Internet Society Frontpage

Events Membership
About the Internet Standards
Publications  Public Policy
About ISOC Education

Events 

Sponsors
NDSS Sponsors
NDSS 2008 - The Network and Security Conference

NDSS Symposium 2008

The Catamaran Resort Hotel and Spa, San Diego, CA
8 - 11 February

16th Annual Network & Distributed System Security Symposium

Symposium Program

Symposium Schedule

Sunday, February 10
16:30 - 19:30 Registration
18:00 - 20:00 Welcome Reception
 
Monday, February 11
07:30 Registration
07:30 - 08:30 Continental Breakfast
08:30 - 09:00 Introductory Remarks
General Chair: Doug Szajda, University of Richmond
Program Chairs: Crispin Cowan, Mercenary Linux;
Giovanni Vigna, University of California, Santa Barbara
09:00 - 10:30 Keynote
Gary McGraw, CTO of Cigital, Inc. on Breaking Online Games
10:30 - 11:00 Break
11:00 - 12:30 Session 1: Large Scale Systems

A New Privacy-Enhanced Matchmaking Protocol
Ji Sun Shin, Virgil D. Gligor - University of Maryland

Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
David Dagon, Chris Lee, Wenke Lee - Georgia Institute of Technology; Niels Provos - Google Inc.

A Tune-up for Tor: Improving Security and Performance in the Tor Network
Robin Snader, Nikita Borisov - University of Illinois at Urbana-Champaign

12:30 - 13:30 Lunch
13:30 - 15:00 Session 2: Collaborative Systems

Halo-High Assurance Locate for Distributed Hash Tables
Apu Kapadia - Dartmouth College; Nikos Triandopoulos - University of Aarhus, Denmark

Robust Receipt-Free Election System with Ballot Secrecy and Verifiability
Sherman S.M. Chow - New York University; Joseph K. Liu - Institute for Infocomm Research, Singapore; Duncan S. Wong - City Univeristy of Hong Kong

Realizing Massive-Scale Conditional Access Systems Through Attribute-Based Cryptosystems
Patrick Traynor, Kevin Butler, William Enck and Patrick McDaniel - Penn State University

15:00 - 15:30 Break
15:30 - 17:00 Session 3: Privacy

Analyzing Privacy in Enterprise Packet Trace Anonymization
Bruno Ribeiro, Gerome Miklau, Don Towsley - UMass Amherst; Weifeng Chen -John Jay College of Criminal Justice

Taming the Devil: Techniques for Evaluating Anonymized Network Data
Scott Coull, Charles Wright, Fabian Monrose - Johns Hopkins University; Angelos Keromytis - Columbia University; Michael Reiter - University of North Carolina

Usable PIR
Peter Williams, Radu Sion - Stony Brook University

19:00 -22:00 Dinner
 
Tuesday, February 12
07:30 Registration
07:30 - 08:30 Continental Breakfast
08:30 - 10:00 Session 4: Software Hardening

Automated Whitebox Fuzz Testing
Patrice Godefroid – Microsoft Research; Michael Y. Levin - Microsoft Center for Software Excellence; David Molnar - UC Berkeley and Microsoft

Would Diversity Really Increase the Robustness of the Routing Infrastructure Against Software Defects?
Juan Caballero, Theocharis Kampouris – Carnegie Mellon University; Dawn Song - Carnegie Mellon University and UC Berkeley; Jia Wang - AT&T Labs-Research

PRECIP: Practical and Retrofittable Confidential Information Protection Against Spyware Surveillance
XiaoFeng Wang, Zhuowei Li, Jong Youl Choi - Indiana University; Ninghui Li - Purdue University

10:00 - 10:30 Break
10:30 - 12:00 Session 5: Reverse Engineering

Automatic Network Protocol Analysis
Gilbert Wondracek, Christopher Kruegel, Engin Kirda - Technical University Vienna; Paolo Milani – Scuola Superiore S. Anna, Italy

Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution
Zhiqiang Lin, Dongyan Xu, Xiangyu Zhang - Purdue University; Xuxian Jiang - George Mason University

