Johanna Ullrich
Vienna University of Technology
Publication
Featured research published by Johanna Ullrich.
cloud computing security workshop | 2013
Amir Herzberg; Haya Shulman; Johanna Ullrich; Edgar R. Weippl
We define and study cloudoscopy, i.e., exposing sensitive information about the location of (victim) cloud services and/or about the internal organisation of the cloud network, in spite of location-hiding efforts by cloud providers. A typical cloudoscopy attack is composed of a number of steps: first expose the internal IP address of a victim instance, then measure its hop-count distance from adversarial cloud instances, and finally test to find a specific instance which is close enough to the victim (e.g., co-resident) to allow (denial of service or side-channel) attacks. We refer to the three steps/modules involved in such cloudoscopy attack by the terms IP address deanonymisation, hop-count measuring, and co-residence testing. We present specific methods for these three cloudoscopy modules, and report on results of our experimental validation on popular cloud platform providers. Our techniques can be used for attacking (victim) servers, as well as for benign goals, e.g., optimisation of instances placement and communication, or comparing clouds and validating cloud-provider placement guarantees.
security and privacy in smartphones and mobile devices | 2014
Adrian Dabrowski; Katharina Krombholz; Johanna Ullrich; Edgar R. Weippl
2D barcodes offer many benefits compared to 1D barcodes, such as high information density and robustness. Before their introduction to the mobile phone ecosystem, they have been widely used in specific applications, such as logistics or ticketing. However, there are multiple competing standards with different benefits and drawbacks. Therefore, reader applications as well as dedicated devices have to support multiple standards. In this paper, we present novel attacks based on deliberately caused ambiguities when especially crafted barcodes conform to multiple standards. Implementation details decide which standard the decoder locks on. This way, two users scanning the same barcode with different phones or apps will receive different content. This potentially opens way for multiple problems related to security. We describe how embedding one barcode symbology into another can be used to perform phishing attacks as well as targeted exploits. In addition, we evaluate the extent to which popular 2D barcode reader applications on smartphones are susceptible to these barcode-in-barcode attacks. We furthermore discuss mitigation techniques against this type of attack.
availability, reliability and security | 2015
Johanna Ullrich; Peter Kieseberg; Katharina Krombholz; Edgar R. Weippl
Today's capability of fast Internet-wide scanning allows insights into the Internet ecosystem, but the on-going transition to the new Internet Protocol version 6 (IPv6) makes the approach of probing all possible addresses infeasible, even at current speeds of more than a million probes per second. As a consequence, the exploitation of frequent patterns has been proposed to reduce the search space. Current patterns are manually crafted and based on educated guesses of administrators. At the time of writing, their adequacy has not yet been evaluated. In this paper, we assess the idea of pattern-based scanning for the first time, and use an experimental set-up in combination with three real-world data sets. In addition, we developed a pattern-based algorithm that automatically discovers patterns in a sample and generates addresses for scanning based on its findings. Our experimental results confirm that pattern-based scanning is a promising approach for IPv6 reconnaissance, but also that currently known patterns are of limited benefit and are outperformed by our new algorithm. Our algorithm not only discovers more addresses, but also finds implicit patterns. Furthermore, it is more adaptable to future changes in IPv6 addressing and harder to mitigate than approaches with manually crafted patterns.
availability, reliability and security | 2014
Adrian Dabrowski; Heidelinde Hobel; Johanna Ullrich; Katharina Krombholz; Edgar R. Weippl
Intentionally inserted malfunctions in integrated circuits, referred to as Hardware Trojans, have become an emerging threat. Recently, the scientific community started to propose technical approaches to mitigate the threat of unspecified and potentially malicious functionality. However, these detection and prevention mechanisms are still hardly integrated in the industry's Hardware development life cycles. We therefore propose in this work a secure hardware development life cycle that assembles methods from trustworthy software engineering. In addition to full traceability from specification to implementation, and down to each gate, we introduce a feedback detection cycle that systematically escorts every single step of the development process. To do so, we integrate different detection methods for each development phase that are derived from a common knowledge base.
availability, reliability and security | 2015
Jordan Cropper; Johanna Ullrich; Peter Frühwirt; Edgar R. Weippl
Cloud computing is playing an ever larger role in the IT infrastructure. The migration into the cloud means that we must rethink and adapt our security measures. Ultimately, both the cloud provider and the customer have to accept responsibilities to ensure security best practices are followed. Firewalls are one of the most critical security features. Most IaaS providers make firewalls available to their customers. In most cases, the customer assumes a best-case working scenario which is often not assured. In this paper, we studied the filtering behavior of firewalls provided by five different cloud providers. We found that three providers have firewalls available within their infrastructure. Based on our findings, we developed an open-ended firewall monitoring tool which can be used by cloud customers to understand the firewall's filtering behavior. This information can then be efficiently used for risk management and further security considerations. Measuring today's firewalls has shown that they perform well for the basics, although may not be fully featured considering fragmentation or stateful behavior.
