Annual Computer Security Applications Conference, 2009 (ACSAC '09)

Date: 7-11 Dec. 2009

Contents (items 1 - 25 of 62)
  • [Front cover]

  • [Title page i]

    Page(s): i

  • [Title page iii]

    Page(s): iii

  • [Copyright notice]

    Page(s): iv

  • Table of contents

    Page(s): v - viii

  • Message from General Chair

    Page(s): ix - x

  • Conference Committee

    Page(s): xi

  • Program Committee

    Page(s): xii

  • Additional reviewers

    Page(s): xiii

  • Tutorial Reviewers/ACSAC Committee

    Page(s): xiv

  • Sponsor: Applied Computer Security Associates

    Page(s): xv

  • ACSA Committee

    Page(s): xvi

  • A Network Access Control Mechanism Based on Behavior Profiles

    Page(s): 3 - 12

    Current network access control (NAC) technologies manage the access of new devices into a network to prevent rogue devices from attacking network hosts or services. Typically, new devices are checked against a set of manually defined policies (rules) before being granted access by the NAC enforcer. The main difficulty with this approach lies in the generation and update of new policies manually as time elapses and all devices have to reestablish their access rights. The BB-NAC mechanism was the first to introduce a novel behavior-based network access control architecture based on behavior profiles and not rules, where behavior-based access control policies were automatically generated. As originally presented, BB-NAC relied on manually pre-determined clusters of behavior which required human intervention and prevented the full automation of the mechanism. In this paper, we present an enhanced BB-NAC mechanism that fully automates the creation of clusters of behavior. The access control is enhanced with the incorporation of automatic behavior clustering, which improves the intrusion detection capabilities by allowing for a more fine-grained definition of normal behavior. Apart from the lack of automatic clustering, the original BB-NAC overlooked the evolution of the mechanism as new behavior profiles were computed over time. As part of our enhancements, we also present an incremental-learning algorithm that automatically updates the behavior-based access control policies. We show that the algorithm is resilient to compromised or fabricated profiles trying to manipulate the policies. We provide extensive experiments with real user profiles computed with their network flows processed from Cisco NetFlow logs captured at our host institution. Our results show that behavior-based access control policies enhance conventional NAC technologies. Specifically, we achieve true rejection rates of 95% for anomalous user profiles separated by one standard deviation from the normal user network behavior. In addition, we also show that the enhanced mechanism can differentiate between normal changes in the behavior profiles (concept drift) and attacks.

  • RoleVAT: Visual Assessment of Practical Need for Role Based Access Control

    Page(s): 13 - 22

    Role based access control (RBAC) is a powerful security administration concept that can simplify permission assignment management. Migration to and maintenance of RBAC requires role engineering, the identification of a set of roles that offer administrative benefit. However, establishing that RBAC is desirable in a given enterprise is lacking in current role engineering processes. To help identify the practical need for RBAC, we propose RoleVAT, a Role engineering tool for the Visual Assessment of user and permission Tendencies. User and permission clusters can be visually identified as potential user groups or roles. The benefit and impact of this visual analysis in enterprise environments is discussed and demonstrated through testing on real life as well as synthetic datasets. Our experimental results show the effectiveness of RoleVAT as well as interesting user and role tendencies in real enterprise environments.

  • How to Securely Break into RBAC: The BTG-RBAC Model

    Page(s): 23 - 31

    Access control models describe frameworks that dictate how subjects (e.g. users) access resources. In the role-based access control (RBAC) model access to resources is based on the role the user holds within the organization. RBAC is a rigid model where access control decisions have only two output options: grant or deny. Break-the-glass (BTG) policies, on the other hand, are flexible and allow users to break or override the access controls in a controlled and justifiable manner. The main objective of this paper is to integrate BTG within the NIST/ANSI RBAC model in a transparent and secure way so that it can be adopted generically in any domain where unanticipated or emergency situations may occur. The new proposed model, called BTG-RBAC, provides a third decision option, BTG, which grants authorized users permission to break the glass rather than be denied access. This can easily be implemented in any application without major changes to either the application code or the RBAC authorization infrastructure, apart from the decision engine. Finally, in order to validate the model, we discuss how the BTG-RBAC model is being introduced within a Portuguese healthcare institution where the legislation requires that genetic information must be accessed by a restricted group of healthcare professionals. These professionals, advised by the ethical committee, have required and asked for the implementation of the BTG concept in order to comply with the said legislation.

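    As an added illustration of the three-valued decision described above (editor-written example code, not the BTG-RBAC authors' implementation), the following Python decision engine answers GRANT, DENY or BTG, records the confirmed override together with its justification, and logs every access subsequently made under a broken glass. The policy, user names and the genetic-record scenario are constructed for the demo; the paper's NIST/ANSI RBAC integration details are not reproduced.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (object, operation)


class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"
    BTG = "btg"  # third option: the user may break the glass but has not yet confirmed


@dataclass
class Policy:
    """Core RBAC relations plus one extra relation for break-the-glass permissions."""
    user_roles: Dict[str, Set[str]]
    role_perms: Dict[str, Set[Permission]]       # ordinary grants
    role_btg_perms: Dict[str, Set[Permission]]   # reachable only by breaking the glass


@dataclass
class BtgRbacEngine:
    policy: Policy
    audit_log: List[dict] = field(default_factory=list)
    broken: Set[Tuple[str, str, str]] = field(default_factory=set)  # (user, obj, op)

    def _roles(self, user: str) -> Set[str]:
        return self.policy.user_roles.get(user, set())

    def _has(self, user: str, perm: Permission, table: Dict[str, Set[Permission]]) -> bool:
        return any(perm in table.get(r, set()) for r in self._roles(user))

    def decide(self, user: str, obj: str, op: str) -> Decision:
        """Return GRANT, DENY or BTG. Only the decision engine changes; the
        application merely has to handle one more answer than before."""
        perm = (obj, op)
        if self._has(user, perm, self.policy.role_perms):
            return Decision.GRANT
        if (user, obj, op) in self.broken:
            # Override already confirmed for this request: grant, but log every use.
            self.audit_log.append({"event": "btg-access", "user": user, "obj": obj, "op": op})
            return Decision.GRANT
        if self._has(user, perm, self.policy.role_btg_perms):
            return Decision.BTG
        return Decision.DENY

    def break_glass(self, user: str, obj: str, op: str, justification: str) -> bool:
        """Confirm the override. Succeeds only for users the policy authorises to
        break the glass, and only with a non-empty justification for the audit trail."""
        if self.decide(user, obj, op) is not Decision.BTG or not justification.strip():
            return False
        self.broken.add((user, obj, op))
        self.audit_log.append({"event": "glass-broken", "user": user, "obj": obj,
                               "op": op, "justification": justification})
        return True


def demo_engine() -> BtgRbacEngine:
    """Constructed healthcare-style policy (assumed, not from the paper): genetic records
    are normally readable only by the genetics team; emergency physicians may break
    the glass to read them; clerks may not."""
    policy = Policy(
        user_roles={"ana": {"geneticist"}, "bruno": {"emergency_physician"}, "clara": {"clerk"}},
        role_perms={"geneticist": {("genetic_record", "read"), ("genetic_record", "write")},
                    "emergency_physician": {("clinical_record", "read")},
                    "clerk": {("appointment", "read")}},
        role_btg_perms={"emergency_physician": {("genetic_record", "read")}},
    )
    return BtgRbacEngine(policy)


if __name__ == "__main__":
    eng = demo_engine()
    for user in ("ana", "bruno", "clara"):
        print(user, eng.decide(user, "genetic_record", "read").value)
    print("override:", eng.break_glass("bruno", "genetic_record", "read",
                                       "patient unconscious, suspected inherited cardiomyopathy"))
    print("after override:", eng.decide("bruno", "genetic_record", "read").value)
    for entry in eng.audit_log:
        print(entry)
```

    The point to notice is that BTG is a property of the decision engine only: the application receives GRANT, DENY or BTG exactly as it would from any policy decision point, and the only new behaviour it needs is to prompt for a justification when it sees BTG.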
  • Computer-Related Risk Futures

    Page(s): 35 - 40

    This paper reflects on many risks in the development and use of computer-related systems. It considers past and future alternatives, suggests some remedial approaches, and offers a few broad conclusions. Various long-touted common-sense approaches that are holistic and proactive are more urgently needed now than ever before.

  • Evaluation of a DPA-Resistant Prototype Chip

    Page(s): 43 - 50

    The recently proposed masked logic style iMDPL seems to eradicate many of the latest points of criticism against masked logic styles in general. By means of a prototype chip containing different implementations we analyze the DPA resistance of iMDPL. Furthermore we compare the results with the logic style's predecessor MDPL, which verifiably suffers from an effect called early propagation. We also investigate iMDPL regarding an advanced attack approach that claims to be able to almost completely remove the effect of masking in masked logic styles.

  • FPValidator: Validating Type Equivalence of Function Pointers on the Fly

    Page(s): 51 - 59

    Validating function pointers dynamically is very useful for intrusion detection since many runtime attacks exploit function pointer vulnerabilities. Most current solutions tackle this problem through checking whether function pointers target the addresses within the code segment or, more strictly, valid function entries. However, they cannot detect function entry attacks that manipulate function pointers to target valid function entries but invoke them maliciously. This paper proposes FPValidator, a new solution capable of dynamically validating the type equivalence between function pointers and target functions, which can detect all function entry attacks that violate type equivalence. An effective and efficient type matching approach based on labeled type signature is proposed to perform fast type equivalence checking. The validation code and necessary type information are inserted by a compilation-stage instrumentation mechanism, bringing no extra burden to developers. We integrate FPValidator into GCC and evaluation shows that its performance overhead is only about 2%.

  • Surgically Returning to Randomized lib(c)

    Page(s): 60 - 69

    To strengthen systems against code injection attacks, the write or execute only policy (W⊕X) and address space layout randomization (ASLR) are typically used in combination. The former separates data and code, while the latter randomizes the layout of a process. In this paper we present a new attack to bypass W⊕X and ASLR. The state-of-the-art attack against this combination of protections is based on brute-force, while ours is based on the leakage of sensitive information about the memory layout of the process. Using our attack an attacker can exploit the majority of programs vulnerable to stack-based buffer overflows surgically, i.e., in a single attempt. We have estimated that our attack is feasible on 95.6% and 61.8% executables (of medium size) for Intel x86 and x86-64 architectures, respectively. We also analyze the effectiveness of other existing protections at preventing our attack. We conclude that position independent executables (PIE) are essential to complement ASLR and to prevent our attack. However, PIE requires recompilation, it is often not adopted even when supported, and it is not available on all ASLR-capable operating systems. To overcome these limitations, we propose a new protection that is as effective as PIE, does not require recompilation, and introduces only a minimal overhead.

  • SecureMR: A Service Integrity Assurance Framework for MapReduce

    Page(s): 73 - 82

    MapReduce has become increasingly popular as a powerful parallel data processing model. To deploy MapReduce as a data processing service over open systems such as service oriented architecture, cloud computing, and volunteer computing, we must provide necessary security mechanisms to protect the integrity of MapReduce data processing services. In this paper, we present SecureMR, a practical service integrity assurance framework for MapReduce. SecureMR consists of five security components, which provide a set of practical security mechanisms that not only ensure MapReduce service integrity and prevent replay and denial of service (DoS) attacks, but also preserve the simplicity, applicability and scalability of MapReduce. We have implemented a prototype of SecureMR based on Hadoop, an open source MapReduce implementation. Our analytical study and experimental results show that SecureMR can ensure data processing service integrity while imposing low performance overhead.

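    The abstract names integrity and replay as threats but does not describe the mechanism, so the following is an editor-added Python sketch of one generic way to obtain those two properties in a MapReduce master, not SecureMR's own protocol: each map task is run on two workers with a fresh nonce, each worker returns a commitment (hash of its output bound to the task and nonce), and the master accepts the result only if both commitments verify against the returned output and agree with each other. The word-count map function, the honest, lazy and replaying worker classes, and the input split are all constructed for the demo.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

KV = List[Tuple[str, int]]


def word_count_map(split: str) -> KV:
    """The map function being protected: plain word count over one input split."""
    return [(w.lower(), 1) for w in split.split()]


def commitment(task_id: str, nonce: bytes, output: KV) -> str:
    """Hash of the canonical output, bound to this task and to the master's fresh nonce.
    The nonce binding is what stops a worker from replaying an earlier accepted result."""
    h = hashlib.sha256()
    h.update(task_id.encode())
    h.update(nonce)
    for key, value in sorted(output):
        h.update(f"{key}\x00{value}\n".encode())
    return h.hexdigest()


class Worker:
    """Honest mapper: runs the map function and commits to what it produced."""

    def __init__(self, name: str):
        self.name = name

    def run(self, task_id: str, nonce: bytes, split: str) -> Tuple[str, KV]:
        out = word_count_map(split)
        return commitment(task_id, nonce, out), out


class LazyWorker(Worker):
    """Cheats to save cycles: processes only the first half of the split."""

    def run(self, task_id, nonce, split):
        out = word_count_map(split[: len(split) // 2])
        return commitment(task_id, nonce, out), out


class ReplayingWorker(Worker):
    """Answers every task with the first (commitment, output) pair it ever returned."""

    def __init__(self, name: str):
        super().__init__(name)
        self.cached: Optional[Tuple[str, KV]] = None

    def run(self, task_id, nonce, split):
        if self.cached is None:
            self.cached = super().run(task_id, nonce, split)
        return self.cached


class Master:
    def __init__(self):
        self.suspects: List[str] = []

    def run_task(self, task_id: str, split: str, replicas: List[Worker]) -> Optional[KV]:
        """Schedule the same split on each replica under one fresh nonce. Accept the
        output only if every commitment is internally valid and all of them agree."""
        nonce = os.urandom(16)
        results: Dict[str, Tuple[str, KV]] = {}
        for w in replicas:
            c, out = w.run(task_id, nonce, split)
            # Check 1: the commitment must cover this output, this task and this nonce.
            if c != commitment(task_id, nonce, out):
                self.suspects.append(w.name)  # stale or forged result: replay caught
                continue
            results[w.name] = (c, out)
        if len(results) < 2:
            return None  # not enough valid replicas to cross-check; reschedule
        if len({c for c, _ in results.values()}) != 1:
            # Check 2: replicas disagree. With two copies we cannot tell which one
            # is wrong, so flag both and let the scheduler reassign the task.
            self.suspects.extend(results)
            return None
        return next(iter(results.values()))[1]


SPLIT = "the quick brown fox jumps over the lazy dog the end"  # constructed input
```

    Check 1 alone catches the replaying worker, because a cached commitment was bound to an old nonce and no longer matches a recomputation under the current one; check 2 is what detects a worker that returns a wrong but self-consistent result, at the cost of doubling the work for the replicated tasks.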
  • Justifying Integrity Using a Virtual Machine Verifier

    Page(s): 83 - 92

    Emerging distributed computing architectures, such as grid and cloud computing, depend on the high integrity execution of each system in the computation. While integrity measurement enables systems to generate proofs of their integrity to remote parties, we find that current integrity measurement approaches are insufficient to prove runtime integrity for systems in these architectures. Integrity measurement approaches that are flexible enough have an incomplete view of runtime integrity, possibly leading to false integrity claims, and approaches that provide comprehensive integrity do so only for computing environments that are too restrictive. In this paper, we propose an architecture for building comprehensive runtime integrity proofs for general purpose systems in distributed computing architectures. In this architecture, we strive for classical integrity, using an approximation of the Clark-Wilson integrity model as our target. Key to building such integrity proofs is a carefully crafted host system whose long-term integrity can be justified easily using current techniques and a new component, called a VM verifier, which comprehensively enforces our integrity target on VMs. We have built a prototype based on the Xen virtual machine system for SELinux VMs, and find that distributed compilation can be implemented, providing accurate proofs of our integrity target with less than 4% overhead.

  • Scalable Web Content Attestation

    Page(s): 95 - 104

    The Web is a primary means of information sharing for most organizations and people. Currently, a recipient of Web content knows nothing about the environment in which that information was generated other than the specific server from whence it came (and even that information can be unreliable). In this paper, we develop and evaluate the Spork system that uses the trusted platform module (TPM) to tie the Web server integrity state to the Web content delivered to browsers, thus allowing a client to verify that the origin of the content was functioning properly when the received content was generated and/or delivered. We discuss the design and implementation of the Spork service and its browser-side Firefox validation extension. In particular, we explore the challenges and solutions of scaling the delivery of mixed static and dynamic content using exceptionally slow TPM hardware. We perform an in-depth empirical analysis of the Spork system within Apache Web servers. This analysis shows Spork can deliver nearly 8,000 static or over 7,000 dynamic integrity-measured Web objects per-second. More broadly, we identify how TPM-based content Web services can scale with manageable overheads and deliver integrity-measured content with manageable overhead.

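    Added example (editor's code, not the Spork implementation) of the scaling idea behind the abstract: a TPM quote takes on the order of a second, so rather than quoting once per object, one quote is taken over the Merkle root of a batch of content hashes and each object ships with its inclusion proof, letting the browser verify thousands of objects per quote. The TPM_Quote signature is modelled here by an HMAC under a shared key standing in for the attestation identity key (AIK), the PCR composite is an arbitrary digest, and the object names and bodies are constructed; a real verifier would instead check the TPM's signature against the server's AIK certificate.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

Proof = List[Tuple[str, bytes]]  # (side of the sibling, sibling hash), leaf to root


def H(*parts: bytes) -> bytes:
    d = hashlib.sha256()
    for p in parts:
        d.update(p)
    return d.digest()


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Merkle tree bottom-up; an odd level is padded by repeating its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def proof_for(levels: List[List[bytes]], index: int) -> Proof:
    proof: Proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof


def root_from_proof(leaf: bytes, proof: Proof) -> bytes:
    node = leaf
    for side, sibling in proof:
        node = H(sibling, node) if side == "L" else H(node, sibling)
    return node


def leaf_hash(name: str, body: bytes) -> bytes:
    # The object name is part of the leaf so a proof for /a cannot be passed off as /b.
    return H(name.encode(), b"\x00", body)


class AttestingServer:
    """One slow quote covers a whole batch of objects through the Merkle root."""

    def __init__(self, aik: bytes, pcr_digest: bytes):
        self.aik = aik                # stand-in for the TPM's attestation identity key
        self.pcr_digest = pcr_digest  # stand-in for the PCR composite measured at boot

    def quote(self, root: bytes, nonce: bytes) -> bytes:
        # Stand-in for TPM_Quote: a real TPM signs (PCR composite, external data) with the
        # AIK; here the signature is modelled as an HMAC over the same fields.
        return hmac.new(self.aik, self.pcr_digest + root + nonce, hashlib.sha256).digest()

    def serve_batch(self, objects: Dict[str, bytes], nonce: bytes) -> dict:
        names = sorted(objects)
        levels = build_levels([leaf_hash(n, objects[n]) for n in names])
        root = levels[-1][0]
        return {"pcr_digest": self.pcr_digest, "root": root, "nonce": nonce,
                "quote": self.quote(root, nonce),
                "objects": {n: {"body": objects[n], "proof": proof_for(levels, i)}
                            for i, n in enumerate(names)}}


def verify_object(batch: dict, name: str, aik: bytes, nonce: bytes, known_good_pcr: bytes) -> bool:
    """Browser-side check: authentic and fresh quote, known-good platform, object in batch."""
    expected = hmac.new(aik, batch["pcr_digest"] + batch["root"] + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, batch["quote"]):
        return False  # forged quote, or a quote replayed under an old nonce
    if not hmac.compare_digest(batch["pcr_digest"], known_good_pcr):
        return False  # the server booted something other than the approved stack
    entry = batch["objects"].get(name)
    if entry is None:
        return False
    leaf = leaf_hash(name, entry["body"])
    return hmac.compare_digest(root_from_proof(leaf, entry["proof"]), batch["root"])


# Constructed demo data: the key and measurement values are arbitrary stand-ins.
DEMO_AIK = b"demo-attestation-key"
DEMO_PCR = H(b"bios", b"bootloader", b"kernel", b"httpd", b"spork-module")
DEMO_OBJECTS = {
    "/index.html": b"<h1>welcome</h1>",
    "/app.js": b"console.log('hi')",
    "/api/balance": b'{"balance": 42}',  # dynamic content, hashed as it is generated
}
```

    The batching means the per-object cost is a few hashes plus a logarithmic-size proof, while the single TPM operation is amortised over the whole batch; the freshness of each batch still rests on the nonce the client supplied for that quote.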
  • A Study of User-Friendly Hash Comparison Schemes

    Page(s): 105 - 114

    Several security protocols require a human to compare two hash values to ensure successful completion. When the hash values are represented as long sequences of numbers, humans may make a mistake or require significant time and patience to accurately compare the hash values. To improve usability during comparison, a number of researchers have proposed various hash representations that use words, sentences, or images rather than numbers. This is the first work to perform a comparative study of these hash comparison schemes to determine which scheme allows the fastest and most accurate comparison. To evaluate the schemes, we performed an online user study with more than 400 participants. Our findings indicate that only a small number of schemes allow quick and accurate comparison across a wide range of subjects from varying backgrounds.

  • Modeling Modern Network Attacks and Countermeasures Using Attack Graphs

    Page(s): 117 - 126

    By accurately measuring risk for enterprise networks, attack graphs allow network defenders to understand the most critical threats and select the most effective countermeasures. This paper describes substantial enhancements to the NetSPA attack graph system required to model additional present-day threats (zero-day exploits and client-side attacks) and countermeasures (intrusion prevention systems, proxy firewalls, personal firewalls, and host-based vulnerability scans). Point-to-point reachability algorithms and structures were extensively redesigned to support "reverse" reachability computations and personal firewalls. Host-based vulnerability scans are imported and analyzed. Analysis of an operational network with 84 hosts demonstrates that client-side attacks pose a serious threat. Experiments on larger simulated networks demonstrated that NetSPA's previous excellent scaling is maintained. Less than two minutes are required to completely analyze a four-enclave simulated network with more than 40,000 hosts protected by personal firewalls.

  • Evaluating Network Security With Two-Layer Attack Graphs

    Page(s): 127 - 136

    Attack graphs play important roles in analyzing network security vulnerabilities, and previous works have provided meaningful conclusions on the generation and security measurement of attack graphs. However, it is still hard for us to understand attack graphs in a large network, and few suggestions have been proposed to prevent inside malicious attackers from attacking networks. To address these problems, we propose a novel approach to generate and describe attack graphs. Firstly, we construct a two-layer attack graph, where the upper layer is a host access graph and the lower layer is composed of some host-pair attack graphs. Compared with previous works, our attack graph has simpler structures, and reaches the best upper bound of computation cost in O(N²). Furthermore, we introduce the adjacency matrix to efficiently evaluate network security, with overall evaluation results presented by gray scale images vividly. Thirdly, by applying prospective damage and important weight factors on key hosts with crucial resources, we can create prioritized lists of potential threatening hosts and stepping stones, both of which can help network administrators to harden network security. Analysis on computation cost shows that the upper bound computation cost of our measurement methodology is O(N³), which could also be completed in real time. Finally, we give some examples to show how to put our methods in practice.

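    Added example (editor's code; the paper's exact metrics and its host-pair attack graph construction are not reproduced) of the two-layer idea in Python: each host-pair attack graph is collapsed into one entry of a host access adjacency matrix, multi-hop reachability is computed with a Warshall closure, and hosts are then ranked as threatening hosts and as stepping stones by the weighted assets they can reach. The network, ports, vulnerabilities and asset weights are constructed for the demo; the closure is O(N³) in the number of hosts, the same order as the bound quoted in the abstract.

```python
from typing import Dict, List, Set, Tuple

Hosts = List[str]
Reach = Dict[Tuple[str, str], Set[int]]    # (src, dst) -> ports src can reach on dst
Vulns = Dict[str, List[Tuple[int, str]]]  # host -> [(vulnerable port, privilege gained)]


def host_access_matrix(hosts: Hosts, reach: Reach, vulns: Vulns) -> List[List[int]]:
    """Upper layer: A[i][j] = 1 if an attacker holding hosts[i] can compromise hosts[j]
    in one hop. Each entry collapses the host-pair attack graph for (i, j); here that
    graph is reduced to 'some vulnerable service on j is reachable from i'."""
    n = len(hosts)
    A = [[0] * n for _ in range(n)]
    for i, src in enumerate(hosts):
        for j, dst in enumerate(hosts):
            if i == j:
                continue
            ports = reach.get((src, dst), set())
            if any(port in ports for port, _priv in vulns.get(dst, [])):
                A[i][j] = 1
    return A


def transitive_closure(A: List[List[int]]) -> List[List[int]]:
    """Multi-hop reachability (Warshall's algorithm), O(N^3) in the number of hosts."""
    n = len(A)
    R = [row[:] for row in A]
    for i in range(n):
        R[i][i] = 1
    for k in range(n):
        for i in range(n):
            if R[i][k]:
                for j in range(n):
                    if R[k][j]:
                        R[i][j] = 1
    return R


def threatening_hosts(hosts: Hosts, R, weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank hosts by the total asset weight an attacker could reach from each of them."""
    scores = []
    for i, h in enumerate(hosts):
        damage = sum(weights.get(hosts[j], 0.0) for j in range(len(hosts)) if j != i and R[i][j])
        scores.append((h, damage))
    return sorted(scores, key=lambda s: (-s[1], s[0]))


def stepping_stones(hosts: Hosts, R, weights: Dict[str, float], entry: str, key_threshold: float):
    """Non-key hosts reachable from `entry` from which some key host (weight >= threshold)
    is reachable, scored by the key-host weight they expose."""
    e = hosts.index(entry)
    key = [j for j, h in enumerate(hosts) if weights.get(h, 0.0) >= key_threshold]
    out = []
    for i, h in enumerate(hosts):
        if i == e or i in key or not R[e][i]:
            continue
        value = sum(weights[hosts[j]] for j in key if j != i and R[i][j])
        if value > 0:
            out.append((h, value))
    return sorted(out, key=lambda s: (-s[1], s[0]))


def grayscale_rows(R) -> List[str]:
    """The paper renders the matrix as a gray-scale image; an ASCII sketch of it here."""
    return ["".join("#" if v else "." for v in row) for row in R]


# Constructed example network (assumed for the demo).
HOSTS = ["internet", "web", "app", "db", "admin"]
REACH: Reach = {
    ("internet", "web"): {80, 443},
    ("web", "app"): {8080},
    ("app", "db"): {3306},
    ("app", "admin"): {22},
    ("admin", "web"): {22, 80}, ("admin", "app"): {22, 8080}, ("admin", "db"): {22, 3306},
}
VULNS: Vulns = {"web": [(80, "user")], "app": [(8080, "root")],
                "db": [(3306, "root")], "admin": [(22, "root")]}
WEIGHTS = {"internet": 0.0, "web": 1.0, "app": 3.0, "db": 10.0, "admin": 8.0}


def analyse():
    A = host_access_matrix(HOSTS, REACH, VULNS)
    R = transitive_closure(A)
    return A, R, threatening_hosts(HOSTS, R, WEIGHTS), stepping_stones(HOSTS, R, WEIGHTS, "internet", 8.0)


if __name__ == "__main__":
    A, R, threats, stones = analyse()
    print("\n".join(grayscale_rows(R)))
    print("threatening hosts:", threats)
    print("stepping stones toward key hosts:", stones)
```

    In the constructed network the closure shows the internet-facing host reaching every asset through the application tier, so both the web and application servers surface as stepping stones toward the database and admin hosts, which is where a defender would place the segmentation or patching effort first.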