Notes for NDSS'24#
Interested topics
- Session 1A: Firmware
- Session 2A: Fuzz-all-the-things!
- Session 4A: Leaks!
- Session 5A: Trusted Execution Environments
- Session 6B: Exploitation
- Session 9A: Fuzz-more-things!
- Session 11B: Reverse Engineering
- Session 12B: Application Security
Somewhat interested topics (Web/Network, Architecture, Mobile, IoT/Sensors, Antomotive)
- Session 2B: Tor and Mixed Networks
- Session 3A: Routing
- Session 3B: Android and Deserialization
- Session 6A: Network Protocols
- Session 6C: Architecture and Cybercrime
- Session 8A: Mobile Ecosystem
- Session 8B: Acoustic Sensor Security
- Session 9C: Occlusion and Vision
- Session 10A: Internet-of-Everything
- Session 11A: Visual Sensor Security
- Session 12A: Network Security
- Session 12C: Automotive Sensor Security
- Session 13A: Web Security
Uninterested topics (Cyrptography, Machine Learning/LLM, Blockchain, Human Factors, Usable Security)
- Session 1B: Censorship
- Session 1C: Applied Cryptography
- Session 2C: Resource PKI
- Session 3C: Federated Learning
- Session 4B: ML Security (1)
- Session 4C: Secrecy and Anonymity
- Session 5B: ML Attacks (1)
- Session 5C: Future Cryptography
- Session 7A: Blockchain Protocols
- Session 7B: ML Security (2)
- Session 7C: Human Factors
- Session 8C: Smart Contracts
- Session 9B: ML Security (3)
- Session 10B: Usable Security
- Session 10C: Membership Inference
- Session 11C: Prompt Engineering
- Session 13B: ML Attacks (2)
- Session 13C: ML Privacy
Session 1A: Firmware#
-
Decentralized Information-Flow Control for ROS2
- We present Picaros, a decentralized information-flow control (DIFC) system tailored for ROS2.
- paper
-
Facilitating Non-Intrusive In-Vivo Firmware Testing with Stateless Instrumentation
- Firmware fuzzing.
- We develop a decoupled firmware testing framework named IPEA, which shifts the overhead of resource-intensive analysis tasks from the microcontroller to the workstation.
- paper
- Comments: requires source-code.
-
LDR: Secure and Efficient Linux Driver Runtime for Embedded TEE Systems
- Zhen Ling
- Sandboxing Linux kernel drivers.
- In this paper, we propose a TEE driver execution environment—Linux driver runtime (LDR). The LDR reuses the existing TEE OS library functions whenever possible and redirects the kernel subsystem function calls to the Linux kernel in the normal world.
- paper
Session 2A: Fuzz-all-the-things#
-
REQSMINER: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing
- Haixin Duan and Jianjun Chen
- Network security.
- paper
-
Large Language Model guided Protocol Fuzzing
- Marcel Bohme and Abhik Roychoudhury
- Protocol fuzzing.
- We have developed an LLM-guided protocol implementation fuzzing engine. Our protocol fuzzer CHATAFL constructs grammars for each message type in a protocol, and then mutates messages or predicts the next messages in a message sequence via interactions with LLMs.
- paper
- Comments: Compares to AFLNet, NSFuzz aganist targets in ProFuzzBench. CHATAFL covers 47.60% and 42.69% more state transitions, 29.55% and 25.75% more states, but only 5.81% and 6.74% more code, respectively. Apart from enhanced coverage, CHATAFL discovered nine distinct and previously unknown vulnerabilities on the latest ProFuzzBench targets.
- Comments: No new insight is proposed but the usage of LLM.
- Comments: LLM stops us from thinking deeply.
-
SHAPFUZZ: Efficient Fuzzing via Shapley-Guided Byte Selection
- Xiao Xi
- New approach to prioritize input bytes during fuzzing.
- Some byte positions contribute more than others and this property often holds across different seeds. We propose a novel solution, called SHAPFUZZ, to guide byte selection and mutation in fuzzing processes. Specifically, SHAPFUZZ updates Shapley values (importance) of bytes when each input is tested during fuzzing with a low overhead. It utilizes contextual multiarmed bandit algorithm to make a trade off between mutating high Shapley value bytes and low-frequently chosen bytes.
