Note: This article was jointly produced by GPT4 and Claude.
161、Secure Auctions in the Presence of Rational Adversaries
Sealed-bid auctions are used to allocate resources among a group of interested participants. Traditionally, auctions require the presence of a trusted auctioneer to whom bidders provide their private bids. However, it is difficult to implement such a trusted third party in practice. Generic secure computing protocols can be used to remove trusted third parties. However, general techniques lead to inefficient agreements that often fail to provide fairness—that is, a corrupt party can learn about the output and suspend the agreement, preventing other parties from learning about the output. At CRYPTO 2009, Miltersen, Nielsen, and Triandopoulos (~\citeC:MilNieTri09) addressed the problem of constructing secure auctions for rational bidders. Such actors are modeled as selfish agents who are more concerned with improving their own utility than with information about other agents' bids. To achieve this goal, they propose a novel concept of information utility and introduce a game-theoretic framework that helps to consider both information utility and monetary utility when analyzing protocols. Unfortunately, their construction uses a general multi-party computation protocol, thus, the authors did not analyze the specific efficiency of their protocol. In this work, we construct the first concretely efficient and provably secure first-price auction protocol in rational settings. Our protocol guarantees privacy, public verifiability, and fairness. Inspired by ~\citeC:MilNieTri09, we propose a solution concept that we call a "weakly dominant strategy equilibrium for privacy-enhanced computing" that encompasses the parties' privacy and monetary concerns in a game-theoretic context , and show that our protocol achieves this. We believe this concept has independent interest. Our protocol is designed specifically for auction usage scenarios, is easy to use, and uses off-the-shelf encryption components. Executing our auction protocol on commodity hardware with 30 bidders and a bid length of 10, our protocol completes in 0.429 seconds with a total communication volume of 82KB.
Paper link: https://doi.org/10.1145/3548606.3560706
162、Secure Parallel Computation on Privately Partitioned Data and Applications
Parallel computing is an important aspect of multi-party computing, not only to improve efficiency, but also to provide privacy protection for conditional branch computing based on private data. Applying multiparty computations in parallel on multiple sets of input data is straightforward if the partition of the input data is publicly partitioned into several sets, but the problem becomes more challenging when such partitioning is private. This setup is relevant to a large class of secure computing, especially in secure graph and database analytics where the underlying data (graph or database) is private. In this paper, we consider a class of functions that can be represented by iterative evaluation of binary associative operations, and propose an efficient protocol for evaluating these functions in parallel on privately partitioned input data. Our protocol is optimal in terms of the number of evaluations of the basic binary operation required (i.e., N-1 evaluations for a total input size N), while achieving a round complexity that is only logarithmic in the total size of the input data. degrees (ie O(log N)).
Applying our protocol to specific functions yields specific improvements over dedicated protocols in previous work. For example, we improve on the best previously known protocols for simple functions such as (grouped) sums and (grouped) maxima, and Nayak et al.'s secure graph analysis protocol (S&P'15), which require O(N log N) evaluations for a round complexity of O(log N). While our protocol is asymptotically performance identical to the shortest path algorithm of Anagreh et al. (Cryptography'21), we achieve better concrete performance. Finally, by considering the shortest path computation on weighted graphs via the Bellman-Ford algorithm, we reduce the communication complexity by 2.4~ 5.4 times. Furthermore, we implement efficient protocols for previously unconsidered features, such as ArgMax, first/last projections, and list joins.
Paper link: https://doi.org/10.1145/3548606.3560695
163、Securing Reset Operations in NISQ Quantum Computers
The safe reset operation can be used as an enabling technique to allow quantum computers to be shared between different users or different quantum programs of the same user. Today, the dominant method of erasing the state of a qubit is a system-wide erase, which resets all qubits simultaneously. For example, in today's IBM superconducting qubit machines, a full system erase takes up to 1000 μs and completely erases all information in the system. However, a full system wipe cannot be achieved by wiping only a few qubits and assigning them to new users or programs; everything has to be wiped at the same time. The secure reset operation could allow only a portion of the qubits to be reset, and could build on the reset operation provided by existing (insecure) IBM superconducting qubit machines. There are (unsafe) reset operations that can be used to reset the qubit state within 10 μs to 1 μs. Therefore, a reset operation is much faster than a full system wipe. However, as this paper shows, some information can be leaked through the (unsafe) reset operation, since it does not perfectly reset the qubit state between two users or programs that use the same qubit in succession. In addition, crosstalk-like effects were observed, where the reset behavior of one qubit could be inferred from neighboring qubits. This article analyzes the existing (insecure) reset operation to understand how to build a secure reset operation on top of it. The paper then describes the design, implementation, and evaluation of the proposed secure reset operation, which can reset qubits without revealing information and maintain a 300-fold speedup over full-system erase.
Paper link: https://doi.org/10.1145/3548606.3559380
164、Selective MPC: Distributed Computation of Differentially Private Key-Value Statistics
Key-value data is a naturally occurring data type that has been understudied in native trust models. Existing local differential privacy (LDP) solutions for computing statistics on key-value data are limited by the inherent accuracy of each user adding their own noise. The accuracy of multi-party computing (MPC) is better than that of LDP, and it also does not require a trusted central party. However, applying MPC directly to key-value data results in prohibitive computational costs. In this paper, we propose a selective multi-party computation method, a distributed computing method that exploits DP leaks to efficiently and accurately compute statistics on key-value data. By providing each party with a view of a random subset of the data, we can capture subtractive noise. We show that our protocol satisfies pure DP and is provably secure in the combined DP/MPC model. Our empirical evaluation shows that we can compute statistics for 10,000 keys in 20 seconds, and scale up to 30 servers while obtaining results for a single key in under a second.
Paper link: https://doi.org/10.1145/3548606.3560559
165、Server-Aided Continuous Group Key Agreement
Continuous Group Key Agreement (CGKA) -- or group trigger mechanism -- is at the heart of a new generation of scalable end-to-end secure (E2E) cryptographic multiparty applications. One of the most important (and first deployed) CGKAs is ITK, which is the cornerstone of the IETF's upcoming standard for end-to-end secure group messaging. To scale beyond the group sizes supported by earlier E2E protocols, a core goal of the CGKA protocol design is to minimize bandwidth requirements (ie, communication complexity). In this work, we advance the theory and design of CGKA, which achieves extremely high bandwidth efficiency. To this end, we first generalize the standard CGKA communication model by introducing server-assisted CGKA (saCGKA), which generalizes CGKA and more accurately describes how most E2E protocols are deployed in reality. Next, we introduce the SAIK protocol; a modified version of ITK designed for practical applications, taking advantage of the new capabilities provided by saCGKA to greatly reduce its communication (and computation) complexity. Furthermore, we introduce an intuitive and precise security model for saCGKA. It improves the existing CGKA security model in several ways. It more directly captures the intuitive security goals of CGKA. Formally, however, it also relaxes certain requirements, allowing us to take full advantage of the saCGKA communication model. Finally, it's more simplified, making working with it more manageable and easier to build intuition. Therefore, the security proof of SAIK is also simpler and modular. Finally, we present empirical data comparing the (sometimes dramatically improved) complexity profiles of SAIK with state-of-the-art CGKAs. For example, in a newly created group with 10000 members, to change the group status (eg add/remove parties), ITK requires a 1.38MB download per group member. However, with SAIK, members only need to download a maximum of 2.7KB.
Paper link: https://doi.org/10.1145/3548606.3560632
166、Sharp: Short Relaxed Range Proofs
We provide proofs of optimized ranges in discrete logarithms and hidden order groups based on quadratic factorization, called Sharp. In the former setting, we build on the paradigm of Couteau et al. (Eurocrypt '21) and optimize their range proofs (from now on, CKLR for short): (1) we pass vector commitments and adapted ∑; - Protocol introduces batching. (2) We introduce a new group switching strategy to reduce communication. (3) Due to the need to repeatedly instantiate CKLR in the standard population, we provide a novel batch phrase test that enables cheaper repetition. The analysis of our tests is tedious and is the core technical contribution of our work. For example, for N = 1 (N = 8 respectively) proofs for λ = 128-bit security and B = 64-bit range, we reduce the proof size for any group by 34% (75% respectively), and reduce the 256-bit The order group proof size is reduced by 66% (88% respectively), compared to CKLR. Since Sharp and CKLR prove to satisfy a "relaxed" notion of security, we show how their security can be enhanced using an additional hidden order group element. In the RSA swarm, this reduces the size of state-of-the-art range proofs (Couteau et al., Eurocrypt '17) by 77% (λ = 128, B = 64, N = 1). Finally, we implement our optimized range proof. Our benchmarks show very significant runtime improvements compared to state-of-the-art Bulletproofs (Bünz et al., S&P 2018). Finally, we briefly describe some applications of our new range proofs.
Paper link: https://doi.org/10.1145/3548606.3560628
167、Shifted Inverse: A General Mechanism for Monotonic Functions under User Differential Privacy
Although most research on differential privacy has focused on preserving the privacy of tuples, it has been realized that this simple model cannot capture the complex user-tuple relationships found in many real-world applications. Therefore, user differential privacy (user-DP) has recently received more attention, including node differential privacy (node-DP) for graph data as a special case. Most of the existing research on user differential privacy only studies the sum estimation problem. In this work, we design a general differentially private mechanism for any monotonic function with strong optimization guarantees under user differential privacy. While our general mechanism may run in hyperpolynomial time, we show how to instantiate an approximate polynomial-time version on some common monotonic functions, including summation, k-choice, maximum frequency, and distinct count. Finally, we conduct experiments on all these functions and show that our framework is more general and achieves better results in many cases.
