Mctrain's Blog

What I learned in IT, as well as thought about life

Notes in CCS 2015 (Denver)

| Comments

This week I’ve been to Denver, Colorado, to attend the CCS 2015 and present our work SeCage, which is a hypervisor-enforced approach for intra-domain isolation.

The main conference lasts for 3 days (10.13 ~ 10.15). There are 3 parallel tracks for 36 sessions, for specific reasons, I have only attended 6 sessions.

Following are some of the notes about what I’ve heard from these sessions.

Session 1B: iOS and MAC OS Security

This is a very interesting session that shows the security of iOS/Mac OS. There are 2 papers in this session.

The first is presented by Luyi Xing from Indiana Univercity Bloomington. As he shows, from 2010 to yesterday, in the 4 top security conferences (S&P, Usenix securiy, CCS, NDSS), there were 0 session with 3 papers discussing about iOS security, compared to the 17 sessions with 88 papers about Android security.

The paper presented by Xing is titled “Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS”. This is an attack paper that shows several ways to attack iOS/Mac OS with full protection (e.g., sandboxing isolating, indirect interaction, direct communication, vetting), and results in the leakage of private data like passwords, tokens, cookies, etc.

This presentation only shows 2 kinds of so-called Unauthorized cross-app resource access (XARA) approaches. the first one is to crack keychain and steal password, while the second one is to intercept IPC using the bugs in distributed objects mechanism, and steal the tokens from Evernote server.

The details can be found in the paper, it shows many interesting points, like the lessons of unclear boundary of responsibilities between developer and Apple, etc. This paper is also armed with 3 Apple CVEs (CVE-2015-3786, CVE-2015-5835, CVE-2015-5836). Thus it is a very typical security paper. I’m going to read it later.

The second presentation is from Brendan Saltaformaggio, Purdue University. It is noted that Brendan have 3 papers in this year’s CCS, one of which wins the best paper award!

In this presentation, he starts with a very interesting statistics:

As Apple claimed, all applications will be protected by the vetting mechanism. However how well is the vetting performed is under question. In 2015 till now, there are 1.5 million new applications created in apple store, which means 556 application vetting per day! Therefore it is reasonable to say that the vetting process is fast, lightweight, ‘almost’ automatic and may use static program analysis.

This paper is targeted at solving the problem of finding private API abuse in the application. Private API is supposed only used by Apple Internal. However since the function call in Objective-C can be called by sending a message to object, e.g.,

object_msgSend(obj, foo, param);

can be used to invoke a function foo of object obj. Thus following trick can alse be leveraged to invoke foo function:

char sel[3];
strcpy (sel, f);
strcat (sel, oo)
object_msgSend(obj, sel, param);

So it is really hard for static analysis to detect such private API abuse (if foo is a private API).

This this paper, they use static analyssi + Guided forced exection (dynamic analysis) to solve such problem. For static analysis, they use backward slicing, which is vulnerable for obfuscation. Then they use an approach called force execution, to complete the analysis. During force execution, in every branch, the condition is flipped, so that every branch can be reached.

Since I’m not familiar with program analysis, it is a little hard for me to fully understand it. More details can be found in the paper.

Session 2C: Password Security

Honestly speaking, I’m not quite interested in papers of this session, just have a simple note for each of the paper:

  • The 1st one is titled “Monte Carlo Strength Evaluation: Fast and Reliable Password Checking”, is to use the probabilistic password models to design a scientifically sound password strength meter.
  • The 2nd one is titled “Surpass: System-initiated user-replaceable passwords”, the motivation is that random passwords are secure, but hard to memorized. Thus they design a mechanism that user can replace password initialized by system randomly for memorable. They have done many surveys on the tradeoff between entropy and memorability, and provide some statistic conclusion. Some interesting points is that they use large-scale amazone mechanical turk for recruiting 5312 anticipator, and use hashcat for cracking passwords.
  • The 3rd paper is titled “Optimal Distributed Password Verification”, the problem it wants to solve is the single server/point of failure, which may cause the whole data of password stolen, and offline dictionary attacks can be conducted. In this paper, it proposes a distributed password verification mechanism, so that even one server is under attack, the password data are still safe.

Session 3B: Memory Randomization

In this session, I only listen to 3 presentations.

The first one is titled “It’s a TRAP: Table Randomization and Protection against Function Reuse Attacks”. This is a paper targeted at solving Counterfeit OOP (COOP), shamefully I’m not familiar with this attack! I can only tell that this paper proposes to randomize vtable. But I’m not quite clear about the challenges and solution, since I’m newbie for C++.

The second one is very interesting, it is called “Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads”. It uses a technique called destructive code read to solve the problem of code disclosure attack for ASLR, e.g., JIT-ROP. The main idea is that for systems where data/code are mixed, all memory can be read, but executale memory should be mediated after reading. So different with previous solutions like XnR, this paper thinks, we do not need to prohibit the executable memory read, since it is not compatible for systems especially like Windows. We only need to take care if we found the executable memory is read. Therefore, they use the EPT mechanism, because EPT seperate read permission with executable permission, to mediate the executable memory after reading.