HookFinder: Identifying and Understanding Malware Hooking Behaviors
Heng Yin, Zhenkai Liang - Carnegie Mellon University; Dawn Song - UC Berkeley

12:00 - 13:30 Lunch
13:30 - 15:00 Virtualization & Security Panel
15:00 - 15:30 Break
15:30 - 17:00 Session 6: Intrusive Prevention

Detection and Mitigation of Fast-Flux Service Networks
Thorsten Holz, Christian Gorecki, Felix Freiling – University Mannheim, Germany; Konrad Rieck - Fraunhofer FIRST, Germany

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
Guofei Gu, Junjie Zhang, Wenke Lee - Gerogia Institute of Technology

Limits of Learning-based Signature Generation with Adversaries
Shobha Venkataraman, Avrim Blum, Dawn Song - Carnegie Mellon University

19:00 - 22:00 Dinner
 
Wednesday, February 13
08:00 Registration
08:00 - 09:00 Continental Breakfast
09:00 - 10:30 Invited Talk
Security and Usability: Mind the Gap
Paul Van Oorschot, Carleton University (Canada)
10:30 - 11:00 Break
11:00 - 12:30 Session 7: Malware

Impeding Malware Analysis using Conditional Code Obfuscation
Monirul Sharif, Jonathon Giffin, Wenke Lee - Gerogia Institute of Technology; Andrea Lanzi - Universita’ degli Studi di Milano, Italy

Analysis-Resistant Malware
John Bethencourt, Dawn Song - UC Berkeley/Carnegie Mellon University; Brent Waters - SRI International

Exploiting Opportunistic Scheduling in Cellular Data Networks
Radmilo Racic, Hao Chen, Xin Liu - University of California, Davis; Denys Ma - McAfee

12:30 -13:30 Lunch
13:30 - 15:00 Gong Show
15:00 - 15:30 Parting Remarks

*Paper Presentations

NDSS ’08 will focus on practical aspects of network and distributed system security, with emphasis on actual system design and implementation rather than theory. A major goal of the Symposium is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Presentations on the following papers are planned.

Security and Usability: Mind the Gap
Paul Van Oorschot, Carleton University (Canada)
We consider the question: Is the Internet suitable for use by ordinary people for applications requiring security and/or protection of privacy? We draw on three case studies - online banking (commercial offerings), an anonymous browsing application (Tor freeware), and some proposed password managers (academic proposals with software available). We seek to stimulate discussion, and ask what the role of security specialists should be in improving upon the read-world gap between security and usability in today's Internet software.

Exploiting Opportunistic Scheduling In Cellular Data Networks
Radmilo Racic, Hao Chen and Xin Liu, University of California
Davis Denys Ma, McAfee

Rogue cellular devices within a 3G network relying on opportunistic scheduling algorithms, namely Proportional Fair (PF) and its variants, can exploit PF's as well 3G's vulnerabilities allowing them to usurp the majority of all time slots. Our simulations show that only one rogue device per cell that has 50 users can use up to 90% of the time slots, and can cause a 1.11-second end-to-end inter-packet transmission delay on VoIP applications of every other user in the same cell, effectively rendering the VoIP service useless. To defend against the attacks, we explore a set of attack detection schemes, discuss a variety of modifications to the PF scheduler and their resilience to the attacks, and propose a novel robust handoff algorithm that manages to mitigate the aforementioned attacks.
Read complete paper...

A Tune-up for Tor: Improving Security and Performance in the Tor Network
Robin Snader and Nikita Borisov, University of Illinois at Urbana-Champaign
The Tor anonymous communication network uses self-reported bandwidth values to select routers for building tunnels. Since tunnels are allocated in proportion to this bandwidth, this allows a malicious router operator to attract tunnels for compromise. We propose an opportunistic bandwidth measurement algorithm to replace self-reported values and address both of these problems. We also propose a mechanism to let users tune Tor performance to achieve higher performance or higher anonymity. Our mechanism effectively blends the traffic from users of different preferences, making partitioning attacks difficult.