Paper link: https://doi.org/10.1145/3548606.3560567
168、Sigstore: Software Signing for Everybody
Software supply chain threats are on the rise. From XCodeGhost to the impact of SolarWinds, hackers have learned that by attacking weak links in the supply chain, they can penetrate high-value targets such as US government agencies and corporate targets such as Google and Microsoft. Although software signing is a powerful means of countering these attacks, its adoption remains limited in the open source and enterprise ecosystems. In this paper, we propose Sigstore, a system that provides extensive software signing capabilities. To this end, we designed the system to provide a baseline artifact signing capability that minimizes the barriers to developer adoption. To achieve this, Sigstore employs three different mechanisms: First, it uses an ACME-like protocol to authenticate developers via OIDC, binding signatures to existing and widely used identities. Second, it allows developers to sign their artifacts with ephemeral keys, reducing the inconvenience and risk of key management. Finally, Sigstore enables user authentication through artifact and identity logs, bringing transparency to software signing. Sigstore is fast becoming a critical part of the internet infrastructure, with over 2.2 million signatures on critical software such as Kubernetes and Distroless.
Paper link: https://doi.org/10.1145/3548606.3560596
169、Sleepy Channels: Bi-directional Payment Channels without Watchtowers
Payment Corridors (PCs) are a promising solution to the scalability problem of cryptocurrencies, allowing users to perform most transactions off-chain without posting everything on the blockchain. However, many payment channel proposals have a serious limitation: Both parties need to constantly monitor the blockchain to ensure that the other party is not publishing stale transactions. If this happens, the honest party needs to react quickly and engage in the punishment process. This means that malicious users may take advantage of longer periods of absence (e.g., power outages). As a mitigation measure, the community introduced watchtowers, a type of third party that monitors the blockchain on behalf of offline users. Unfortunately, watchtowers are either trusted, which is critical from a security standpoint, or they have to lock up a certain amount of coins, called a stake, for each monitored payment channel in order to be held accountable, which for large networks Said, this is not financially feasible. We propose Sleepy Channels, the first two-way payment channel protocol that does not require a watchtower (or any other third party), supports an unlimited number of payments, and does not require parties to be constantly online. The key idea is to limit the time during which payment channel updates can be verified on-chain to a short, predetermined window of time during which payment channel participants must be online. This behavior is incentivized by having parties lock collateral in payment channels that can be adjusted based on mutual trust between them, allowing them to get their collateral back earlier if they are online within this time window. Our protocol is compatible with any blockchain (such as Bitcoin) capable of verifying digital signatures, as demonstrated in our proof of concept. Furthermore, our experimental results show that Sleepy Channels have similar communication and computation overheads to state-of-the-art payment channel protocols, while eliminating watchtower staking and monitoring service fees.
Paper link: https://doi.org/10.1145/3548606.3559370
170、SortingHat: Efficient Private Decision Tree Evaluation via Homomorphic Encryption and Transciphering
Machine learning as a service scenarios often require clients to trust the server and provide sensitive data in clear text. However, with recent improvements in fully homomorphic encryption (FHE) schemes, many such applications can be designed in a privacy-preserving manner. In this work, we focus on the problem of Private Decision Tree Evaluation (PDTE) - where the server holds a decision tree classification model and the client wishes to use this model to classify its private data without revealing the data to the server or classification results. We propose an efficient non-interactive PDTE design based on the FHE technique, called SortingHat. As part of our design, we address multiple cryptography issues related to FHE: (1) we propose a fast homomorphic comparison function where one input can be in plaintext format; devised an efficient binary decision tree evaluation technique, called homomorphic traversal, and applied it to our homomorphic comparison to evaluate private decision tree classifiers, obtaining runtimes orders of magnitude faster than state-of-the-art;( 3) We improve the communication cost and time complexity of transcryption by applying homomorphic comparison to FiLIP stream cipher. Through a prototype implementation, we demonstrate that our improved deciphering solution is about 400 times faster than previous work. Finally, we offer an alternative in terms of PDTE design: we propose a version of SortingHat that does not require transcryption and achieves a significant improvement in computational cost compared to previous work; another version t-SortingHat uses transcryption, The communication cost is about 20,000 times smaller, but the running time is comparable.
Paper link: https://doi.org/10.1145/3548606.3560702
171、SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities
Transient execution vulnerabilities have serious security implications for software systems because they violate fundamental security assumptions guaranteed by CPUs. Detecting these critical bugs during the RTL development phase is especially important as it provides an opportunity to fix the bugs before going to the chip manufacturing phase. This paper presents SpecDoctor, an automated RTL fuzzing tool for discovering transient execution vulnerabilities in CPUs. Specifically, SpecDoctor designed a fuzzing template that enables it to test all different scenarios for transient execution vulnerabilities (e.g., Meltdown, Specter, ForeShadow, etc.) using a single template. SpecDoctor then performs multi-stage fuzzing, with each stage dedicated to solving a single vulnerability constraint in an RTL context, effectively finding vulnerabilities. We implemented and evaluated SpecDoctor on two out-of-order RISC-V CPUs (Boom and NutShell-Argo). During the evaluation, SpecDoctor discovered transient execution vulnerabilities that shared similar attack vectors with previous work. Additionally, SpecDoctor found two interesting variants that exploit unique attack vectors: Boombard and Birgus. Boombard exploits an unknown implementation bug in RISC-V Boom, degrading it into a critical transient execution vulnerability. Birgus launched a Specter-style attack through a port contention side-channel in the NutShell CPU that was constructed using a unique combination of instructions. We reported these vulnerabilities and received acknowledgment from the developers, demonstrating the strong real-world impact of SpecDoctor.
Paper link: https://doi.org/10.1145/3548606.3560578
172、Squirrel: Efficient Synchronized Multi-Signatures from Lattices
This research focuses on multi-signature schemes in a synchronous environment. Multi-signature schemes allow the signatures of multiple independent signers of the same message to be compressed to form a short aggregate signature so that all signatures can be verified simultaneously. In a synchronous setting, the signature algorithm takes the current time step as additional input. Assuming no signer signs multiple messages per time step, our goal is to aggregate signatures for the same message and the same time step. This setup is especially useful in the context of blockchains, since validators are naturally synchronized through the blocks they sign. We propose Squirrel, a specific and efficient lattice-based multi-signature scheme for synchronous environments that works within a limited 2τ time step and allows the aggregation of up to ρ signatures in each step. where τ and ρ are common parameters that affect the efficiency of our scheme. Squirrel allows non-interactive aggregation of independent signatures and proves its security against malicious key attacks in the random oracle model, provided that the short-integer solution problem in polynomial rings is hard. We performed a careful analysis of all parameters and showed that Squirrel can have good specific efficiency. For τ = 24 and ρ = 4096, the signer can sign new messages every 10 seconds for 5 years without interruption. Assuming the signer has a cache of 112 MB, it takes 68ms to sign and 36ms to verify an aggregated signature. The size of the public key is 1 KB, the size of a single signature is 52 KB, and the size of an aggregated signature is 771 KB.
Paper link: https://doi.org/10.1145/3548606.3560655
173、StolenEncoder: Stealing Pre-trained Encoders in Self-supervised Learning
Pretrained encoders are general-purpose feature extractors that can be used for many downstream tasks. Recent advances in self-supervised learning can pre-train efficient encoders using large amounts of unlabeled data, leading to the rise of encoders as a service (EaaS). Pre-trained encoders may be considered confidential because their training typically requires large amounts of data and computing resources, while their public release could facilitate misuse of AI, such as for generating deepfakes. In this paper, we propose the first attack named StolenEncoder for stealing pretrained image encoders. We evaluated the effect of StolenEncoder on multiple our own pre-trained target encoders and three real target encoders, including the ImageNet encoder pre-trained by Google, the CLIP encoder pre-trained by OpenAI and deployed as a paid EaaS Clarifai's generic embedded encoder. Our results show that the encoder stolen by StolenEncoder has similar features to the target encoder. In particular, the downstream classifiers built on the target and stolen encoders achieve similar accuracies. Furthermore, using StolenEncoder to steal the target encoder requires far less data and computational resources than pretraining it from scratch. We also explore three defensive methods for perturbing the feature vectors produced by the target encoder. Our evaluation shows that these defenses are insufficient to mitigate the impact of StolenEncoder.
Paper link: https://doi.org/10.1145/3548606.3560586
174、Strengthening Order Preserving Encryption with Differential Privacy
The ciphertext of an order preserving encryption (OPE) scheme preserves the order of the corresponding plaintext. However, OPE is vulnerable to inference attacks that exploit this order preservation. Differential privacy (DP) has become the de-facto standard for data privacy. One of the most attractive properties of DP is that any post-processing calculations (such as inference attacks) performed on the noisy output of the DP algorithm will not reduce its privacy guarantee. In this work, we propose a novel order-preserving encryption scheme, OP ε, with differential privacy properties. Under OP ε, sequential leakage in ciphertext has differential privacy. Therefore, OP ε can ensure a formal guarantee (a relaxed DP guarantee), at least in the face of inference attacks. To the best of our knowledge, this is the first work that combines DP with OPE. OPε is based on a novel differentially private order-preserving coding scheme, OPεc, which may be of independent interest in the local DP setting. We demonstrate the utility of OP ε in answering range queries through empirical evaluation on four real-world datasets. For example, on a dataset with a size of about 732K, an attribute domain size of about 18K, and ε=1, OP ε only misses about 4 correct records per 10K on average.
