Internet Society Frontpage

Events Membership
About the Internet Standards
Publications  Public Policy
About ISOC Education


NDSS Sponsors
NDSS 2010 - The Network and Security Conference

Symposium Program

Sunday, 28 February
16:00-19:00 Registration
18:00-20:00 Welcome Reception

Monday, 1 March

07:30-08:30 Continental Breakfast
08:30-09:00 Introductory Remarks
General Chair: Doug Szajda, University of Richmond
Program Chair: Wenke Lee, Georgia Institute of Technology
09:00-10:30 Opening & Keynote:

Steve Santorelli, Director of Global Outreach Team Cymru

10:30-11:00 Break
11:00-12:30 Session 1: Distributed Systems and Networks

Chair: Kosta Beznosov, University of British Columbia, Canada
12:30-13:30 Lunch
13:30-15:00 Session 2: Web Security and Privacy

Chair: Christopher Kruegel, University of California Santa Barbara
15:00-15:30 Break
15:30-17:00 Session 3: Intrusion Detection and Attack Analysis

Chair: Scott Coull, University of North Carolina at Chapel Hill

Tuesday, 2 March

08:00-09:00 Continental Breakfast
09:00-10:30 Session 4: Spam

Chair: Adrian Perrig, Carnegie Mellon University
10:30-11:00 Break
11:00-12:30 Panel Discussion: Ethics in Networking and Security Research
12:30-13:30 Lunch
13:30-15:00 Session 5: Anonymity and Cryptographic Systems

Michael K. Reiter, University of North Carolina at Chapel Hill
15:00-15:30 Break
15:30-17:00 Session 6: Security Protocols and Policies

Chair: Lujo Bauer, Carnegie Mellon University
19:00-21:00 Buffet Dinner
Wednesday 3 March
08:00-09:00 Continental Breakfast
09:00-10:30 Session 7: Languages and Systems Security

Chair: David Brumley, Carnegie Mellon University
10:30-11:00 Break
11:00-12:30 Session 8: Malware

Chair: Christian Kriebich, International Computer Science Institute

NDSS '10 will focus on practical aspects of network and distributed system security, with emphasis on actual system design and implementation rather than theory. A major goal of the Symposium is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. The following presentations are planned.

Opening Keynote

The Current State of Cyber-crime Investigations

Steve Santorelli, Director of Global Outreach Team Cymru
Steve Santorelli became a police officer in 1994, working in London, UK. He worked his way up through various detective grades and branches until he joined Scotland Yards Computer Crime Unit in 2000. During the following 5 years he specialized in malware and botnet cases and reached the rank of Detective Sergeant. Steve received several awards and commendations from various international law enforcement agencies and judges. He was also an associate instructor for the CISSP certification.

Steve then left law enforcement to join the Microsoft Internet Crimes Investigation Team, based in Redmond, USA. He spent the next 3 years investigating botnet cases which were then referred out to law enforcement officers around the world for further work and arrests. During this time he also developed the International Botnet Task Force, a unique group of industry and law enforcement from 35 countries, dedicated to working together to combat botnets and ruin the lives of botherders. He was also the lead investigator on the Zotob case.

Steve left Microsoft 3 years ago to join Team Cymru, a small group of researchers who work to discover who is behind internet crime and why they carry out their activities. He spends his time working with a team of ex-law enforcement investigators, re-actively and proactively building cases against some of the most notorious criminal gangs on the internet today.


Special Panel Discussion

Ethics in Networking and Security Research: Have We Gone Too Far?

Increasingly the challenges faced by security and networking researchers require us to test the boundaries of community standards for ethical behavior. As we seek to address important research questions, we must take care to understand not only the benefits of our work, but also the potential harm of our work to individuals and society at large. The goal of this panel is to highlight the problems we currently face as a community and promote a dialog that will inform our evolving standards and guidelines for ethical behavior.


Research Paper Presentations

Session 1: Distributed Systems and Networks

Server-side Verification of Client Behavior in Online Games

Darrell Bethea, Robert Cochran and Michael Reiter
Online gaming is a lucrative industry, but one that is slowed by cheating that compromises the gaming experience and hence drives away players (and revenues). This paper develops a technique by which game developers can enable game operators to validate the behavior of game clients as being consistent with valid execution of the sanctioned client software. The paper demonstrates its approach in two case studies: one of the open-source game XPilot, and one of a multiplayer game similar to Pac-Man.

Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs

Scott Wolchok, Owen S. Hofmann, Nadia Heninger, Edward W. Felten, J. Alex Halderman, Christopher J. Rossbach, Brent Waters, and Emmett Witchel
We examine the security of Vanish, a recent proposal for creating "self-destructing" data. Vanish works by encrypting messages and scattering the keys in a million-node DHT, where they remain accessible for only a few hours. We show that an attacker can defeat Vanish by conducting a large Sybil attack against the DHT and recording every value before it ages out. Optimizations allow the attacker to reduce the cost by more than two orders of magnitude from the Vanish authors' projections.

Stealth DoS Attacks on Secure Channels

Amir Herzberg and Haya Shulman
Can security mechanisms in IP layer, protect TCP from denial/degradation (DoS) of service attacks, by a stealth adversary, who can eavesdrop and inject (few) packets? We present such attacks on IPsec without anti-replay window, and on IPsec with small anti-replay window. We subsequently show how to calculate correct size of anti-replay window. Then, we present a (slightly more elaborate) attack that works for any size window. Finally we propose modifications to IPsec gateway, that defend against the stealth DoS attacks.

Session 2: Web Security and Privacy

Protecting Browsers from Extension Vulnerabilities

Adam Barth, Adrienne Porter Felt, Prateek Saxena, and Aaron Boodman
Buggy browser extensions can be exploited by malicious web site operators. In Firefox, these exploits are dangerous because extensions run with the user's full privileges, including local system access. We analyze 25 popular Firefox extensions and find that 88% need less than the full set of privileges. We propose a new browser extension platform based on least privilege, privilege separation, and strong isolation. Our design has been adopted as the Google Chrome extension system.

Adnostic: Privacy Preserving Targeted Advertising

Vincent Toubiana, Arvind Narayanan, Dan Boneh, Helen Nissenbaum and Solon Barocas
Adnostic is a practical architecture and prototype implementation that enables targeted advertising without compromising user privacy. Behavioral profiling and targeting in Adnostic takes place in the browser while the ad network remains agnostic to the user's interests. Our paper discusses the effectiveness of the system as well as potential social engineering and web-based attacks on the architecture. We also describe a cryptographic billing system that lets ad networks bill the correct advertiser without knowing which ad was displayed to the user.

FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications

Prateek Saxena, Steve Hanna, Pongsin Poosankam and Dawn Song
Much of the prior research on web application vulnerabilities has focused on server-side vulnerabilities. This paper highlights a new class of vulnerabilities, which we term client-side validation (or CSV) vulnerabilities, that arise due to improper validation in client-side JavaScript code and can result in a broad spectrum of attacks. We propose a new dynamic analysis technique to systematically discover this class of vulnerabilities that is light-weight, efficient and has no false positives. We implement our approach in a tool called FLAX. In our evaluation on live web applications, FLAX has found numerous CSV vulnerabilities in the wild, demonstrating both its practical scalability and the prevalence of this class of vulnerabilities in real-world applications.

Session 3: Intrusion Detection and Attack Analysis

Effective Anomaly Detection with Scarce Training Data

William Robertson, Federico Maggi, Christopher Kruegel and Giovanni Vigna
Learning-based anomaly detection has proven to be an effective black-box technique for detecting unknown attacks. However, the technique crucially depends upon both the quality and the completeness of the training data, both of which are routinely lacking in real-world settings. In this work, we present an approach for remediating a local scarcity of training data by automatically leveraging similar, well-trained models from other sites. We experimentally demonstrate the efficacy of the approach in the context of web application anomaly detection over a data set of more than 58 million HTTP requests.

Large-Scale Automatic Classification of Phishing Pages

Colin Whittaker, Brian Ryner and Marria Nazif
We present the design and performance characteristics of a scalable machine learning classifier that detects phishing websites. We use this classifier to maintain Google's phishing blacklist automatically, analyzing millions of potentially phishing pages every day. To train our classifier, we use a dataset consisting of millions of samples from previously classified pages labeled according to our published blacklist. Despite noise in the training labels, our classifier learns a robust model for identifying phishing pages which correctly classifies more than 90% of phishing pages several weeks after training concludes.

