By Topic

Computer Security Applications Conference, 2008. ACSAC 2008. Annual

Date 8-12 Dec. 2008

Filter Results

Displaying Results 1 - 25 of 59
  • [Front cover]

    Page(s): C1
    Save to Project icon | Request Permissions | PDF file iconPDF (144 KB)  
    Freely Available from IEEE
  • [Title page i]

    Page(s): i
    Save to Project icon | Request Permissions | PDF file iconPDF (153 KB)  
    Freely Available from IEEE
  • [Title page iii]

    Page(s): iii
    Save to Project icon | Request Permissions | PDF file iconPDF (83 KB)  
    Freely Available from IEEE
  • [Copyright notice]

    Page(s): iv
    Save to Project icon | Request Permissions | PDF file iconPDF (46 KB)  
    Freely Available from IEEE
  • Table of contents

    Page(s): v - viii
    Save to Project icon | Request Permissions | PDF file iconPDF (255 KB)  
    Freely Available from IEEE
  • Welcome from the Conference Chair

    Page(s): ix
    Save to Project icon | Request Permissions | PDF file iconPDF (107 KB)  
    Freely Available from IEEE
  • Welcome from the Program Chairs

    Page(s): x
    Save to Project icon | Request Permissions | PDF file iconPDF (106 KB)  
    Freely Available from IEEE
  • Conference Committee

    Page(s): xi
    Save to Project icon | Request Permissions | PDF file iconPDF (107 KB)  
    Freely Available from IEEE
  • Program Committee

    Page(s): xii
    Save to Project icon | Request Permissions | PDF file iconPDF (116 KB)  
    Freely Available from IEEE
  • Additional Reviewers and Tutorial Reviewers

    Page(s): xiii
    Save to Project icon | Request Permissions | PDF file iconPDF (109 KB)  
    Freely Available from IEEE
  • ACSAC Steering Committee

    Page(s): xiv
    Save to Project icon | Request Permissions | PDF file iconPDF (106 KB)  
    Freely Available from IEEE
  • Sponsor: Applied Computer Security Associates

    Save to Project icon | Request Permissions | PDF file iconPDF (109 KB)  
    Freely Available from IEEE
  • Structuring for Strategic Cyber Defense: A Cyber Manhattan Project Blueprint

    Page(s): 3 - 10
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (258 KB) |  | HTML iconHTML  

    In February 2002, more than 50 leaders in the information assurance field warned the President of the United States of a national strategic vulnerability in the countrypsilas information infrastructure that could cause mortal damage. Six years later, some motion in the direction of a government strategic investment is beginning to get under way. This essay will address the key capabilities needed at a national scale and how those capabilities might drive a vigorous research and technology agenda. The text also addresses several imperative questions: How might we organize a government activity in which many agencies surely need to be involved yet must march in a coherent direction? What lessons can we learn from the post-Sputnik era to regain leadership in the space race? Has a cyber Sputnik already launched, and, if so, is the US already behind in the cyber space race? View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Practical Applications of Bloom Filters to the NIST RDS and Hard Drive Triage

    Page(s): 13 - 22
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (424 KB) |  | HTML iconHTML  

    Much effort has been expended in recent years to create large sets of hash codes from known files. Distributing these sets has become more difficult as these sets grow larger. Meanwhile the value of these sets for eliminating the need to analyze "known goods'' has decreased as hard drives have dramatically increased in storage capacity. This paper evaluates the use of bloom filters (BFs) to distribute the National Software Reference Library's (NSRL) Reference Data Set (RDS)version 2.19, with 13 million SHA-1 hashes. We present an open source reference BF implementation and validate it against a large collection of disk images. We discuss the tuning of the filters, evaluate discuss how they can be used to enable new forensic functionality, and present a novel attack against bloom filters. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Systematic Signature Engineering by Re-use of Snort Signatures

    Page(s): 23 - 32
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (467 KB) |  | HTML iconHTML  

    Most intrusion detection systems deployed today apply the misuse detection approach. Misuse detection compares recorded audit data with predefined patterns denoted as signatures. A signature is usually empirically engineered based on experience and expert knowledge. This induces relatively long development times for novel signatures causing inappropriate long vulnerability windows. Methods for a systematic engineering have been scarcely reported so far. Approaches for an automated re-use of design and modeling decisions of available signatures also do not exist. In this paper we present an approach for systematic engineering of signatures which is based on the re-use of existing signatures. It exploits similarities with known attacks for the engineering process. The method applies an iterative abstraction of signatures. Based on a weighted assessment of the abstractions the signature engineer can select the most appropriate signatures or fragments of signatures for the development of the signature for a new attack. We demonstrate the usefulness of the method using Snort signatures as example. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Window

