NDSS 2011 - The Network and Security Conference

NDSS Symposium 2011

The Dana on Mission Bay
San Diego, California
6-9 February 2011

18th Annual Network & Distributed System Security Symposium

Symposium Program

Sunday, 6 February
16:00-19:00 Registration
18:00-20:00 Welcome Reception
Monday, 7 February
07:30-08:30 Continental Breakfast

Introductory Remarks

General Chair: Doug Szajda, University of Richmond
Program Chair: Adrian Perrig, Carnegie Mellon University


Opening & Keynote

Liam O Murchu


Session 1: Secure Emerging Applications: Social Networks and Smartphones

12:30-13:30 Lunch

Session 2: Wireless Attacks!


Session 3: OS Security

Tuesday, 8 February
07:30-08:30 Continental Breakfast

Session 4: Network Malware


Session 5: Software Security / Code Analysis

12:30-13:30 Lunch

Session 6: Web Security


Session 7: Network Security

19:00-21:00 Buffet Dinner
Wednesday, 9 February
08:00-09:00 Continental Breakfast

Session 8: Real-World Security: Cloud Computing, Biometrics, and Humans


Session 9: Privacy

12:30-13:30 Lunch

NDSS ’11 will focus on practical aspects of network and distributed system security, with emphasis on actual system design and implementation rather than theory. A major goal of the Symposium is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. The following presentations are planned.

Opening Keynote

Liam O Murchu
Stuxnet Worm expert and Symantec's manager of security response operations for North America, Liam O Murchu, will be the NDSS '11 keynote speaker. In his work, O Murchu oversees a team of reverse engineers ensuring appropriate and timely response to malware outbreaks. O Murchu also blogs on Stuxnet and other security threats at

Research Paper Presentations

Session 1: Secure Emerging Applications: Social Networks and Smartphones

Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones

Roman Schlegel, Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and XiaoFeng Wang
We introduce Soundcomber, a "sensory malware" for smartphones that uses the microphone to steal private information from phone conversations. Soundcomber is lightweight and stealthy. It uses targeted profiles to locally analyze portions of speech likely to contain information such as credit card numbers. It evades known defenses by transferring small amounts of private data to the malware server utilizing smartphone-specific covert channels. Additionally, we present a general defensive architecture that prevents such sensory malware attacks.

A Security API for Distributed Social Networks

Michael Backes, Matteo Maffei, and Kim Pecina
We present a cryptographic framework to achieve access control, privacy of social relations, secrecy of resources, and anonymity of users in social networks. We illustrate our technique on a core API for social networking, which includes methods for establishing social relations and for sharing resources. As we do not put any constraints on the underlying social network, our framework is generally applicable and, in particular, constitutes an ideal plug-in for decentralized social networks.

Location Privacy via Private Proximity Testing

Arvind Narayanan, Narendran Thiagarajan, Mugdha Lakhani, Mike Hamburg, and Dan Boneh
We study privacy-preserving tests for proximity: Alice can test if she is close to Bob without either party revealing any other information about each other's location. We describe several secure protocols that support private proximity testing at various levels of granularity. We introduce the concept of location tags generated from the physical environment in order to strengthen the security of proximity testing. We implemented our system on the Android platform and report on its effectiveness. Our system uses a social network (Facebook) to manage user public keys. We argue that for proximity testing, social networks are better suited for managing user keys than traditional PKI.

Session 2: Wireless Attacks!

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Aurelien Francillon, Boris Danev, and Srdjan Capkun
We demonstrate relay attacks on Passive Keyless Entry and Start (PKES) systems used in modern cars. We build two attack realizations, wired and wireless physical-layer relays. They allow the attacker to enter and start a car by relaying messages between the car and the smart key, independently of the presence of authentication and encryption. We evaluate PKES systems of 10 car models from 8 manufacturers, discuss relevant systems’ details and propose a set of countermeasures.

