarantees integrity and privacy of link values and transactions even in the presence of distrustful users and malicious neighbors, whose misbehavior in changing link values is detected and such users can be held accountable. We formalize these properties as ideal functionalities in the universal composability framework and present a secure realization based on a novel combination of secret-sharing-based multiparty computation and digital signature chains. SilentWhispers can handle network churn, and it is efficient as demonstrated with a prototype implementation evaluated using payments data extracted from the currently deployed Ripple payment system.

  5. OBFUSCURO: A Commodity Obfuscation Engine on Intel SGX 2019 IntelSGX NDSS Obfuscation ORAM ndss-symposium.org
    Adil Ahmad and Byunggill Joe and Yuan Xiao and Yinqian Zhang and Insik Shin and Byoungyoung Lee

    Program obfuscation is a popular cryptographic construct with a wide range of uses such as IP theft prevention. Although cryptographic solutions for program obfuscation impose impractically high overheads, a recent breakthrough leveraging trusted hardware has shown promise. However, the existing solution is based on special-purpose trusted hardware, restricting its use-cases to a limited few.


    In this paper, we first study if such obfuscation is feasible based on commodity trusted hardware, Intel SGX, and we observe that certain important security considerations are not afforded by commodity hardware. In particular, we found that existing obfuscation/obliviousness schemes are insecure if directly applied to Intel SGX primarily due to side-channel limitations. To this end, we present OBFUSCURO, the first system providing program obfuscation using commodity trusted hardware, Intel SGX. The key idea is to leverage ORAM operations to perform secure code execution and data access. Initially, OBFUSCURO transforms the regular program layout into a side-channel-secure and ORAM-compatible layout. Then, OBFUSCURO ensures that its ORAM controller performs data oblivious accesses in order to protect itself from all memory-based side-channels. Furthermore, OBFUSCURO ensures that the program is secure from timing attacks by ensuring that the program always runs for a pre-configured time interval. Along the way, OBFUSCURO also introduces a systematic optimization such as register-based ORAM stash. We provide a thorough security analysis of OBFUSCURO along with empirical attack evaluations showing that OBFUSCURO can protect the SGX program execution from being leaked by access pattern-based and timing-based channels. We also provide a detailed performance benchmark results in order to show the practical aspects of OBFUSCURO.

  6. Constructing an Adversary Solver for Equihash 2019 Blockchains NDSS ProofOfWork ndss-symposium.org
    Xiaofei Bai and Jian Gao and Chenglong Hu and Liang Zhang

    Blockchain networks, especially cryptocurrencies, rely heavily on proof-of-work (PoW) systems, often as a basis to distribute rewards. These systems require solving specific puzzles, where Application Specific Integrated Circuits (ASICs) can be designed for performance or efficiency. Either way, ASICs surpass CPUs and GPUs by orders of magnitude, and may harm blockchain networks. Recently, Equihash is developed to resist ASIC solving with heavy memory usage. Although commercial ASIC solvers exist for its most popular parameter set, such solvers do not work under better ones, and are considered impossible under optimal parameters. In this paper, we inspect the ASIC resistance of Equihash by constructing a parameter-independent adversary solver design. We evaluate the product, and project at least 10x efficiency advantage for resourceful adversaries. We contribute to the security community in two ways: (1) by revealing the limitation of Equihash and raising awareness about its algorithmic factors, and (2) by demonstrating that security inspection is practical and useful on PoW systems, serving as a start point for future research and development.

  7. Anonymous Multi-Hop Locks for Blockchain Scalability and Interoperability 2019 Blockchains NDSS PaymentChannels Privacy ndss-symposium.org
    Giulio Malavolta and Pedro Moreno Sanchez and Clara Schneidewind and Aniket Kate and Matteo Maffei

    Tremendous growth in cryptocurrency usage is exposing the inherent scalability issues with permissionless blockchain technology. Payment-channel networks (PCNs) have emerged as the most widely deployed solution to mitigate the scalability issues, allowing the bulk of payments between two users to be carried out off-chain. Unfortunately, as reported in the literature and further demonstrated in this paper, current PCNs do not provide meaningful security and privacy guarantees [30], [40].


