-
Open Problems in DAOs
Authors:
Joshua Tan,
Tara Merk,
Sarah Hubbard,
Eliza R. Oak,
Helena Rong,
Joni Pirovich,
Ellie Rennie,
Rolf Hoefer,
Michael Zargham,
Jason Potts,
Chris Berg,
Reuben Youngblom,
Primavera De Filippi,
Seth Frey,
Jeff Strnad,
Morshed Mannan,
Kelsie Nabben,
Silke Noa Elrifai,
Jake Hartnell,
Benjamin Mako Hill,
Tobin South,
Ryan L. Thomas,
Jonathan Dotan,
Ariana Spring,
Alexia Maddox
, et al. (4 additional authors not shown)
Abstract:
Decentralized autonomous organizations (DAOs) are a new, rapidly-growing class of organizations governed by smart contracts. Here we describe how researchers can contribute to the emerging science of DAOs and other digitally-constituted organizations. From granular privacy primitives to mechanism designs to model laws, we identify high-impact problems in the DAO ecosystem where existing gaps might…
▽ More
Decentralized autonomous organizations (DAOs) are a new, rapidly-growing class of organizations governed by smart contracts. Here we describe how researchers can contribute to the emerging science of DAOs and other digitally-constituted organizations. From granular privacy primitives to mechanism designs to model laws, we identify high-impact problems in the DAO ecosystem where existing gaps might be tackled through a new data set or by applying tools and ideas from existing research fields such as political science, computer science, economics, law, and organizational science. Our recommendations encompass exciting research questions as well as promising business opportunities. We call on the wider research community to join the global effort to invent the next generation of organizations.
△ Less
Submitted 12 June, 2024; v1 submitted 29 October, 2023;
originally announced October 2023.
-
Security Weaknesses in IoT Management Platforms
Authors:
Bhaskar Tejaswi,
Mohammad Mannan,
Amr Youssef
Abstract:
A diverse set of Internet of Things (IoT) devices are becoming an integrated part of daily lives, and playing an increasingly vital role in various industry, enterprise and agricultural settings. The current IoT ecosystem relies on several IoT management platforms to manage and operate a large number of IoT devices, their data, and their connectivity. Considering their key role, these platforms mu…
▽ More
A diverse set of Internet of Things (IoT) devices are becoming an integrated part of daily lives, and playing an increasingly vital role in various industry, enterprise and agricultural settings. The current IoT ecosystem relies on several IoT management platforms to manage and operate a large number of IoT devices, their data, and their connectivity. Considering their key role, these platforms must be properly secured against cyber attacks. In this work, we first explore the core operations/features of leading platforms to design a framework to perform a systematic security evaluation of these platforms. Subsequently, we use our framework to analyze a representative set of 52 IoT management platforms, including 42 web-hosted and 10 locally-deployable platforms. We discover a number of high severity unauthorized access vulnerabilities in 9/52 evaluated IoT management platforms, which could be abused to perform attacks such as remote IoT SIM deactivation, IoT SIM overcharging and IoT device data forgery. More seriously, we also uncover instances of broken authentication in 13/52 platforms, including complete account takeover on 8/52 platforms along with remote code execution on 2/52 platforms. In effect, 17/52 platforms were affected by vulnerabilities that could lead to platform-wide attacks. Overall, vulnerabilities were uncovered in 33 platforms, out of which 28 platforms responded to our responsible disclosure. We were also assigned 11 CVEs and awarded bounty for our findings.
△ Less
Submitted 26 July, 2023;
originally announced July 2023.