Using Classification to Protect the Integrity of Spectrum Measurements in White Space Networks

Omid Fatemieh, Ali Farhadi, Ranveer Chandra, and Carl A. Gunter
A key enabling technology for forming networks over the TV white-spaces is the aggregation of spectrum availability data from multiple sources. However, this aggregation is vulnerable to maliciously misreported measurements. We propose a technique that uses trusted propagation data to build an SVM classifier, which is subsequently used to detect violations. Our work eliminates the need for arbitrary assumptions about propagation models and parameters. Evaluations using FCC and NASA data show our technique is effective.

Good Neighbor: Ad hoc Pairing of Nearby Wireless Devices by Multiple Antennas

Liang Cai, Kai Zeng, Hao Chen, and Prasant Mohapatra
The paper proposes a proximity-based wireless device pairing scheme. Its basic idea is that a wireless device with two antennas can infer the proximity of another device to one of its antennas by the difference between the RSS values read from its two antennas. The paper validates the scheme by theoretical analysis and experimental measurements. A prototype is implemented to demonstrate its practicality.

Session 3: OS Security

Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions

Xi Xiong, Donghai Tian, and Peng Liu
This paper presents HUKO, a hypervisor-based integrity protection system designed to protect commodity OS kernels from untrusted extensions (e.g., drivers). In the HUKO system, the behaviors of untrusted extensions are confined by mandatory access control policies so that they cannot subvert the integrity of the kernel. HUKO leverages contemporary hardware-assisted virtualization features to achieve an efficient isolation and reference monitor framework, which is essential to provide kernel integrity protection in multiple aspects.

Efficient Monitoring of Untrusted Kernel-Mode Execution

Abhinav Srivastava and Jonathon Giffin
We design and implement a hypervisor-based system called Gateway that monitors kernel APIs invoked by drivers. Gateway creates a hardened, non-bypassable monitoring interface by isolating drivers in an address space separate from the kernel. To overcome the performance degradation introduced by switches between these separate address spaces, our design rewrites the binary kernel and driver code at runtime and generates new code on demand to optimize the address space transition speed.

SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures

Zhiqiang Lin, Junghwan Rhee, Xiangyu Zhang, Dongyan Xu, and Xuxian Jiang
Brute force scanning of OS kernel memory images requires context-free signatures of individual data structures. We present SigGraph, a framework that systematically generates non-isomorphic kernel data structure signatures, each being a graph rooted at the corresponding data structure with edges reflecting "points-to" relations with other data structures. SigGraph-generated signatures achieve high accuracy and robustness without requiring global memory mapping and object reachability, with applicability to kernel memory forensics, rootkit detection, and kernel version inference.

Session 4: Network Malware

Losing Control of the Internet: Using the Data Plane to Attack the Control Plane

Max Schuchard, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim, and Eugene Y. Vasserman
Internet control plane events propagate globally; as a result, an excess of these events can disrupt core Internet routers. This can lead to network instability, resulting in loss of connectivity and data. We investigate the possibility of intentionally generating these incidents without compromising BGP speakers. We show via simulation that such events can be generated by modestly-sized botnets. Further, we show these attacks are difficult to repel with any currently-deployed defense mechanisms.

EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis

Leyla Bilge, Engin Kirda, Christopher Kruegel, and Marco Balduzzi
In our paper, we present EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity. We introduce a number of novel features that we extract from the DNS traffic to characterize the behavior of malicious domains. Our experiments show that our approach is scalable and is able to automatically identify unknown domains that are misused in a wide range of malicious activities.

Session 5: Software Security / Code Analysis

Howard: A Dynamic Excavator for Reverse Engineering Data Structures

Asia Slowinska, Traian Stancescu, and Herbert Bos
Howard is a new solution to extract data structures from C binaries without any need for symbol tables. Our results are significantly more accurate than those of previous methods and allow one to generate partial symbol tables without access to source code. Also, we show that we can protect existing binaries from memory corruption attacks, again without source code. Howard uses dynamic analysis and detects data structures by tracking how a program uses memory.