Paper link: https://doi.org/10.1145/3548606.3560610
175、StrongBox: A GPU TEE on Arm Endpoints
Many Arm endpoints leverage integrated and discrete GPUs to accelerate computing, such as image processing and numerical processing applications. However, despite these important use cases, Arm GPU security has not received much attention from the community. By exploiting vulnerabilities in the kernel, attackers can directly access sensitive data used during GPU computations, such as personally identifiable image data in computer vision tasks. Existing works address GPU security on Intel-based platforms using Trusted Execution Environments (TEEs), while there are many architectural differences in deploying TEEs on Arm GPUs, leading to new technical challenges. Furthermore, existing Arm-based GPU defenses are mainly for secure machine learning and lack generalizability. There is a need for general and efficient Arm-based GPU security mechanisms. To address these issues, we propose StrongBox, the first GPU TEE for secure general-purpose computing on Arm endpoints. When performing confidential computing on Arm GPUs, StrongBox provides an isolated execution environment by ensuring exclusive access to the GPU. Our approach is partly based on a dynamic, fine-grained memory protection strategy, since Arm-based GPUs typically share a unified memory with the CPU, in contrast to Intel-based platforms. Furthermore, by dividing GPU buffers into safe and non-safe, StrongBox reduces redundant safe introspection operations to control access to sensitive data used by the GPU, which ultimately reduces runtime overhead. Our design leverages the widely deployed Arm TrustZone and common Arm capabilities without requiring hardware modifications or architectural changes. We implement StrongBox using an existing Arm Mali GPU prototype and perform extensive evaluations. Our results show that StrongBox successfully secures GPU computation with a runtime overhead of only 4.70% - 15.26% on several indicative benchmarks.
Paper link: https://doi.org/10.1145/3548606.3560627
176、Succinct Zero Knowledge for Floating Point Computations
We study the problem of building succinct zero-knowledge proof systems to handle floating-point computations. The standard way to handle floating-point calculations requires converting them to binary circuits, following the IEEE-754 floating-point standard. This approach leads to polynomial (w) overhead in prover efficiency for computations with w-bit precision, leading to very high prover runtimes—already a critical bottleneck in succinct argument design. We make the following contributions:
- We propose a new model for validating floating-point computations that guarantees approximate correctness with respect to relative error bounds. This model is inspired by numerical analysis and is very interesting for applications such as machine learning and scientific computing.
- Using this model, we propose a general approach to construct succinct zero-knowledge proofs for floating-point computations from existing public coin "commit and prove" systems. For computations with w-bit precision, our method incurs only log(w) overhead in prover runtime. Our compiler nearly preserves the communication complexity of the underlying protocol (by up to a factor of 2) and requires sublinear verification time. Generated proofs can be made non-interactive in the random oracle model. Specifically, our scheme is about 57 times faster in 32-bit floating-point calculations than the IEEE standard-compliant method [35]. Central to our main result, and of independent interest, is a new batch range proof system in standard prime order groups that does not rely on bit factorization.
Paper link: https://doi.org/10.1145/3548606.3560653
177、Succinct Zero-Knowledge Batch Proofs for Set Accumulators
Cryptographic accumulators are a common solution for proving information about large sets S. They allow computing short digests of S and short certificates of certain fundamental properties, in particular membership of an element. Accumulators also allow tracking of collection updates: new accumulators are obtained by inserting/removing a given element. In this work, we consider the problem of generating membership and update proofs for a batch of elements such that we can succinctly prove additional properties of elements (i.e., the size of the proof is independent of the batch size) and we can preserve privacy. Solving this problem will allow to obtain blockchain systems with better privacy and scalability.
The state-of-the-art way to achieve this is to combine accumulators (usually Merkle trees) with zkSNARKs. However, this solution is expensive for the prover and is not suitable for large batches of elements. In particular, when we need zero-knowledge (the standard definition of a privacy-preserving protocol), there is no scalable bulk proof-of-membership solution.
In this work, we propose new techniques to efficiently use zkSNARKs in RSA accumulators. We design and implement two main schemes: 1) \harisa, which proves batch membership in zero-knowledge, and 2) \insarisa, which proves batch updates. For bulk membership, the prover in \harisa is several orders of magnitude faster (depending on the hash function) than existing methods based on Merkle trees. For batch updates, we achieve similar cost savings compared to Merkle tree-based methods; we also improve on the recent solution of Ozdemir et al. [USENIX'20].
Paper link: https://doi.org/10.1145/3548606.3560677
178、SymLM: Predicting Function Names in Stripped Binaries via Context-Sensitive Execution-Aware Code Embeddings
Predicting function names in desymbolized binaries is a very useful but challenging task as it requires summarizing the execution behavior and semantics of functions in human language. Recently, machine learning has made significant progress in this direction. However, existing methods fail to exhaustively model functional behavior, resulting in poor generalization to unseen binaries. To advance research in this area, we propose a Function Symbolic Name Prediction and Binary Language Modeling (SymLM) framework, which employs a novel neural architecture to jointly model the calling context and the execution behavior of instructions, with the help of a Novel fused encoders to learn comprehensive function semantics. We evaluate SymLM using 1,431,169 binary functions from 27 popular open source projects compiled for 4 different architectures (i.e., x64, x86, ARM, and MIPS) using 4 optimizations (O0-O3), And carried out 4 kinds of obfuscation. SymLM achieves 15.4%, 59.6% and 35.0% improvement over existing state-of-the-art function name prediction tools in terms of precision, recall and F1-score, with significantly better generalization and anti-aliasing. Ablation studies also show that our design choices, such as fusing components of calling context and execution behavior, greatly improve the performance of function name prediction. Finally, our case study further demonstrates the practical application of SymLMM in analyzing firmware images.
Paper link: https://doi.org/10.1145/3548606.3560612
179、TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications
PHP applications provide a variety of interactive interfaces for Web-side users. As such, they are susceptible to taint-style vulnerabilities such as SQL injection and cross-site scripting. Due to its high efficiency, static taint analysis is widely adopted to detect taint-style vulnerabilities before application deployment. Unfortunately, due to the high complexity of the PHP language, achieving accurate static taint analysis becomes difficult. Existing taint analysis solutions suffer from high rates of false positives and false negatives in terms of comprehensive inter-procedural analysis and various implementation issues. In this work, we propose TChecker, a context-sensitive inter-program static taint analysis tool for detecting taint-style vulnerabilities in PHP applications. We found support for object and type systems to be critical for the static analysis of programs written in the dynamic language PHP. We start by carefully modeling PHP objects and their associated object-oriented programming features in TChecker. It then iteratively performs inter-program data flow analysis on PHP objects to refine object types so that call targets can be precisely identified. We've also put a lot of effort into supporting other dynamic features of PHP, such as dynamic includes. We comprehensively evaluate TChecker on a diverse set of modern PHP applications and demonstrate its effectiveness in vulnerability detection. Specifically, TChecker successfully detected 18 previously unknown vulnerabilities in these PHP applications. We compared TChecker with related static analysis tools and found that it significantly outperformed them in detecting more vulnerabilities. TChecker can also find all vulnerabilities detected by existing tools with relatively good accuracy. We release the source code of our prototype implementation to facilitate future research.
Paper link: https://doi.org/10.1145/3548606.3559391
180、TRACER: Signature-based Static Analysis for Detecting Recurring Vulnerabilities
Similar software vulnerabilities recur because developers reuse existing vulnerable code, or make similar mistakes in implementing the same logic. Recently, various analysis techniques have been proposed to find syntactically recurring vulnerabilities through code reuse. However, less attention has been paid to semantically recurring vulnerabilities with the same vulnerable behavior in different code structures. In this paper, we propose a general analysis framework, called TRACER, for detecting such recurring vulnerabilities. TRACER is based on a taint analysis that can detect various types of vulnerabilities. For a given set of known vulnerabilities, taint analysis extracts vulnerable traces and builds a database of their signatures. When analyzing a new, unknown program, TRACER compares all possible vulnerable traces in the analysis report to known vulnerability signatures. TRACER then ranks and reports potential vulnerabilities based on similarity scores. We evaluate TRACER on 273 Debian packages in C/C++. Experimental results show that TRACER was able to find 281 previously unknown vulnerabilities and assigned 6 CVE identifiers.
Paper link: https://doi.org/10.1145/3548606.3560664
181、The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning
We propose a novel method for inferring state machine models from protocol implementations. Our new tool, StateInspector, learns protocol state by combining observations of runtime memory and I/O using novel program analysis. It does not require access to source code, only lightweight execution monitoring of the implementation under test. We demonstrate and evaluate the effectiveness of StateInspector on a number of TLS and WPA/2 implementations. In the process, we show that StateInspector enables deeper state discovery, improved learning efficiency, and more insight than existing methods. Our approach led us to uncover a number of worrying deviations from standards and vulnerabilities in IWD and WolfSSL, both of which were assigned CVEs.