HookFinder: Identifying and Understanding Malware Hooking Behaviors
Heng Yin and Zhenkai Liang, Carnegie Mellon University
Dawn Song, UC Berkeley

Installing various hooks into the victim system is an important attacking strategy used by malware, including spyware, rootkits, stealth backdoors, and others. In this paper, we propose the first systematic approach to automatically identifying hooks and extracting the hook implanting mechanisms. We propose fine-grained impact analysis, as a unified approach to identify hooking behaviors of malicious code. We have developed a prototype, HookFinder, and conducted extensive experiments using representative malware samples from various categories.

Would Diversity Really Increase the Robustness of the Routing Infrastructure against Software Defects?
Juan Caballero and Theocharis Kampouris, Carnegie Mellon University
Dawn Song, Carnegie Mellon University and UC Berkeley
Jia Wang, AT&T Labs-Research

Network diversity has been proposed as a solution to increase the resilience to software defects, but the benefits have not been clearly studied. In this paper, we find that a small degree of diversity in the network can provide good robustness against simultaneous router failures. In particular, for a large Tier-1 ISP network five implementations suffice. We observe that the best way of applying diversity is to partition the network into contiguous regions that use the same implementation, taking into account the node roles and possibly replicated nodes.

Automated Whitebox Fuzz Testing
Patrice Godefroid, Microsoft Research
Michael Y. Levin, Microsoft Center for Software Excellence
David Molnar, UC Berkeley & Microsoft

We present an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation. Our approach records an actual run of a program under test on a well-formed input, symbolically evaluates the recorded trace, and generates constraints capturing how the program uses its inputs. We have implemented this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for whitebox fuzzing of arbitrary file-reading Windows applications. We describe key optimizations needed to make dynamic test generation scale to large input files and long execution traces with hundreds of millions of instructions. While still in an early stage of development, SAGE has already discovered 30+ new bugs in large shipped Windows applications including image processors, media players, and file decoders. 

Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution
Zhiqiang Lin, Dongyan Xu and Xiangyu Zhang, Purdue University
Xuxian Jiang, George Mason University

In this paper, we present a system named AutoFormat that aims at not only extracting the protocol fields with high accuracy, but also revealing the inherent “non-flat” hierarchical structures of protocol messages. AutoFormat is based on the key observation that different protocol fields in the same message are typically handled in different execution contexts (e.g., the run-time call stack). As such, by monitoring the program's execution, we can collect such execution context information for every message byte (annotated with its offset in the entire message), and then cluster the collected information to derive the protocol format.

Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
David Dagon, Chris Lee and Wenke Lee, Georgia Institute of Technology
Niels Provos, Google Inc.

We study and document an important development in how attackers are using Internet resources: the creation of malicious DNS resolution paths. In this growing form of attack, victims are forced to use rogue DNS servers for all resolution. To document the rise of this "second secret authority" on the Internet, we studied instances of aberrant DNS resolution on a university campus. We found dozens of viruses that corrupt resolution paths, and noted that hundreds of URLs discovered per week performed drive-by alterations of host DNS settings.

Taming the Devil: Techniques for Evaluating Anonymized Network Data
Scott Coull, Charles Wright and Fabian Monrose, Johns Hopkins University
Angelos Keromytis, Columbia University
Michael Reiter, University of North Carolina

Anonymization plays a key role in enabling the public release of network datasets, yet there are few, if any, techniques for evaluating the efficacy of network data anonymization techniques with respect to the privacy they afford. Specifically, we simulate the behavior of an adversary whose goal is to deanonymize objects, such as hosts or web pages, within the network data. By doing so, we are able to quantify the anonymity of the data using information theoretic metrics, objectively compare the efficacy of anonymization techniques, and examine the impact of selective deanonymization on the anonymity of the data.

Realizing Massive-Scale Conditional Access Systems Through Attribute-Based Cryptosystems
Patrick Traynor, Kevin Butler, William Enck and Patrick McDaniel, Penn State University
In this paper, we explore the ability of attribute-based encryption (ABE) to meet the unique performance and security requirements of conditional access systems such as subscription radio and pay-per-view television. We show through empirical study that costs of ABE make its direct application inappropriate, but present constructions that mitigate its incumbent costs. We develop an extensive simulation that allows us to explore the performance of a number of virtual hardware configurations and construction parameters over workloads developed from real subscription and television audiences.