No Loitering: Exploiting Lingering Vulnerabilities in Default COM Objects

David Dewey and Patrick Traynor
The Component Object Model (COM) facilitates the creation of software plug-ins for applications running in Microsoft Windows. As vulnerabilities in COM objects have been found, Microsoft has responded by blacklisting their use by specific applications. In this paper, we demonstrate that this blacklist can be easily circumvented. After demonstrating this weakness on fully patched Windows machines, we design and implement an enforcement architecture called COMBlocker, which successfully prevents the instantiation of known flawed controls.

TIE: Principled Reverse Engineering of Types in Binary Programs

JongHyup Lee, Thanassis Avgerinos, and David Brumley
A recurring problem in security is reverse engineering binary code to recover high-level language data abstractions and types. We develop novel techniques for reverse engineering data type abstractions. At the heart of our approach is a type reconstruction system based upon binary code analysis. Our results show TIE is both more conservative and more accurate than existing mechanisms.

DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation

Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song
Dynamic taint analysis (DTA) suffers false negatives caused by control flow. We propose DTA++ to automatically diagnose under-tainting in information-preserving transformations and propagate taint along a subset of control dependencies. Applied to 8 Windows applications such as Microsoft Word, DTA++ efficiently avoids under-tainting while introducing little over-tainting.

AEG: Automatic Exploit Generation

Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, and David Brumley
We develop the first techniques for automatic exploit generation, where given a program we automatically find bugs and generate working control-flow hijack exploits. Our approach uses a novel formal verification technique called preconditioned symbolic execution to make automatic exploit generation feasible on real-world programs. We implemented our techniques in a system called AEG, which we use to automatically generate 16 exploits for 14 open-source projects. Two of the generated exploits are zero-day exploits.

Session 6: Web Security

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda
HTTP Parameter Pollution (HPP) is a new class of injection vulnerabilities that uses parameter delimiters to compromise the logic of web applications and to perform client or server-side attacks. Our paper presents the first automated system (called PAPAS) for the discovery of HPP flaws. Our experimental results suggest that HTTP Parameter Pollution flaws are largely unknown by web developers: Over 14% of the 5,000 popular websites we analyzed can be exploited by HPP attacks.

WebShield: Enabling Various Web Defense Techniques without Client Side Modifications

Zhichun Li, Yi Tang, Yinzhi Cao, Vaibhav Rastogi, Yan Chen, Bin Liu, and Clint Sbisa
Defense adoption tends to be slow if requiring end-host modification. This paper presents WebShield, a middlebox framework for preventing web attacks without end-host modification. WebShield runs all potentially malicious JavaScripts in a sandboxed shadow browser inside the middlebox, encodes visual effects into DOM updates, and renders them using a trusted JavaScript agent inside the client’s browser. The agent also forwards user inputs back to the shadow browser. Since most web attacks require running malicious scripts, WebShield reduces the attack surface. Moreover, various host-based defense mechanisms can be plugged into the WebShield middlebox, which makes the defense adoption easier.

HTTPOS: Sealing Information Leaks with Browser-side Obfuscation of Encrypted Flows

Xiapu Luo, Peng Zhou, Edmond W. W. Chan, Wenke Lee, Rocky K. C. Chang, and Roberto Perdisci
Leakage of private information from web applications—even when the traffic is encrypted—is a serious security threat to many applications using HTTP for data delivery. In this paper, we present HTTPOS, a browser-side approach that provides a comprehensive suite of traffic-transformation techniques to prevent the state-of-the-art traffic analysis attacks from inferring private information from encrypted HTTP flows. Unlike existing server-side approaches, HTTPOS has much better scalability and flexibility, and doesn’t require changing the servers.

Session 7: Network Security

Accurate and Provably Secure Latency Estimation with Treeple

Eric Chan-Tin and Nicholas Hopper
A network latency estimation scheme associates a short "position string" to each peer in a distributed system so that the latency between any two peers can be estimated given only their positions. Applications for these schemes have included efficient overlay construction, byzantine agreement, and compact routing. This paper introduces Treeple, a new scheme for latency estimation that is provably secure, reflects the underlying network topology, and is as accurate as existing schemes while being stable.