-
Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case
Authors:
Supraja Baskaran,
Lianying Zhao,
Mohammad Mannan,
Amr Youssef
Abstract:
We conduct a large-scale measurement of developers' insecure practices leading to mini-app to super-app authentication bypass, among which hard-coding developer secrets for such authentication is a major contributor. We also analyze the exploitability and security consequences of developer secret leakage in mini-apps by examining individual super-app server-side APIs. We develop an analysis framew…
▽ More
We conduct a large-scale measurement of developers' insecure practices leading to mini-app to super-app authentication bypass, among which hard-coding developer secrets for such authentication is a major contributor. We also analyze the exploitability and security consequences of developer secret leakage in mini-apps by examining individual super-app server-side APIs. We develop an analysis framework for measuring such secret leakage, and primarily analyze 110,993 WeChat mini-apps, and 10,000 Baidu mini-apps (two of the most prominent super-app platforms), along with a few more datasets to test the evolution of developer practices and platform security enforcement over time. We found a large number of WeChat mini-apps (36,425, 32.8%) and a few Baidu mini-apps (112) leak their developer secrets, which can cause severe security and privacy problems for the users and developers of mini-apps. A network attacker who does not even have an account on the super-app platform, can effectively take down a mini-app, send malicious and phishing links to users, and access sensitive information of the mini-app developer and its users. We responsibly disclosed our findings and also put forward potential directions that could be considered to alleviate/eliminate the root causes of developers hard-coding the app secrets in the mini-app's front-end code.
△ Less
Submitted 18 July, 2023;
originally announced July 2023.
-
Watch the Gap: Making code more intelligible to users without sacrificing decentralization?
Authors:
Simona Ramos,
Morshed Mannan
Abstract:
The potential for blockchain technology to eliminate the middleman and replace the top down hierarchical model of governance with a system of distributed cooperation has opened up many new opportunities, as well as dilemmas. Surpassing the level of acceptance by early tech adopters, the market of smart contracts is now moving towards wider acceptance from regular (non tech) users. For this to happ…
▽ More
The potential for blockchain technology to eliminate the middleman and replace the top down hierarchical model of governance with a system of distributed cooperation has opened up many new opportunities, as well as dilemmas. Surpassing the level of acceptance by early tech adopters, the market of smart contracts is now moving towards wider acceptance from regular (non tech) users. For this to happen however, smart contract development will have to overcome certain technical and legal obstacles to bring the code and the user closer. Guided by notions from contract law and consumer protection we highlight the information gap that exists between users, legal bodies and the source code. We present a spectrum of low-code to no-code initiatives that aim at bridging this gap, promising the potential of higher regulatory acceptance. Nevertheless, this highlights the so called "Pitfall of the Trustless Dream", because arguably solutions to the information gap tend to make the system more centralized. In this article, we aim to make a practical contribution of relevance to the wide-spread adoption of smart contracts and their legal acceptance by analyzing the evolving practices that bring the user and the code closer.
△ Less
Submitted 10 March, 2023;
originally announced April 2023.
-
Hidden in Plain Sight: Exploring Encrypted Channels in Android apps
Authors:
Sajjad Pourali,
Nayanamana Samarasinghe,
Mohammad Mannan
Abstract:
As privacy features in Android operating system improve, privacy-invasive apps may gradually shift their focus to non-standard and covert channels for leaking private user/device information. Such leaks also remain largely undetected by state-of-the-art privacy analysis tools, which are very effective in uncovering privacy exposures via regular HTTP and HTTPS channels. In this study, we design and…
▽ More
As privacy features in Android operating system improve, privacy-invasive apps may gradually shift their focus to non-standard and covert channels for leaking private user/device information. Such leaks also remain largely undetected by state-of-the-art privacy analysis tools, which are very effective in uncovering privacy exposures via regular HTTP and HTTPS channels. In this study, we design and implement, ThirdEye, to significantly extend the visibility of current privacy analysis tools, in terms of the exposures that happen across various non-standard and covert channels, i.e., via any protocol over TCP/UDP (beyond HTTP/S), and using multi-layer custom encryption over HTTP/S and non-HTTP protocols. Besides network exposures, we also consider covert channels via storage media that also leverage custom encryption layers. Using ThirdEye, we analyzed 12,598 top-apps in various categories from Androidrank, and found that 2887/12,598 (22.92%) apps used custom encryption/decryption for network transmission and storing content in shared device storage, and 2465/2887 (85.38%) of those apps sent device information (e.g., advertising ID, list of installed apps) over the network that can fingerprint users. Besides, 299 apps transmitted insecure encrypted content over HTTP/non-HTTP protocols; 22 apps that used authentication tokens over HTTPS, happen to expose them over insecure (albeit custom encrypted) HTTP/non-HTTP channels. We found non-standard and covert channels with multiple levels of obfuscation (e.g., encrypted data over HTTPS, encryption at nested levels), and the use of vulnerable keys and cryptographic algorithms. Our findings can provide valuable insights into the evolving field of non-standard and covert channels, and help spur new countermeasures against such privacy leakage and security issues.
