Researchers, students and faculty from the Georgia Institute of Technology present their latest cybersecurity advances at the IEEE Symposium on Security and Privacy, one of the information security community's premier international events.
Three research papers by Georgia Tech researchers, students and faculty were accepted into the peer-reviewed conference, including a fourth in which a Georgia Tech student collaborated in a study led by Tsinghua University in Beijing, China. The conference solicits previously unpublished papers offering novel research contributions in any aspect of security or privacy. Accepted papers signify advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.
The Symposium -- held on May 23-25, 2016 in San Jose, Calif. -- is sponsored by the IEEE Computer Society Technical Committee on Security and Privacy in cooperation with the International Association for Cryptologic Research.
Research by Georgia Tech
Any individual that re-registers an expired domain implicitly inherits the residual trust associated with the domain's prior use. We find that adversaries can, and do, use malicious re-registration to exploit domain ownership changes -- undermining the security of both users and systems. In fact, we find that many seemingly disparate security problems share a root cause in residual domain trust abuse. With this study, we shed light on the seemingly unnoticed problem of residual domain trust by measuring the scope and growth of this abuse over the past six years. During this time, we identified 27,758 domains from public blacklists and 238,279 domains resolved by malware that expired and then were maliciously re-registered. To help address this problem, we propose a technical remedy and discuss several policy remedies. For the former, we develop Alembic, a lightweight algorithm that uses only passive observations from the Domain Name System (DNS) to flag potential domain ownership changes. We identify several instances of residual trust abuse using this algorithm, including an expired APT domain that could be used to revive existing infections.
Chengyu Song (Georgia Institute of Technology), Hyungon Moon (Seoul National University), Monjur Alam, Insu Yun, Byoungyoung Lee, Taesoo Kim, and Wenke Lee (Georgia Institute of Technology), and Yunheung Paek (Seoul National University)
Memory corruption vulnerabilities are the root cause of many modern attacks. Existing defense mechanisms are inadequate. In general, the software-based approaches are not efficient and the hardware-based approaches are not flexible. In this paper, we present hardware-assisted data-flow isolation, or, HDFI, a new fine-grained data isolation mechanism that is broadly applicable and very efficient. HDFI enforces isolation at the machine word granularity by virtually extending each memory unit with an additional tag that is defined by dataflow. This capability allows HDFI to enforce a variety of security models such as the Biba Integrity Model and the Bell-LaPadula Model. We implemented HDFI by extending the RISC-V instruction set architecture (ISA) and instantiating it on the Xilinx Zynq ZC706 evaluation board. We ran several benchmarks including the SPEC CINT 2000 benchmark suite. Evaluation results show that the performance overhead caused by our modification to the hardware is low.
Xiaojing Liao (Georgia Institute of Technology), Kan Yuan and XiaoFeng Wang (Indiana University at Bloomington), Zhongyu Pei, Hao Yang, Jianjun Chen, Haixin Duan, and Kun Du (Tsinghua University), Eihal Alowaisheq, Sumayah Alrwais, and Luyi Xing (Indiana University at Bloomington), and Raheem Beyah (Georgia Institute of Technology)
Promotional infection is an attack in which the adversary exploits a website's weakness to inject illicit advertising content. Detection of such an infection is challenging due to its similarity to legitimate advertising activities. An interesting observation we make in our research is that such an attack almost always incurs a great semantic gap between the infected domain (e.g., a university site) and the content it promotes (e.g., selling cheap viagra). Exploiting this gap, we developed a semantic-based technique, called Semantic Inconsistency Search (SEISE), for efficient and accurate detection of the promotional injections on sponsored top-level domains (sTLD) with explicit semantic meanings. Our approach utilizes Natural Language Processing (NLP) to identify the bad terms (those related to illicit activities like fake drug selling, etc.) most irrelevant to an sTLD's semantics. These terms, which we call irrelevant bad terms (IBTs), are used to query search engines under the sTLD for suspicious domains. Through a semantic analysis on the results page returned by the search engines, SEISE is able to detect those truly infected sites and automatically collect new IBTs from the titles/URLs/snippets of their search result items for finding new infections. Running on 403 sTLDs with an initial 30 seed IBTs, SEISE analyzed 100K fully qualified domain names (FQDN), and along the way automatically gathered nearly 600 IBTs. In the end, our approach detected 11K infected FQDN with a false detection rate of 1.5% and over 90% coverage. Our study shows that by effective detection of infected sTLDs, the bar to promotion infections can be substantially raised, since other non-sTLD vulnerable domains typically have much lower Alexa ranks and are therefore much less attractive for underground advertising. Our findings further bring to light the stunning impacts of such promotional attacks, which compromise FQDNs under 3% of .edu, .gov domains and over one thousand gov.cn domains, including those of leading universities such as stanford.edu, mit.edu, princeton.edu, havard.edu and government institutes such as nsf.gov and nih.gov. We further demonstrate the potential to extend our current technique to protect generic domains such as .com and .org.