Analyzing Privacy in Enterprise Packet Trace Anonymization
Bruno Ribeiro, Gerome Miklau and Don Towsley, UMass Amherst
Weifeng Chen, John Jay College of Criminal Justice

In this work we present a novel, systematic attack on prefix-preserving anonymization which can be efficiently executed by an adversary in possession of a modest amount of public information about the network. The attack is general (encompassing a range of fingerprinting attacks proposed by others) and flexible (it can be adapted to emerging variants of prefix-preserving anonymization). Perhaps most importantly, we develop analysis tools that allow data publishers to quantify the worst-case vulnerability of their trace given assumptions about the adversary's external information. Using this analysis we quantify the trade-off between privacy and utility of alternatives to full prefix-preserving anonymization.

Hallo-High Assurance Locate for Distributed Hash Tables
Apu Kapadia, Dartmouth College
Nikos Triandopoulos, University of Aarhus, Denmark

We study the problem of reliably searching for resources in untrusted peer-to-peer networks, where a significant portion of the participating network nodes act maliciously. We present a new method called Halo for performing redundant searches over a emph{distributed hash table (DHT)} structure that achieves high integrity levels without affecting the storage and communication complexities of the underlying DHT. In particular, a querier can successfully locate the network node storing an object despite the presence of malicious nodes trying to subvert the locate operation.

Robust Receipt-Free Election System with Ballot Secrecy and Verifiability
Sherman S.M. Chow, New York University
Joseph K. Liu, Institute for Infocomm Research, Singapore
Duncan S. Wong, City University of Hong Kong

We propose a new way of constructing vote-and-go election system without tamper-resistant hardware, randomizer, or anonymous channel. Receipt-freeness is guaranteed even if there is only one voting authority (in a distributed setting) remains honest. Regarding the correctness, voter alone has no chance to tamper with the validity of the final tally, while any misbehaving authority can be detected (and proven to the public) by the tallying center. Robustness can be achieved by fixing the corrupted vote in a verifiable manner. Ballot secrecy cannot be compromised even all tallying authorities collude.

Analysis-Resistant Malware
John Bethencourt, Dawn Song, University of California, Berkeley / Carnegie Mellon University
Brent Waters, SRI International

Traditionally, techniques for computing on encrypted data have been proposed with privacy preserving applications in mind. Several current cryptosystems support a homomorphic operation, allowing simple computations to be performed using encrypted values. This is sufficient to realize several useful applications, including schemes for electronic voting and single server private information retrieval (PIR). In this paper, we introduce an alternative application for these techniques in an unexpected setting: malware. We point out the possibility of malware which renders some aspects of its behavior provably resistant to forensic analysis, even with full control over the malware code, its input, and its execution environment.

Limits of Learning-based Signature Generation with Adversaries
Shobha Venkataraman, Avrim Blum and Dawn Song, Carnegie Mellon University
In this paper, we show fundamental limits on the accuracy of pattern-extraction algorithms for signature-generation in an adversarial setting. We formulate a natural framework that allows a unified analysis of these algorithms, and prove lower bounds on the number of mistakes any pattern- extraction learning algorithm must make under common assumptions, by showing how to adapt results from learning theory. While previous work has targeted specific algorithms, the work of these three authors generalizes these attacks through theoretical analysis to any algorithm with similar assumptions, not just the techniques developed so far.

Usable PIR
Peter Williams and Radu Sion, Stony Brook University
In “On the Practicality of Private Information Retrieval” (NDSS ’07) we showed that existing single-server computational private information retrieval (PIR) protocols for the purpose of preserving client access patterns leakage are orders of magnitude slower than trivially transferring the entire data sets to the inquiring clients. We thus raised the issue of designing efficient PIR mechanisms in practical settings. In this paper we introduce exactly such a technique, guaranteeing access pattern privacy against a computationally bounded adversary, in outsourced data storage, with communication and computation overheads orders of magnitude better than existing approaches. In the presence of a small amount (O(sqrt n), where n is the size of the database) of temporary storage, clients can achieve access pattern privacy with communication and computational complexities of less than O(log^2 n) per query (as compared to e.g., O(log^4 n) for existing approaches).  We achieve these novel results by applying new insights based on probabilistic analyses of data shuffling algorithms to Oblivious RAM, allowing us to significantly improve its asymptotic complexity.