△ Less
Submitted 29 September, 2022;
originally announced September 2022.
-
"My Privacy for their Security": Employees' Privacy Perspectives and Expectations when using Enterprise Security Software
Authors:
Jonah Stegman,
Patrick J. Trottier,
Caroline Hillier,
Hassan Khan,
Mohammad Mannan
Abstract:
Employees are often required to use Enterprise Security Software ("ESS") on corporate and personal devices. ESS products collect users' activity data including users' location, applications used, and websites visited - operating from employees' device to the cloud. To the best of our knowledge, the privacy implications of this data collection have yet to be explored. We conduct an online survey (n…
▽ More
Employees are often required to use Enterprise Security Software ("ESS") on corporate and personal devices. ESS products collect users' activity data including users' location, applications used, and websites visited - operating from employees' device to the cloud. To the best of our knowledge, the privacy implications of this data collection have yet to be explored. We conduct an online survey (n=258) and a semi-structured interview (n=22) with ESS users to understand their privacy perceptions, the challenges they face when using ESS, and the ways they try to overcome those challenges. We found that while many participants reported receiving no information about what data their ESS collected, those who received some information often underestimated what was collected. Employees reported lack of communication about various data collection aspects including: the entities with access to the data and the scope of the data collected. We use the interviews to uncover several sources of misconceptions among the participants. Our findings show that while employees understand the need for data collection for security, the lack of communication and ambiguous data collection practices result in the erosion of employees' trust on the ESS and employers. We obtain suggestions from participants on how to mitigate these misconceptions and collect feedback on our design mockups of a privacy notice and privacy indicators for ESS. Our work will benefit researchers, employers, and ESS developers to protect users' privacy in the growing ESS market.
△ Less
Submitted 23 September, 2022;
originally announced September 2022.
-
Blindfold: Kee** Private Keys in PKIs and CDNs out of Sight
Authors:
Hisham Galal,
Mohammad Mannan,
Amr Youssef
Abstract:
Public key infrastructure (PKI) is a certificate-based technology that helps in authenticating systems identities. HTTPS/TLS relies mainly on PKI to minimize fraud over the Internet. Nowadays, websites utilize CDNs to improve user experience, performance, and resilience against cyber attacks. However, combining HTTPS/TLS with CDNs has raised new security challenges. In any PKI system, kee** priv…
▽ More
Public key infrastructure (PKI) is a certificate-based technology that helps in authenticating systems identities. HTTPS/TLS relies mainly on PKI to minimize fraud over the Internet. Nowadays, websites utilize CDNs to improve user experience, performance, and resilience against cyber attacks. However, combining HTTPS/TLS with CDNs has raised new security challenges. In any PKI system, kee** private keys private is of utmost importance. However, it has become the norm for CDN-powered websites to violate that fundamental assumption. Several solutions have been proposed to make HTTPS CDN-friendly. However, protection of private keys from the very instance of generation; and how they can be made secure against exposure by malicious (CDN) administrators and malware remain unexplored. We utilize trusted execution environments to protect private keys by never exposing them to human operators or untrusted software. We design Blindfold to protect private keys in HTTPS/TLS infrastructures, including CAs, website on-premise servers, and CDNs. We implemented a prototype to assess Blindfold's performance and performed several experiments on both the micro and macro levels. We found that Blindfold slightly outperforms SoftHSM in key generation by 1% while lagging by 0.01% for certificate issuance operations.