A Systematic Characterization of IM Threats using Honeypots

Iasonas Polakis, Thanasis Petsas, Evangelos P. Markatos and Spiros Antonatos
The popularity of instant messaging (IM) services has recently attracted the interest of attackers that send malicious URLs or files to the contact lists of compromised instant messaging accounts or clients. This work aims to provide a systematic characterization of IM threats based on the information collected by HoneyBuddy, a honeypot-like infrastructure for detecting malicious activities in IM networks. We also deploy the prototype implementation of our myMSNhoneypot service, an early detection service that can inform users if their accounts or IM clients have been compromised.

Session 4: Spam

On Network-level Clusters for Spam Detection

Zhiyun Qian, Zhuoqing Mao, Yinglian Xie and Fang Yu
Researchers have already recognized the need to identify IP clusters instead of focusing on individual IP addresses to construct blacklists for detecting spam. In this paper, building on BGP clusters, we propose a significantly improved clustering approach integrating both network origin and DNS information. False negative rate can be reduced by 30% - 50% using 7 month traces compared to directly applying various public IP-based blacklists and SpamAssassin without affecting false positive rate.

Improving Spam Blacklisting Through Dynamic Thresholding and Speculative Aggregation

Sushant Sinha, Michael Bailey and Farnam Jahanian
Spam constitutes a significant fraction of all e-mail connection attempts and routinely frustrates users, consumes resources, and serves as an infection vector for malicious software. In an effort to reduce the impact of these e-mails, operators have increasingly turned to course-grained, reputation-based, dynamic policy enforcement, or blacklisting. While scalable, blacklisting exhibits both false positives and false negatives. In this paper, we argue that blacklists should be tailored and present two techniques that leverage local perspectives to significantly improve blacklist accuracy.

Botnet Judo: Fighting Spam with Itself

Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage
Judo is a system for better filtering spam by exploiting the vantage point of the spammer. By instantiating and monitoring botnet hosts in a controlled environment, we are able to monitor new spam as it is created, and consequently infer the underlying template used to generate polymorphic e-mail messages. We demonstrate this approach on mail traces from a range of modern botnets and show that we can automatically filter such spam precisely and with virtually no false positives.

Session 5: Anonymity and Cryptographic Systems

Contractual Anonymity

Edward J. Schwartz, David Brumley and Jonathan M. McCune
We propose, develop, and implement techniques for achieving contractual anonymity. In contractual anonymity, a user and service provider enter into an anonymity contract. The user is guaranteed anonymity and message unlinkability from the contractual anonymity system unless she breaks the contract. The service provider is guaranteed that it can identify users who break the contract. Our system can enforce many types of contract policies, is efficient, and has a small trusted computing base.

A3: An Extensible Platform for Application-Aware Anonymity

Micah Sherr, Andrew Mao, William R. Marczak, Wenchao Zhou, Boon Thau Loo, and Matt Blaze
This paper presents the design and implementation of Application-Aware Anonymity (A3), an extensible platform for deploying anonymity-based services on the Internet. A3 allows applications to tailor their anonymity and performance properties according to their communication requirements. To support flexible path construction, A3 exposes a declarative language (A3Log) that enables applications to compactly specify path selection and instantiation policies. A3Log is sufficiently versatile to represent novel multi-metric performance constraints as well as existing relay selection algorithms.

When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography

Thomas Ristenpart and Scott Yilek
Random number generators (RNGs) are consistently a weak link in the secure use of cryptography. Routine cryptographic operations such as encryption and signing can fail spectacularly given predictable or repeated randomness, even when using good long-lived key material. This has proved problematic in prior settings when RNG implementation bugs, poor design, or low-entropy sources have resulted in predictable randomness. We investigate a new way in which RNGs fail due to reuse of virtual machine (VM) snapshots. We exhibit such VM reset vulnerabilities in widely-used TLS clients and servers: the attacker takes advantage of (or forces) snapshot replay to compromise sessions or even expose a server's DSA signing key. Our next contribution is a backwards-compatible framework for hedging routine cryptographic operations against bad randomness, thereby mitigating the damage due to randomness failures. We apply our framework to the OpenSSL library and experimentally confirm that it has little overhead.

Session 6: Security Protocols and Policies

InvisiType: Object-Oriented Security Policies

Jiwon Seo and Monica S. Lam
This paper proposes InvisiType, an object-oriented approach that enables platform developers to enforce safety checks on third-party extensions without requiring their cooperation. Developers encapsulate safety checks in an InvisiType policy class and selectively subjects objects at risk to these policies. The run-time enforces these policies by changing the types of these objects dynamically. Our InvisiType policies successfully found 19 cross-site scripting vulnerabilities and 6 access control errors in total. The runtime overhead is small, indicating that the technique is practical.