Session 4A: Leaks (Side-Channel Attacks)#
-
Acoustic Keystroke Leakage on Smart Televisions
- This work develops and demonstrates a new side-channel attack that exposes keystrokes from the audio of two popular Smart TVs: Apple and Samsung.
- paper
-
IdleLeak: Exploiting Idle State Side Effects for Information Leakage
- Daniel Gruss
- Specifically, we exploit the processor idle state C0.2 to monitor system activity and for novel means of data exfiltration, and the idle state C0.1 to monitor system activity on logical sibling cores.
- paper
-
TEE-SHirT: Scalable Leakage-Free Cache Hierarchies for TEEs
- Yu David Liu
- Efficient and correct partitioning requires careful design. Towards this goal, TEE-SHirT makes three contributions: 1) we demonstrate how the hardware structures used for holding cache partitioning metadata can be effectively virtualized to avoid flushing of cache partition content on context switches and system calls; 2) we show how to support multi-threaded enclaves in TEESHirT, addressing the issues of coherency and consistency that arise with both intra-core and inter-core data sharing; 3) we develop a formal security model for TEE-SHirT to rigorously reason about the security of our design.
- paper
-
Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks
- Network security.
- In this paper, we uncover a new side-channel vulnerability in the widely used NAT port preservation strategy and an insufficient reverse path validation strategy of Wi-Fi routers, which allows an off-path attacker to infer if there is one victim client in the same network communicating with another host on the Internet using TCP.
- paper
Session 5A: Trusted Execution Environments#
-
SENSE: Enhancing Microarchitectural Awareness for TEEs via Subscription-Based Notification
- We propose SENSE, a solution that actively exposes underlying microarchitectural information to userspace TEEs. SENSE enables userspace software in TEEs to subscribe to fine-grained microarchitectural events and utilize the events as a means to contextualize the ongoing microarchitectural states. We initially demonstrate SENSE’s capability by applying it to defeat the state-of-the-art cache-based side-channel attacks.
- paper
-
EnclaveFuzz: Finding Vulnerabilities in SGX Applications
- Chao Zhang
- Vulnerability detection of TEE.
- In this paper, we propose EnclaveFuzz, a multi-dimension structure-aware fuzzing framework that analyzes enclave sources to extract input structures and correlations, then generates fuzz harnesses that can produce valid inputs to pass sanity checks. To conduct multi-dimensional fuzzing, EnclaveFuzz creates data for all three input dimensions of an enclave, including both parameters and return values that enter an enclave, as well as direct untrusted memory access from within an enclave. To detect more types of vulnerabilities, we design a new sanitizer to detect both SGX-specific vulnerabilities and typical memory corruption vulnerabilities. Lastly, we provide a custom SDK to accelerate the fuzzing process and execute the enclave without the need for special hardware.
- paper
-
Faults in Our Bus: Novel Bus Fault Attack to Break ARM TrustZone
- Debdeep Mukhopadhyay
- Fault injection.
- In this work, we present the first practical implications of targeting an orthogonal aspect of SoC’s architecture: the system bus. We inject electromagnetic pulses onto the system bus during the execution of instructions involving processor-memory interaction. We show how address bus faults compromise software implementations of masked implementations of ciphers, illustrated using implementations of state-of-theart post-quantum cryptography (PQC) schemes, leaking entire secret keys with a single fault. We also demonstrate that data bus faults can be controlled and exploited to launch Differential Fault Analysis (DFA) attacks on table-based implementation of the Advanced Encryption Standard (AES). Furthermore, we demonstrate that the impact of such bus faults can be farreaching and mislead the security guarantees of the popular and widely used ARM TrustZone.
Session 6B: Exploitation#
-
UntrustIDE: Exploiting Weaknesses in VS Code Extensions
- SoK of VS code extensions.
- This paper seeks to systematically understand the landscape of vulnerabilities in VS Code’s extension marketplace. We identify a set of four sources of untrusted input and three code targets that can be used for code injection and file integrity attacks and use them to design taint analysis rules in CodeQL. We then perform an ecosystemlevel analysis of the VS Code extension marketplace, studying 25,402 extensions that contain code. Our results show that while vulnerabilities are not pervasive, they exist and impact millions of users. Specifically, we find 21 extensions with verified proof of concept exploits of code injection attacks impacting a total of over 6 million installations.