Paper link: https://doi.org/10.1145/3548606.3559365
182、The Generals' Scuttlebutt: Byzantine-Resilient Gossip Protocols
One of the most successful applications of peer-to-peer communication networks is in the context of blockchain protocols, relying, in Satoshi Nakamoto's own words, on "the property that information is easy to spread but hard to contain." In the past decade, a lot of effort has been devoted to analyzing the security of these protocols, and the security arguments for the longest chain Nakamoto-style consensus are almost all based on an idealization of this principle. Unfortunately, real-world implementations of peer-to-peer gossip-style networks used by blockchain protocols rely on many ad-hoc attack mitigation strategies, which make the gap between the idealized communication layer assumed in formal security arguments for blockchains and the real world There is a huge gap between them, while in the real world, various attacks have been demonstrated.
In this work, we bridge this gap by proposing a Byzantine fault-tolerant network layer applicable to blockchain protocols. For the first time, we quantify the network-layer attack problem in the context of a blockchain security model and develop a design that is resistant to resource-constrained adversaries. Notably, we focus on the Proof-of-Stake setup because it is vulnerable to Denial of Service (DoS) attacks, stemming from the well-known flaw relative to the Proof-of-Work setup, where there is nothing to stake.
We propose a Byzantine-fault-tolerant gossip protocol and analyze it in a general compositional framework. To demonstrate security, we show novel results on properties of random graph expanders. Importantly, our gossip protocol can be based on any given bilateral function, which determines the desired interaction between two "neighboring" peers in the network layer, and shows how the application layer information can be used to make the network layer able to resist attack. Although seemingly circular, we show how to prove the security of the Nakamoto-style longest chain protocol given the functionality of our gossip network, thus, we constructively show how to obtain provable The security of , only needs a basic peer-to-peer network, a majority of honest shares and a verifiable random function.
Paper link: https://doi.org/10.1145/3548606.3560638
183、The Multi-User Security of Triple Encryption, Revisited: Exact Security, Strengthening, and Application to TDES
We study triple encryption security in a multi-user environment, and its application to Triple DES (TDES). Although the depreciation of TDES is a global trend, migration will take the next decade considering the billions of TDES hardware the industry has invested so far. Multi-user security captures the reality of real systems with multiple users, has a significant impact on security, and has been considered in real protocols like TLS 1.3. The optimal multiuser lower bound for TDES is 43-(3/2) \cdot log_2 u bits, where u is the number of users, which is tractable on a standard PC, but unacceptably low in security. We design a new proof to improve multi-user security and show its tightness by giving a concrete attack. The new bounds and TDES parameters are 79-(1/2) \cdot log_2 u bits. We also propose TEFX, which enforces triple encryption through FX constructs while retaining compatibility with legacy hardware. TDES and TEFX achieve multi-user security of 114-(1/2) \cdot log_2 q bits, where q is the number of TEFX calls: for each user with 2^40 users and 2^21 TEFX calls, its security The performance reaches 84.5 bits, which is equivalent to AES (128-40=88 bits).
Paper link: https://doi.org/10.1145/3548606.3560674
184、Themis: An On-Site Voting System with Systematic Cast-as-intended Verification and Partial Accountability
We propose Themis, a live voting system that aims to increase security when local governments are not fully trustworthy. Voters vote using voting forms and smart cards, which generate encrypted ballots. Electronic ballots will be systematically audited without compromising privacy. In addition, the system includes a sophisticated dispute resolution process that identifies parties to misconduct in most cases. We perform a complete formal analysis of Themis using ProVerif and employ a novel approach to cover the modulo operations required in our protocol. To evaluate the usability of our system, we organized a voting experiment among a (small) group of voters.
Paper link: https://doi.org/10.1145/3548606.3560563
185、Thora: Atomic and Privacy-Preserving Multi-Channel Updates
Most blockchain-based cryptocurrencies suffer from severely limited transaction throughput issues, which has become an obstacle to their widespread adoption. Payment channel networks (PCNs) are one of the promising solutions to this problem. PCNs reduce the burden of on-chain transactions and increase throughput by processing a large number of payments off-chain. In fact, any two users connected via a payment channel path (i.e. a joint address between two channel endpoints) can make a payment, and the underlying blockchain is only required when there is a dispute between users. Unfortunately, payments in PCNs can only be made securely along paths, which limits the design of many interesting applications. Additionally, the most widely used implementation, the Lightning Network in Bitcoin, suffers from collateral lock times with linearly growing path lengths, suffers from security concerns, and relies on a specific scripting function called hashed timelock contracts, which Limits the applicability of the underlying protocol in other blockchains. In this work, we propose Thora, the first Bitcoin-compatible off-chain protocol that atomically updates arbitrary channels (i.e., does not necessarily form paths). This enables the design of many new off-chain applications, such as payments between different PCNs using the same blockchain, secure and trustless crowdfunding, and channel balancing. Our construction only requires specific scripting features like digital signatures and timelocks, and thus is applicable to a wider range of blockchains. We formally define security and privacy within a general composability framework and prove that our cryptographic protocol is its implementation. In our performance evaluation, we show that our construction requires only constant collateral independent of the number of channels, with moderate off-chain communication and computation overhead.
Paper link: https://doi.org/10.1145/3548606.3560556
186、Threshold Cryptography as a Service (in the Multiserver and YOSO Models)
We consider deploying a large number of threshold cryptographic services in both traditional multi-server setups and larger-scale blockchain environments. We propose a set of techniques to improve performance and meet the needs of settings with a large number of servers and high threshold operation rates. More fundamentally, our technique enables threshold cryptographic applications to run in more challenging decentralized permissionless systems, such as modern blockchains. In particular, we design and implement a novel thresholding solution for the recently introduced YOSO (You Only Speak Once) model. The model is built on ever-changing, unpredictable committees that perform temporary roles in a way that evades targeted attacks by attackers and enables virtually unlimited scalability in very large networks. Our solution allows for the maintenance of system-wide keys that can be generated, used and actively secured on demand. The specific technique is based on an optimized protocol for multi-key multi-issuer verifiable secret sharing and its adaptation in the YOSO model. We demonstrate the utility of our solution by reporting an end-to-end active re-sharing protocol implementation in the YOSO model, and present benchmark results for committees of up to 500 nodes.
For traditional multi-server setups, we obtain significant speedups in settings where processors simultaneously process multiple secrets (e.g., generate or actively protect multiple keys simultaneously), e.g., we show that relative to classical Pedersen VSS, for For 15 servers and 50 secrets, our optimization can improve efficiency by 5 times; for 500 servers and 1000 secrets, our optimization can improve efficiency by 48 times.
Paper link: https://doi.org/10.1145/3548606.3559397
187、TickTock: Detecting Microphone Status in Laptops Leveraging Electromagnetic Leakage of Clock Signals
We are witnessing a high surge in attacks that remotely violate the privacy of laptops. These attacks often use malware to remotely gain access to cameras and microphones in order to spy on the victim user. While widely used commercial camera privacy masks can provide some protection against camera attacks, unfortunately, despite recent industry efforts, there are still insufficient solutions to prevent attacks on microphones. To counter such attacks on laptop microphones, we first propose TickTock, a novel microphone on/off state detection system. To achieve this, TickTock performs external probing of electromagnetic (EM) emissions from connectors and cables from the notebook circuitry carrying the microphone clock signal. This is because the microphone clock signal is only input when the microphone is recording, resulting in corresponding radiation. We designed and implemented a proof-of-concept system to demonstrate the viability of TickTock. Furthermore, we comprehensively evaluate TickTock on 30 popular laptops executing various applications, successfully detecting microphone status on 27 laptops. Among these computers, TickTock was consistently able to identify microphone recordings with high true positive and true negative rates.
Paper link: https://doi.org/10.1145/3548606.3560698
188、Tidy: Symbolic Verification of Timed Cryptographic Protocols
Temporal cryptography refers to cryptographic primitives designed to satisfy short-term (polynomial) security goals. Popular examples include timed promises and verifiable delay functions. Such primitives are often used to ensure the fairness of multiparty protocols ("all parties get the protocol's output") without relying on any trusted parties. Despite the rise in popularity of time-sequential cryptographic protocols in recent years, they are still outside the coverage of current symbolic verification tools, which idealize cryptographic primitives as algebraic operations and thus do not take into account the fine-grained notion of time. In this paper, we develop, implement, and evaluate a symbolic method for reasoning about protocols built from sequential cryptographic primitives. First, we introduce a temporal extension that applies the π-calculus, a commonly used formalism for specifying cryptographic protocols. Next, we develop a logic for the temporal superproperty that captures many properties of interest, such as temporality or temporal indistinguishability. We demonstrate the utility of our approach by modeling various cryptographic protocols, such as distributed random number generation, sealed auctions, and contract signing. We also study the decidability of temporal security properties. On the theoretical side, we simplify the decision-making of superproperties represented by our logic as a form of constraint solving, generalize standard concepts in protocol analysis, and show, via complexity lower bounds, that the problem is more efficient than similar mature logics. high complexity. On the automation side, we rely on the Tamarin tool as a backend, a popular symbolic protocol analyzer, to enable mechanized proofs of timing safety properties and verify several examples with our approach.
