Kehuan Zhang
The Chinese University of Hong Kong
Publication
Featured research published by Kehuan Zhang.
computer and communications security | 2014
Zhe Zhou; Wenrui Diao; Xiangyu Liu; Kehuan Zhang
The popularity of mobile devices has made people's lives more convenient, but threatened people's privacy at the same time. As end users are becoming more and more concerned about the protection of their private information, it is even harder for hackers to track a specific user by using conventional technologies. For example, cookies might be cleared by users regularly. Besides, OS designers have developed a series of measures to cope with trackers. Apple has stopped apps accessing UDIDs, and Android phones use some special permissions to protect the IMEI code. However, some recent studies showed that attackers are able to find new ways to get around those limitations, even though these new methods should be improved in order to be practically deployed at large scale. For example, attackers can trace smartphones by using the hardware features resulting from the imperfect manufacturing process of accelerometers. In this paper, we will present another new and more practical method for adversaries to stealthily generate a stable and unique device ID for the smartphone by exploiting the frequency response of the speaker. With carefully selected audio frequencies and special sound wave patterns, we can reduce the impact of non-linear effects and noises, and keep our feature extraction process unnoticeable to phone owners. The extracted feature is not only very stable for a given smartphone, but also unique to that phone. The feature contains rich information, which is even enough to differentiate millions of smartphones of the same model. We have built a prototype to evaluate our method, and the results show that the generated device ID can be used to track users practically.
ieee symposium on security and privacy | 2016
Wenrui Diao; Xiangyu Liu; Zhou Li; Kehuan Zhang
Many new specialized hardware components have been integrated into Android smartphones to improve mobility and usability, such as touchscreen, Bluetooth module, and NFC controller. At the system level, the kernel of Android is built on Linux and inherits its device management mechanisms. However, the security implications surfaced from the integration of new hardware components and the tailored Linux kernel are not fully understood. In this paper, we make the first attempt to evaluate such implications. As a result, we identify a critical information leakage channel from the interrupt handling mechanism, which can be exploited to launch inference attacks without any permission. On Android, all reported interrupts are counted by the Linux kernel and the statistical information is logged in a system file /proc/interrupts, which is public to any process. Such statistical information reveals the running status of all integrated devices, and could be exploited by attackers to infer sensitive information passing through them. To assess this new threat, we propose a general attack approach, interrupt timing analysis, and apply it to interrupt logs. As showcases, we present two concrete inference attacks against users' unlock pattern and foreground app status respectively. Through analyzing the interrupt time series produced from the touchscreen controller, attackers' chance of cracking users' unlock pattern is increased substantially. The interrupt time series produced from the Display Sub-System reveals unique UI refreshing patterns and could be leveraged as fingerprints to identify the app running in the foreground. Such information can serve as the stepping stone for subsequent phishing attacks. The experiment results suggest our inference attacks are highly effective, and the risks should be mitigated immediately.
information security conference | 2015
Xiangyu Liu; Zhe Zhou; Wenrui Diao; Zhou Li; Kehuan Zhang
With millions of apps provided from official and third-party markets, Android has become one of the most active mobile platforms in recent years. These apps facilitate people’s lives in a broad spectrum of ways but at the same time touch numerous users’ information, raising huge privacy concerns. To prevent leaks of sensitive information, especially from legitimate apps to malicious ones, developers are encouraged to store users’ sensitive data into private folders which are isolated and securely protected. But for non-sensitive data, there is no specific guideline on how to manage them, and in many cases, they are simply stored on public storage which lacks fine-grained access control and is almost open to all apps.
computer and communications security | 2016
Yannan Liu; Lingxiao Wei; Zhe Zhou; Kehuan Zhang; Wenyuan Xu; Qiang Xu
With the proliferation of Internet of Things, there is a growing interest in embedded system attacks, e.g., key extraction attacks and firmware modification attacks. Code execution tracking, as the first step to locate vulnerable instruction pieces for key extraction attacks and to conduct control-flow integrity checking against firmware modification attacks, is therefore of great value. Because embedded systems, especially legacy embedded systems, have limited resources and may not support software or hardware update, it is important to design low-cost code execution tracking methods that require as little system modification as possible. In this work, we propose a non-intrusive code execution tracking solution via power-side channel, wherein we represent the code execution and its power consumption with a revised hidden Markov model and recover the most likely executed instruction sequence with a revised Viterbi algorithm. By observing the power consumption of the microcontroller unit during execution, we are able to recover the program execution flow with a high accuracy and detect abnormal code execution behavior even when only a single instruction is modified.