    In this work, we study and design secure and privacy-preserving PCNs. We start with a security analysis of existing PCNs, reporting a new attack that applies to all major PCNs, including the Lightning Network, and allows an attacker to steal the fees from honest intermediaries in the same payment path. We then formally define anonymous multi-hop locks (AMHLs), a novel cryptographic primitive that serves as a cornerstone for the design of secure and privacy-preserving PCNs. We present several provably secure cryptographic instantiations that make AMHLs compatible with the vast majority of cryptocurrencies. In particular, we show that (linear) homomorphic one-way functions suffice to construct AMHLs for PCNs supporting a script language (e.g., Ethereum). We also propose a construction based on ECDSA signatures that does not require scripts, thus solving a prominent open problem in the field.


    AMHLs constitute a generic primitive whose usefulness goes beyond multi-hop payments in a single PCN and we show how to realize atomic swaps and interoperable PCNs from this primitive. Finally, our performance evaluation on a commodity machine finds that AMHL operations can be performed in less than 100 milliseconds and require less than 500 bytes of communication overhead, even in the worst case. In fact, after acknowledging our attack, the Lightning Network developers have implemented our ECDSA-based AMHLs into their PCN. This demonstrates the practicality of our approach and its impact on the security, privacy, interoperability, and scalability of today’s cryptocurrencies.

  8. Vault: Fast Bootstrapping for the Algorand Cryptocurrency 2019 Blockchains Consensus NDSS ndss-symposium.org
    Derek Leung and Adam Suhl and Yossi Gilad and Nickolai Zeldovich

    Decentralized cryptocurrencies rely on participants to keep track of the state of the system in order to verify new transactions. As the number of users and transactions grows, this requirement becomes a significant burden, requiring users to download, verify, and store a large amount of data to participate.


    Vault is a new cryptocurrency design based on Algorand that minimizes these storage and bootstrapping costs for participants. Vault’s design is based on Algorand’s proof-of-stake consensus protocol and uses several techniques to achieve its goals. First, Vault decouples the storage of recent transactions from the storage of account balances, which enables Vault to delete old account state. Second, Vault allows sharding state across participants in a way that preserves strong security guarantees. Finally, Vault introduces the notion of stamping certificates, which allow a new client to catch up securely and efficiently in a proof-of-stake system without having to verify every single block.


    Experiments with a prototype implementation of Vault’s data structures show that Vault’s design reduces the bandwidth cost of joining the network as a full client by 99.7% compared to Bitcoin and 90.5% compared to Ethereum when downloading a ledger containing 500 million transactions.

  9. rORAM: Efficient Range ORAM with O(log2 N) Locality 2019 NDSS ORAM ndss-symposium.org
    Anrin Chakraborti and Adam J. Aviv and Seung Geol Choi and Travis Mayberry and Daniel S. Roche and Radu Sion

    Oblivious RAM protocols (ORAMs) allow a client to access data from an
    untrusted storage device without revealing to that device any information
    about their access pattern. Typically this is accomplished through random
    shuffling of the data such that the storage device cannot determine where
    individual blocks are located, resulting in a highly randomized access
    pattern. Storage devices however, are typically optimized for
    sequential access. A large number of random disk seeks
    during standard ORAM operation induce a substantial overhead.
    In this paper, we introduce rORAM, an ORAM specifically suited for
    accessing ranges of sequentially logical blocks while minimizing
    the number of random physical disk seeks. rORAM obtains significantly better asymptotic efficiency than prior designs (Asharov et al., ePrint 2017, Demertzis et al., CRYPTO 2018)
    reducing both the number of seeks and communication complexity by a multiplicative factor of $mathbb{O}(log N)$. An rORAM prototype is 30-50x times faster than Path ORAM for similar range-query workloads on local HDDs, 30x faster for local SSDs, and 10x
    faster for network block devices.


    rORAM’s novel disk layout can also speed up standard ORAM constructions, e.g., resulting in a 2x faster Path ORAM variant. Importantly, experiments demonstrate suitability for real world applications – rORAM is up to 5x faster running a file server and up to 11x faster running a range-query intensive video server workloads compared to standard Path ORAM.

  10. ConcurORAM: High-Throughput Stateless Parallel Multi-Client ORAM 2019 NDSS ORAM ndss-symposium.org
    Anrin Chakraborti and Radu Sion

    ConcurORAM is a parallel, multi-client oblivious RAM (ORAM) that
    eliminates waiting for concurrent stateless clients and allows over-
    all throughput to scale gracefully, without requiring trusted third
    party components (proxies) or direct inter-client coordination.
    A key insight behind ConcurORAM is the fact that, during
    multi-client data access, only a subset of the concurrently-
    accessed server-hosted data structures require access privacy
    guarantees. Everything else can be safely implemented as oblivi-
    ous data structures that are later synced securely and efficiently
    during an ORAM “eviction”.