Paper link: https://doi.org/10.1145/3548606.3559343
189、Towards Automated Safety Vetting of Smart Contracts in Decentralized Applications
We propose a novel user interface-driven, program analysis-guided model checking technique named VetSC, which can automatically extract contract semantics in DApps for targeted security review. To facilitate model checking, we extract the business model diagram from the contract code, capturing its inherent business and security logic. To automatically determine which security specifications to check, we derive textual semantics from the DApp UI. To rule out untrusted UI text, we also verify UI-logic consistency and detect any discrepancies. We have implemented VetSC and applied it to 34 real-world DApps. Experiments demonstrate that VetSC can accurately interpret smart contract codes, enable autonomous security reviews, and discover security risks in real-world Dapps. Using our tools, we have successfully discovered 19 new security risks in the wild, such as expired lottery tickets and double voting.
Paper link: https://doi.org/10.1145/3548606.3559384
190、Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets
We introduce a novel class of attacks against machine learning models. We show that an adversary that can poison a training dataset can cause a model trained on this dataset to leak important private details of other parties' training data points. Our active inference attack ties together two separate research directions for the integrity and privacy of machine learning training data. Our attacks are highly effective in membership inference, attribute inference, and data extraction. For example, our targeted attack can improve the performance of inference attacks by 1 to 2 orders of magnitude by poisoning <0.1% of the training dataset. Furthermore, an adversary controlling a large amount of training data (e.g., 50%) can launch an untargeted attack, enabling an 8x increase in the ability to make more accurate inferences on otherwise private data points of all other users. Our results call into question the relevance of cryptographic privacy guarantees for machine learning in multiparty computing protocols, if parties can arbitrarily choose their shares of training data.
Paper link: https://doi.org/10.1145/3548606.3560554
191、TurboPack: Honest Majority MPC with Constant Online Communication
We propose a novel approach for honest-majority-secure multiparty computation with information-theoretic security in a preprocessing model that achieves optimal online communication complexity. The online stage of our protocol requires a total of 12 elements per multiply gate (with circuit-dependent preprocessing), or a total of 20 elements (with circuit-independent preprocessing). Previous work achieved linear online communication complexity in n (number of parties), with the best existing solution involving 1.5n elements per multiplication gate. Only one recent packaging work [28] achieves constant online communication complexity, but with a large constant (108 elements for passive security and twice that for active security). Nonetheless, our protocol provides a very efficient information-theoretic online phase for any number of parties. The total end-to-end communication cost of the preprocessing stage is linear in n, that is, 10n + 44, which is larger than the 4n complexity of the state-of-the-art protocols. The gap is not significant when the online phase must be prioritized for optimization and involves a considerable number of parties. Unlike previous work based on packed secret sharing, we further reduce communication by avoiding complex and expensive network routing or permutation tools. Additionally, we allow for a maximum honest majority adversary, whereas most prior work requires that the set of honest parties be strictly larger than the majority. Our protocol is simple and practically efficient. To illustrate this point, we present a full implementation along with experimental results showing that the online phase runtime improvement reaches a factor of 5 on some setups (e.g. 45 parties, local area network, 10 circuits with a depth of 1 million gates).
Paper link: https://doi.org/10.1145/3548606.3560633
192、Two-Client Inner-Product Functional Encryption with an Application to Money-Laundering Detection
In this paper, we extend Inner Product Functional Encryption (IPFE) to two clients' ciphertexts. More specifically, our two-client functional encryption scheme has two data providers who can independently encrypt vectors x and y for a data consumer, who can decrypt the key from the function associated with vector α Calculate ∑αi xiyi = x ⋅ Diag(α) ⋅ yT in . The ciphertext is linear in the dimensionality of the vector, while the size of the functional decryption key is constant. We study two interesting special cases:
1. 2-square inner product functional encryption, where α = (1,…,1). There is a unique function decryption key which allows a third party to compute x ⋅ xT, where x and y are provided by two separate clients.
2. Inner product functional encryption selector, where x = x0 II x1 and y = bn II bn ∈ {1n || 0n, 0n II 1n}, for a certain bit b, and public coefficient α = α0 II α1 in functional decryption key, resulting in xb ⋅ αbT, where x and b are provided by two independent clients.
This result, based on the fundamental product-preserving lemma, is of independent interest. It utilizes dual pairing vector spaces (DPVS) for security proofs under the assumption of SXDH. We present two practical applications for the IPFE after the selector: medical diagnosis and money laundering detection of the former 2-party IPFE, both of which have strong privacy properties, adaptive security, and multi-client functional encryption using label-granted encryption ( MCFE) scheme security, so that it can be used in practical situations.
Paper link: https://doi.org/10.1145/3548606.3559374
193、Uncovering Intent based Leak of Sensitive Data in Android Framework
To prevent unauthorized applications from obtaining sensitive data, the Android framework implements permission-based access control. However, it is known that in order to bypass access controls, unauthorized applications can intercept Intent objects sent by authorized applications and carrying retrieved sensitive data. We discovered that there is a new (previously unknown) attack surface in the Android framework that can be exploited by unauthorized applications to subvert access controls. Specifically, we found that some Intent objects carrying sensitive data sent by the Android framework can be received by unauthorized applications, resulting in the leakage of sensitive data. In this paper, we conduct the first systematic study of a new attack surface for Intent-based sensitive data disclosure in the Android framework. To automatically discover such vulnerabilities in the Android framework, we designed and developed a new tool called LeakDetector to find Intent objects sent by the Android framework that can be received by unauthorized applications and carry sensitive data. Applying LeakDetector to 10 commercial Android systems, we find that it can effectively reveal Intent-based sensitive data leaks in the Android framework. Specifically, we identified 36 exploitable data breach cases that could be abused by unauthorized applications to steal sensitive data and violate access controls. At the time of writing, Google, Samsung, and Xiaomi have confirmed 16 of them and offered us bug bounty rewards from these phone manufacturers.
Paper link: https://doi.org/10.1145/3548606.3560601
194、Understanding IoT Security from a Market-Scale Perspective
Consumer Internet of Things (IoT) products and services are ubiquitous; however, proper characterization of consumer IoT security is not feasible without an understanding of IoT products in the market, ie, a market size perspective. This paper attempts to fill this gap by developing the IoTSpotter framework, which automatically constructs a market-sized snapshot of mobile IoT applications, i.e., mobile applications used as IoT device companions or automation providers. IoTSpotter also extracts artifacts that allow us to examine the security of this snapshot in an IoT context (eg, application-supported devices, IoT-specific libraries). Using IoTSpotter, we identified 37,783 mobile IoT applications from Google Play, the largest set of mobile IoT applications to date, and revealed 7 key results (ℛ1-ℛ7) in the process. We leverage this dataset for three key security analyses, resulting in 10 impactful security findings (F1-F10) that demonstrate the current state of mobile IoT applications. Our analysis revealed 94.11% (863/917) of mobile IoT apps with over 1 million installs to have serious cryptographic violations, 65 vulnerable IoT-specific libraries affected by 79 unique CVEs, and 40 Popular apps used, and 7,887 apps affected by the Janus vulnerability. Finally, a case study of 18 popular mobile IoT applications reveals the critical impact of vulnerabilities in them on important IoT artifacts and functions, motivating the development of mobile security analytics in the context of IoT.
Paper link: https://doi.org/10.1145/3548606.3560640
195、Understanding Real-world Threats to Deep Learning Models in Android Apps
Known for its remarkable performance, deep learning (DL) has been widely used in many applications, while also attracting various threats against the models. One of the main threats comes from adversarial attacks. Researchers have intensively studied this threat for many years and proposed dozens of methods to generate adversarial examples (AEs). However, most methods are only evaluated on limited models and datasets (e.g., MNIST, CIFAR-10). Therefore, the effectiveness of attacking real-world DL models is not yet very clear. In this paper, we conduct the first systematic study of adversarial attacks against real-world DNN models and provide a dataset of real-world models named RWM. In particular, we design a set of methods to adapt current AE generation algorithms to different real-world DL models, including automatically extracting DL models from Android applications, capturing the input and output of DL models in applications, generating AE and passing Observe the execution of the applications to verify them. For black-box DL models, we design a semantic-based approach to construct suitable datasets and use them to train surrogate models when performing transfer-based attacks. After analyzing 245 DL models from 62,583 real-world applications, we have a unique opportunity to understand the gap between real-world DL models and contemporary AE generative algorithms. To our surprise, the current AE generation algorithm can only directly attack 6.53% of the models. Benefiting from our method, the success rate increases to 47.35%.
Paper link: https://doi.org/10.1145/3548606.3559388
196、Understanding Security Issues in the NFT Ecosystem
Non-Fungible Tokens (NFTs) have become a way to collect digital art as well as an investment vehicle. Although they have only recently become popular, the NFT market has seen several high-profile (and high-value) asset sales and a tremendous increase in trading volume over the past year. Sadly, these marketplaces haven't received much security scrutiny. Instead, most academic research has focused on attacks against decentralized finance (DeFi) protocols and automated techniques for detecting smart contract vulnerabilities. To our knowledge, we are the first team to study the market dynamics and security issues of the multi-billion dollar NFT ecosystem. In this paper, we first provide a systematic overview of how the NFT ecosystem works and identify three main players: marketplaces, external entities, and users. Next, we did an in-depth analysis of the top 8 markets by volume and found many potential issues that could lead to huge financial losses. We also collect a wealth of asset and event data related to NFTs traded in the markets studied. We automatically analyze this data to understand how entities outside the blockchain can intervene in the NFT market with serious consequences, and to quantify malicious transactions conducted by users under the cover of anonymity.