computer and communications security | 2016
Ronghai Yang; Guanchen Li; Wing Cheong Lau; Kehuan Zhang; Pili Hu
Motivated by the prevalence of OAuth-related vulnerabilities in the wild, large-scale security testing of real-world OAuth 2.0 implementations has received increasing attention lately [31,37,42]. However, these existing works either rely on manual discovery of new vulnerabilities in OAuth 2.0 implementations or perform automated testing for specific, previously-known vulnerabilities across a large number of OAuth implementations. In this work, we propose an adaptive model-based testing framework to perform automated, large-scale security assessments for OAuth 2.0 implementations in practice. Key advantages of our approach include (1) its ability to identify existing vulnerabilities and discover new ones in an automated manner; (2) improved testing coverage, as all possible execution paths within the scope of the model will be checked; and (3) its ability to cater for the implementation differences of practical OAuth systems/applications, which enables the analyst to offload the manual efforts for large-scale testing of OAuth implementations. We have designed and implemented OAuthTester to realize our proposed framework. Using OAuthTester, we examine the implementations of 4 major Identity Providers as well as 500 top-ranked US and Chinese websites which use the OAuth-based Single-Sign-On service provided by the former. Our empirical findings demonstrate the efficacy of adaptive model-based testing on OAuth 2.0 deployments at scale. More importantly, OAuthTester not only manages to rediscover various existing vulnerabilities but also identifies several previously unknown security flaws and new exploits for a large number of real-world applications implementing OAuth 2.0.
IEEE Transactions on Services Computing | 2018
Rui Liu; Jiannong Cao; Kehuan Zhang; Wenyu Gao; Junbin Liang; Lei Yang
People nowadays almost want everything at their fingertips, from business to entertainment, and meanwhile they do not want to leak their sensitive data. Strong information protection can be a competitive advantage, but preserving privacy is a real challenge when people use the mobile apps in the smartphone. If they are too lax with privacy preserving, important or sensitive information could be lost. If they are too tight with privacy, making users jump through endless hoops to access the data they need to get their work done, productivity can nosedive. Thus, striking a balance between privacy and usability in mobile applications can be difficult. Leveraging the privacy permission settings in mobile operating systems, our basic idea to address this issue is to provide proper recommendations about the settings so that the users can preserve their sensitive information and maintain the usability of apps. In this paper, we propose an unobtrusive recommendation system to implement this idea, which can crowdsource users’ privacy permission settings and generate the recommendations for them accordingly. Besides, our system allows users to provide feedback to revise the recommendations for getting better performance and adapting different scenarios. For the evaluation, we collected users’ preferences from 382 participants on Amazon Technical Turks and released our system to users in the real world for 10 days. According to the study, our system can make appropriate recommendations which can meet participants’ privacy expectation and mobile apps’ usability.
privacy enhancing technologies | 2017
Zhe Zhou; Wenrui Diao; Xiangyu Liu; Zhou Li; Kehuan Zhang; Rui Liu
According to previous reports, information could be leaked from GPU memory; however, the security implications of such a threat were mostly overlooked, because only limited information could be indirectly extracted through side-channel attacks. In this paper, we propose a novel algorithm for recovering raw data directly from the GPU memory residues of many popular applications such as Google Chrome and Adobe PDF reader. Our algorithm enables harvesting highly sensitive information including credit card numbers and email contents from GPU memory residues. Evaluation results also indicate that nearly all GPU-accelerated applications are vulnerable to such attacks, and adversaries can launch attacks without requiring any special privileges both on traditional multi-user operating systems and in emerging cloud computing scenarios.
wireless network security | 2016
Wenrui Diao; Xiangyu Liu; Zhou Li; Kehuan Zhang
Dynamic analysis techniques have been widely used in Android malware detection. Previous works on evading dynamic analysis focus on discovering the fingerprints of emulators. However, such methods have been challenged since the introduction of real devices in recent works. In this paper, we propose a new approach to evade automated runtime analysis through detecting programmed interactions. This approach, in essence, tries to tell the identity of the current app controller (human user or automated exploration tool), by finding intrinsic differences between human user and machine tester in interaction patterns. The effectiveness of our approach has been demonstrated through evaluation against 11 real-world online dynamic analysis services.
computer and communications security | 2016
Zhe Zhou; Tao Zhang; Sherman S. M. Chow; Yupeng Zhang; Kehuan Zhang
Multi-pattern matching compares a large set of patterns against a given query string, which has wide application in various domains such as bio-informatics and intrusion detection. This paper shows how to authenticate the classic Aho-Corasick multi-pattern matching automaton, without requiring the verifier to store the whole pattern set or to download a proof for every single matching step. The storage complexity for the authentication metadata at the server side is the same as that of the unauthenticated version. The communication overhead is minimal since the proof size is linear in the query length and does not grow with the size of the query result or the pattern set. Our evaluation has shown that the query and verification times are practical.
conference on data and application security and privacy | 2017
Zhe Zhou; Zhou Li; Kehuan Zhang
Single Root I/O Virtualization (SRIOV) allows one physical device to be used by multiple virtual machines simultaneously without mediation from the hypervisor. Such a technique significantly decreases the overhead of I/O virtualization. But according to our latest findings, in the meantime, it introduces a high-risk security issue that enables an adversary-controlled VM to cut off the connectivity of the host machine, given the limited filtering capabilities provided by the SRIOV devices. As a showcase, we demonstrate two attacks against SRIOV NICs by exploiting a vulnerability in the standard network management protocol, OAM. The vulnerability surfaces because SRIOV NICs treat the packets passing through OAM as data-plane packets and allow untrusted VMs to send and receive these packets on behalf of the host. By examining several off-the-shelf SRIOV NICs and switches, we show such attacks can easily turn off the network connection within a short period of time. In the end, we propose a defense mechanism which runs on the existing hardware and can be readily deployed.