△ Less
Submitted 19 July, 2022;
originally announced July 2022.
-
Not so immutable: Upgradeability of Smart Contracts on Ethereum
Authors:
Mehdi Salehi,
Jeremy Clark,
Mohammad Mannan
Abstract:
A smart contract that is deployed to a blockchain system like Ethereum is, under reasonable circumstances, expected to be immutable and tamper-proof. This is both a feature (promoting integrity and transparency) and a bug (preventing security patches and feature updates). Modern smart contracts use software tricks to enable upgradeability, raising the research questions of how upgradeability is ac…
▽ More
A smart contract that is deployed to a blockchain system like Ethereum is, under reasonable circumstances, expected to be immutable and tamper-proof. This is both a feature (promoting integrity and transparency) and a bug (preventing security patches and feature updates). Modern smart contracts use software tricks to enable upgradeability, raising the research questions of how upgradeability is achieved and who is authorized to make changes. In this paper, we summarize and evaluate six upgradeability patterns. We develop a measurement framework for finding how many upgradeable contracts are on Ethereum that use certain prominent upgrade patters. We find 1.4 million proxy contracts which 8,225 of them are unique upgradeable proxy contracts. We also measure how they implement access control over their upgradeability: about 50% are controlled by a single Externally Owned Address (EOA), and about 14% are controlled by multi-signature wallets in which a limited number of persons can change the whole logic of the contract.
△ Less
Submitted 1 June, 2022;
originally announced June 2022.
-
SAUSAGE: Security Analysis of Unix domain Socket Usage in Android
Authors:
Mounir Elgharabawy,
Blas Kojusner,
Mohammad Mannan,
Kevin R. B. Butler,
Byron Williams,
Amr Youssef
Abstract:
The Android operating system is currently the most popular mobile operating system in the world. Android is based on Linux and therefore inherits its features including its Inter-Process Communication (IPC) mechanisms. These mechanisms are used by processes to communicate with one another and are extensively used in Android. While Android-specific IPC mechanisms have been studied extensively, Unix…
▽ More
The Android operating system is currently the most popular mobile operating system in the world. Android is based on Linux and therefore inherits its features including its Inter-Process Communication (IPC) mechanisms. These mechanisms are used by processes to communicate with one another and are extensively used in Android. While Android-specific IPC mechanisms have been studied extensively, Unix domain sockets have not been examined comprehensively, despite playing a crucial role in the IPC of highly privileged system daemons. In this paper, we propose SAUSAGE, an efficient novel static analysis framework to study the security properties of these sockets. SAUSAGE considers access control policies implemented in the Android security model, as well as authentication checks implemented by the daemon binaries. It is a fully static analysis framework, specifically designed to analyze Unix domain socket usage in Android system daemons, at scale. We use this framework to analyze 200 Android images across eight popular smartphone vendors spanning Android versions 7-9. As a result, we uncover multiple access control misconfigurations and insecure authentication checks. Our notable findings include a permission bypass in highly privileged Qualcomm system daemons and an unprotected socket that allows an untrusted app to set the scheduling priority of other processes running on the system, despite the implementation of mandatory SELinux policies. Ultimately, the results of our analysis are worrisome; all vendors except the Android Open Source Project (AOSP) have access control issues, allowing an untrusted app to communicate to highly privileged daemons through Unix domain sockets introduced by hardware manufacturer or vendor customization.
△ Less
Submitted 4 April, 2022;
originally announced April 2022.