Automatic Network Protocol Analysis
Gilbert Wondracek, Christopher Kruegel and Engin Kirda, Technical University Vienna
Paolo Milani, Scuola Superiore S. Anna

In this paper, we present a novel approach to automatic protocol reverse engineering. The approach works by dynamically monitoring the execution of the application, analyzing how the program is processing the protocol messages that it receives. This is motivated by the insight that an application encodes the complete protocol and represents the authoritative specification of the inputs that it can accept. In a first step, the authors extract information about the fields of individual messages. Then, they aggregate this information to determine a more general specification of the message format, which can include optional or alternative fields.

A New Privacy-Enhanced Matchmaking Protocol
Ji Sun Shin and Virgil D. Gligor, University of Maryland
Although several wide-spread Internet applications (e.g., job-referral services, dating services) can benefit from online matchmaking, protocols defined over the past two decades fail to address important privacy concerns. In this paper, we enhance traditional privacy requirements (e.g., user anonymity, matching-wish authenticity) with new privacy goals (e.g., resistance to off-line dictionary attacks, and forward privacy of users' identities and matching wishes), and argue that privacy-enhanced matchmaking cannot be provided by solutions to seemingly related problems such as secret handshakes, set intersection, and trust negotiation. We define an adversary model, which captures the key security properties of privacy-enhanced matchmaking, and show that a simple, practical protocol derived by a two-step transformation of a password-based authenticated key exchange counters adversary attacks in a provable manner.

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
Guofei Gu, Junjie Zhang and Wenke Lee, Georgia Institute of Technology
Botnets are now recognized as one of the most serious threats to Internet security. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP (and in protocol-conforming manners), making the detection of botnet C&C activities a challenging problem. In this paper, we propose using network-based anomaly detection to identify botnet C&C channels in a local network without any prior knowledge of signatures or C&C server addresses. This detection approach can help identify both the C&C servers and infected hosts in the network.

Impeding Malware Analysis using Conditional Code Obfuscation
Monirul Sharif, Jonathon Giffin and Wenke Lee, Georgia Institute of Technology
Andrea Lanzi, Universita` degli Studi di Milano, Italy

In this paper, we present a malware obfuscation technique that automatically conceals specific condition dependent malicious behavior from malware analyzers that have no prior knowledge of program inputs. Our technique, which is well-suited for concealing trigger-based behavior, automatically transforms a program by encrypting code that is conditionally dependent on some input value with a key derived from the input and then removing the key from the program. We have implemented a compiler-level tool that takes a malware source program and automatically generates an obfuscated binary. Experiments on various existing malware samples show that our tool can hide a significant portion of trigger based code.

PRECIP: Practical and Retrofittable Confidential Information Protection Against Spyware Surveillance
XiaoFeng Wang, Zhuowei Li and Jong Youl Choi, Indiana University
Ninghui Li, Purdue University

A grand challenge in information protection is how to preserve the confidentiality of sensitive information under spyware surveillance. This problem has not been well addressed by the existing access-control mechanisms which cannot prevent the spyware already in a system from monitoring an authorized party's interactions with sensitive data. Our answer to this challenge is PRECIP, a new security policy model for practical and retrofittable confidential information protection. This model is designed to offer efficient online protection for commercial applications and operating systems. It intends to be retrofitted to these applications and systems without modifying their code.

Detection and Mitigation of Fast-Flux Service Networks
Thorsten Holz, Christian Gorecki and Felix Freiling, University Mannheim, Germany
Konrad Rieck, Fraunhofer FIRST, Germany

We present the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely-known phenomenon in the Internet. FFSNs employ DNS to establish a proxy network on compromised machines through which illegal online services can be hosted with very high availability. Through our measurements we show that the threat which FFSNs pose is significant: FFSNs occur on a worldwide scale and already host a substantial percentage of online scams. Based on analysis of the principles of FFSNs, we develop a metric with which FFSNs can be effectively detected. Based on our detection technique we also discuss possible mitigation strategies.