recent advances in intrusion detection | 2015
Johanna Ullrich; Edgar R. Weippl
The IPv6 privacy extension introduces temporary addresses to protect against address-based correlation, i.e., the attribution of different transactions to the same origin using addresses, and is considered as state-of-the-art mechanism for privacy protection in IPv6. In this paper, we scrutinize the extension's capability for protection by analyzing its algorithm for temporary address generation in detail. We develop an attack that is based on two insights and shows that the notion of protection is false: First, randomization is scarce and future identifiers can be predicted once the algorithm's internal state is known. Second, a victim's temporary addresses form a side channel and allow an adversary to synchronize to this internal state. Finally, we highlight mitigation strategies, and recommend a revision of the extension's specification.
annual computer security applications conference | 2017
Adrian Dabrowski; Johanna Ullrich; Edgar R. Weippl
Electric power grids are among the largest human-made control structures and are considered as critical infrastructure due to their importance for daily life. When operating a power grid, providers have to continuously maintain a balance between supply (i.e., production in power plants) and demand (i.e., power consumption) to keep the power grid's nominal frequency of 50 Hz or alternatively 60 Hz. Power consumption is forecast by elaborated models including multiple parameters like weather, season, and time of the day; they are based on the premise of many small consumers averaging out their energy consumption spikes. In this paper, we develop attacks violating this assumption, investigate their impact on power grid operation, and assess their feasibility for today's adversaries. In our scenario, an adversary builds (or rents) a botnet of zombie computers and modulates their power consumption, e.g., by utilizing CPU, GPU, hard disks, screen brightness, and laser printers in a coordinated way over the Internet. Outperforming the grid's countervailing mechanisms in time, the grid is pushed into unstable states triggering automated load shedding or tie-line tripping. We show that an adversary does not have to rely on smart grid features to modulate power consumption given that an adequate communication infrastructure for striking the (legacy) power grid is currently nearly omnipresent: the Internet to whom more and more power-consuming devices are connected. Our simulations estimate that between 2.5 and 9.8 million infections are sufficient to attack the European synchronous grid -- depending on the mix of infected devices, the current mix of active power plant types, and the current overall produced power. However, the herein described attack mechanisms are not limited to the European grid.
IEEE Communications Surveys and Tutorials | 2017
Johanna Ullrich; Tanja Zseby; Joachim Fabini; Edgar R. Weippl
The cloud concept promises computing as a utility. More and more functions are moved to cloud environments. But this transition comes at a cost: security and privacy solutions have to be adapted to new challenges in cloud environments. We investigate secret communication possibilities—data transmission concealing its mere existence or some of its characteristics—in clouds. The ability to establish such secret communication provides a powerful instrument to adversaries and can be used to gather information for attack preparation, to conceal the coordination of malicious instances or to leak sensitive data. In this paper, we investigate potentials for secret communication in cloud environments and show possible application scenarios. We survey current approaches of different kinds of secret communication including covert channels, side channels, and obfuscation techniques. While most existing work focuses on covert and side channels within a physical server (cross-VM channels), we place emphasis on network-based covert and side channels, which are rarely addressed in current literature about cloud security. We then discuss secret communication techniques with respect to the application scenarios and show their advantages and limitations.
availability, reliability and security | 2015
Katharina Krombholz; Peter Frühwirt; Thomas Rieder; Ioannis Kapsalis; Johanna Ullrich; Edgar R. Weippl
QR codes have emerged as a popular medium to make content instantly accessible. With their high information density and robust error correction, they have found their way to the mobile ecosystem. However, QR codes have also proven to be an efficient attack vector, e.g., to perform phishing attacks. Attackers distribute malicious codes under false pretenses in busy places or paste malicious QR codes over already existing ones on billboards. Ultimately, people depend on reader software to ascertain if a given QR code is benign or malicious. In this paper, we present a comprehensive analysis of QR code security. We determine why users are still susceptible to QR code based attacks and why currently deployed smartphone apps are unable to mitigate these attacks. Based on our findings, we present a set of design recommendations to build usable and secure mobile applications. To evaluate our guidelines, we implemented a prototype and found that secure and usable apps can effectively protect users from malicious QR codes.
availability, reliability and security | 2017
Aljosha Judmayer; Johanna Ullrich; Georg Merzdovnik; Artemios G. Voyiatzis; Edgar R. Weippl
The rapid deployment of IoT systems on the public Internet is not without concerns for the security and privacy of consumers. Security in IoT systems is often poorly engineered and engineering for privacy does not seem to be a concern for vendors at all. The combination of poor security hygiene and access to valuable knowledge renders IoT systems a much-sought target for attacks. IoT systems are not only Internet-accessible but also play the role of servers according to the established client-server communication model and are thus configured with static and/or easily predictable IPv6 addresses, rendering them an easy target for attacks. We present 6HOP, a novel addressing scheme for IoT devices. Our proposal is lightweight in operation, requires minimal administration overhead, and defends against reconnaissance attacks, address based correlation as well as denial-of-service attacks. 6HOP therefore exploits the ample address space available in IPv6 networks and provides effective protection this way.