-
On Securing Cloud-hosted Cyber-physical Systems Using Trusted Execution Environments
Authors:
Amir Mohammad Naseri,
Walter Lucia,
Mohammad Mannan,
Amr Youssef
Abstract:
Recently, cloud control systems have gained increasing attention from the research community as a solution to implement networked cyber-physical systems (CPSs). Such an architecture can reduce deployment and maintenance costs albeit at the expense of additional security and privacy concerns. In this paper, first, we discuss state-of-the-art security solutions for cloud control systems and their li…
▽ More
Recently, cloud control systems have gained increasing attention from the research community as a solution to implement networked cyber-physical systems (CPSs). Such an architecture can reduce deployment and maintenance costs albeit at the expense of additional security and privacy concerns. In this paper, first, we discuss state-of-the-art security solutions for cloud control systems and their limitations. Then, we propose a novel control architecture based on Trusted Execution Environments (TEE). We show that such an approach can potentially address major security and privacy issues for cloud-hosted control systems. Finally, we present an implementation setup based on Intel Software Guard Extensions (SGX) and validate its effectiveness on a testbed system.
△ Less
Submitted 31 March, 2021;
originally announced April 2021.
-
Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions
Authors:
S. Ali,
M. Elgharabawy,
Q. Duchaussoy,
M. Mannan,
A. Youssef
Abstract:
For parents of young children and adolescents, the digital age has introduced many new challenges, including excessive screen time, inappropriate online content, cyber predators, and cyberbullying. To address these challenges, many parents rely on numerous parental control solutions on different platforms, including parental control network devices (e.g., WiFi routers) and software applications on…
▽ More
For parents of young children and adolescents, the digital age has introduced many new challenges, including excessive screen time, inappropriate online content, cyber predators, and cyberbullying. To address these challenges, many parents rely on numerous parental control solutions on different platforms, including parental control network devices (e.g., WiFi routers) and software applications on mobile devices and laptops. While these parental control solutions may help digital parenting, they may also introduce serious security and privacy risks to children and parents, due to their elevated privileges and having access to a significant amount of privacy-sensitive data. In this paper, we present an experimental framework for systematically evaluating security and privacy issues in parental control software and hardware solutions. Using the developed framework, we provide the first comprehensive study of parental control tools on multiple platforms including network devices, Windows applications, Chrome extensions and Android apps. Our analysis uncovers pervasive security and privacy issues that can lead to leakage of private information, and/or allow an adversary to fully control the parental control solution, and thereby may directly aid cyberbullying and cyber predators.
△ Less
Submitted 11 December, 2020;
originally announced December 2020.
-
On Privacy Risks of Public WiFi Captive Portals
Authors:
Suzan Ali,
Tousif Osman,
Mohammad Mannan,
Amr Youssef
Abstract:
Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shop** malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may also track user activities and share user/device information with third-parties, through the use of trackers in their captive portal and landing website…
▽ More
Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shop** malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may also track user activities and share user/device information with third-parties, through the use of trackers in their captive portal and landing websites. In this paper, we present a comprehensive privacy analysis of 67 unique public WiFi hotspots located in Montreal, Canada, and shed some light on the web tracking and data collection behaviors of these hotspots. Our study reveals the collection of a significant amount of privacy-sensitive personal data through the use of social login (e.g., Facebook and Google) and registration forms, and many instances of tracking activities, sometimes even before the user accepts the hotspot's privacy and terms of service policies. Most hotspots use persistent third-party tracking cookies within their captive portal site; these cookies can be used to follow the user's browsing behavior long after the user leaves the hotspots, e.g., up to 20 years. Additionally, several hotspots explicitly share (sometimes via HTTP) the collected personal and unique device information with many third-party tracking domains.
△ Less
Submitted 3 July, 2019;
originally announced July 2019.