Paper link: https://doi.org/10.1145/3548606.3559342
197、Understanding and Mitigating Remote Code Execution Vulnerabilities in Cross-platform Ecosystem
JavaScript cross-platform frameworks are becoming increasingly popular. They help developers easily and quickly build cross-platform applications, requiring only a JavaScript code base. Recent security reports have revealed that some well-known cross-platform apps such as Slack, Microsoft Teams, and Github Atom suffer from injection issues, often caused by cross-site scripting (XSS) or embedded untrusted remote content such as adverts ) introduced. These injections open security holes for remote cyber attackers and lead to serious security risks, such as allowing injected malicious code to run arbitrary local executables on victim devices (known as XRCE attacks). However, until now, XRCE attack vectors, behaviors, and root causes have been poorly studied and understood. Although cross-platform framework developers and the community have been quick to provide multiple security features and recommendations, the effectiveness of these mitigations remains unknown. In this paper, we conduct the first systematic study of the XRCE vulnerability class in a cross-platform ecosystem. We first build a general model for different cross-platform applications to reduce the semantic and behavioral gaps between them. We leverage this model to (1) study XRCE by comprehensively defining its attack scenarios, surfaces, and behaviors; and (2) study and explore state-of-the-art defenses and verify their weaknesses against XRCE attacks. Our study of 640 real-world cross-platform applications shows that XRCE broadly affects cross-platform ecosystems, although existing defenses can be used. 75% of applications can be affected by XRCE, including Microsoft Teams. (3) Finally, we propose a novel defense technique called XGuard, which can automatically mitigate all XRCE variants derived from our summarized XRCE behaviors.
Paper link: https://doi.org/10.1145/3548606.3559340
198、Understanding the How and the Why: Exploring Secure Development Practices through a Course Competition
This paper presents the results of an in-depth study of the development process of 14 teams during a secure coding competition in a three-week undergraduate course. Competition participants need to first build code according to the specification, emphasizing correctness, performance and security, and then find vulnerabilities in other teams' code while fixing the vulnerabilities found in their own code. Our research seeks to understand why developers introduce different vulnerabilities, how they evaluate vulnerable programs, and why different vulnerabilities are (or are not) found and/or fixed. We systematically analyzed competition data, including codes, submissions, and team design documents, using an iterative open-coding approach. Our findings suggest that existing secure development best practices, use of secure tools, and organization of development teams are important for secure coding.
Paper link: https://doi.org/10.1145/3548606.3560569
199、Updatable Public Key Encryption from DCR: Efficient Constructions With Stronger Security
Forward Secure Encryption (FS-PKE) is a critical evolution of the public-key paradigm that protects the confidentiality of past encryptions in the event of key exposure. Updatable Public Key Encryption (UPKE) is a natural relaxation of FS-PKE, introduced by Jost et al. (Eurocrypt'19), motivated by its application to secure messaging. In UPKE, any sender willing to enforce forward secrecy on its encrypted messages can trigger a key update via a special update ciphertext. So far, the only really efficient UPKE candidate (relying on the random oracle idealization) offers only fairly weak security guarantees against passive attackers because they are volatile. Furthermore, they provide insufficient protection against malicious senders willing to hinder honest users' ability to decrypt. A recent study by Dodis et al. (TCC'21) describes UPKE systems in the Standard Model against maliciously generated update messages in the chosen ciphertext setting (the attacker is equipped with a decryption oracle). While these constructions have achieved important gains in feasibility, they still lag behind random oracle candidates in terms of efficiency.
In this paper, we first provide a much more efficient implementation of UPKE in the Standard Model using Paillier's composite residual class (DCR) assumption. In the random oracle model, we then extend our initial scheme to achieve chosen-ciphertext security even in models that account for maliciously generated update ciphertexts. Under DCR and strong RSA assumptions, we thus obtain the first practical UPKE system that satisfies the strongest security concept proposed by Dodis et al.
Paper link: https://doi.org/10.1145/3548606.3559376
200、VOProof: Efficient zkSNARKs from Vector Oracle Compilers
The design of zero-knowledge succinct non-interactive proofs (zkSNARKs) is increasingly complex, requiring familiarity with a wide range of cryptographic and algebraic tools. This complexity also increases the difficulty of zkSNARK implementation, analysis and optimization. To address this issue, we developed a new workflow for designing and implementing zkSNARKs, called VOProof. In VOProof, designers only need to build an intuitive and easy-to-design vector oracle (VO) protocol, and then feed the protocol into our VO compiler to convert it into a fully functional zkSNARK. This new workflow hides most algebraic and cryptographic operations inside the compiler, eliminating the need for designers to understand these tedious and error-prone processes. Furthermore, our compiler can be fine-tuned to compile one VO protocol into multiple zkSNARKs with different tradeoffs. We apply VOProof to construct three general zkSNARKs for three popular representations of arithmetic circuits: rank-1 constrained systems (R1CS), Hadamard product relations (HPR), and PLONK circuits. Compared with previous work, these zkSNARKs have shorter and more intuitive descriptions, and thus are easier to implement and optimize.
To evaluate their performance, we implemented a Python framework for zkSNARKs that describe VO protocols and compile them into valid Rust code. Our evaluations show that VOProof-based zkSNARKs are competitive in performance, especially in terms of proof size and verification time, e.g., about 50% reduction in both metrics compared to Marlin (Chiesa et al., EUROCRYPT 2020) %. These improvements make VOProof-based zkSNARKs more advantageous in blockchain scenarios where proof size and verification time are critical.
Paper link: https://doi.org/10.1145/3548606.3559387
201、VRust: Automated Vulnerability Detection for Solana Smart Contracts
Solana is a fast-growing high-performance blockchain powered by Proof of History (PoH) consensus mechanism and a new stateless programming model that decouples code from data. By parallelizing execution on the PoH Sealevel runtime (instead of PoW), it achieves a 100x to 1000x speedup over Ethereum in terms of transactions per second. With the new programming model, new constraints (owners, signers, keys, bump seeds) and vulnerabilities (missing checks, overflows, type confusion, etc.) must be carefully verified to ensure the security of Solana smart contracts. This paper presents VRust, the first automated smart contract vulnerability detection framework for Solana. One of the key technical innovations is a set of static analysis rules for validating unique untrusted input accounts in the Solana programming model. We developed a total of eight different vulnerability types, all of which can be checked fully automatically by VRust by converting source code into Rust MIR-based inference rules (without any code annotations). After evaluating on more than one hundred Solana projects, VRust revealed 12 previously unknown vulnerabilities, including 3 critical vulnerabilities in Solana's official programming library that have been confirmed by core developers.
Paper link: https://doi.org/10.1145/3548606.3560552
202、VeRSA: Verifiable Registries with Efficient Client Audits from RSA Authenticated Dictionaries
A verifiable registry allows clients to securely access key-value maps maintained by untrusted servers. The registry must be audited to ensure that global invariants are preserved, allowing the owner of the entry to effectively monitor individual registry entries. To this end, existing proposals either assume the existence of trusted third-party verifiers, or rely on incrementally verifiable computation (IVC) via expensive recursive SNARKs to make the registry available for client auditing. In this work, we present new client-side auditable verifiable registries that achieve up to 100x throughput over baseline IVC solutions. Our approach relies on RSA accumulator-based authentication dictionaries, for which we develop a new constant-size invariant proof. We use it as an alternative to Merkle trees to optimize baseline IVC methods, but also provide a novel construction that does away with SNARKs entirely. The latter employs a new checkpointing method to ensure a consistent client view.
Paper link: https://doi.org/10.1145/3548606.3560605
203、Victory by KO: Attacking OpenPGP Using Key Overwriting
We propose a set of attacks against the OpenPGP specification and its implementations that lead to full recovery of user private keys. The attack exploits the lack of cryptographic binding between different fields within the encrypted private key packet, including the key algorithm identifier, plaintext public parameters, and encrypted private parameters. This allows an attacker who can override certain fields in the OpenPGP key packet to perform a cross-algorithm attack, causing the user's software to mistake the ECC private key for a DSA key. It also allows an attacker to replace legitimate public parameters with parameters chosen by an adversary, for example allowing them to choose a DSA group. We refer to this type of attack as a key overlay (KO) attack. We provide a detailed analysis of the vulnerability of different OpenPGP libraries to KO attacks, in particular in some cases where an extra key verification step performed by a library that should prevent an attack actually allows a variant attack. We also evaluate the applicability of the KO attack in specific OpenPGP-based application contexts reflecting different threat models. Finally, we explain how KO attacks can be fully prevented at the OpenPGP specification level (and make key authentication obsolete).