    Further, since a major contributor to latency is the eviction
    – in which client-resident data is reshuffled and reinserted back
    encrypted into the main server database – ConcurORAM also
    enables multiple concurrent clients to evict asynchronously, in
    parallel (without compromising consistency), and in the back-
    ground without having to block ongoing queries.
    As a result, throughput scales well with increasing number of
    concurrent clients and is not significantly impacted by evictions.
    For example, about 65 queries per second can be executed in
    parallel by 30 concurrent clients, a 2x speedup over the state-of-
    the-art. The query access time for individual clients increases
    by only 2x when compared to a single-client deployment.

  11. Balancing Image Privacy and Usability with Thumbnail-Preserving Encryption 2019 FPE NDSS Privacy ndss-symposium.org
    Kimia Tajik and Akshith Gunasekaran and Rhea Dutta and Brandon Ellis and Rakesh B. Bobba and Mike Rosulek and Charles V. Wright and Wu-Chi Feng

    In this paper, we motivate the need for image encryption techniques that preserve certain visual features in images and hide all other information, to balance privacy and usability in the context of cloud-based image storage services. In particular, we introduce the concept of ideal or exact Thumbnail-Preserving Encryption (TPE), a special case of format-preserving encryption, and present a concrete construction. In TPE, a ciphertext is itself an image that has the same thumbnail as the plaintext (unecrypted) image, but that provably leaks nothing about the plaintext beyond its thumbnail. We provide a formal security analysis for the construction, and a prototype implementation to demonstrate compatibility with existing services. We also study the ability of users to distinguish between thumbnail images preserved by TPE. Our findings indicate that TPE is an efficient and promising approach to balance usability and privacy concerns for images. Our code and a demo are available at: http://photoencryption.org.

  12. Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion 2019 5G CellularProtocols FormalVerification NDSS ndss-symposium.org
    Cas Cremers and Martin Dehnel-Wild

    The 5G mobile telephony standards are nearing completion; upon adoption these will be used by billions across the globe. Ensuring the security of 5G communication is of the utmost importance, building trust in a critical component of everyday life and national infrastructure.


    We perform a fine-grained formal analysis of 5G’s main authentication and key agreement protocol (5G-AKA), and provide the first models that explicitly consider all parties defined by the protocol specification. Our formal analysis reveals that the security of 5G-AKA critically relies on unstated assumptions on the inner workings of the underlying channels. In practice this means that following the 5G-AKA specification, a provider can easily and ‘correctly’ implement the standard insecurely, leaving the protocol vulnerable to a security-critical race condition. We then provide the first models and analysis considering component and channel compromise in 5G, the results of which further demonstrate the fragility and subtle trust assumptions of the 5G-AKA protocol.


    We propose formally verified fixes to the encountered issues, and we have worked with 3GPP to ensure that these fixes are adopted.

  13. Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers 2019 AnonymousCredentials Blockchains NDSS Privacy ndss-symposium.org
    Alberto Sonnino and Mustafa Al-Bassam and Shehar Bano and Sarah Meiklejohn and George Danezis

    Coconut is a novel selective disclosure credential scheme supporting distributed threshold issuance, public and private attributes, re-randomization, and multiple unlinkable selective attribute revelations. Coconut integrates with Blockchains to ensure confidentiality, authenticity and availability even when a subset of credential issuing authorities are malicious or offline. We implement and evaluate a generic Coconut smart contract library for Chainspace and Ethereum; and present three applications related to anonymous payments, electronic petitions, and distribution of proxies for censorship resistance.


    Coconut uses short and computationally efficient credentials, and our evaluation shows that most Coconut cryptographic primitives take just a few milliseconds on average, with verification taking the longest time (10 milliseconds).