-
One-Time Programs made Practical
Authors:
Lianying Zhao,
Joseph I. Choi,
Didem Demirag,
Kevin R. B. Butler,
Mohammad Mannan,
Erman Ayday,
Jeremy Clark
Abstract:
A one-time program (OTP) works as follows: Alice provides Bob with the implementation of some function. Bob can have the function evaluated exclusively on a single input of his choosing. Once executed, the program will fail to evaluate on any other input. State-of-the-art one-time programs have remained theoretical, requiring custom hardware that is cost-ineffective/unavailable, or confined to adh…
▽ More
A one-time program (OTP) works as follows: Alice provides Bob with the implementation of some function. Bob can have the function evaluated exclusively on a single input of his choosing. Once executed, the program will fail to evaluate on any other input. State-of-the-art one-time programs have remained theoretical, requiring custom hardware that is cost-ineffective/unavailable, or confined to adhoc/unrealistic assumptions. To bridge this gap, we explore how the Trusted Execution Environment (TEE) of modern CPUs can realize the OTP functionality. Specifically, we build two flavours of such a system: in the first, the TEE directly enforces the one-timeness of the program; in the second, the program is represented with a garbled circuit and the TEE ensures Bob's input can only be wired into the circuit once, equivalent to a smaller cryptographic primitive called one-time memory. These have different performance profiles: the first is best when Alice's input is small and Bob's is large, and the second for the converse.
△ Less
Submitted 1 July, 2019;
originally announced July 2019.
-
TEE-aided Write Protection Against Privileged Data Tampering
Authors:
Lianying Zhao,
Mohammad Mannan
Abstract:
Unauthorized data alteration has been a longstanding threat since the emergence of malware. System and application software can be reinstalled and hardware can be replaced, but user data is priceless in many cases. Especially in recent years, ransomware has become high-impact due to its direct monetization model. State-of-the-art defenses are mostly based on known signature or behavior analysis, a…
▽ More
Unauthorized data alteration has been a longstanding threat since the emergence of malware. System and application software can be reinstalled and hardware can be replaced, but user data is priceless in many cases. Especially in recent years, ransomware has become high-impact due to its direct monetization model. State-of-the-art defenses are mostly based on known signature or behavior analysis, and more importantly, require an uncompromised OS kernel. However, malware with the highest software privileges has shown its obvious existence. We propose to move from current detection/recovery based mechanisms to data loss prevention, where the focus is on armoring data instead of counteracting malware. Our solution, Inuksuk, relies on today's Trusted Execution Environments (TEEs), as available both on the CPU and storage device, to achieve programmable write protection. We back up a copy of user-selected files as write-protected at all times, and subsequent updates are written as new versions securely through TEE. We implement Inuksuk on Windows 7 and 10, and Linux (Ubuntu); our core design is OS and application agnostic, and incurs no run-time performance penalty for applications. File transfer disruption can be eliminated or alleviated through access modes and customizable update policies (e.g., interval, granularity). For Inuksuk's adoptability in modern OSes, we have also ported Flicker (EuroSys 2008), a defacto standard tool for in-OS privileged TEE management, to the latest 64-bit Windows.
△ Less
Submitted 26 May, 2019;
originally announced May 2019.
-
Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case
Authors:
Xavier de Carné de Carnavalet,
Mohammad Mannan
Abstract:
Comprehensive case studies on malicious code mostly focus on botnets and worms (recently revived with IoT devices), prominent pieces of malware or Advanced Persistent Threats, exploit kits, and ransomware. However, adware seldom receives such attention. Previous studies on "unwanted" Windows applications, including adware, favored breadth of analysis, uncovering ties between different actors and d…
▽ More
Comprehensive case studies on malicious code mostly focus on botnets and worms (recently revived with IoT devices), prominent pieces of malware or Advanced Persistent Threats, exploit kits, and ransomware. However, adware seldom receives such attention. Previous studies on "unwanted" Windows applications, including adware, favored breadth of analysis, uncovering ties between different actors and distribution methods. In this paper, we demonstrate the capabilities, privacy and security risks, and prevalence of a particularly successful and active adware business: Wajam, by tracking its evolution over nearly six years. We first study its multi-layer antivirus evasion capabilities, a combination of known and newly adapted techniques, that ensure low detection rates of its daily variants, along with prominent features, e.g., traffic interception and browser process injection. Then, we look at the privacy and security implications for infected users, including plaintext leaks of browser histories and keyword searches on highly popular websites, along with arbitrary content injection on HTTPS webpages and remote code execution vulnerabilities. Finally, we study Wajam's prevalence through the popularity of its domains. Once considered as seriously as spyware, adware is now merely called "not-a-virus", "optional" or "unwanted" although its negative impact is growing. We emphasize that the adware problem has been overlooked for too long, which can reach (or even surplus) the complexity and impact of regular malware, and pose both privacy and security risks to users, more so than many well-known and thoroughly-analyzed malware families.