Paper link: https://doi.org/10.1145/3548606.3559363
204、Vizard: A Metadata-hiding Data Analytic System with End-to-End Policy Controls
Owner-centric control is a widely adopted approach to allay data owners' concerns about data misuse and incentivize them to share data for collective knowledge. However, although many control enforcement techniques have been proposed, the privacy threats posed by the resulting metadata leakage have been mostly ignored in existing work. Unfortunately, a savvy attacker can infer very sensitive information based on the data owner's control policies or their history of participation in analytics tasks (such as participation in mental illness or cancer research that may reveal their health status). To address this, we introduce Vizard, an analytics system that hides metadata and enables data owners to achieve privacy-hardening and enforceable controls. Vizard leverages a set of tailor-made lightweight encryption tools and design builds to help us efficiently process analytical queries on real-time incoming encrypted data streams such as heart rate. We propose an extended design that further enables advanced owner-centric control (using AND, OR, NOT operators) and provides release controls for owners to additionally specify how results should be protected before delivery. We developed a prototype of Vizard that interacts with Apache Kafka, and the evaluation results demonstrate the utility of Vizard for data stream analysis at scale and with hidden metadata.
Paper link: https://doi.org/10.1145/3548606.3559349
205、WINK: Wireless Inference of Numerical Keystrokes via Zero-Training Spatiotemporal Analysis
Sensitive numbers play an unparalleled role in identification and authentication. Recent research has revealed many methods for inferring keystrokes via side-channel attacks that require a training phase or a dictionary to establish the relationship between observed signal disturbances and keystrokes. However, training-based methods are impractical due to the difficulty of obtaining training data of victims; while dictionary-based methods cannot infer numbers that do not follow the linguistic rules. We observe that inputting a number produces not only a certain number of observed disturbances in space (one per disturbance corresponding to a number), but also a sequence of time intervals between each disturbance. Building on existing work on inferring keystrokes using inter-keystroke time, we construct a novel technique called WINK that combines spatial and temporal domain information into a space-time feature for processing keystroke-jamming wireless signals. With this space-time feature, WINK can infer the input digits without any training. Experimental results on a software-defined radio platform show that WINK can significantly reduce the number of guesses required to crack certain 6-digit PINs from 1 million to a minimum of 16, and in less than 100 attempts, it is possible to deduce that The 6-digit PIN chosen by over 52% of users.
Paper link: https://doi.org/10.1145/3548606.3559339
206、Watch Out for Race Condition Attacks When Using Android External Storage
Currently, in the Android system, application programs (apps for short) heavily rely on external storage when providing services. Improper file manipulation can introduce race conditions. Race conditions allow malicious applications to manipulate file content and trick victim applications into performing unexpected actions, which we refer to as race condition attacks. Race condition attacks can lead to a series of security problems, some of which have been implemented in previous work. Starting from Android 10, Google introduced scoped storage to defend against attacks based on external storage. However, considering the market share of different Android versions, there is still a long way to go before deploying scoped storage on every device. In order to protect current users from this type of attack, it is critical to increase the security awareness of application developers. Therefore, we conducted a comprehensive investigation of race condition attacks to understand their current status in Android applications. We propose an analysis engine named RECAST, which collects file operation events on external storage and infers the related file operation process. With RECAST, we collected 5,359,339 file manipulation events involving 105,963 files. From the analysis results, a limited number of events constitute a large number of unique file operation patterns (1,977 types). Time windows are very common in these file manipulation patterns and can be used to launch a range of attacks (94.26% of the tested files were vulnerable to this issue). As a result, race condition attacks have become a problem that cannot be ignored for developers using applications on Android external storage.
Paper link: https://doi.org/10.1145/3548606.3560666
207、Watch Your Back: Identifying Cybercrime Financial Relationships in Bitcoin through Back-and-Forth Exploration
Cybercriminals often use Bitcoin for their illegal activities. In this work, we propose a new automated bitcoin transaction tracking technique called round-trip detection to identify financial relationships for cybercrime. Given a seed address belonging to a cybercriminal activity, it outputs a transaction graph and identifies paths to relationships with the campaign being studied, external services, and other cybercriminal activity. Round-trip probing provides two key contributions. First, it probes not only forwards but also backwards, unlike previous studies that only probe forwards, which makes it possible to discover relationships that cannot be found by forward probing alone (e.g., deposits from mixer customers). Second, it prevents graph explosion by combining a database of labels with a machine learning classifier for identifying exchange addresses. We performed a round-trip detection evaluation on 30 malware families. We construct criteria for 4 families using Bitcoin for C&C and use them to demonstrate that round-trip probing identified 13 C&C signaling addresses that were missed by previous studies, 8 of which were not found by forward probing. Our approach revealed a large number of services used by the malware, including 44 exchanges, 11 gambling sites, 5 payment service providers, 4 underground markets, 4 mining pools, and 2 coin mixers. In 4 families, relationships included new attribution points missed by forward detection. It also identified relationships between malware families and other cybercriminal activities, highlighting the fact that some malware operators are involved in multiple cybercriminal activities.
Paper link: https://doi.org/10.1145/3548606.3560587
208、What Your Firmware Tells You Is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation
Simulating the firmware of a microcontroller is challenging due to the lack of peripheral models. Existing work analyzes target firmware to find out how to respond to peripheral reads. This is problematic because firmware sometimes does not contain enough clues to support a simulation, or even misleading information (e.g., defective firmware). In this work, we propose a novel approach to construct peripheral models from peripheral specifications. Using NLP, we translate peripheral behaviors in human language (documented in chip manuals) into a structured set of condition-action rules. By inspecting, executing, and connecting them at runtime, we can dynamically generate a peripheral model for each firmware execution. Extracted condition-action rules may be incomplete or even wrong. Therefore, we recommend combining symbolic execution to quickly locate the root cause. This helps us manually correct problematic rules. We have implemented our idea for five popular MCU boards, covering three different chip suppliers. Using a novel edit distance-based algorithm to compute tracking differences, our evaluation on a large firmware corpus confirms that our prototype achieves higher fidelity compared to existing state-of-the-art solutions. Benefiting from accurate simulations, our simulator effectively avoids the false positives observed in existing fuzzing efforts. We also design a new dynamic analysis method to perform compliance checks of driver code against the specification. We found some non-compliance, which later turned out to be a bug caused by a race condition.
Paper link: https://doi.org/10.1145/3548606.3559386
209、When Evil Calls: Targeted Adversarial Voice over IP Network
As the COVID-19 pandemic fundamentally reshapes how remote living and working are done, Voice over IP (VoIP) telephony and video conferencing have become the primary ways to connect with communities. However, little research has been done on the feasibility and limitations of transmitting adversarial speech samples over such communication channels. In this paper, we propose TAINT - Targeted Adversarial Voice over IP Networks, the first targeted, query-efficient, hard-labeled black-box adversarial attack on a commercial speech recognition platform over VoIP. The unique channel characteristics of VoIP bring about important challenges such as signal attenuation, random channel noise, frequency selectivity, etc. To address these challenges, we systematically analyze the structure and channel characteristics of VoIP through reverse engineering. Then a noise-resistant and efficient gradient estimation method is developed to ensure the stability and fast convergence of the adversarial sample generation process.
We demonstrate our attacks in over-the-air and online settings on four commercial Automatic Speech Recognition (ASR) systems with five of the most popular VoIP conferencing software (VCS). We demonstrate that TAINT's performance is comparable to existing methods with an increase in VoIP channels. Even in the most challenging scenarios, such as with active speakers in Zoom, TAINT can still succeed within 10 attempts without becoming the focus of the video conference.
Paper link: https://doi.org/10.1145/3548606.3560671
210、When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer
In this work, we recover the private key material of the FrodoKEM key exchange mechanism submitted to the NIST Post-Quantum Cryptography (PQC) standardization process via a Rowhammer-assisted attack. This new mechanism allows us to subvert the FrodoKEM key generation (KeyGen) process via the Rowhammer attack. A Rowhammer side-channel is a hardware-based security vulnerability that flips bits in DRAM through repeated memory accesses to rows adjacent to a targeted victim memory location. Using Rowhammer, we guide the FrodoKEM software to output a higher-error public key (PK), (\matA, \matB = \matA \matS + \vec\widetildeE), where the error \widetilde\vecE is modified by Rowhammer. We then performed a decryption failure attack using a large number of publicly accessible supercomputing resources, running in just 200,000 core hours. We finely tune the decryption failure rate to ensure that an attacker's attack actually succeeds, but honest users cannot easily detect this manipulation.
Achieving this kind of "poisoning" of the public key required significant engineering effort, as FrodoKEM's KeyGen runtime is on the order of 8 milliseconds. (Previous Rowhammer-assisted attack encryption techniques required up to 8 hours of continuous access.) To deal with this realistic time condition, we need a lot of previous and new low-level engineering techniques, including for example memory adjustment algorithms-aka "feng shui" — and a precisely targeted performance-degradation attack against the scalable output function SHAKE. We explore the application of our technique to other lattice-based KEMs in the NIST PQC Round 3 candidate pool, such as Kyber, Saber, etc., and the difficulties that arise in various settings. Finally, we discuss various simple countermeasures to protect implementations from this and similar attacks.