More about this work: SEISE Tool Uses Semantic Gaps to Detect Website Promotional Attacks (news release, May 19, 2016)
Download the Paper
"Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf"
Xiaolong Bai (TNList, Tsinghua University, Beijing), Luyi Xing, Nan Zhang, and XiaoFeng Wang (Indiana University Bloomington), Xiaojing Liao (Georgia Institute of Technology), Tongxin Li (Peking University), and Shi-Min Hu (Tsinghua University)
With the popularity of today's usability-oriented designs, dubbed Zero Configuration or ZeroConf, unclear are the security implications of these automatic service discovery, "plug-and-play" techniques. In this paper, we report the first systematic study on this issue, focusing on the security features of the systems related to Apple, the major proponent of ZeroConf techniques. Our research brings to light a disturbing lack of security consideration in these systems' designs: major ZeroConf frameworks on the Apple platforms, including the Core Bluetooth Framework, Multipeer Connectivity and Bonjour, are mostly unprotected and popular apps and system services, such as Tencent QQ, Apple Handoff, printer discovery and AirDrop, turn out to be completely vulnerable to an impersonation or Man-in-the-Middle (MitM) attack, even though attempts have been made to protect them against such threats. The consequences are serious, allowing a malicious device to steal the user's SMS messages, email notifications, documents to be printed out or transferred to another device. Most importantly, our study highlights the fundamental security challenges underlying ZeroConf techniques: in the absence of any pre-configured secret across different devices, authentication has to rely on Apple-issued public-key certificate, which however cannot be properly verified due to the difficulty in finding a unique, nonsensitive and widely known identity of a human user to bind her to her certificate. To address this issue, we developed a suite of new techniques, including a conflict detection approach and a biometric technique that enables the user to speak out her certificate through 6 distinct, rare but pronounceable words to let those who know her voice verify her certificate. We performed a security analysis on the new protection and evaluated its usability and effectiveness using two user studies involving 60 participants. Our research shows that the new protection fits well with the existing ZeroConf systems such as AirDrop. It is well received by users and also providing effective defense even against recently proposed speech synthesis attacks.
About Cybersecurity at Georgia Tech
Information security and privacy research at the Georgia Institute of Technology is a broad, interdisciplinary effort, spanning nine cybersecurity labs across four academic colleges and the Georgia Tech Research Institute, more than 460 researchers, and 200,000 square feet of secured, classified research space. Core research thrusts include cyber defense, policy, consumer-facing privacy, risk, trust, attribution and cyber-physical systems. Research is coordinated by the Institute for Information Security & Privacy (IISP), which leverages intellectual capital from across Georgia Tech and its external partners to address vital solutions for national security, economic continuity, and individual safety. The IISP provides a gateway to faculty, students, and scientists and a central location for national and international collaboration. Unbound by system rigidity or over-inflated egos, the IISP exists to help academia, industry and government discover new solutions together that close the innovation gap with immediate application in the real world.
Tara La Bouff
Marketing Communications Manager