  14. Analyzing Semantic Correctness with Symbolic Execution: A Case Study on PKCS#1 v1.5 Signature Verification 2019 FormalVerification NDSS Signatures ndss-symposium.org
    Sze Yiu Chau and Moosa Yahyazadeh and Omar Chowdhury and Aniket Kate and Ninghui Li

    We discuss how symbolic execution can be used to not only find low-level errors but also analyze the semantic correctness of protocol implementations. To avoid manually crafting test cases, we propose a strategy of meta-level search, which leverages constraints stemmed from the input formats to automatically generate concolic test cases. Additionally, to aid root-cause analysis, we develop constraint provenance tracking (CPT), a mechanism that associates atomic sub-formulas of path constraints with their corresponding source level origins. We demonstrate the power of symbolic analysis with a case study on PKCS#1 v1.5 signature verification. Leveraging meta-level search and CPT, we analyzed 15 recent open-source implementations using symbolic execution and found semantic flaws in 6 of them. Further analysis of these flaws showed that 4 implementations are susceptible to new variants of the Bleichenbacher low- exponent RSA signature forgery. One implementation suffers from potential denial of service attacks with purposefully crafted signatures. All our findings have been responsibly shared with the affected vendors. Among the flaws discovered, 6 new CVEs have been assigned to the immediately exploitable ones.

  15. The use of TLS in Censorship Circumvention 2019 Censorship Measurement NDSS TLS ndss-symposium.org
    Sergey Frolov and Eric Wustrow

    TLS, the Transport Layer Security protocol, has
    quickly become the most popular protocol on the Internet, already
    used to load over 70% of web pages in Mozilla Firefox. Due
    to its ubiquity, TLS is also a popular protocol for censorship
    circumvention tools, including Tor and Signal, among others.


    However, the wide range of features supported in TLS makes
    it possible to distinguish implementations from one another by
    what set of cipher suites, elliptic curves, signature algorithms, and
    other extensions they support. Already, censors have used deep
    packet inspection (DPI) to identify and block popular circumven-
    tion tools based on the fingerprint of their TLS implementation.


    In response, many circumvention tools have attempted to
    mimic popular TLS implementations such as browsers, but this
    technique has several challenges. First, it is burdensome to keep
    up with the rapidly-changing browser TLS implementations, and
    know what fingerprints would be good candidates to mimic.
    Second, TLS implementations can be difficult to mimic correctly,
    as they offer many features that may not be supported by the
    relatively lightweight libraries used in typical circumvention tools.
    Finally, dependency changes and updates to the underlying li-
    braries can silently impact what an application’s TLS fingerprint
    looks like, making it difficult for tools to control.


    In this paper, we collect and analyze real-world TLS traffic
    from over 11.8 billion TLS connections over 9 months to identify
    a wide range of TLS client implementations actually used on
    the Internet. We use our data to analyze TLS implementations
    of several popular censorship circumvention tools, including
    Lantern, Psiphon, Signal, Outline, Tapdance, and Tor (Snowflake
    and meek). We find that the many of these tools use TLS
    configurations that are easily distinguishable from the real-world
    traffic they attempt to mimic, even when these tools have put
    effort into parroting popular TLS implementations.


    To address this problem, we have developed a library, uTLS,
    that enables tool maintainers to automatically mimic other pop-
    ular TLS implementations. Using our real-world traffic dataset,
    we observe many popular TLS implementations we are able to
    correctly mimic with uTLS, and we describe ways our tool can
    more flexibly adopt to the dynamic TLS ecosystem with minimal
    manual effort.

  16. SABRE: Protecting Bitcoin against Routing Attacks 2019 Bitcoin Blockchains NDSS ndss-symposium.org
    Maria Apostolaki and Gian Marti and Jan Müller and Laurent Vanbever

    Nowadays Internet routing attacks remain practi- cally effective as existing countermeasures either fail to provide protection guarantees or are not easily deployable. Blockchain systems are particularly vulnerable to such attacks as they rely on Internet-wide communications to reach consensus. In particular, Bitcoin—the most widely-used cryptocurrency—can be split in half by any AS-level adversary using BGP hijacking.


    In this paper, we present SABRE, a secure and scalable Bitcoin relay network which relays blocks worldwide through a set of connections that are resilient to routing attacks. SABRE runs alongside the existing peer-to-peer network and is easily deployable. As a critical system, SABRE design is highly resilient and can efficiently handle high bandwidth loads, including Denial of Service attacks.


    We built SABRE around two key technical insights. First, we leverage fundamental properties of inter-domain routing (BGP) policies to host relay nodes: (i) in networks that are inherently protected against routing attacks; and (ii) on paths that are economically-preferred by the majority of Bitcoin clients. These properties are generic and can be used to protect other Blockchain-based systems. Second, we leverage the fact that relaying blocks is communication-heavy, not computation-heavy. This enables us to offload most of the relay operations to programmable network hardware (using the P4 programming language). Thanks to this hardware/software co-design, SABRE nodes operate seamlessly under high load while mitigating the effects of malicious clients.