    Page(s): 33 - 42
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (417 KB) |  | HTML iconHTML  

    In this paper we present a novel approach of using mathematical models and stochastic simulations to guide and inform security investment and policy change decisions. In particular, we investigate vulnerability management policies, and explore how effective standard patch management and emergency escalation based policies are, and how they can be combined with earlier, pre-patch mitigation measures to reduce the potential exposure window. The paper describes the model we constructed to represent typical vulnerability management processes in large organizations, which captures the external threat environment and the internal security processes and decision points. We also present the results from the experimental simulations, and show how changes in security solutions and policies, such as speeding up patch deployment and investing in early mitigation measures, affect the overall exposure window in terms of the time it takes to reduce the potential risk. We believe that this type of mathematical modelling and simulation-based approach provides a novel and useful way of considering security investment decisions, which is quite distinct from traditional risk analysis. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • New Side Channels Targeted at Passwords

    Page(s): 45 - 54
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (328 KB) |  | HTML iconHTML  

    Side channels are typically viewed as attacks that leak cryptographic keys during cryptographic algorithm processing, by observation of system side effects. In this paper, we present new side channels that leak password information during X Windows keyboard processing of password input. Keylogging is one approach for stealing passwords, but current keylogging techniques require special hardware or privileged processes. However, we have found that the unprivileged operation of modifying the user key mappings for X Windows clients enables a side channel sufficient for unprivileged processes to steal that user's passwords, even enabling the attacker to gain root access via sudo. We successfully tested one version on Linux 2.6; we were able to obtain a high degree of control over the scheduler, and thus we can obtain accurate timing information. A second version (logon detection) works without depending on accurate clocks or cache effects. Thus, in addition to demonstrating new side channels, we show that (a) side channels cannot be eliminated by removing accurate clocks or hardware cache mechanisms (b) side channels are of continued concern for computer security as well as cryptographic processing. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • PinUP: Pinning User Files to Known Applications

    Page(s): 55 - 64
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (456 KB) |  | HTML iconHTML  

    Users commonly download, patch, and use applications such as email clients, office applications, and media-players from the Internet. Such applications are run with the user's full permissions. Because system protections do not differentiate applications, any malcode present in the downloaded software can compromise or otherwise leak all user data. Interestingly, our investigations indicate that common applications often adhere to recognizable workflows on user data. In this paper, we take advantage of this reality by developing protection mechanisms that "pin'' user files to the applications that may use them. These mechanisms restrict access to user data to explicitly stated workflows--thus preventing malcode from exploiting user data not associated with that application. We describe our implementation of PinUP on the Linux Security Modules framework, explore its performance, and study several practical use cases. Through these activities, we show that user data can be protected from untrusted applications while retaining the ability to receive the benefits of those applications. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Defending Against Attacks on Main Memory Persistence

    Page(s): 65 - 74
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (2198 KB) |  | HTML iconHTML  

    Main memory contains transient information for all resident applications. However, if memory chip contents survives power-off, e.g., via freezing DRAM chips, sensitive data such as passwords and keys can be extracted. Main memory persistence will soon be the norm as recent advancements in MRAM and FeRAM position non-volatile memory technologies for widespread deployment in laptop, desktop, and embedded system main memory. Unfortunately, the same properties that provide energy efficiency, tolerance against power failure, and "instant-on'' power-up also subject systems to offline memory scanning. In this paper, we propose a memory encryption control unit (MECU) that provides memory confidentiality during system suspend and across reboots. The MECU encrypts all memory transfers between the processor-local level 2 cache and main memory to ensure plaintext data is never written to the persistent medium. The MECU design is outlined and performance and security trade-offs considered. We evaluate a MECU-enhanced architecture using the SimpleScalar hardware simulation framework on several hardware benchmarks. This analysis shows the majority of memory accesses are delayed by less than 1 ns, with higher access latencies (caused by resume state reconstruction) subsiding within 0.25 seconds of a system resume. In effect, the MECU provides zero-cost steady state memory confidentiality for non-volatile main memory. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Automatic Inference and Enforcement of Kernel Data Structure Invariants

    Page(s): 77 - 86
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (354 KB) |  | HTML iconHTML  

