WOOT '10 PROGRAM ABSTRACTS

Zero-sized Heap Allocations Vulnerability Analysis
In this article, we discuss a source of security vulnerabilities related to zero-sized heap allocations. We present a feasibility study to show the use of a theorem-prover-based extended static checker to help code audits find these vulnerabilities. We employed this tool to uncover around 10 local and remote untrusted code execution vulnerabilities in three core OS components. We highlight the benefits, the challenges faced and outstanding problems to enable wider use. Additional manual code review of remotely exposed software suggests that zero and near-zero allocations are particularly difficult to handle for developers.
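The abstract above names zero and near-zero allocations as a class developers handle poorly. The following C snippet is an added illustration, not code from the paper or its tool: a size expression that silently wraps to zero, beside a hypothetical `checked_alloc` wrapper that rejects zero-sized and overflowing requests before they reach `malloc()`. The helper names and the sample sizes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from the paper): the naive size computation
 * many allocation sites use. Unsigned multiplication wraps, so a large
 * attacker-influenced count can yield a zero or near-zero request. */
size_t naive_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Hypothetical helper: allocation that refuses zero-sized and
 * overflowing requests. malloc(0) may return a non-NULL pointer with
 * no usable space, so any later write based on the intended element
 * count lands past the allocation; rejecting the request up front
 * avoids that path entirely. */
void *checked_alloc(size_t count, size_t elem_size) {
    if (count == 0 || elem_size == 0) {
        return NULL;                 /* zero-sized request: treat as error */
    }
    if (count > SIZE_MAX / elem_size) {
        return NULL;                 /* count * elem_size would wrap */
    }
    return malloc(count * elem_size);
}

/* Returns 1 if checked_alloc accepts the request, 0 if it rejects it.
 * Frees the block so the check has no side effects. */
int request_accepted(size_t count, size_t elem_size) {
    void *p = checked_alloc(count, elem_size);
    if (p == NULL) {
        return 0;
    }
    free(p);
    return 1;
}

int main(void) {
    /* Constructed sample: big * 16 equals 2^(bits of size_t), i.e. wraps to 0 */
    size_t big = (size_t)1 << (sizeof(size_t) * 8 - 4);
    printf("naive_size(big, 16)            = %zu\n", naive_size(big, 16));
    printf("checked_alloc(big, 16) accepted = %d\n", request_accepted(big, 16));
    printf("checked_alloc(0, 16) accepted   = %d\n", request_accepted(0, 16));
    printf("checked_alloc(4, 16) accepted   = %d\n", request_accepted(4, 16));
    return 0;
}
```

The overflow check `count > SIZE_MAX / elem_size` is the standard way to detect the wrap without performing it; rejecting `count == 0` is a policy choice that matches the abstract's observation that zero-sized requests are rarely handled correctly by callers.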

Recovering Windows Secrets and EFS Certificates Offline
In this paper we present the result of our reverse-engineering of DPAPI, the Windows API for safe data storage on disk. Understanding DPAPI was the major roadblock preventing alternative systems such as Linux from reading Windows Encrypting File System (EFS) files. Our analysis of DPAPI reveals how an attacker can leverage DPAPI design choices to gain a nearly silent backdoor. We also found a way to recover all previous passwords used by any user on a system. We implement DPAPI data decryption and previous password extraction in a free tool called DPAPIck. Finally, we propose a backwards compatible scheme that addresses the issue of previous password recovery.

Crawling BitTorrent DHTs for Fun and Profit
This paper presents two kinds of attacks based on crawling the DHTs used for distributed BitTorrent tracking. First, we show how pirates can use crawling to rebuild BitTorrent search engines just a few hours after they are shut down (crawling for fun). Second, we show how content owners can use related techniques to monitor pirates' behavior in preparation for legal attacks and negate any perceived anonymity of the decentralized BitTorrent architecture (crawling for profit). We validate these attacks and measure their performance with a crawler we developed for the Vuze DHT. We find that we can establish a search engine with over one million torrents in under two hours using a single desktop PC. We also track 7.9 million IP addresses downloading 1.5 million torrents over 16 days. These results imply that shifting from centralized BitTorrent tracking to DHT-based tracking will have mixed results for the file sharing arms race. While it will likely make illicit torrents harder to quash, it will not help users hide their activities.

Practical Padding Oracle Attacks
At Eurocrypt 2002, Vaudenay introduced a powerful side-channel attack, called the padding oracle attack, against CBC-mode encryption with PKCS#5 padding (see [6]). If there is an oracle which, on receipt of a ciphertext, decrypts it and then replies to the sender whether the padding is correct or not, Vaudenay shows how to use that oracle to efficiently decrypt data without knowing the encryption key. In this paper, we turn the padding oracle attack into a new set of practical web hacking techniques. We also introduce a new technique that allows attackers to use a padding oracle to encrypt messages of any length without knowing the secret key. Finally, we show how to use that technique to mount advanced padding oracle exploits against popular web development frameworks.

Smudge Attacks on Smartphone Touch Screens
Touch screens are an increasingly common feature on personal computing devices, especially smartphones, where size and user interface advantages accrue from consolidating multiple hardware components (keyboard, number pad, etc.) into a single software-definable user interface. Oily residues, or smudges, on the touch screen surface are one side effect of touches from which frequently used patterns such as a graphical password might be inferred. In this paper we examine the feasibility of such smudge attacks on touch screens for smartphones, and focus our analysis on the Android password pattern. We first investigate the conditions (e.g., lighting and camera orientation) under which smudges are easily extracted. In the vast majority of settings, partial or complete patterns are easily retrieved. We also emulate usage situations that interfere with pattern identification, and show that pattern smudges continue to be recognizable. Finally, we provide a preliminary analysis of applying the information learned in a smudge attack to guessing an Android password pattern.

Framing Attacks on Smart Phones and Dumb Routers: Tap-jacking and Geo-localization Attacks
While many popular web sites on the Internet use frame busting to defend against clickjacking, very few mobile sites use frame busting. Similarly, few embedded web sites such as those used on home routers use frame busting. In this paper we show that framing attacks on mobile sites and home routers can have devastating effects. We develop a new attack called tap-jacking that uses features of mobile browsers to implement a strong clickjacking attack on phones. Tap-jacking on a phone is more powerful than traditional clickjacking attacks on desktop browsers. For home routers we show that framing attacks can result in theft of the wifi WPA secret key and a precise geo-localization of the wifi network. Finally, we show that overlay-based frame busting, such as used by Facebook, can leak private user information.

Interpreter Exploitation
As remote exploits further dwindle and perimeter defenses become the standard, remote client-side attacks are becoming the standard vector for attackers. Modern operating systems have quelled the explosion of client-side vulnerabilities using mitigation techniques such as data execution prevention (DEP) and address space layout randomization (ASLR). This work illustrates two novel techniques to bypass these mitigations. The two techniques leverage the attack surface exposed by the script interpreters commonly accessible within the browser. The first technique, pointer inference, is used to find the memory address of a string of shellcode within the Adobe Flash Player's ActionScript interpreter despite ASLR. The second technique, JIT spraying, is used to write shellcode to executable memory, bypassing DEP protections, by leveraging predictable behaviors of the ActionScript JIT compiler. Previous attacks are examined and future research directions are discussed.

A Framework for Automated Architecture-Independent Gadget Search
We demonstrate that automated, architecture-independent gadget search is possible. Gadgets are code fragments which can be used to build unintended programs from existing code in memory. Our contribution is a framework of algorithms capable of locating a Turing-complete gadget set. Translating machine code into an intermediate language allows our framework to be used for many different CPU architectures with minimal architecture-dependent adjustments. We define the paradigm of free-branch instructions to succinctly capture which gadgets will be found by our framework and investigate side effects of the gadgets produced. Furthermore, we discuss architectural idiosyncrasies of several widespread CPU architectures and how they need to be taken into account by the generic algorithms when locating gadgets.

Last changed: 30 June 2010 jel