    We present a complete implementation of SABRE together with an extensive evaluation. Our results demonstrate that SABRE is effective at securing Bitcoin against routing attacks, even with deployments of as few as 6 nodes.

  17. MBeacon: Privacy-Preserving Beacons for DNA Methylation Data 2019 DataAnalysis Genomics NDSS Privacy ndss-symposium.org
    I. Hagestedt and Y. Zhang and M. Humbert and P. Berrang and H. Tang and X. Wang and M. Backes

    The advancement of molecular profiling techniques fuels biomedical research with a deluge of data. To facilitate data sharing, the Global Alliance for Genomics and Health established the Beacon system, a search engine designed to help researchers find datasets of interest. While the current Beacon system only supports genomic data, other types of biomedical data, such as DNA methylation, are also essential for advancing our understanding in the field. In this paper, we propose the first Beacon system for DNA methylation data sharing: MBeacon. As the current genomic Beacon is vulnerable to privacy attacks, such as membership inference, and DNA methylation data is highly sensitive, we take a privacy-by-design approach to construct MBeacon. First, we demonstrate the privacy threat, by proposing a membership inference attack tailored specifically to unprotected methylation Beacons. Our experimental results show that 100 queries are sufficient to achieve a successful attack with AUC (area under the ROC curve) above 0.9. To remedy this situation, we propose a novel differential privacy mechanism, namely SVT^2, which is the core component of MBeacon. Extensive experiments over multiple datasets show that SVT^2 can successfully mitigate membership privacy risks without significantly harming utility. We further implement a fully functional prototype of MBeacon which we make available to the research community.

  18. Fine-Grained and Controlled Rewriting in Blockchains: Chameleon-Hashing Gone Attribute-Based 2019 Blockchains NDSS ndss-symposium.org
    David Derler and Kai Samelin and Daniel Slamanig and Christoph Striecks

    Blockchain technologies recently received a considerable amount of attention. While the initial focus was mainly on the use of blockchains in the context of cryptocurrencies such as Bitcoin, application scenarios now go far beyond this. Most blockchains have the property that once some object, e.g., a block or a transaction, has been registered to be included into the blockchain, it is persisted and there are no means to modify it again. While this is an essential feature of most blockchain scenarios, it is still often desirable—at times it may be even legally required–to allow for breaking this immutability in a controlled way.


    Only recently, Ateniese et al. (EuroS&P 2017) proposed an elegant solution to this problem on the block level. Thereby, the authors replace standard hash functions with so-called chameleon-hashes (Krawczyk and Rabin, NDSS 2000). While their work seems to offer a suited solution to the problem of controlled re-writing of blockchains, their approach is too coarse-grained in that it only offers an all-or-nothing solution. We revisit this idea and introduce the novel concept of policy-based chameleon-hashes (PBCH). PBCHs generalize the notion of chameleon-hashes by giving the party computing a hash the ability to associate access policies to the generated hashes. Anyone who possesses enough privileges to satisfy the policy can then find arbitrary collisions for a given hash. We then apply this concept to transaction-level rewriting within blockchains, and thus support fine-grained and controlled modifiability of blockchain objects.


    Besides modeling PBCHs, we present a generic construction of PBCHs (using a strengthened version of chameleon-hashes with ephemeral trapdoors which we also introduce), rigorously prove its security, and instantiate it with efficient building blocks. We report first implementation results.

  19. maTLS: How to Make TLS middlebox-aware? 2019 NDSS TLS ndss-symposium.org
    Hyunwoo Lee and Zachary Smith and Junghwan Lim and Gyeongjae Choi and Selin Chun and Taejoong Chung and Ted "Taekyoung" Kwon

    Middleboxes (MBs) are widely deployed in order to enhance security and performance in networking. However, as the communications over the TLS become increasingly common, the end-to-end channel model of the TLS undermines the efficacy of MBs. Existing solutions, such as `split TLS’ that intercepts TLS sessions, often introduce significant security risks by installing a custom root certificate or sharing a private key. Many studies have confirmed the vulnerabilities of combining the TLS with MBs, which include certificate validation failures, unwanted content modification, and using obsolete ciphersuites. To address the above issues, we introduce an MB-aware TLS protocol, dubbed maTLS, that allows MBs to participate in the TLS in a visible and accountable fashion. Every participating MB now splits a session into two segments with its own security parameters in collaboration with the two endpoints. However, the session is still secure as the maTLS protocol is designed to achieve the authentication of MBs, the audit of MBs’ operations, and the verification of security parameters of segments. We carry out testbed-based experiments to show that maTLS achieves the above security goals with marginal overhead. We also prove the security model of maTLS by using Tamarin, a security verification tool.