△ Less
Submitted 17 May, 2019; v1 submitted 13 May, 2019;
originally announced May 2019.
-
The Sorry State of TLS Security in Enterprise Interception Appliances
Authors:
Louis Waked,
Mohammad Mannan,
Amr Youssef
Abstract:
Network traffic inspection, including TLS traffic, in enterprise environments is widely practiced. Reasons for doing so are primarily related to improving enterprise security (e.g., malware detection) and meeting legal requirements. To analyze TLS-encrypted data, network appliances implement a Man-in-the-Middle TLS proxy, by acting as the intended web server to a requesting client (e.g., a browser…
▽ More
Network traffic inspection, including TLS traffic, in enterprise environments is widely practiced. Reasons for doing so are primarily related to improving enterprise security (e.g., malware detection) and meeting legal requirements. To analyze TLS-encrypted data, network appliances implement a Man-in-the-Middle TLS proxy, by acting as the intended web server to a requesting client (e.g., a browser), and acting as the client to the outside web server. As such, the TLS proxy must implement both a TLS client and a server, and handle a large amount of traffic, preferably, in real-time. However, as protocol and implementation layer vulnerabilities in TLS/HTTPS are quite frequent, these proxies must be, at least, as secure as a modern, up-to-date web browser, and a properly configured web server. As opposed to client-end TLS proxies (e.g., as in several anti-virus products), the proxies in network appliances may serve hundreds to thousands of clients, and any vulnerability in their TLS implementations can significantly downgrade enterprise security.
To analyze TLS security of network appliances, we develop a comprehensive framework, by combining and extending tests from existing work on client-end and network-based interception studies. We analyze thirteen representative network appliances over a period of more than a year (including versions before and after notifying affected vendors, a total of 17 versions), and uncover several security issues. For instance, we found that four appliances perform no certificate validation at all, three use pre-generated certificates, and eleven accept certificates signed using MD5, exposing their clients to MITM attacks. Our goal is to highlight the risks introduced by widely-used TLS proxies in enterprise and government environments, potentially affecting many systems hosting security, privacy, and financially sensitive data.
△ Less
Submitted 23 September, 2018;
originally announced September 2018.
-
Playing With Danger: A Taxonomy and Evaluation of Threats to Smart Toys
Authors:
Sharon Shasha,
Moustafa Mahmoud,
Mohammad Mannan,
Amr Youssef
Abstract:
Smart toys have captured an increasing share of the toy market, and are growing ubiquitous in households with children. Smart toys are a subset of Internet of Things (IoT) devices, containing sensors, actuators, and/or artificial intelligence capabilities. They frequently have internet connectivity, directly or indirectly through companion apps, and collect information about their users and enviro…
▽ More
Smart toys have captured an increasing share of the toy market, and are growing ubiquitous in households with children. Smart toys are a subset of Internet of Things (IoT) devices, containing sensors, actuators, and/or artificial intelligence capabilities. They frequently have internet connectivity, directly or indirectly through companion apps, and collect information about their users and environments. Recent studies have found security flaws in many smart toys that have led to serious privacy leaks, or allowed tracking a child's physical location. Some well-publicized discoveries of this nature have prompted actions from governments around the world to ban some of these toys. Compared to other IoT devices, smart toys pose unique risks because of their easily-vulnerable user base, and our work is intended to define these risks and assess a subset of toys against them. We provide a classification of threats specific to smart toys in order to unite and complement existing adhoc analyses, and help comprehensive evaluation of other smart toys. Our threat classification framework addresses the potential security and privacy flaws that can lead to leakage of private information or allow an adversary to control the toy to lure, harm, or distress a child. Using this framework, we perform a thorough experimental analysis of eleven smart toys and their companion apps. Our systematic analysis has uncovered that several current toys still expose children to multiple threats for attackers with physical, nearby, or remote access to the toy.