A Security Evaluation of DNSSEC with NSEC3

Jason Bau and John Mitchell
This paper studies the goals and operations of DNSSEC/NSEC3 and uses Murphi, a finite-state enumeration tool, to check its security properties in presence of a network attacker model. We uncover several weaknesses in DNSSEC, including incorrect dependencies in the signature chain and NSEC3 options that allow forged name insertion into a domain. We then confirm the exploitability of the NSEC3 vulnerability in a realistic laboratory DNSSEC domain. We finally offer implementation and configuration advice minimizing exploitability of the uncovered vulnerabilities.

On the Safety of Enterprise Policy Deployment

Yudong Gao, Ni Pan, Xu Chen and Z. Morley Mao
We present the first work to address the security issues of enterprise policy deployment, an under-studied procedure that leaves security vulnerabilities if not carefully designed. We formally define insecure states during policy deployments and demonstrate their security implications with real examples. We further propose an efficient algorithm to generate deployment procedures that are free of insecure states, and implement it on Group Policy framework requiring no infrastructure modification. We show that our algorithm adds minimal overhead while provably eliminating insecure intermediate states.

Session 7: Languages and Systems Security

Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation

Suresh Chari, Shai Halevi and Wietse Venema
We analyze filename-based privilege escalation attacks, where victim programs are "tricked" into opening unintended files. Solutions to this problem nowadays are built into some applications, but we show that it can be solved in the file system itself (or a library), thus providing protection to all applications. Our solution build on a new name-resolution procedure, ensuring that files in "safe directories" cannot be opened using an "unsafe pathname". Comprehensive tests on several UNIX variants confirm that this solution is viable.

Joe-E: A Security-Oriented Subset of Java

Adrian Mettler, David Wagner and Tyler Close
Joe-E is a subset of Java that makes it easier to architect and implement programs with strong security properties that can be checked during a security review. It enables programmers to apply the principle of least privilege to their programs; implement application-specific reference monitors that cannot be bypassed; introduce and use domain-specific security abstractions; safely execute and interact with untrusted code; and build secure, extensible systems. Joe-E provides object-capability security while retaining the features and feel of a mainstream language.

Preventing Capability Leaks in Secure JavaScript Subsets

Matthew Finifter, Joel Weinberger and Adam Barth
To protect themselves from malicious web advertisements, publishers wish to sandbox ads. One popular approach is to statically verify that the ads conform to a "safe" subset of JavaScript that blacklists known-dangerous properties. We show this approach is insufficient because the ads can abuse new methods defined by the hosting page. We propose an improved subset based on whitelisting known-safe properties using namespaces.

Session 8: Malware

Binary Code Extraction and Interface Identification for Security Applications

Juan Caballero, Noah M. Johnson, Stephen McCamant, and Dawn Song
In this paper we conduct the first systematic study of binary code reuse, the process of automatically identifying the interface and extracting the instructions and data dependencies of a code fragment from the program's binary, so that it is self-contained and can be reused by external code. We propose a novel technique to identify the prototype of an undocumented code fragment directly from the program's binary, and use a combination of dynamic and static analysis to extract the code.

Automatic Reverse Engineering of Data Structures from Binary Execution

Zhiqiang Lin, Xiangyu Zhang and Dongyan Xu
In many security and forensics applications, it is desirable to uncover data structures in a binary program with their syntactic and semantic definitions. We present REWARDS, a reverse engineering technique that automatically reveals such information via dynamic analysis. By performing runtime data flow tracking, REWARDS identifies variables and resolves variable types based on type-revealing execution points encountered during execution. We demonstrate that REWARDS provides unique benefits to two applications: memory image forensics and binary fuzzing for vulnerability discovery.

Efficient Detection of Split Personalities in Malware

Davide Balzarotti, Marco Cova, Christoph Karlberger, Engin Kirda, Christopher Kruegel and Giovanni Vigna
A current challenge in malware analysis is detecting split-personality malware, i.e., malicious programs that, when run in an emulated or virtualized analysis environment, behave differently than on a real system. We developed a novel approach to detect such malware by first recording the malware's interaction with the operating system on an uninstrumented reference host and then leveraging the collected information to deterministically re-execute the program in a virtualized environment. If the malware's behavior is different, we conclude that the program has a split personality.