  20. TLS-N: Non-repudiation over TLS Enabling Ubiquitous Content Signing 2018 NDSS TLS eprint.iacr.org
    Hubert Ritzdorf and Karl Wüst and Arthur Gervais and Guillaume Felley and Srdjan Capkun

    An internet user wanting to share observed content is typically restricted to primitive techniques such as screenshots, web caches or share button-like solutions. These acclaimed proofs, however, are either trivial to falsify or require trust in centralized entities (e.g., search engine caches).


    This motivates the need for a seamless and standardized internet-wide non-repudiation mechanism, allowing users to share data from news sources, social websites or financial data feeds in a provably secure manner.


    Additionally, blockchain oracles that enable data-rich smart contracts typically rely on a trusted third party (e.g., TLSNotary or Intel SGX). A decentralized method to transfer web-based content into a permissionless blockchain without additional trusted third party would allow for smart contract applications to flourish.


    In this work, we present TLS-N, the first TLS extension that provides secure non-repudiation and solves both of the mentioned challenges. TLS-N generates non-interactive proofs about the content of a TLS session that can be efficiently verified by third parties and blockchain based smart contracts. As such, TLS-N increases the accountability for content provided on the web and enables a practical and decentralized blockchain oracle for web content. TLS-N is compatible with TLS 1.3 and adds a minor overhead to a typical TLS session. When a proof is generated, parts of the TLS session (e.g., passwords, cookies) can be hidden for privacy reasons, while the remaining content can be verified.


    Practical demonstrations can be found at https://tls-n.org/.

  21. OBLIVIATE: A Data Oblivious Filesystem for Intel SGX 2018 IntelSGX NDSS ORAM lifeasageek.github.io
    Adil Ahmad and Kyungtae Kim and Muhammad Ihsanulhaq Sarfaraz and Byoungyoung Lee

    Intel SGX provides confidentiality and integrity of a program running within the con nes of an enclave, and is expected to enable valuable security applications such as private information retrieval. This paper is concerned with the security aspects of SGX in accessing a key system resource, les. Through concrete attack scenarios, we show that all existing SGX lesystems are vulnerable to either system call snooping, page fault, or cache based side-channel attacks. To address this security limitations in current SGX lesystems, we present OBLIVIATE, a data oblivious lesystem for Intel SGX. The key idea behind OBLIVIATE is in adapting the ORAM protocol to read and write data from a le within an SGX enclave. OBLIVIATE redesigns the conceptual components of ORAM for SGX environments, and it seamlessly supports an SGX program without requiring any changes in the application layer. OBLIVIATE also employs SGX-speci c defenses and optimizations in order to ensure complete security with acceptable overhead. The evaluation of the prototype of OBLIVIATE demonstrated its practical effectiveness in running popular server applications such as SQLite and Lighttpd, while also achieving a throughput improvement of 2×- 8× over a baseline ORAM-based solution, and less than 2× overhead over an in-memory SGX lesystem.

  22. ZeroTrace: Oblivious Memory Primitives from Intel SGX 2018 IntelSGX NDSS ORAM TEE eprint.iacr.org
    Sajin Sasy and Sergey Gorbunov and Christopher W. Fletcher

    We are witnessing a confluence between applied cryptography and secure hardware systems in enabling secure cloud computing. On one hand, work in applied cryptography has enabled efficient, oblivious data-structures and memory primitives. On the other, secure hardware and the emergence of Intel SGX has enabled a low-overhead and mass market mechanism for isolated execution. By themselves these technologies have their disadvantages. Oblivious memory primitives carry high performance overheads, especially when run non-interactively. Intel SGX, while more efficient, suffers from numerous software-based side-channel attacks, high context switching costs, and bounded memory size.