- paper
-
SyzBridge: Bridging the Gap in Exploitability Assessment of Linux Kernel Bugs in the Linux Ecosystem
- Zhiyun Qian
- Post-fuzzing and vulnerability assessment.
- We developed SyzBridge, a fully automated system that adapts upstream PoCs to downstream kernels.
- paper
-
File Hijacking Vulnerability: The Elephant in the Room
- SoK and detection of file hijacking vulnerabilities.
- We developed a dynamic analysis tool, JERRY, which effectively detects FHVulns at runtime by simulating hijacking actions during program execution.
- paper
-
Phoenix: Surviving Unpatched Vulnerabilities via Accurate and Efficient Filtering of Syscall Sequences
- Provanence.
- We propose Phoenix, a solution for preventing exploits of unpatched vulnerabilities by accurately and efficiently filtering sequences of system calls identified through provenance analysis.
- paper
Session 9A: Fuzz-more-things!#
-
DeepGo: Predictive Directed Greybox Fuzzing
- NUDT
- AI for fuzzing.
- In this paper, we propose DeepGo, a predictive directed greybox fuzzer that can combine historical and predicted information to steer DGF to reach the target site via an optimal pat
- paper
-
MOCK: Optimizing Kernel Fuzzing Mutation with Context-aware Dependency
- Shouling Ji
- AI for kernel fuzzing.
- In this paper, we present a practical and effective kernel fuzzing framework, called MOCK, which is capable of learning the contextual dependencies in syscall sequences and then generating context-aware syscall sequences
- paper
-
Predictive Context-sensitive Fuzzing
- VUSec
- In this paper, we show that a much more effective approach to context-sensitive fuzzing is possible. First, we propose function cloning as a backward-compatible instrumentation primitive to enable precise (i.e., collision-free) context-sensitive coverage tracking. Then, to tame the state explosion problem, we argue to account for contextual information only when a fuzzer explores contexts selected as promising. We propose a prediction scheme to identify one pool of such contexts: we analyze the data-flow diversity of the incoming argument values at call sites, exposing to the fuzzer a contextually refined clone of the callee if the latter sees incoming abstract objects that its uses at other sites do not.
- paper
- Comments: calling-context -> hash -> collision -> function cloning (For instance, if contextual information is represented only by the caller of a function, the analysis may produce separate results for the unique clones of the callee devised for each possible caller.)
Session 11B: Reverse Engineering#
-
SIGMADIFF: Semantics-Aware Deep Graph Matching for Pseudocode Diffing
- Heng Yin
- AI for diffing.
- To address the limitations, in this paper, we propose a semantics-aware, deep neural network-based model called SIGMADIFF for pseudocode diffing.
- paper
-
DeGPT: Optimizing Decompiler Output with LLM
- Kai Chen
- AI for decompilation.
- paper
-
DYNPRE: Protocol Reverse Engineering via Dynamic Inference
- Yu Jiang
- Protocol/model inference.
- This paper introduces DYNPRE, a protocol reverse engineering tool that exploits the interactive capabilities of protocol servers to obtain more semantic information and additional traffic for dynamic inference. This paper presents DYNPRE, a network trace based protocol reverse engineering tool that introduces dynamic inference for more accurate analysis. Unlike traditional methods that require high-quality static network traces for comprehensive statistical analysis, DYNPRE establishes active communication with the server using carefully constructed probe messages to extract insightful information and acquire additional samples as needed, making it well-suited for input traces with limited information.
- paper
-
Gradient Shaping: Enhancing Backdoor Attack Against Reverse Engineering
- AI model reverse engineering.
- paper
Session 12B: Application Security#
- Efficient Use-After-Free Prevention with Opportunistic Page-Level Sweeping
- UNIST
- Introduction of new allocator against UAF
- This study proposes HUSHVAC, an allocator that performs delayed reuse in such a way that the distribution of heap chunks becomes more friendly to such workloads. A
- paper