This day had a lot of interesting papers, but some of the presentations were disappointing: they spent their time on uninteresting aspects of their work, or handwaved over critical details.

That said, most of the work on passwords was compelling, and if you read to the end there’s a cranky rant about the panel discussion.

## Privacy and Anonymity

### Detecting Hoaxes, Frauds, and Deception in Writing Style Online

I missed the train that would have gotten me to SF in time for this talk by one lousy minute.

### LASTor: A Low-Latency AS-Aware Tor Client

These folks had a set of client-only modifications to Tor that, they claim, both improve latency and add robustness against “profiling attacks.”

Their latency-reduction shtick is to record propagation delay in between all Tor relays, and then choose paths with probability inversely proportional to overall delay; they call this “Weighted Shortest Path” selection. This does increase the risk of using a path with compromised relays; they allow the user to tune the proportionality constant to trade off anonymity for latency or vice versa, and they also group relays into geographic clusters for WSP and choose randomly within a cluster. They didn’t attempt to analyze the odds of getting a compromised relay, that I saw, though. They claim 20% improvement in median latency—that’s relative to the baseline Tor algorithm, which imposes a 500% median latency penalty relative to unmasked web surfing.

They define “profiling attack” as: unmasking anonymous Tor users by correlating traffic to the entry node with traffic from the exit node. Because Tor relays are not uniformly distributed over the network’s topology, this is plausibly possible for an AS operator, who may control routers that sit between the Tor client and the entry, and routers that sit between the Tor exit and the destination site. Of course there is nothing to be done when the ultimate source and ultimate destination are in the same AS, but that’s unusual. By default, Tor ensures that no two relays are in the same /16, which (they say) misses 50% of shared ASes. AS-path prediction is known to be hard, with the best known approaches only 70% correct; they claim an improvement to 90% (median) but glossed over the details.

An audience member asked: if all clients switch to WSP, won’t that overload the relays on the shortest paths? The speaker did not appear to understand the question.

### OB-PWS: Obfuscation-Based Private Web Search

Database searches reveal sensitive information. This paper surveys one class of techniques to prevent this, which is based on generating “dummy queries” to obscure what was really searched for. They find all existing techniques wanting, and offer a systematization of “features that should be considered in security evaluation” of this type of design, hoping that people will do better in the future.

I couldn’t make much sense of this talk because the speaker talked very fast, the slides were in illegibly tiny type, and I’m not previously familiar with the topic. However, the basic problem seems to be that it’s not terribly hard to distinguish dummy queries from real queries, especially for an adversary who knows what system is in use.

### Lightweight Anonymity and Privacy

These folks are also trying to improve on Tor’s latency issues, but they’re doing it by weakening the adversary model: they only care about protecting against remote tracking by the destination host of any given TCP connection. To this end they have developed their own mixmaster scheme which only conceals the initial prefix of the route from the client to the server. They also go to some length to avoid increasing the overall path length, minimize cryptographic operations, and minimize state carried at intermediate relays. They claim an anonymity set on the order of 216 client-hosts by concealing the first hop; 224 with two hops, 228 with three, and not much improvement beyond.

They do not try to protect against application-layer tracking (by the destination host or otherwise), timing attacks, or detailed traffic analysis a la “Peek-A-Boo, I Still See You” from yesterday. It seemed like there were a lot of technical details to be worked out, and I’m also not clear on why the destination host wouldn’t just go ahead and do application-layer tracking, as they do already even when you’re not bothering to conceal your IP address.

### Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms

This is an analysis of offline attacks on large files of passwords. Attackers have a large set of encrypted passwords, and can mount many guesses; there are various “intelligent” strategies in the literature for the order in which to guess. How well do these strategies work? System administrators try to encourage users to make passwords harder to guess, by imposing “password composition policies”. How well does that work? Most such policies are ad hoc, not based on empirical evidence. They also often make the passwords harder to remember, which can hurt security in other ways.