    In this work we build a new library of oblivious memory primitives, which we call ZeroTrace. ZeroTrace is designed to carefully combine state-of-the-art oblivious RAM techniques and SGX, while mitigating individual disadvantages of these technologies. To the best of our knowledge, ZeroTrace represents the first oblivious memory primitives running on a real secure hardware platform. ZeroTrace simultaneously enables a dramatic speed-up over pure cryptography and protection from software-based side-channel attacks. The core of our design is an efficient and flexible block-level memory controller that provides oblivious execution against any active software adversary, and across asynchronous SGX enclave terminations. Performance-wise, the memory controller can service requests for 4B blocks in 1.2ms and 1KB blocks in 3.4ms (given a 10~GB dataset). On top of our memory controller, we evaluate Set/Dictionary/List interfaces which can all perform basic operations (e.g., get/put/insert).

  23. Revisiting Private Stream Aggregation: Lattice-Based PSA 2018 Lattices MPC NDSS Privacy ndss-symposium.org
    Daniela Becker and Jorge Guajardo and Karl-Heinz Zimmermann

    In this age of massive data gathering for purposes of personalization, targeted ads, etc. there is an increased need for technology that allows for data analysis in a privacy-preserving manner. Private Stream Aggregation as introduced by Shi et al. (NDSS 2011) allows for the execution of aggregation operations over privacy-critical data from multiple data sources without placing trust in the aggregator and while maintaining differential privacy guarantees. We propose a generic PSA scheme, LaPS, based on the Learning With Error problem, which allows for a flexible choice of the utilized privacy-preserving mechanism while maintaining post-quantum security. We overcome the limitations of earlier schemes by relaxing previous assumptions in the security model and provide an efficient and compact scheme with high scalability. Our scheme is practical, for a plaintext space of 216 and 1000 participants we achieve a performance gain in decryption of roughly 150 times compared to previous results in Shi et al. (NDSS 2011).

  24. A Security Analysis of Honeywords 2018 NDSS Passwords ndss-symposium.org
    Ding Wang and Haibo Cheng and Ping Wang and Jeff Yan and Xinyi Huang

    Honeywords are decoy passwords associated with each user account, and they contribute a promising approach to detecting password leakage. This approach was first proposed by Juels and Rivest at CCS’13, and has been covered by hundreds of medias and also adopted in various research domains. The idea of honeywords looks deceptively simple, but it is a deep and sophisticated challenge to automatically generate honeywords that are hard to differentiate from real passwords. In JuelsRivest’s work, four main honeyword-generation methods are suggested but only justified by heuristic security arguments. In this work, we for the first time develop a series of practical experiments using 10 large-scale datasets, a total of 104 million real-world passwords, to quantitatively evaluate the security that these four methods can provide. Our results reveal that they all fail to provide the expected security: real passwords can be distinguished with a success rate of 29.29%∼32.62% by our basic trawling-guessing attacker, but not the expected 5%, with just one guess (when each user account is associated with 19 honeywords as recommended). This figure reaches 34.21%∼49.02% under the advanced trawling-guessing attackers who make use of various state-of-the-art probabilistic password models. We further evaluate the security of Juels-Rivest’s methods under a targeted-guessing attacker who can exploit the victim’ personal information, and the results are even more alarming: 56.81%∼67.98%. Overall, our work resolves three open problems in honeyword research, as defined by Juels and Rivest.

  25. Removing Secrets from Android’s TLS 2018 Android Implementation NDSS TLS ndss-symposium.org
    Jaeho Lee and Dan S. Wallach

    Cryptographic libraries that implement Transport Layer Security (TLS) have a responsibility to delete cryptographic keys once they’re no longer in use. Any key that’s left in memory can potentially be recovered through the actions of an attacker, up to and including the physical capture and forensic analysis of a device’s memory. This paper describes an analysis of the TLS library stack used in recent Android distributions, combining a C language core (BoringSSL) with multiple layers of Java code (Conscrypt, OkHttp, and Java Secure Sockets). We first conducted a black-box analysis of virtual machine images, allowing us to discover keys that might remain recoverable. After identifying several such keys, we subsequently pinpointed undesirable interactions across these layers, where the higherlevel use of BoringSSL’s reference counting features, from Java code, prevented BoringSSL from cleaning up its keys. This interaction poses a threat to all Android applications built on standard HTTPS libraries, exposing master secrets to memory disclosure attacks. We found all versions we investigated from Android 4 to the latest Android 8 are vulnerable, showing that this problem has been long overlooked. The Android Chrome application is proven to be particularly problematic. We suggest modest changes to the Android codebase to mitigate these issues, and have reported these to Google to help them patch the vulnerability in future Android systems.