△ Less
Submitted 25 October, 2018; v1 submitted 14 September, 2018;
originally announced September 2018.
-
Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials
Authors:
Arseny Kurnikov,
Andrew Paverd,
Mohammad Mannan,
N. Asokan
Abstract:
Personal cryptographic keys are the foundation of many secure services, but storing these keys securely is a challenge, especially if they are used from multiple devices. Storing keys in a centralized location, like an Internet-accessible server, raises serious security concerns (e.g. server compromise). Hardware-based Trusted Execution Environments (TEEs) are a well-known solution for protecting…
▽ More
Personal cryptographic keys are the foundation of many secure services, but storing these keys securely is a challenge, especially if they are used from multiple devices. Storing keys in a centralized location, like an Internet-accessible server, raises serious security concerns (e.g. server compromise). Hardware-based Trusted Execution Environments (TEEs) are a well-known solution for protecting sensitive data in untrusted environments, and are now becoming available on commodity server platforms.
Although the idea of protecting keys using a server-side TEE is straight-forward, in this paper we validate this approach and show that it enables new desirable functionality. We describe the design, implementation, and evaluation of a TEE-based Cloud Key Store (CKS), an online service for securely generating, storing, and using personal cryptographic keys. Using remote attestation, users receive strong assurance about the behaviour of the CKS, and can authenticate themselves using passwords while avoiding typical risks of password-based authentication like password theft or phishing. In addition, this design allows users to i) define policy-based access controls for keys; ii) delegate keys to other CKS users for a specified time and/or a limited number of uses; and iii) audit all key usages via a secure audit log. We have implemented a proof of concept CKS using Intel SGX and integrated this into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation performs approximately 6,000 signature operations per second on a single desktop PC. The latency is in the same order of magnitude as using locally-stored keys, and 20x faster than smart cards.
△ Less
Submitted 1 June, 2018; v1 submitted 23 April, 2018;
originally announced April 2018.
-
SafeKeeper: Protecting Web Passwords using Trusted Execution Environments
Authors:
Klaudia Krawiecka,
Arseny Kurnikov,
Andrew Paverd,
Mohammad Mannan,
N. Asokan
Abstract:
Passwords are undoubtedly the most dominant user authentication mechanism on the web today. Although they are inexpensive and easy-to-use, security concerns of password-based authentication are serious. Phishing and theft of password databases are two critical concerns. The tendency of users to re-use passwords across different services exacerbates the impact of these two concerns. Current solutio…
▽ More
Passwords are undoubtedly the most dominant user authentication mechanism on the web today. Although they are inexpensive and easy-to-use, security concerns of password-based authentication are serious. Phishing and theft of password databases are two critical concerns. The tendency of users to re-use passwords across different services exacerbates the impact of these two concerns. Current solutions addressing these concerns are not fully satisfactory: they typically address only one of the two concerns; they do not protect passwords from rogue servers; they do not provide any verifiable evidence of their (server-side) adoption to users; and they face deployability challenges in terms of the cost for service providers and/or ease-of-use for end users.
We present SafeKeeper, a comprehensive approach to protect the confidentiality of passwords in web authentication systems. Unlike previous approaches, SafeKeeper protects user passwords against very strong adversaries, including rogue servers and sophisticated external phishers. It is relatively inexpensive to deploy as it (i) uses widely available hardware security mechanisms like Intel SGX, (ii) is integrated into popular web platforms like WordPress, and (iii) has small performance overhead. We describe a variety of challenges in designing and implementing such a system, and how we overcome them. Through an 86-participant user study, and systematic analysis and experiments, we demonstrate the usability, security and deployability of SafeKeeper, which is available as open-source.
△ Less
Submitted 23 April, 2018; v1 submitted 5 September, 2017;
originally announced September 2017.
