Workshop Program

Clickjacking is a powerful attack against modern web applications. While browser primitives like X-Frame-Options provide a rigorous defense for simple applications, mashups such as social media widgets require secure user interaction while embedded in an untrusted webpage. Motivated by these application scenarios, the W3C UI safety specification proposes new browser primitives to provide a strong defense against clickjacking attacks on embedded widgets. We investigate whether these proposed primitives provide requisite security against clickjacking. We observe that UI security attacks such as clickjacking are fundamentally attacks on human perception. Revisiting clickjacking from a perceptual perspective, we develop five novel attacks that completely bypass the proposed UI safety specification. Our attacks are powerful with success rates ranging from 20% to 99%. However, they only scratch the surface of possible perceptual attacks on UI security. We discuss possible defenses against our perceptual attacks and find that most defenses either have an unacceptable usability cost or do not provide a comprehensive defense. Finally, we posit that a number of attacks are possible with a more comprehensive study of human perception.

Over the last decade, it has become well-established that a captcha’s ability to withstand automated solving lies in the difficulty of segmenting the image into individual characters. The standard approach to solving captchas automatically has been a sequential process wherein a segmentation algorithm splits the image into segments that contain individual characters, followed by a character recognition step that uses machine learning. While this approach has been effective against particular captcha schemes, its generality is limited by the segmentation step, which is hand-crafted to defeat the distortion at hand. No general algorithm is known for the character collapsing anti-segmentation technique used by most prominent real world captcha schemes.

This paper introduces a novel approach to solving captchas in a single step that uses machine learning to attack the segmentation and the recognition problems simultaneously. Performing both operations jointly allows our algorithm to exploit information and context that is not available when they are done sequentially. At the same time, it removes the need for any hand-crafted component, making our approach generalize to new captcha schemes where the previous approach can not. We were able to solve all the real world captcha schemes we evaluated accurately enough to consider the scheme insecure in practice, including Yahoo (5.33%) and ReCaptcha (33.34%), without any adjustments to the algorithm or its parameters. Our success against the Baidu (38.68%) and CNN (51.09%) schemes that use occluding lines as well as character collapsing leads us to believe that our approach is able to defeat occluding lines in an equally general manner. The effectiveness and universality of our results suggests that combining segmentation and recognition is the next evolution of catpcha solving, and that it supersedes the sequential approach used in earlier works. More generally, our approach raises questions about how to develop sufficiently secure captchas in the future.

The history of computers is full of underestimation: 640 kilobyte, 2-digit years, and 32-bit Internet addresses. IPv6 was invented to overcome the latter as well as to revise other drawbacks and security vulnerabilities of its predecessor IPv4. Initially considered the savior in terms of security because of its mandatory IPsec support, it turned out not to be the panacea it was thought to be. Outsourcing security to IPsec but eventually removing it as well as other design decisions led to a number of vulnerabilities. They range from the already known spoofing of answers to link-layer address requests to novel possibilities regarding node tracking. In an effort to fix them, a vast amount of updates have been introduced.

In this paper, we discuss security and privacy vulnerabilities with regard to IPv6 and their current countermeasures. In a second step, vulnerabilities and countermeasures are systematized by the appliance of an extendible common language for computer security incidents. Our evaluation shows that a large part of vulnerabilities can be mitigated but several security challenges remain. We deduce three main research challenges for IPv6 security, namely address assignment and structure, securing local network discovery, and address selection for reconnaissance.

The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. We leverage these flaws to create attacks which gain control of the system, and we successfully demonstrate them on the deployment in coordination with authorities. Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage. We make recommendations on how to improve existing systems and discuss the lessons learned for embedded systems security in general.

State machine learning is a useful technique for automating reverse engineering. In essence, it involves fuzzing different sequences of inputs for a system. We show that this technique can be successfully used to reverse engineer hand-held smartcard readers for Internet banking, by using a Lego robot to operate these devices. In particular, the state machines that are automatically inferred by the robot reveal a security vulnerability in one such a device, the e.dentifier2, that was previously discovered by manual analysis, and confirm the absence of this flaw in an updated version of this device.

The primary purpose of printed circuit board (PCB) reverse engineering is to determine electronic system or subsystem functionality by analyzing how components are interconnected. We performed a series of experiments using both inexpensive home-based solutions and state-of-the-art technologies with a goal of removing exterior coatings and accessing individual PCB layers. This paper presents our results from the most effective techniques.

Increased focus on the Universal Serial Bus (USB) attack surface of devices has recently resulted in a number of new vulnerabilities. Much of this advance has been aided by the advent of hardware-based USB emulation techniques. However, existing tools and methods are far from ideal, requiring a significant investment of time, money, and effort. In this work, we present a USB testing framework that improves significantly over existing methods in providing a cost-effective and flexible way to read and modify USB communication. Amongst other benefits, the framework enables man-in-the-middle fuzz testing between a host and peripheral. We achieve this by performing two-way emulation using inexpensive bespoke USB testing hardware, thereby delivering capabilities of a USB analyzer at a tenth of the cost. Mutation fuzzing is applied during live communication between a host and peripheral, yielding new security-relevant bugs. Lastly, we comment on the potential of the framework to improve current exploitation techniques on the USB channel.

Android is the most prevalent Linux-based mobile Operating System in the market today. Many features of the platform security (such as stack protection, key generation, etc.) are based on values provided by the Linux Pseudorandom Number Generator (LPRNG) and weaknesses in the LPRNG could therefore directly affect platform security. Much literature has been published previously investigating and detailing such weaknesses in the LPRNG. We build upon this prior work and show that - given a leak of a random value extracted from the LPRNG - a practical, inexpensive attack against the LPRNG internal state in early boot is feasible. Furthermore, the version of the Linux kernel vulnerable to such an attack is used in the majority of Android-based mobile devices in circulation. We also present two real-world exploitation vectors that could be enabled by such an attack. Finally, we mention current mitigations and highlight lessons that can be learned in respect to the design and use of future PRNGs for security features on embedded platforms.

Mobile devices can be protected by a variety of information flow control systems. These systems can prevent Trojans from leaking secrets over network connections. As mobile devices become more secure, attackers will begin to use unconventional methods for exfiltrating data.

We propose two sound-based covert channels, ultrasonic and isolated sound. Speakers on mobile devices can produce frequencies too high for most humans to hear. This ultrasonic sound can be received by a microphone on the same device or on another device. We implemented an ultrasonic modem for Android and found that it could send signals up to 100 feet away. We also determined that this attack is practical with the transmitter inside of a pocket. Android devices with vibrators can produce short vibrations which create isolated sound. These vibrations can be detected by the accelerometer, but they are not loud enough for humans to hear. If performed while the user is not holding the device, the vibrations will not be noticed.

Both covert channels can stealthily bypass many information flow control mechanisms. We propose several simple solutions to these vulnerabilities. In order to guarantee information flow control, sound-based channels must be regulated.