On Measuring the Similarity of Network Hosts: Pitfalls, New Metrics, and Empirical Analyses

Scott Coull, Fabian Monrose, and Michael Bailey
As the scale of network data grows, network operators are increasingly turning to automated methods for data analysis. Underpinning these methods are distance metrics that capture a notion of similarity between objects. In this paper, we explore common pitfalls encountered when developing such metrics for network host behavior, and propose new metrics that incorporate semantic and long-term temporal information. Empirical evaluations show that our new metrics capture intuitive and robust notions of behavior among hosts.

SWIRL: A Scalable Watermark to Detect Correlated Network Flows

Amir Houmansadr and Nikita Borisov
Flow watermarks are active traffic analysis techniques that help establish a causal connection between two network flows. We design SWIRL, a scalable watermark that is invisible and robust to packet losses. SWIRL is the first watermark that is practical to use for large-scale traffic analysis. By using a flow-dependent approach, SWIRL is also resistant to multi-flow attacks. We also propose a novel application of watermarks to protect from congestion attacks on Tor.

Session 8: Real-World Security: Cloud Computing, Biometrics, and Humans

SPARE: Replicas on Hold

Tobias Distler, Ivan Popov, Wolfgang Schroder-Preikschat, Hans P. Reiser, and Ruediger Kapitza
The paper presents SPARE, a cloud-aware approach that harnesses virtualization to reduce the resource demand of Byzantine fault-tolerant replication and to provide efficient support for proactive recovery. During fault-free operation, only the minimum number of replicas actively process requests, while all other replicas remain passive. By activating those replicas only in case of faults, SPARE saves 21-32% of CPU, memory, and power compared to a traditionally-replicated system.

Efficient Privacy-Preserving Biometric Identification

Yan Huang, Lior Malka, David Evans, and Jonathan Katz
This paper presents an efficient matching protocol that can be used in many privacy-preserving biometric identification systems, including a practical privacy-preserving fingerprint matching system. It presents a more efficient protocol for computing the Euclidean distances, optimized circuits for finding the closest match from a set, and a new backtracking protocol that uses the by-product of evaluating a garbled circuit to enable efficient oblivious information retrieval.

Usability Testing a Malware-Resistant Input Mechanism

Alana Libonati, Jonathan M. McCune, and Michael K. Reiter
We report the results of a usability study of Bumpy, a system that enables a user to provide secret inputs to remote web servers without trusting the computer on which she types those inputs. We evaluate the originally proposed Bumpy design and several new alternatives in a user study involving 85 participants, each of whom utilized one of these designs for roughly four months to protect her password entries to a university course web page.

Session 9: Privacy

Tracker: Security and Privacy for RFID-based Supply Chains

Erik-Oliver Blass, Kaoutar Elkhiyaoui, and Refik Molva
Tracker is a protocol for object genuineness verification in RFID-based supply chains. Tracker securely identifies legitimate paths objects/tags take through supply chains. Tracker provides privacy: adversaries cannot learn details about objects' paths and cannot trace objects. The Tracker protocol is based on a combination of polynomial signatures with homomorphic encryption, whereby tags are not required to perform any computation but only to store a few bytes, such as EPC tags.

PiOS: Detecting Privacy Leaks in iOS Applications

Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna
iOS applications have access to a plethora of private user information stored on the iPhone. Our system, PiOS, applies binary static analysis to identify applications that violate a user's privacy by leaking this information. The predominant use of Objective-C to create these applications requires PiOS to handle the dynamic aspects (e.g., dynamic method-calls) of the ObjC runtime. Our evaluation of PiOS on 1,400 applications shows that many programs read and transmit sensitive data (e.g., deviceIds, geo-location).

Privacy-Preserving Aggregation of Time-Series Data

Elaine Shi, T-H. Hubert Chan, Eleanor Rieffel, Richard Chow, and Dawn Song
We propose algorithms that allow an untrusted aggregator to learn aggregate statistics of a population, without harming each individual's privacy. Our construction allows multiple participants to continually upload noisy encryptions of their values to the aggregator, who can periodically evaluate (noisy) sums and distributions, without learning anything unintended. We guarantee the differential privacy of each participant, even when a subset of the participants may be compromised.