The third one is titled “Timely Rerandomization for Mitigating Memory Disclosures”, it is also relate to attacks like JIT-ROP, the core idea is to synchronize with the attacker, more specifically, it is to

  • identify disclosure time
  • identify memory corruption time
  • and rerandomize in between.

which means, if we know when the code memory is leaked, we can rerandomize the memory, so that the JIT-ROP is prevented. Therefore, they choose to rerandomize after some I/O system calls, since attackers must leak the memory from network I/O.

Session 5B Understanding Android Apps

There are 2 papers in this session.

The 1st one “Towards Automatic Generation of Security-Centric Descriptions for Android Apps” is done by Mu Zhang from NEC Laboratories America. The authors list also includes Heng Yin from Syracuse University. The motivation of this paper is that in Android there are 2 mechanisms to describe the application, permission and textual description. However, permission is not inadequate and hard to understand, while textual decription is devated with permission, and not related to security. So the goal of this paper is to automatically generate the textual description by analyse the whole program, and to help average users to understand security risk in semantic level. The techniques they use are

  • behavior graph generation
  • subgraph mining & graph compression
  • natural language generation

The 2nd paper is called “AUTOREB: Automatically Understanding the Review-to-Behavior Fidelity in Android Applications”, by Deguang Kong from Samsung Research America. This paper is quite simple, it just focus on user comments and app behaviors, and infer security issues from user reviews. They need to solve some challenges by some approaches:

  • review semantic (appraoches: featuer augmentation, relevance feedback, co-occurrenc, feature correlation)
  • security concern (approaches: security feature extraction, machine learning)
  • credibility of users (approach: crowdsourcing)

More details can be found in the paper if you are interested in it.

Session 8B: Control Flow Integrity

CFI is still popular in this year, there are totally 5 presentations in this session, the 1st one is to show the problems of current static analysis for CFG generation; The 2nd one is to generate CFG per input, to reduce the number of edges for the CFG; The 3rd one is named “Practical Context-Sensitive CFI”, it uses LBR to enforece context-sensitive CFI during runtime; The 4th one is “CCFI: Cryptographically Enforced Control Flow Integrity”, which uses some MAC mechanism to protect the control flow; And the last is “Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attack”, it shows one stack-based attak, though I’m not quite convinced why it is stack-based.

Session 12C: Side Channel

This is the session including my presentation, though I’m quite confused why my paper is located in this session, in my paper, we claimed that we don’t consider about DoS and side-channel attacks.

There are 4 papers in total, I’ve listened for 2, except my own.

The 1st is titled “Mitigating Storage Side Channels Using Statistical Privacy Mechanisms”. It is by Qiuyu Xiao from University of North Carolina and Yinqian Zhang from The Ohio State University. This paper leverages differential privacy to solve the side channle attack by revealing private information (e.g., which website you are scanning) from procfs (like memory/cpu states). It adds some noise to procfs, while remaining most of the correctness.

The 2nd one is “Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration” by Soo-Jin Moon from Carnegie Mellon University. The goal of this paper is realize a general deployable system to defend against cloud side-channel attack. It simply use migration to mitigate such attacks, make sure the VMs not share the same physical machine for long time.

My prenstation is the last one in the last session. I should say it is OK with the talk (though still a little nervous), but for Q/A, it is quite embarrassed, 4 people ask 5 questions. However many of them are not clearly understood by myself.

3 about static analysis:

  • OpenSSL complicated, how to analysis it.
  • Prateek ask about whether do we consider about control dependence.
  • Why static is useful according to our mechanism

1 about VMFUNC security by prateek

1 about selective plaintext attack? Not quite understand.

The good thing is though I’m the last presentor, there are still a lot of questions, which means lots of people are interested in my work. The bad things is I’m quite awkful!

Other topics and papers

There are some other papers I’m quite interested in but failed to listen to for some specific reasons. Simply list them here, and I’m going to read the paper later.

Session 1B: MAC OS and iOS Security
  • Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS by Luyi Xing (from Indiana University Bloomington)
Session 3B: Memory Randomization
  • Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads by Adrian Tang (from Columbia University)
  • ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks by Kangjie Lu (from Georgia Institute of Technology)
Session 4B: Software Vulnerabilities
  • Unearthing Stealthy Program Attacks Buried in Extremely Long Execution Paths by Xiaokui Shu (from Virginia Tech)
  • From Collision to Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel by Wen Xu (from SJTU)
Session 8C: Enhancing Trust
  • TrustOTP: Transforming Smartphones into Secure One-Time Password Tokens by Kun Sun (from College of William and Mary)
  • Clean Application Compartmentalization with SOAAP by Khilan Gudka (from University of Cambridge)
Session 10B: Mobile Device Attacks
  • From System Services Freezing to System Server Shutdown in Android: All You Need Is a Loop in an App by Heqing Huang (from The Pennsylvania State University)
  • When Good Becomes Evil: Keystroke Inference with Smartwatch by Xiangyu Liu (from The Chinese University of Hong Kong)

People meet in CCS

In CCS, I find myself not quite active in socializing with others. Most people I met and talked with are Chinese, either professors like Yan Huang, Kun Sun, Li Depeng, Yinqian Zhang, Yin Heng, Dongyan Xu, Long Lu, Xiapu Luo, or students like Guoxing Chen, Jian Liu, Xiaokuan Zhang, Qiuyu Xiao, Yaohui Chen.

I find there are so many Chinese in this community, this is the first time for me to step into this community, I hope there are other oppotunities in the future.