They use “guess number” (the number of attempts required to guess a password, assuming a fixed list of guesses tried in sequence) as their metric, and allow their model attacker to make up to 50 trillion (short scale; 5 × 1013) guesses, using precomputed guess-number indexes for three different attack strategies, of which Weir’s probabilistic context-free grammar does best on real passwords. For data, they used several large leaked password databases, plus passwords solicited from Mechanical Turk users under various password-composition policies.

Some conclusions:

• Policies’ performance when attackers are limited to 108 guesses does not predict their performance when attackers can make 1013 guesses
• Training data conforming to a particular policy helps the attacker a great deal
• Subsets of test data are not reflective of the general population; some users just naturally pick better passwords under all policies
• NIST guidelines for password policies do not reflect actual password strength under each policy

and

• Requiring longer passwords, but not being picky about what’s in them, produces both better usability and better security.

### The science of guessing: analyzing an anonymized corpus of 70 million passwords

This is another analysis of password guessing difficulty, but focuses on user demographics rather than password policy. They collected keyed hashes of 70 million users across various Yahoo-owned sites and modeled their guessability as a probability distribution (“mean number of guesses required to succeed with probability α”). Their main conclusion is that most of the demographic splits they tried don’t make much difference: in particular, older users seem to pick slightly better passwords than younger users, and it doesn’t matter whether the account has a credit card number on file. Also, 42% of all passwords collected were unique, which is better than I would have expected.

### The quest to replace passwords: A framework for comparative evaluation of web authentication schemes

Lots of people have been trying to replace passwords entirely for some time: why haven’t we succeeded? The authors analyzed what has already been done and why it didn’t work, and came up with a methodology for evaluating new systems. The talk is mostly about the details of the methodology, in a vacuum; I’d rather they had taken more time describing how specific schemes measured up, and then drawn some inferences from that. Perhaps this is covered in the paper.

I did see one interesting takeaway: deployability has been neglected over and over again (despite its obvious relevance).

## System Security

### ILR: Where’d My Gadgets Go?

This is an attempt to thwart “return-oriented programming” code injection attacks, by randomizing the location of every instruction in memory. (The state of the art, “address space layout randomization,” moves instructions around in large blocks; if the attacker can find one address in the block, they can find everything.)

They’re doing this on binaries, so they can’t be absolutely sure where the instructions are, which pointers are pointers to code, etc. But, it’s okay to dump some random might-be-an-instruction bytes in some random places, because they just won’t get used. They statically translate the binary to an “extended instruction set,” whose instructions can be arbitrarily rearranged, because each contains the location of the next instruction (which makes me think of The Story of Mel). Then, a dynamic-translating VM executes these extended instructions on real hardware. More than 95% of instructions can be moved, and there’s a 13% slowdown.

They achieve 31 bits of entropy, out of a 32-bit address space, in each instruction’s location. (I presume the other half of the address space is where they put all the program’s data.) They assured us (but offered no explanation) that the attacker cannot get at gadgets within the VM runtime or the dynamically re-translated code that’s actually getting executed, and they demonstrated the defeat of a real-world ROP attack on Adobe Acrobat.

### Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

If you have a whole bunch of virtual machines running on shared hardware, you might want to set up a special supervisory VM that can audit the state of all the others. Unfortunately, all the stock diagnostic tools are designed to run inside the (possibly virtual) machine that is being diagnosed. From outside, you are working on a frozen snapshot, so you have to write code that digs through the machine’s memory space without benefit of any of the normal diagnostic APIs or even normal address translation logic. It’s difficult, tedious, and duplicative.

These people developed a special framework that can run stock diagnostic tools against a snapshot rather than a live VM. It was unclear how this got them out of digging through the snapshot. The talk was mostly a big long list of confusingly-described minor problems that they claimed to have solved.

### Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization

This is a similar concept to two talks back, but these people don’t want to have to run a dynamic translator, so instead, they scramble up the binary in place, ahead of time. They don’t move code around at large scale; the idea seems to be to eliminate byte sequences that comprise ROP gadgets, rather than make it hard to find them. They gave several worked examples of their transformations. It basically amounts to redoing the late stage of a compilation pipeline: select alternative instruction encodings as long as they’re the same length; within a basic block, reschedule instructions as long as dependencies are still honored; shuffle the order of register saves; redo the register allocation. Overall, they claim to be able to eliminate 80% of all ROP gadgets, with the remaining 20% due to not being able to prove that the entire contents of the compiled-code segment of the binary image are in fact code, rather than data. But this is good enough to break two state-of-the-art exploit generators (Mona and Q)

After the talk, I asked them if they’d considered modifying a compiler to avoid generating gadgets in the first place. They said several other people had already done that (e.g. “G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries”), so they wanted to see if it was doable with no more information than you get from an executable.

### Building Verifiable Trusted Path on Commodity X86 Computers

A “trusted path” is a secure channel from some process to the user, so that the user can be sure that confidential information goes straight to its intended recipient. This was difficult to achieve even on the simple TTY-oriented computers of yesteryear and is nigh-impossible now, because there’s lots more system components in between the input devices and the desired destination of user input.

The authors have developed a bolt-on trusted path that works together with the commodity OS of your choice (quite possibly “as long as that choice is Windows”, however). It consists of a very simple hypervisor, whose main function is to provide device isolation: none of the other devices on the system can be allowed to tamper with the device hosting the secure channel. That device is given over temporarily to a trusted device driver embedded in the program that uses the secure channel. Finally, an external verification device interrogates a TPM to confirm that all the software involved in the trusted path is as it should be. They claim that this design minimizes trusted components and allows the code that’s both trusted and highly privileged to be as simple as possible.

This is clever and all, but it seems to me that if you have to have an external verification device, you maybe should just pull the confidential interaction out to that device and use the computer only to transport messages that are already secured.

## Panel Discussion: How can a focus on “science” advance research in cybersecurity?

The thinking behind this prompt appears to have been: We’ve been doing “cybersecurity” “research” (for some value of both terms) for thirty-three years at this conference and quite a bit longer elsewhere, and yet we do not seem to be getting anywhere in terms of actual security improvements delivered to the general public, or even to the funding agencies (read: the US military). Clearly this means we are not being Scientific enough. What’s wrong and how do we fix it?

As you might suspect, I don’t much agree with any of the above premises or their presuppositions. Yeah, we haven’t reduced computer security to well-understood engineering practice yet. We’re still doing messy, methodologically unscrupulous, exploratory science. To an observer not directly engaged in the work, this can look like flailing around in the dark, and it can be frustratingly slow, but if you go back to the pioneering work in any scientific field, you see the same sort of thing. This is how exploratory science goes. That isn’t to say the way we do our research is ideal, but I think the real problems are just the well-known dysfunctions of the modern academic enterprise and its funding sources.

We do have a genuine problem with translating what solid results we have into real-world security improvements. We have known how to design ciphers that resist all known attacks for some years now, and yet—as seen in the case of the satellite phones at this very conference—people in industry are still deploying ciphers that are trivially broken. This I believe should be blamed on the overlapping well-known dysfunctions of what my pinko commie friends call “terminal-stage capitalism.” Conversely, industrial folks have a legitimate beef with academics doing research that has no possible relevance to the real world at all. I didn’t see any of that at this conference, except maybe the “Why Johnny Isn’t Robust” guys from yesterday, but it does happen. (I think as CS subfields go, security is generally better about staying relevant than e.g. programming language design.) And we shouldn’t forget that we are, in fact, doing better now than we were ten years ago. TLS is a pile of hacks on top of a flawed design but mostly it works.

Okay, I’ve dumped on the prompt enough, how was the panel? It was a whole lot of words saying not much at all. Which is what you get when you start with the wrong question—and I think most of the panelists knew in their bones it was the wrong question—and then make people talk for five minutes each. I’ll admit it was entertaining when they asked for audience questions and a whole row of people brought up their most favorite axes and started grinding.