S&P Session 9: Web
NDSS Session 1A: IoT
NDSS Session 3B: Authentication
USENIX Session: Understanding How Humans Authenticate
S&P Session 9: Web
https://dblp.uni-trier.de/db/conf/sp/sp2018.html
FP-STALKER: Tracking Browser Fingerprint Evolutions.
Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications.
Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities.
Enumerating Active IPv6 Hosts for Large-Scale Security Scans via DNSSEC-Signed Reverse Zones.
Tracking Certificate Misissuance in the Wild.
A Formal Treatment of Accountable Proxying Over TLS.
NDSS Session 1A: IoT
https://dblp.uni-trier.de/db/conf/ndss/ndss2018.html
IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing.
Fear and Logging in the Internet of Things.
Decentralized Action Integrity for Trigger-Action IoT Platforms.
What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices.
NDSS Session 3B: Authentication
Broken Fingers: On the Usage of the Fingerprint API in Android.
K-means++ vs. Behavioral Biometrics: One Loop to Rule Them All.
ABC: Enabling Smartphone Authentication with Built-in Camera.
Device Pairing at the Touch of an Electrode.
Face Flashing: a Secure Liveness Detection Protocol based on Light Reflections.
USENIX Session: Understanding How Humans Authenticate
https://dblp.uni-trier.de/db/conf/uss/uss2018.html
Better managed than memorized? Studying the Impact of Managers on Password Strength and Reuse.
Forgetting of Passwords: Ecological Theory and Data.
The Rewards and Costs of Stronger Passwords in a University: Linking Password Lifetime to Strength.
Rethinking Access Control and Authentication for the Home Internet of Things (IoT).
1. FP-STALKER: Tracking Browser Fingerprint Evolutions
【Browser fingerprint】
- Unlike cookies, nothing needs to be stored in the browser
- But browser fingerprints change easily over time
- Designs FP-STALKER with two variants: a rule-based one that runs faster, and a hybrid ML one that is more accurate and can track a browser's fingerprint for a longer time
2. Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications.
【HTML5 postMessage vulnerability】
- Embedded browsers in mobile apps commonly use postMessage to communicate from the native frame to the web frame; the origin information may not be fully preserved (?), so code injected into the WebView can monitor/access information, data and functionality on the mobile side
- This vulnerability is named the "Origin Stripping Vulnerability" (OSV)
- Designs a new postMessage API, OSV-Free
3. Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities.
【Input validation and API business-logic vulnerabilities on the mobile side of Web-to-Mobile】
- Problems arise easily when the web service does not fully replicate the app's input validation
- Develops a new approach, WARDroid, that automatically detects, via static analysis, inconsistencies in input validation logic between apps and their respective web API services
4. Enumerating Active IPv6 Hosts for Large-Scale Security Scans via DNSSEC-Signed Reverse Zones.
【Enumerating active IPv6 hosts and IPv6 security issues】
- Enumerates active IPv6 hosts via DNSSEC-signed reverse zones
- Finds that some host administrators have configured globally routable IPv6 addresses, leading to security issues such as exposure of sensitive information and incorrect access control on hosts
5. Tracking Certificate Misissuance in the Wild.
【Certificate misissuance】
- Uses ZLint to analyze whether certificates issued by Certificate Authorities (CAs) have problems
- The proportion of non-conformant certificates is small, but many of them are issued by small CAs, which may also have problems in other aspects of their management
6. A Formal Treatment of Accountable Proxying Over TLS.
【Transport Layer Security (TLS)】
- Transport Layer Security (TLS) provides confidentiality and data integrity between two communicating applications
- Using proxies modifies TLS and introduces security vulnerabilities; some middleboxes are invisible to the endpoints, leading to a lack of accountability; the recently proposed mcTLS aims to solve this problem
- However, it too has security vulnerabilities, allowing middlebox-confusion attacks
- The authors fix it
7. IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing.
【Detecting memory corruption vulnerabilities in IoT devices】
- Detects such vulnerabilities through the mobile app that controls the device, without needing access to the firmware image
- IOTFUZZER uses fuzzing: protocol-guided fuzzing without protocol specifications
8. Fear and Logging in the Internet of Things.
【Platform-centric auditing of the IoT】
- When IoT audit logs are isolated on a single device, it is hard to determine the true cause of an error
- ProvThings: a platform-centric, centralized auditing approach
9. Decentralized Action Integrity for Trigger-Action IoT Platforms.
【Decentralized action integrity for trigger-action IoT platforms (……)】
- Some platforms combine various IoT devices to provide automation rules (e.g., if smoke is detected indoors, turn off the oven) (If-This-Then-That, IFTTT); these platforms use OAuth tokens, so when an attacker compromises the platform they can remotely hijack devices; in addition, some OAuth tokens have excessive permissions
- Designs a platform supporting Decentralized Action Integrity, the Decentralized Trigger-Action Platform (DTAP), to solve this problem