    Kernel-level rootkits affect system security by modifying key kernel data structures to achieve a variety of malicious goals. While early rootkits modified control data structures, such as the system call table and values of function pointers, recent work has demonstrated rootkits that maliciously modify non-control data. Prior techniques for rootkit detection fail to identify such rootkits either because they focus solely on detecting control data modifications or because they require elaborate, manually-supplied specifications to detect modifications of non-control data. This paper presents a novel rootkit detection technique that automatically detects rootkits that modify both control and non-control data. The key idea is to externally observe the execution of the kernel during a training period and hypothesize invariants on kernel data structures. These invariants are used as specifications of data structure integrity during an enforcement phase; violation of these invariants indicates the presence of a rootkit. We present the design and implementation of Gibraltar, a tool that uses the above approach to infer and enforce invariants. In our experiments, we found that Gibraltar can detect rootkits that modify both control and non-control data structures, and that its false positive rate and monitoring overheads are negligible. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • VICI Virtual Machine Introspection for Cognitive Immunity

    Page(s): 87 - 96
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (239 KB) |  | HTML iconHTML  

    When systems are under constant attack, there is no time to restore those infected with malware to health manually--repair of infected systems must be fully automated and must occur within milliseconds. After detecting kernel-modifying rootkit infections using Virtual Machine Introspection, the VICI Agent applies a collection of novel repair techniques to automatically restore infected kernels to a healthy state. The VICI Agent operates without manual intervention and uses a form of automated reasoning borrowed from robotics to choose its best repair technique based on its assessment of the current situation, its memory of past engagements, and the potential cost of each technique. Its repairs have proven effective in tests against a collection of common kernel-modifying rootkit techniques. Virtualized systems monitored by the VICI Agent experience a decrease in application performance of roughly 5%. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense

    Page(s): 97 - 107
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (503 KB) |  | HTML iconHTML  

    A new class of stealthy kernel-level malware, called transient kernel control flow attacks, uses dynamic soft timers to achieve significant work while avoiding any persistent changes to kernel code or data. We demonstrate that soft timers can be used to implement attacks such as a stealthy key logger and a CPU cycle stealer. To defend against these attacks, we propose an approach based on static analysis of the entire kernel, which identifies and catalogs all legitimate soft timer interrupt requests (STIR) in a database. At run-time, a reference monitor in a trusted virtual machine compares each STIR with the database, only allowing the execution of known good STIRs. Our defensive technique has no false negatives because it mediates every STIR execution and prevents execution of all unknown, illegitimate STIRs, and no false positives because the relevant kernel code analyzed was unambiguous. The overhead for this additional security is less than 7% for each of our benchmarks. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • On Purely Automated Attacks and Click-Based Graphical Passwords

    Page(s): 111 - 120
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (483 KB) |  | HTML iconHTML  

    We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention. Our method results in a significantly better automated attack than previous work, guessing 8-15% of passwords for two representative images using dictionaries of less than 224.6 entries, and about 16% of passwords on each of these images using dictionaries of less than 231.4 entries (where the full password space is 243). Relaxing our click-order pattern substantially increased the efficacy of our attack albeit with larger dictionaries of 234.7 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 0.9% and 9.1% on the same two images with 235 guesses). These latter automated attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • YAGP: Yet Another Graphical Password Strategy

    Page(s): 121 - 129
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (402 KB) |  | HTML iconHTML  

    Alphanumeric passwords are widely used in computer and network authentication to protect users' privacy. However, it is well known that long, text-based passwords are hard for people to remember, while shorter ones are susceptible to attack. Graphical password is a promising solution to this problem. Draw-A-Secret (DAS) is a typical implementation based on the user drawing on a grid canvas. Currently, too many constraints result in reduction in user experience and prevent its popularity. A novel graphical password strategy Yet Another Graphical Password (YAGP) inspired by DAS is proposed in this paper. The proposal has the advantages of free drawing positions, strong shoulder surfing resistance and large password space. Experiments illustrate the effectiveness of YAGP. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Privacy-Aware Biometrics: Design and Implementation of a Multimodal Verification System

    Page(s): 130 - 139
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (348 KB) |  | HTML iconHTML  

    A serious concern in the design and use of biometric authentication systems is the privacy protection of the information derived from human biometric traits, especially since such traits cannot be replaced. Combining cryptography and biometrics, several recent works proposed to build the protection in the biometric templates themselves. While these solutions can increase the confidence in biometric systems when biometric information is stored for verification, they have been shown difficult to apply to real biometrics. In this work we present a biometric authentication technique that exploits multiple biometric traits. It is privacy-aware as it ensures privacy protection and allows the extraction of secure identifiers by means of cryptographic primitives. We also discuss the implementation of our approach by considering, as a significant example, the combination of iris and fingerprint biometrics and present experimental results obtained from real data. The implementation shows the feasibility of the scheme in practical applications. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.