Paper link: https://doi.org/10.1145/3548606.3560673
211、When Good Becomes Evil: Tracking Bluetooth Low Energy Devices via Allowlist-based Side Channel and Its Countermeasure
Today, Bluetooth Low Energy (BLE) is ubiquitous. To prevent BLE devices such as smartphones from being connected by unknown devices, it uses an allow list to only allow connections from identified devices. However, we found that this allowlist feature actually introduces a side-channel for device tracking, since even with randomized MAC addresses, devices with an allowlist still behave differently. To make matters worse, we also found that the MAC address randomization scheme specified in the current Bluetooth protocol is flawed and vulnerable to replay attacks. An attacker can replay a sniffed MAC address and judge whether the device is based on the allowed list of the target device. will respond. We validated our allow-list-based side-channel attack with 43 BLE peripherals, 11 central devices, and 4 development boards, and found that none of these devices were immune to the proposed attack once the allow-list was configured. We advocate the use of an unpredictable interval, central and peripheral synchronized randomized MAC address randomization scheme to eliminate passive device tracking (introducing 1% power overhead for central, 6.75% power overhead for central, 6.75% for central introduces a performance overhead of 88.49 microseconds for devices and 94.46 microseconds for peripherals), and uses timestamps to generate random MAC addresses so that attackers can no longer replay them to eliminate active device tracking (3.04% for peripherals , introducing a performance overhead of 63.58 microseconds and 20.54 microseconds for the central and peripheral devices). We disclosed our findings to the Bluetooth SIG and many other stakeholders in October 2020. The Bluetooth SIG assigned CVE-2020-35473 to track this logic-level protocol vulnerability. Google classified our discovery as a high-severity design flaw and awarded us a bug bounty.
Paper link: https://doi.org/10.1145/3548606.3559372
212、Why So Toxic?: Measuring and Triggering Toxic Behavior in Open-Domain Chatbots
Chatbots are widely used in many applications such as automated agents, smart home assistants, interactive characters in online games, etc. Therefore, it is crucial to ensure that they do not behave in a bad way and avoid providing offensive or toxic responses to users. This is no easy task, as current state-of-the-art chatbot models are trained on large public datasets publicly collected from the Internet. This paper presents a first-of-its-kind approach to measuring chatbot toxicity at scale. We found that publicly available chatbots are prone to toxic responses when receiving toxic queries. Even more worrisome, some non-poisonous queries may also trigger poisonous responses. We then design and experiment with an attack method called ToxicBuddy, which relies on fine-tuning GPT-2 to generate non-toxic queries that make chatbots respond in toxic ways. Our extensive experimental evaluation demonstrates that our attack method is effective against public chatbot models and outperforms hand-crafted malicious queries proposed in previous work. We also evaluate three defense mechanisms against ToxicBuddy and show that they either degrade the attack performance while affecting the chatbot's usefulness, or mitigate only part of the attack. This highlights the need for more research in the computer security and online safety communities to ensure chatbot models do not harm users. Overall, we believe that ToxicBuddy can serve as an auditing tool, and our work will pave the way for designing more effective chatbot security defenses.
Paper link: https://doi.org/10.1145/3548606.3560599
213、Widespread Underestimation of Sensitivity in Differentially Private Libraries and How to Fix It
We discover vulnerabilities in a new class of differential privacy implementations. Specifically, they arise when computing fundamental statistics such as sums, due to the difference between arithmetic implemented under finite data types (i.e. integers or floating point numbers) and ideal integer or real arithmetic. These differences lead to a much greater sensitivity of the realized statistic (i.e., the degree to which individual data influences the outcome) than we expected. As a result, almost all differential privacy libraries fail to introduce enough noise to hide individual-level information, which is required for differential privacy. We also show how to exploit this vulnerability in a differentially private query system for real-world attacks. In addition to introducing these vulnerabilities, we also provide some solutions by modifying or constraining the implementation of summation to restore idealized or near-idealized sensitivity bounds.
Paper link: https://doi.org/10.1145/3548606.3560708
214、Zapper: Smart Contracts with Data and Identity Privacy
Privacy concerns hinder the application of smart contracts in sensitive areas that are incompatible with the public properties of shared ledgers. We present Zapper, a privacy-centric smart contract system that allows developers to express contracts in an intuitive front end. Zapper not only hides the identities of users, but also who they access—the latter crucial to preventing deanonymization attacks. Specifically, Zapper compiles the contract into an assembly language that is executed by a non-interactive zero-knowledge processor, and hides the accessed objects through an agnostic Merkle tree structure. We implemented Zapper on an idealized ledger and evaluated it in real-world applications, showing that it allows generating new transactions in 22 seconds and validating them in 0.03 seconds (not including the time). This performance is comparable to the smart contract system ZEXE (Bowe et al., 2020), which provides similar data and identity privacy guarantees but suffers from multiple flaws that affect security and usability.
Paper link: https://doi.org/10.1145/3548606.3560622
215、i-TiRE: Incremental Timed-Release Encryption or How to use Timed-Release Encryption on Blockchains?
Timed decryption encryption encrypts information until some future time so that it cannot be decrypted until after that time. Potential applications include closed auctions, scheduled confidential transactions, and digital time capsules. In order to realize the application of these decentralized smart contracts, we explore how to use timed decryption encryption on the blockchain. Practical constructions in the literature rely on a trusted server (or multiple servers in threshold settings) that periodically issues epoch-specific decryption keys based on long-term secrets. Their main idea is to treat time periods or epochs as identities in identity-based encryption schemes. However, these schemes suffer from a fatal flaw: a key from one epoch does not allow us to decrypt ciphertext locked in a previous epoch. Paterson and Quaglia [SCN'10] solve this problem by specifying at the time of encryption the range of epochs within which decryption is allowed. However, we face an efficiency problem: at each epoch, the server must issue a decryption key logarithmically related to the lifetime (total number of epochs) via a smart contract transaction. For example, on Ethereum, for a modest lifespan covering 2 years with epoch length of 1 minute, a server must spend more than $6 per minute in gas; this cost scales with the number of servers in the threshold setting multiplied. We propose a novel timed decryption encryption scheme, where the size of the decryption key is logarithmically related to the lifetime and can be updated incrementally, where a short update key (a single group element) is sufficient to compute subsequent decryption keys ; our decryption key allows the client to decrypt the ciphertext locked at any previous epoch. This results in a significant reduction in gas bills, for example, only $0.30 in the above setup. Furthermore, ciphertexts are also compact (logarithmically related to the total lifetime), with encryption and decryption times on the order of milliseconds. Additionally, we spread trust across multiple servers to tolerate up to a threshold amount of malicious damage.
Our construction is based on bilinear pairings, borrowing ideas from Canetti et al.'s binary tree encryption [Eurocypt 2003] and Naor et al.'s distributed pseudorandom functions [Eurocrypt 1999].
Paper link: https://doi.org/10.1145/3548606.3560704
216、pMPL: A Robust Multi-Party Learning Framework with a Privileged Party
In order to perform machine learning among multiple parties while preserving the privacy of raw data, privacy-preserving machine learning (MPL) based on secure multi-party computation has become a hot topic in recent years. The configuration of the MPL generally follows a peer-to-peer architecture, where each party has an equal chance of revealing the output. However, typical business scenarios often follow a layered architecture, where a powerful, often privileged party, leads the machine learning task. Only the privileged party can reveal the final model, even if other auxiliary parties collude with each other. There is even a need to avoid machine learning aborts when part of the helpers drop out, to ensure that tasks are completed as planned and/or to save computing resources.
Inspired by the above scenarios, we propose \pmpl, a powerful MPL framework with privileged parties. \pmpl supports three-party (the typical number of parties in the MPL framework) training in a semi-honest setting. By setting alternating shares for the privileged party, \pmpl can tolerate the dropout of one of the remaining two parties during training. Based on the above settings, we design a series of \pmpl efficient protocols based on vector space secret sharing to bridge the gap between vector space secret sharing and machine learning. Finally, experimental results show that \pmpl performs satisfactorily compared to state-of-the-art MPL frameworks. In particular, in the LAN setting, \pmpl is 16x and 5x faster than \textttTF-encrypted (with \textttABY3 as the backend framework) for linear regression and logistic regression, respectively. In addition, the accuracy of linear regression, logistic regression and BP neural network trained on the MNIST dataset can reach about 97%, 99% and 96%, respectively.
Paper link: https://doi.org/10.1145/3548606.3560697
217、zkBridge: Trustless Cross-chain Bridges Made Practical
Blockchain is gaining traction at a time when the cryptocurrency market cap exceeds $1 trillion, major institutional investors are showing interest, and there are global implications for governments, businesses and individuals. The heterogeneity of the ecosystem is also growing significantly, with various blockchains co-existing. In this multi-chain ecosystem, cross-chain bridges are an essential building block. However, existing solutions either suffer from performance issues or rely on substantially reduced security on the assumption of committee honesty. Ongoing attacks on bridges have cost users more than $1.5 billion. In this paper, we introduce zkBridge, an efficient cross-chain bridge that guarantees strong security without additional trust assumptions. With concise proofs, zkBridge not only guarantees correctness, but also greatly reduces the cost of on-chain verification. We propose a novel succinct proof protocol that is orders of magnitude faster than existing solutions for workloads in zkBridge. Through modular design, zkBridge implements some useful functions, including message passing, token transfer, and other computational logic operations on state changes from different chains. We fully implement zkBridge between Cosmos and Ethereum and evaluate the end-to-end performance. Experiments show that zkBridge has practical performance: it can generate a block header proof within 2 minutes, and the cost of verifying the proof on the chain is less than 220K gas (same as Groth16). Relaying a transaction from Cosmos to Ethereum costs 210K gas.
Paper link: https://doi.org/10.1145/3548606.3560652