10. What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices.
【Detecting memory corruption in embedded devices】
- On desktop systems bugs are usually discovered from crashes, but on embedded devices memory corruption caused by programming errors does not necessarily trigger a crash, which makes traditional dynamic testing techniques such as fuzzing less effective
- Analyzes how embedded devices behave differently after memory corruption and builds a simple algorithm that detects otherwise unnoticed memory corruption at runtime
11. Broken Fingers: On the Usage of the Fingerprint API in Android.
【Misuse of the Android fingerprint API】
- Two-factor authentication (2FA): fingerprint recognition is an important way to perform second-factor verification on phones
- Trusted Execution Environments (TEE): a hardware-enforced isolated execution environment that does not leak fingerprint keys or the corresponding operations
- Assuming a strong attacker who compromises the untrusted OS, some apps call the fingerprint verification API insecurely, so a strong (root) attacker can bypass the fingerprint check
- The case study includes payment apps that store the user's fingerprint and reuse it……
12. K-means++ vs. Behavioral Biometrics: One Loop to Rule Them All.
【Attacking behavioral biometrics with K-means++】
- Keystroke dynamics, the most studied behavioral biometric, is used for user authentication beyond passwords
- The authors collect targeted and general samples and apply k-means++, finding a ~30% chance of defeating the behavioral biometric
13. ABC: Enabling Smartphone Authentication with Built-in Camera.
【Hardware fingerprint】
- Uses the photo-response non-uniformity (PRNU) of the built-in camera: photograph two time-variant QR codes and upload them to the server for comparison
- Previous work generally used sensor fingerprints, which do not satisfy fingerprint leakage resilience and fingerprint forgery resilience
- PRNU was previously used to identify cameras (e.g., identifying the camera from the noise in a photo); the authors extend it into a phone authentication method
- Proposes ABC (Authentication with Built-in Camera), an authentication method that, after the above description, is surprising yet reasonable: the user picks up the phone, photographs a QR code image and uploads it to the server to authenticate
14. Device Pairing at the Touch of an Electrode.
【Device pairing over the human body channel】
- Device pairing: the process of bootstrapping secure communication between two devices that do not share any common secrets
- Applicable scenario: objects on which a flat touchscreen is hard to fit, such as earphones and microphones
- Minimizes the success rate of remote attacks
- Possibly somewhat related to sensors……intra-body communication
15. Face Flashing: a Secure Liveness Detection Protocol based on Light Reflections.
【Aiding face recognition: liveness detection with Face Flashing】
- Face recognition is vulnerable to attack; it is usually combined with liveness detection (commonly a challenge-response protocol: blinking, turning the head, etc.) to resist attacks, but that has bugs too, and timing verification does not help either
- Media-based facial forgery (MFF) attacks simulate quickly enough that they cannot be distinguished by response time
- Face Flashing: (the screen randomly flashes specific pictures and uses the light reflected off the face to determine the delay) randomly flash well-designed pictures on a screen, analyze the reflected light, cooperating with the working mechanism of the screen and digital cameras => (verifies two factors: time and shape) leverage physical characteristics of human faces: reflection processing at the speed of light, unique textual features, and uneven 3D shapes
- The authors stress that 3D dynamic attacks are expensive and impractical (3D printing materials do not include human skin)
- 1) model of light reflection, 2) algorithm for extracting faces from video frames, 3) verifications on time and face
- 1) Formula: the ratio of RGB values captured by the camera = external light source value * (facial) reflectance
- 2) Iteratively extract the face rectangle (this step is computationally expensive) -> face alignment algorithm -> compute via matrix multiplication
- 3) Analyze the refresh mechanism of the camera and the screen (pixel, row/column)
- Limitations: silicone masks -> reflectance at different light wavelengths might be able to defend against them
- Ultra-high-speed cameras, ultra-high-speed displays and ultra-high-speed computational models could potentially mount an attack -> we can mitigate this threat, to some extent, by flashing more finely striped challenges (or chessboard-like patterns), but, with better screen and camera
16. Better managed than memorized? Studying the Impact of Managers on Password Strength and Reuse.
【Impact of password managers on users' password habits】
- Survey: after using a password manager to store passwords, does it help users generate strong passwords? Does it reduce password reuse?
17. Forgetting of Passwords: Ecological Theory and Data.
【When passwords are forgotten】
- Investigates the memory curve of humans forgetting passwords
- our finding points to a new understanding of password forgetting: instead of looking at the password itself (e.g. password complexity), we need to consider the environment in which it is used and how memory functions over time.
18. The Rewards and Costs of Stronger Passwords in a University: Linking Password Lifetime to Strength.
【Impact on users' chosen password strength when password strength is linked to password lifetime】
- encourage stronger passwords by varying password lifetime according to password strength, which was measured through Shannon entropy
- Starts to take effect after 100+ days (100 days being the shortest lifetime), but many people had to reset their passwords frequently... Some users with strong passwords also forgot them and reset to weaker ones
19. Rethinking Access Control and Authentication for the Home Internet of Things (IoT).
【Multi-user access control and authentication】
- While access control in smart homes is currently often device-centric, our user study demonstrated that a capability- and relationship-centric model more closely fits user expectations.