TECHNICAL RESEARCH REPORT

With the financial support from the Prevention of and Fight against Crime Programme of the European Union

European Commission – Directorate-General Home Affairs


2011 – 2014

Contents

Foreword (p. 5)

B-CCENTRE Project objectives for the Technical research track (p. 6)

Executive Summary (p. 7)
  KU Leuven DistriNet (p. 7)
  UCL Crypto Group (p. 10)

Partners (p. 16)
  Applicant organisation/Coordinator (p. 16)

Manager (p. 18)
  Ann Mennens (p. 18)

Professors (p. 19)
  Prof. Dr. Danny Hughes (p. 19)
  Prof. Dr. Christophe Huygens (p. 19)
  Prof. Dr. Wouter Joosen (p. 19)
  Prof. Dr. Olivier Pereira (p. 19)
  Prof. Dr. Frank Piessens (p. 20)
  Prof. Dr. Bart Preneel (p. 20)
  Prof. Dr. François-Xavier Standaert (p. 20)

Researchers (p. 21)
  Rafael Bachiller (p. 21)
  Antoon Bosselaers (p. 21)
  Ping Chen (p. 21)
  Dr. Danny Decock (p. 22)
  Dr. Lieven Desmet (p. 22)
  Dr. François Koeune (p. 23)
  Dr. Nick Nikiforakis (p. 23)
  Pieter Philippaerts (p. 23)
  Steven Van Acker (p. 23)

Publications (p. 24)
  FPDetective: Dusting The Web For Fingerprinters (p. 24)
  JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications (p. 24)
  Salus: Non-hierarchical memory access rights to enforce the principle of least privilege (p. 25)
  Compact Implementation and Performance Evaluation of Hash Functions in ATtiny Devices (p. 25)
  STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System (p. 26)
  How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios (p. 26)
  Measuring Vote Privacy, Revisited (p. 27)
  A dangerous mix: Large-scale analysis of mixed-content websites (p. 27)
  A study on Advanced Persistent Threats (p. 27)
  Election Verifiability or Ballot Privacy: Do We Need to Choose? (p. 28)
  Better Security and Privacy for Web Browsers: a Survey of Techniques, and a New Implementation (p. 28)
  Flowfox: a web browser with flexible and precise information flow control (p. 28)
  Information flow control for web scripts (p. 29)
  Secure multi-execution of web scripts: Theory and practice (p. 29)
  Automatic and Precise Client-Side Protection against CSRF Attacks (p. 30)
  A Security Analysis of Emerging Web Standards HTML5 and Friends, from Specification to Implementation (p. 30)
  Improving the Security of Session Management in Web Applications (p. 30)
  TabShots: Client-Side Detection of Tabnabbing Attacks (p. 31)
  Federated authorization for Software-as-a-Service applications (p. 31)
  Middleware for efficient and confidentiality-aware federation of access control policies (p. 32)
  Block Ciphers That Are Easier to Mask: How Far Can We Go? (p. 32)
  Masking vs. Multiparty Computation: How Large Is the Gap for AES? (p. 33)
  Low Entropy Masking Schemes, Revisited (p. 33)
  Efficient Masked S-Boxes Processing – A Step Forward (p. 33)
  Optimizing resource and data security in shared sensor networks (p. 34)
  Solving the VerifyThis 2012 challenges with VeriFast (p. 34)
  From New Technologies to New Solutions (Exploiting FRAM Memories to Enhance Physical Security) (p. 35)
  On the quaternion l-isogeny path problem (p. 35)
  Operational semantics for secure interoperation (p. 35)
  DEMACRO: Defense against Malicious Cross-domain Requests (p. 36)
  Access control in multi-party wireless sensor networks (p. 36)
  Towards a Secure Web: Critical Vulnerabilities and Client-Side Countermeasures (p. 37)
  You are what you include: Large-scale evaluation of remote JavaScript inclusions (p. 37)
  Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting (p. 38)
  Bitsquatting: Exploiting Bit-flips for Fun, or Profit? (p. 38)
  Exploring the Ecosystem of Referrer-Anonymizing Services (p. 39)
  HeapSentry: Kernel-assisted protection against heap overflows (p. 39)
  Stranger danger: Exploring the ecosystem of ad-based URL shortening services (p. 39)
  Sancus: Low-cost trustworthy extensible networked devices with a zero-software Trusted Computing Base (p. 40)
  There is safety in numbers: Preventing control-flow hijacking by duplication (p. 40)
  Bounding HFE with SRA (Christophe Petit) (p. 40)
  The future of mobile e-health application development: Exploring HTML5 for context-aware diabetes monitoring (p. 41)
  Evolutionary algorithms for classification of malware families through different network behaviors (p. 41)
  Network dialog minimization and network dialog diffing: Two novel primitives for network security applications (p. 42)
  PESAP: a Privacy enhanced social application platform (p. 42)
  Empirical assessment of security requirements and architecture: lessons learned (p. 43)
  Leakage-Resilient Symmetric Cryptography Under Empirically Verifiable Assumptions (p. 43)
  Fides: Selectively hardening software application components against kernel-level or process-level malware (p. 43)
  Protected software module architectures (p. 44)
  WebJail: Least-privilege integration of third-party components in web mashups (p. 44)
  FlashOver: Automated Discovery of Cross-site Scripting Vulnerabilities in Rich Internet Applications (p. 45)
  Monkey-in-the-browser: Malware and vulnerabilities in augmented browsing script markets - extended version (p. 45)
  Towards a systematic literature review on secure software design (p. 46)
  Large-scale security analysis of the web: Challenges and findings (p. 46)
  Practical verification of WPA-TKIP vulnerabilities (p. 46)
  Crying wolf? On the price discrimination of online airline tickets (p. 47)
  Empirical evaluation of a privacy-focused threat modeling methodology (p. 47)


Foreword

The Belgian Cybercrime Centre of Excellence for Training, Research and Education is Belgium’s central coordination, collaboration and knowledge-sharing platform in the fight against cybercrime. B-CCENTRE coordinates research teams at various universities which collaborate across disciplines on specific cybercrime, cybersecurity and cyberforensics related topics in both fundamental and applied research activities. Together with experts from public sector and industry partners, the academic B-CCENTRE partners design and teach basic and advanced trainings on specific cybercrime topics and develop and implement awareness raising initiatives in Belgium. B-CCENTRE does not focus its efforts on the national level only, but also engages in the fight against cybercrime beyond the Belgian borders through numerous contacts with similar centres abroad. B-CCENTRE is the Belgian node in the European network of Cybercrime Centres of Excellence and collaborates with the main European and international organisations dealing with cybercrime. It is sponsored by the Prevention of and Fight against Crime Programme of the European Union under Grant Agreement HOME/2010/ISEC/AG/INT-01, and co-funded by the academic partners, under the coordination of the KU Leuven.

The B-CCENTRE started its activities in spring 2011 and has since launched and supported numerous activities to enhance knowledge and knowledge sharing related to cybercrime, digital forensics, cybersecurity, online behaviour and risks, privacy, data protection and other related topics in Belgium and beyond. This book provides an overview of the results of the technical research performed within the framework of the EU-sponsored B-CCENTRE project, 18 April 2011 to 17 November 2014. There is a similar publication on the results of the criminological research and one on the results of the legal research performed. These three publications are complementary to the B-CCENTRE report of activities.

For further reading we refer to the publications section under the research tab on our website, www.b-ccentre.be. On the site you can also find information about B-CCENTRE partners and activities as well as an overview of relevant actors and education programmes and awareness raising activities in Belgium and other interesting leads.

We wish you an interesting read and welcome your feedback on the work done.

Ann Mennens – Manager B-CCENTRE
KU Leuven – iMinds – ICRI-CIR
Sint-Michielsstraat 6, box 3443
BE-3000 Leuven
[email protected]
www.b-ccentre.be
@B_CCENTRE

Disclaimer: All publications listed represent the opinions of their author(s) and do not represent the official position of the B-CCENTRE, nor of the European Commission on the topics discussed.


B-CCENTRE Project objectives for the Technical research track

In the B-CCENTRE Project, Work package 2 deals with the technology aspects of cybercrime. WP2 is devoted to fundamental and applied scientific research and to the development and organisation of advanced training courses. The research and education activities in this Work package drew on the expertise built up by the academic partners over the past decades and were planned to provide urgently needed in-depth knowledge on specific and advanced cybercrime issues experienced by law enforcement (both police and judiciary) and other involved partners, such as ISPs, registrars and banks.

The following research topics have been defined in the project:

• Research on cryptanalysis (T1)

• Research on reverse engineering (T2)

• Research on data recovery and preservation tools (T3)

• Research on traffic analysis (T4)

• Research on secure system software in embedded systems (T5)

• Research on security solutions for web services (T6)

• Research on side-channel attacks, in particular against embedded services (T7)

• Research on key sizes and actual security (T8)

• Research on provable security to assess the security of a system (T9)

Furthermore, a series of technical training modules have been planned in English and French (T10 to T18).

The objectives set have largely been met; in addition, further study work has been performed by the dedicated research teams, also involving researchers funded from resources other than B-CCENTRE.

Activities have resulted in a Technical Research Report (this publication), several published articles, education and training modules and have been presented at international conferences, seminars and training sessions. Most information on these activities is available on the B-CCENTRE website.


Executive Summary

KU Leuven DistriNet

Research results

DistriNet has pursued two lines of research in the context of the B-CCENTRE: system security of embedded systems (T5) and security solutions for web services (T6). The research results can be summarised as follows.

As to embedded systems, two topics have been treated. The emphasis has been on new system architectures centred on protected software modules. The approach has been demonstrated using a software [1] as well as a hardware [2] trusted computing base. Both approaches include actual implementations of the secure systems, including the compilers needed to use the security features. The second topic in the embedded systems track was related to the security of the Internet of Things: an architecture has been devised that facilitates sharing and federation of this class of devices whilst still maintaining a usable system footprint [3][4].

For the web security solutions, the focus has been on building an inventory of misuse and threats in the web or Internet ecosystem [5]. The results here are of key importance to battle cybercrime. On the one hand, understanding the problems is crucial to achieve security in this context and for the cybercrime community to come up with better security; on the other hand, the problems themselves also provide opportunities for law enforcement. For example, several threat/misuse scenarios can facilitate activities such as interception and tracking.

All research work has been presented at peer-reviewed A-level conferences. However, in the context of B-CCENTRE, the standard academic type of research valorisation is not sufficient, and care has been taken to translate research into targeted advisories for industry and, where possible, to indicate opportunities for forensics, monitoring or law enforcement activities.

Importance of the B-CCENTRE network

In the DistriNet research track, law enforcement has been a key partner, particularly in the area of web services research. The continuous interaction on this topic has led to an interception framework that can potentially be applied in the context of encrypted/authenticated web traffic if the intercepting party can achieve man-in-the-middle status. The framework has been provided and demonstrated to the Special Units of the Federal Police. The interception techniques have also been subject to a legal analysis (multidisciplinary approach) in order to identify the legal changes potentially necessary to make their application valid in a real setting. The research capability of DistriNet has also been available to law enforcement for selected questions on interception techniques as well as for the technical analysis of cyber readiness exercises.

As a result of on-going ecosystem characterisation, several vulnerabilities (e.g. FlashOver) were uncovered and pro-actively disseminated to industrial project partners (Febelfin, financial industry) for fixing. Again, the multi-disciplinary nature of B-CCENTRE has been key, since Belgian law prohibits probing of communication systems. As such, it is important to have the necessary legal support in place when performing this type of characterisation activity.

For the education tracks (T13/T14), trainings were specifically co-developed for a mixed audience of law enforcement and industry on selected topics. Where possible, these B-CCENTRE partners were given an active role, for example by providing parts of the course (FCCU, Cisco). So the trainings were not only delivered for but also by the B-CCENTRE network which was obviously beneficial for their quality.


Project changes

From a DistriNet perspective, there are no changes to report for the research activities in the proposal (T5, T6). For the education track, which targets a broader audience, it became clear upon considering the requirements of law enforcement and industry that the interest was less in cutting-edge research in the cybercrime area. Therefore these tasks were refocused on some practical challenges in these domains. For embedded systems, training centred on the introduction of IPv6 (the network software of these systems) and its security implications. For web solutions, training was directed at understanding the origin-based separation model in web applications, gaining insight into upcoming web security technology (HTML5 sandbox, X-Frame-Options, CSP, HSTS, ...) and assessing the benefits and drawbacks of these mechanisms for coarse-grained website confinement within the browser.

Available to other Cybercrime centres of Excellence

As a result of the B-CCENTRE grant, training material is available on IPv6 and the latest web standards. DistriNet already participated in the EU co-funded 2CENTRE project events with the IPv6 material. If so desired, the developed framework for lawful interception could also be shared with other Centres. On an ad-hoc basis, information has already been exchanged with other Centres.

Policy recommendations

As the DistriNet work is technical, it does not immediately direct policy changes. To apply the work in a practical setting however, several legal changes will be needed regarding interception and probing of communication. This should preferably be addressed at EU level.

Differences made by the project

In our opinion, the biggest benefit of the B-CCENTRE is the diversity of the partners. This diversity forces the academic partners to provide tangible real-world output that is short-term applicable, and provides valuable scenarios for validation of research results. Conversely, it provides law enforcement and industry with unprecedented access to subject matter experts that are well-versed in the state-of-the-art techniques of cybercrime.

Follow-up and continuation

Several aspects of ecosystem characterisation (element of project track T6) have been brought into a more continuous, operational setting (weather reports) at the request of industry partners – co-funded by regional or national initiatives.

On the other hand, several follow-up activities could be envisioned that have yet to find funding:

• A help line for law enforcement and industry to discuss impact of and approach towards state-of-the-art technologies.

• A forum for the exchange of needs and ideas regarding the national cybercrime landscape.

• A continuous education approach for cybercrime, with training on more topics and the ability to keep training material up-to-date.

• Automatic exchange mechanisms with other Cybercrime Centres of Excellence regarding cybercrime and the Centres’ key capabilities and offerings.


References

[1] Strackx, R., & Piessens, F. (2012). Fides: Selectively hardening software application components against kernel-level or process-level malware. CCS’12, Raleigh, North Carolina, USA.

[2] Noorman, J., Agten, P., Daniels, W., Huygens, C., Piessens, F., Preneel, B., Strackx, R., Van Herrewege, A., & Verbauwhede I. (2013). Sancus: Low-cost trustworthy extensible networked devices with a zero-software Trusted Computing Base. 22nd USENIX Security Symposium.

[3] Huygens, C., Matthys, N., & Joosen, W. (2011). Optimizing resource and data security in shared sensor networks. Security and Communication Networks. doi: 10.1002/sec.342.

[4] Maerien, J., Michiels, S., Huygens, C., Hughes, D., & Joosen, W. (2013). Access control in multi-party wireless sensor networks. 10th European Conference, EWSN 2013, Ghent, Belgium.

[5] Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., & Vigna, G. (2013). You are what you include: Large-scale evaluation of remote JavaScript inclusions. CCS’12, October 16–18, 2012, Raleigh, North Carolina, USA.


UCL Crypto Group

Introduction

Cryptography is one of the cornerstones of defense mechanisms against cyber-attacks, and a domain in constant evolution: new protection techniques, but also new attacks and unexpected flaws in existing schemes are regularly identified, sometimes with very serious practical consequences.

Although a very wide diversity of cryptographic algorithms and protocols exists nowadays – and the field keeps broadening – some of these elements are still of mere academic interest: they open new directions and perspectives for promising new solutions, but are not yet widely used in practical systems. On the other hand, some research questions are transversal to a large number of applications and likely to have a strong impact on many real-life solutions. For example, the discrete logarithm problem has a strong impact on a very large number of public-key cryptography constructions. The work of the UCL Crypto Group focused on such transversal problems of strong practical relevance.

Even so, the research scope remains very broad, with the required expertise ranging from microelectronics to formal methods and number theory. Considering the limited size of the B-CCENTRE project, we focused on synergies with other activities to create a leverage effect. A typical example thereof is the implementation of hash functions described below. Implementing 15 hash functions in assembly language represents a huge amount of work, but finding volunteers willing to take part in it is not too difficult. Besides researchers from UCL and ESAT/COSIC, this implementation effort thus involved many volunteers from multiple institutions, and B-CCENTRE resources allowed coordinating the effort, setting up the common framework and running the performance comparison.

B-CCENTRE also enabled multi-disciplinary activities, in particular with computer scientists of CERT and Belnet and with the law department of UNamur, with whom we explored the technical and legal aspects of solutions like Tor, allowing anonymous browsing on the internet.

We describe below the main technical tasks undertaken by UCL. Most of these results are already published and freely available: we will thus simply summarise them and provide references to detailed descriptions.

Provable security to assess the security of a system

Over the last decades, the notions of security in cryptography have evolved from ad-hoc towards provable security. Whereas the first protocols provided ad-hoc, or empirical, security, in the sense that the only guarantee was that nobody had been able to identify attacks against them, modern protocols come with a formal proof that a security breach could immediately be transformed into a solver for some problem that is believed to be very hard (such as factorisation). By contraposition, this proof guarantees that, provided the underlying problem is indeed hard, no attack against the protocol is possible. Far from being a merely academic artifact, provable security has proven to be of strong practical relevance. As a matter of fact, many attacks have been found against “heuristically secure” constructions (SSL...) that turned out to bear unexpected security flaws, some of which were only discovered after several years, at a time when the system had already been widely deployed.

Authentication mechanisms

In [2], we investigated the security of the well-known Fiat-Shamir transform, used in signature and identification schemes and in various voting systems. Our study showed a broad discrepancy in the way it is implemented, and led to the identification of security weaknesses in several systems, including the Helios system, widely used in Internet elections. We also fixed the security breach by proposing a strong variant that is provably secure.
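The difference between the two ways of applying the Fiat-Shamir transform, shown on a Schnorr proof of knowledge of a discrete logarithm. This is an added example, not code from [2] or from Helios; the group parameters (p = 1019, q = 509, generator 4) are a constructed toy group, far too small for real use, and the encoding of hash inputs is an assumption.

```python
import hashlib
import secrets
from typing import NamedTuple, Optional

# Toy group parameters (constructed for illustration only, far too small for real use):
# p = 2q + 1 with p and q prime; G = 4 is a square mod p, so it generates the order-q subgroup.
P = 1019
Q = 509
G = 4


def hash_to_challenge(*parts: int) -> int:
    """Hash a sequence of group elements into a 256-bit challenge (fixed-width encoding)."""
    h = hashlib.sha256()
    for value in parts:
        h.update(value.to_bytes(8, "big"))
    return int.from_bytes(h.digest(), "big")


class Proof(NamedTuple):
    commitment: int  # a = g^r mod p
    challenge: int   # c, derived by the Fiat-Shamir hash
    response: int    # z = r + c*x mod q


def challenge_for(statement: int, commitment: int, strong: bool) -> int:
    """Weak Fiat-Shamir hashes only the commitment; the strong variant also hashes the
    statement being proven (here the public value h and the generator)."""
    if strong:
        return hash_to_challenge(G, statement, commitment)
    return hash_to_challenge(commitment)


def prove(x: int, strong: bool, r: Optional[int] = None) -> Proof:
    """Non-interactive Schnorr proof of knowledge of x such that h = g^x mod p."""
    h = pow(G, x, P)
    if r is None:
        r = secrets.randbelow(Q - 1) + 1  # fresh nonce; never reuse it across proofs
    a = pow(G, r, P)
    c = challenge_for(h, a, strong)
    z = (r + c * x) % Q
    return Proof(a, c, z)


def verify(h: int, proof: Proof, strong: bool) -> bool:
    """Recompute the challenge from the transcript and check g^z == a * h^c (mod p)."""
    a, c, z = proof
    if not (0 < a < P and 0 <= z < Q):
        return False
    if c != challenge_for(h, a, strong):
        return False
    return pow(G, z, P) == (a * pow(h, c, P)) % P


def challenge_binds_statement(strong: bool) -> bool:
    """Diagnostic: for one commitment, do two different statements get different challenges?
    This is the property the strong variant adds and the weak one lacks."""
    h1 = pow(G, 123, P)
    h2 = pow(G, 456, P)
    a = pow(G, 77, P)
    return challenge_for(h1, a, strong) != challenge_for(h2, a, strong)


if __name__ == "__main__":
    x = 123
    h = pow(G, x, P)
    print("strong proof verifies:", verify(h, prove(x, strong=True), strong=True))
    print("weak FS binds the statement:", challenge_binds_statement(strong=False))
    print("strong FS binds the statement:", challenge_binds_statement(strong=True))
```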

Electronic voting

Many attempts were made to introduce electronic voting systems, but these often turned out to bear strong weaknesses. Recent electronic voting systems evolved – as usual in cryptography – towards provably secure systems, but the problem is complex and this goal has not been reached yet.

Considering its importance for democracy and the numerous issues that occurred in Belgium, we decided to take part in the effort of designing and evaluating the security of e-voting systems.

Clear and sound definitions are paramount to achieve provable security. In [3], we proposed a new measure for the privacy of votes, which captures in a unified manner the privacy loss due to the number of participants, the distribution of their votes and the insecurity of the underlying cryptographic schemes. This metric was tested on data from political elections and demonstrated several deficiencies in the privacy of votes.

One fundamental requirement for a voting scheme is that it should allow easy and convincing verification of the outcome. Ideally, the scheme should be universally verifiable, in the sense that anyone could examine the audit trail and be convinced that the results are genuine. In [6], we identified the precise encryption security notion that allows achieving universal verifiability without loss of privacy and with a computational complexity comparable to that of traditional voting schemes.

In order to push further the analysis of the real-life viability of provably secure electronic voting systems, we participated – as the only non-US experts – in a consortium that developed STAR-Vote, a Secure, Transparent, Auditable, and Reliable Voting System that is being considered for the next political elections in Travis County (Austin, Texas). This system is described in detail in [5].

Side-channel attacks and embedded devices

Hash functions

Hash functions are probably the most fundamental cryptographic primitive used in authentication mechanisms. They are also probably the cryptographic primitive that was most damaged in the last few years: a serious weakness was found in SHA-1 and MD5 (a collision attack, which can be – and actually was – used for example to generate false certificates and hence break PKIs), and replacement hash functions are needed. We implemented SHA-3 candidates on embedded platforms and ran performance comparisons [1].

Side-channel attacks

Physical security is another very important topic. Over the last 15 years, side-channel attacks, which target the security of cryptographic devices by exploiting their physical behaviour (running time, power consumption, electromagnetic emanations…), have proven to be of great practical significance for the security of embedded devices. Hundreds of papers have been published in the field, and this is one of the domains that receives the most attention, not only from academics but also from industry, as these attacks represent a very important threat for real-life devices. A well-known example of this type of attack is the one applied to Keeloq devices, which were used in many remote keyless car systems. Another example is that of the attack against the COMP128 algorithm, discovered at UCL, which proved to defeat the security of most of the SIM cards used by GSM operators in China.

Another aspect we focused on during this project is thus the design and assessment of cost-effective countermeasures.

In [4], we proposed a countermeasure to protect generic S-boxes against side-channel attacks. Based on the use of addition chains, this countermeasure is to this day the most efficient known way of protecting against higher-order attacks.

The cost of side-channel countermeasures is a very important factor, since the target platform is typically an embedded device that is very lightweight and must remain low-cost. Among the elements strongly influencing the cost of countermeasures, the need for randomness is often critical: countermeasures inject random elements into the computation, but generating random values is a difficult task on an embedded device. To reduce this cost, recent research explored Low Entropy Masking Schemes (LEMS), which aim at reducing the randomness requirements of countermeasures, hence making them cheaper. In [12], we analysed the efficiency of LEMS when the attacker’s behaviour deviates from what is expected, and highlighted some risks that must be taken into account.

Another recent proposal for efficient countermeasures was to use MultiParty Computation (MPC) techniques to achieve masking, but the efficiency of this method compared to classical masking was unclear. In [8], we showed that the cost was indeed considerably higher for first-order countermeasures, but that the relative costs evolved differently when higher-order attacks were taken into account, with the MPC technique proving more efficient for high-order attacks.

Side-channel countermeasures have a cost, which can be quite significant, in particular for embedded systems. This cost must be taken into account, and it sometimes turns out that lightweight algorithms cannot be masked efficiently, in the sense that a protected implementation implies a large overhead, so that the algorithm ultimately turns out not to be lightweight. In [9], we investigated the possibility of slightly modifying standard block ciphers (such as the AES) in order to allow more efficient masking, and proposed such a solution.

New technologies in electronic circuitry can also be useful to improve the efficiency of countermeasures. Ferroelectric RAM (FRAM) is a non-volatile memory technology becoming available for low-cost microcontrollers. It has the advantage of faster write performance, and tolerates a much larger number of write/erase cycles compared to the current technology based on flash memories. We had the idea of exploiting these properties to implement efficient side-channel countermeasures. In [11], we explored the possibility of using FRAM for shuffling (i.e. changing the order of execution so that an attacker cannot predict exactly which operation is being performed at a specific time), and for pre-computing masked look-up tables achieving resistance against higher-order adversaries.
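The two building blocks discussed in the masking paragraphs above, a precomputed masked look-up table and a shuffled execution order, together with a count of the random bits each mask consumes (the quantity LEMS try to reduce). This is an added example, not code from [4], [11] or [12]; it shows first-order Boolean masking only, the 4-bit PRESENT S-box is used as sample input, and the restricted mask set is a constructed illustration of the low-entropy idea, not the scheme analysed in [12].

```python
import math
import secrets
from typing import List, Optional, Sequence, Tuple

# Sample S-box (constructed input for the example): the 4-bit PRESENT S-box.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
NIBBLE_BITS = 4
_rng = secrets.SystemRandom()


def draw_mask(mask_set: Optional[Sequence[int]] = None) -> int:
    """Uniform 4-bit mask (full entropy) or, LEMS-style, a mask drawn from a restricted set."""
    if mask_set is None:
        return _rng.randrange(1 << NIBBLE_BITS)
    return _rng.choice(list(mask_set))


def mask_entropy_bits(mask_set: Optional[Sequence[int]] = None) -> float:
    """Random bits consumed per mask: log2 of the number of admissible mask values."""
    size = (1 << NIBBLE_BITS) if mask_set is None else len(set(mask_set))
    return math.log2(size)


def masked_table(sbox: Sequence[int], m_in: int, m_out: int) -> List[int]:
    """Precompute T with T[x ^ m_in] = S[x] ^ m_out for every x, so that the later
    lookup never handles x or S[x] in the clear (only their masked versions)."""
    table = [0] * len(sbox)
    for x, sx in enumerate(sbox):
        table[x ^ m_in] = sx ^ m_out
    return table


def masked_sbox_layer(state: Sequence[int], sbox: Sequence[int],
                      mask_set: Optional[Sequence[int]] = None
                      ) -> Tuple[List[int], int, List[int]]:
    """Mask the state, push every nibble through the masked table in a shuffled order,
    and return (masked output, output mask, processing order)."""
    m_in = draw_mask(mask_set)
    m_out = draw_mask(mask_set)
    table = masked_table(sbox, m_in, m_out)
    masked_in = [x ^ m_in for x in state]        # memory holds x ^ m_in, never x itself
    order = list(range(len(state)))
    _rng.shuffle(order)                           # shuffling: nibble i is handled at an unpredictable step
    masked_out = [0] * len(state)
    for i in order:
        masked_out[i] = table[masked_in[i]]       # equals S[x_i] ^ m_out
    return masked_out, m_out, order


def unmask(values: Sequence[int], mask: int) -> List[int]:
    """Remove a Boolean mask (the final step a real implementation delays as long as possible)."""
    return [v ^ mask for v in values]


def check_masking_correct(sbox: Sequence[int],
                          mask_set: Optional[Sequence[int]] = None,
                          trials: int = 50) -> bool:
    """Functional check: over many random masks and orders, the unmasked result always
    equals the plain S-box layer. (This checks correctness, not side-channel resistance.)"""
    state = list(range(len(sbox)))                # every input value exactly once
    expected = [sbox[x] for x in state]
    for _ in range(trials):
        masked_out, m_out, _ = masked_sbox_layer(state, sbox, mask_set)
        if unmask(masked_out, m_out) != expected:
            return False
    return True


if __name__ == "__main__":
    low_entropy_set = [0x0, 0x5, 0xA, 0xF]        # constructed 4-element mask set
    print("uniform masking correct:", check_masking_correct(PRESENT_SBOX))
    print("restricted-set masking correct:", check_masking_correct(PRESENT_SBOX, low_entropy_set))
    print("random bits per mask, uniform:", mask_entropy_bits())
    print("random bits per mask, restricted set:", mask_entropy_bits(low_entropy_set))
```

Drawing masks from the restricted set halves the random bits per mask here, which is the saving LEMS aim for; whether that restriction still resists an adversary who knows the set is exactly the question examined in [12].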

As of today, countermeasures against side-channel attacks are still heuristic, and their efficiency is only assessed by the fact that they seem to provide resistance against known attacks. In the future it would be very useful to have them evolve towards countermeasures whose effectiveness can be formally proved. This would be in line with the aforementioned general evolution of cryptography from ad hoc to provable security. Leakage-resilient cryptography is an attempt in this direction. Yet, this approach will be of practical relevance only if the formal models can be adequately connected to the practical aspects of side-channel attacks. In [7], we analysed this correspondence between theory and practice. We showed that the requirement of “bounded leakage” used in several theoretical works was indeed hard for hardware engineers to fulfil. We then introduced a new, more realistic and empirically verifiable assumption under which security proofs can be obtained.

Key sizes and actual security

A recurrent question in cryptography is that of the actual security of a given system and parameter set. The question is in fact twofold. The first aspect relates to the computational capabilities of adversaries: any system can in theory be broken by brute force (e.g. trying every possible key) or other algorithmic means (e.g. running factorisation algorithms), and parameter sizes must be chosen large enough for such attacks to require an impracticable running time, yet small enough to allow efficient execution by legitimate users. As the computational power of devices increases over time, these parameter sizes must be regularly re-evaluated and adapted.

The second aspect is that two systems with the same parameter size do not necessarily bring the same level of security. For example, elliptic curve cryptography (ECC) operates in specific mathematical structures named elliptic curves, and relies on the assumption that a mathematical problem known as the discrete logarithm computation is hard to solve on these curves. Due to their computational and storage efficiency, many different cryptosystems based on ECC have been proposed, using various elliptic curves as underlying structure for performance improvement. Yet, the discrete logarithm problem turned out not to be of the same complexity in each of these contexts, so that some proposals proved weaker than expected. A similar situation happens for another family of cryptosystems, the security of which is based on solving a large system of polynomial equations.

A clear understanding of the exact complexity of fundamental problems is paramount in order to correctly choose the cryptosystems to use, and tune their parameters to get appropriate security and performance levels. We investigated the actual security of the discrete logarithm (DL) problem, which underlies a large proportion of the signature schemes used to secure the Internet traffic. In this context, we provided strong arguments that the asymptotic security of the DL problem in binary fields was considerably smaller than expected. While our results do not have a direct impact on the key lengths used today, they suggest that, in the future, the increase of the key lengths resulting from the growing computational power may need to be much faster than it has been until now. In [10], we provided a rigorous bound on the complexity of solving a class of polynomial systems, used for example for the Hidden Field Equation (HFE) cryptosystem. This approach could have further implications on other systems connected to the elliptic curve discrete logarithm problem. In [15], we proposed a probabilistic algorithm to solve a quaternion ideal analog of the path problem in some specific graphs. This algorithm, subject to some heuristics, runs in polynomial time. This has security implications for the Charles-Goren-Lauter hash function, and for the original CGL construction in terms of supersingular elliptic curves.

Miscellaneous

Anonymity on the Internet

The massive surveillance activities by various states and large organisations demonstrated the weakness of the protection of our cyber-infrastructure. UCL investigated, through several approaches, anonymous communication technologies, and the Tor network in particular.

Tor is a network of Internet relays that route traffic in such a way that traffic surveillance becomes considerably harder. Initiated by the US Navy, the project went open when it was realised that soldiers would hardly be hidden in a network used only by the military. Since then, the project has remained fully open source, gathering the energies of various activists, and is used by numerous law enforcement agencies and journalists working on sensitive matters, among others (Tor is in part funded by these groups).

The use of Tor was quite limited in Belgium until the last few years, and no noticeable public router was running in the country. UCL, in collaboration with Belnet and CERT, deployed a complete Tor router (including exit traffic) early in 2013, the first stable one in Belgium. The behaviour of this router was closely monitored and, in collaboration with lawyers from UNamur, the legal aspects of running a Tor node in Belgium were investigated [12]. This study, taking into account the various information that could be obtained from our router, confirmed that routing Tor traffic did not raise any legal difficulty in Belgium. Attempting to filter the traffic, e.g. by filtering malware or blocking offensive content, would be considerably more sensitive, as UCL could become liable if the filtering failed at some point.

Concerned by the relatively small number of Tor nodes routing a large proportion of the Tor traffic (due to their high bandwidth and stability), UCL also investigated the possible use of Multipath TCP to bring more diversity into the Tor routing mechanism [13]. Our study indicates that a deployment of Tor over MPTCP could provide important additional protection against traffic correlation attacks (probably the most widely used attack against Tor), without impairing the stability of the connection. Further work in this direction is ongoing.

Cyber-security investigation

UCL also performed an investigation for the Belgian Institute for Postal services and Telecommunications (BIPT), related to a cyber-security incident that occurred in Belgium. The details of this incident and investigation are confidential.

Education track

Besides research activities, B-CCENTRE also contributed to long-term changes in our education track, thanks to the reorganisation and promotion of different courses, opening them up to multi-disciplinary audience:

Impact, follow-ups, recommendations

The collaborations with other public institutions and centres focusing on cybersecurity have been quite successful, are expected to remain so, and will hopefully develop further. The UCL Crypto Group will keep contributing to such collaborations through its internationally acknowledged expertise in most aspects of cryptography and its applications.

An important aspect of cybersecurity, which UCL is seeking to develop, would be the setting up of a national certification and evaluation centre to validate the security of commercial products, and of hardware systems in particular (hardware identification tokens, encrypting devices, ...). Throughout our contacts, multiple governmental and industrial actors have acknowledged how important such a center (to be compared with the BSI in Germany, or the ANSSI in France) would be for the industry.

References

[1] J. Balasch, B. Ege, T. Eisenbarth, B. Gerard, Z. Gong, T. Guneysu, S. Heyse, S. Kerckhof, F. Koeune, T. Plos, T. Poppelmann, F. Regazzoni, F.-X. Standaert, G. Van Assche, R. Van Keer, L. van Oldeneel tot Oldenzeel, I. von Maurich, Compact Implementation and Performance Evaluation of Hash Functions in ATtiny Devices, in the proceedings of CARDIS 2012, Lecture Notes in Computer Science, vol 7771, pp 158-172, Graz, Austria, November 2012, Springer

[2] David Bernhard, Olivier Pereira, and Bogdan Warinschi. How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios, In X. Wang and K. Sako, editor(s), ASIACRYPT 2012, Volume 7658 of Lecture Notes in Computer Science, pages 626--643, Springer, December 2012.

[3] David Bernhard, Veronique Cortier, Olivier Pereira, and Bogdan Warinschi. Measuring vote privacy, revisited, In Ting Yu and George Danezis and Virgil D. Gligor, editor(s), ACM Conference on Computer and Communications Security, pages 941-952, ACM, October 2012.

[4] Vincent Grosso, Emmanuel Prouff, and François-Xavier Standaert. Efficient Masked S-Boxes Processing – A Step Forward –, In D. Pointcheval and D. Vergnaud, editor(s), AFRICACRYPT 2014, Lecture Notes in Computer Science, Springer, May 2014

[5] Susan Bell, Josh Benaloh, Mike Byrne, Dana DeBeauvoir, Bryce Eakin, Gail Fischer, Philip Kortum, Neal McBurnett, Julian Montoya, Michelle Parker, Olivier Pereira, Philip Stark, Dan Wallach, and Michael Winn. STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System, Volume 1, pages 18--37, Usenix, August 2013

[6] Édouard Cuvelier, Olivier Pereira, and Thomas Peters. Election Verifiability or Ballot Privacy : Do We Need to Choose?, In Crampton, Jason and Jajodia, Sushil and Mayes, Keith, editor(s), Computer Security – ESORICS 2013, Volume 8134 of Lecture Notes in Computer Science (LNCS), pages 481-498, Springer Berlin Heidelberg, September 2013

[7] François-Xavier Standaert, Olivier Pereira, and Yu Yu. Leakage-Resilient Symmetric Cryptography under Empirically Verifiable Assumptions, Advances in Cryptology – CRYPTO 2013 , Lecture Notes in Computer Science, pages 335--352, August 2013

[8] Vincent Grosso, Francois-Xavier Standaert, Sebastian Faust, Masking vs. Multiparty Computation: How Large Is the Gap for AES?, in Proc. Cryptographic Hardware and Embedded Systems - CHES 2013, Lecture Notes in Computer Science Volume 8086, 2013, pp 400-416, Springer, 2013

[9] Benoît Gérard, Vincent Grosso, Maria Naya-Plasencia, François-Xavier Standaert, Block Ciphers That Are Easier to Mask: How Far Can We Go?, in Proc. Cryptographic Hardware and Embedded Systems - CHES 2013, Lecture Notes in Computer Science Volume 8086, 2013, pp 383-399, Springer, 2013

[10] Christophe Petit, Bounding HFE with SRA, submitted.

[11] Stéphanie Kerckhof, François-Xavier Standaert and Eric Peeters, From New Technologies to New Solutions (Exploiting FRAM Memories to Enhance Physical Security), in Proc. Twelfth Smart Card Research and Advanced Application Conference – CARDIS 2013, Lecture Notes in Computer Science (LNCS), Springer

[12] V. Grosso, F.-X. Standaert, E. Prouff, Low Entropy Masking Schemes, Revisited, in the proceedings of CARDIS 2013, Lecture Notes in Computer Science, vol 8419, pp 33-43, Berlin, Germany, November 2013

[13] Colin Melotte, TOR: un système d'anonymisation des communications internet face au droit. MS Thesis, UNamur, 2013.

[14] Florentin Rochet, Improving Tor With Multipath TCP. MS Thesis, UCL, 2014.

[15] David Kohel, Kristin Lauter, Christophe Petit, Jean-Pierre Tignol, On the quaternion $\ell$-isogeny path problem. LMS Journal of Computation and Mathematics, Volume 17, Issue A, pp 418-432. Special issue for ANTS, Algorithmic Number Theory Symposium conference.

Partners

Applicant organisation/Coordinator

KU Leuven

KU Leuven is the largest academic institution in Belgium and one of the oldest European universities as it was founded in 1425. It is a research-intensive, internationally oriented university that carries out both fundamental and applied research. It is strongly inter- and multidisciplinary in focus and strives for international excellence. To this end, KU Leuven works together actively with its research partners at home and abroad.

With a research expenditure of € 365 million in 2012, the KU Leuven is a leading research university in Europe. KU Leuven is also a member of the League of European Research Universities (LERU), a group of twenty European research-intensive universities committed to the values of high-quality education in an internationally competitive research environment. More than 200 KU Leuven researchers are permanently working on information and communications technology related issues. They belong to different university departments with a strong tradition in multidisciplinary research on information and communications technology issues.

DistriNet

The iMinds-DistriNet research group is part of the Department of Computer Science at the KU Leuven and of the iMinds Security Department.

The general domain of expertise and innovation of DistriNet is the development of open, distributed object support platforms for advanced applications. The research is always application driven and is often conducted in close collaboration with industry.

iMinds-DistriNet was founded in 1984 and has built up experience and expertise in system software for distributed systems since. The research has expanded from pure distributed operating systems to support platforms for distributed applications. Currently the DistriNet group works on a wide range of problems involving computer networks, middleware, distributed systems, embedded systems, multi-agent systems, security and internet middleware.

COSIC

Computer Security and Industrial Cryptography (COSIC) group is part of the KU Leuven Department of Electrical Engineering and the Security department of iMinds. It was founded in 1979 and currently has 5 professors, 4 support staff, and more than 40 researchers. During the last 15 years, COSIC obtained more than 1200 international reviewed publications in journals and conferences, 13 edited books, 10 patents and has graduated 60 PhD students.

The COSIC research group provides expertise in digital security and strives for innovative security solutions. The research is applied in a broad range of application domains, where the focus lays in the design, evaluation and implementation of cryptographic algorithms and protocols, the development of security architectures for information and communication systems, the building of security mechanisms for embedded systems and the design and analysis of privacy preserving systems.

B-CCENTRE Report – Technical Research – 2014

Co-beneficiaries

Université catholique de Louvain (UCL) – Crypto Group

Part of the Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM) of the Université catholique de Louvain, the UCL Crypto Group (http://www.uclouvain.be/crypto) gathers 2 full-time and 2 associate professors, 7 post-docs and 7 PhD students with backgrounds in microelectronics, telecommunications, computer science and mathematics. This wide diversity of knowledge allowed the group to develop an internationally recognised expertise in cryptography but also in its applications to various security-related issues, including design and analysis of cryptosystems and protocols, physical attacks on hardware systems and countermeasures, efficient hardware implementation of cryptosystems, elliptic curves, formal foundations of cryptography, zero-knowledge identification, privacy enhancing technologies, voting technologies, etc.

Its academic activity produced more than 100 international publications over the last 5 years. Over the last 15 years, the Crypto Group has been involved in more than 30 projects, both at local and European level (it has been taking part in European projects since 1994).

Manager

Ann Mennens

Ann Mennens is the Manager for the B-CCENTRE Project. She started working in September 2011 at ICRI, KU Leuven to organise the work of the Belgian Cybercrime Centre of Excellence for Training, Research and Education. She coordinates the activities of several academic research groups, public sector bodies and businesses in Belgium dealing with cybercrime. She initiates, supports and manages interdisciplinary research on cybercrime and cyber security, the development and teaching of basic and advanced cybercrime trainings. She is active in setting up and creating awareness raising initiatives related to safe online experiences, both for businesses and organisations, as well as the general public. She is representing the B-CCENTRE in conferences and working groups in Belgium, the EU and worldwide.

She is one of the founders of the Belgian Cyber Security Coalition, a coalition of public authorities, the academic world and the business sector joining forces against cybercrime in Belgium. It brings together more than 50 key players to share knowledge, raise awareness among citizens and businesses and issue recommendations for a more efficient policy. www.cybersecuritycoalition.be

For over 20 years, she has led various projects in the field of Justice and Security, involving governmental and other actors from the EU Member States and beyond. The fight against crime and cooperation between judicial authorities and law enforcement in the EU, have been at the core of the projects under her management. She has a track record of creating networks and systems for cooperation, information exchange and dissemination and of organising training programmes for several target groups, in particular Police and Judiciary.

Professors

Prof. Dr. Danny Hughes

Danny Hughes holds a Ph.D. in computer science from the University of Lancaster (UK). Since 2011 he has been working as a Professor with the iMinds-DistriNet research group of KU Leuven, where he coordinates the activities of the Networked Embedded Software task-force. His research interests include: distributed systems, middleware and networking. His current focus is on software technologies for the Internet of Things.

Prof. Dr. Christophe Huygens

Christophe Huygens is a consultant, an academic and an entrepreneur. He holds a Ph.D. in Computer Science from the Katholieke Universiteit Leuven, where he teaches Internet Security. His research interests include methods and metrics for quantification of policy compliance, assurance processes, policy enforcement and assurance strategies and security of sensor networks. He co-founded security start-up Ubizen and served as its CTO. As a consultant, Christophe helps clients with operational risk management as well as security and large-scale monitoring problems.

Prof. Dr. Wouter Joosen

Wouter Joosen is full professor at the Department of Computer Science of the Katholieke Universiteit Leuven in Belgium, where he teaches courses on software architecture and component-based software engineering, distributed systems and the engineering of secure service platforms. His research interests are in aspect-oriented software development, focusing on software architecture and middleware, and in security aspects of software, including security in component frameworks and security architectures.

Prof. Dr. Olivier Pereira

Olivier Pereira is a Professor at Université catholique de Louvain where he has co-led the UCL Crypto Group since 2007. His research interests are in cryptography and distributed algorithms, spanning from the formal definition, design and analysis of protocols to the actual implementation and deployment of secure systems. In particular, his work on voting technologies ranged from the definition of new cryptosystems with enhanced security properties to the lead on the design and organisation of the first large-scale universally verifiable and legally binding election.

Olivier Pereira has been a visiting scientist in the theory of computation group of MIT, in the Okamoto Laboratory of NTT (Japan), an invited professor at ENS of Cachan and at the University of Bukavu (RDC). His research has been supported by various grants from the Belgian Science Foundation (F.R.S-FNRS), the Belgian regional and federal governments, as well as from the EU.

Prof. Dr. Frank Piessens

Frank Piessens is a professor in the Department of Computer Science at the Katholieke Universiteit Leuven, Belgium. His research field is software security, where he focuses on the development of high-assurance techniques to deal with implementation-level software vulnerabilities and bugs, including techniques such as software verification, run-time monitoring, type systems and programming language design. He studies the theory behind these techniques as well as their application in many types of software systems, including web applications, embedded software, and mobile applications.

Prof. Dr. Bart Preneel

Prof. Bart Preneel received the Electrical Engineering degree and the Doctorate degree in applied sciences in 1987 and 1993, respectively, both from the Katholieke Universiteit Leuven, Leuven, Belgium. He has been a visiting professor at 5 universities and a research fellow at the University of California at Berkeley. His main research interests are cryptography, network security, and wireless communications. He has authored and coauthored more than 300 scientific publications and is the inventor of three patents. He has been serving on the IACR Board since 1997 as Director, Vice-President and President. He is a member of the Editorial Board of the Journal of Cryptology, the IEEE Transactions on Information Forensics and Security, and the International Journal of Information & Computer Security. He is also a Member of the Accreditation Board of the Computer and Communications Security Reviews (ANBAR, UK). He has been project manager of the EU FP7 NoE ECRYPT I and II (http://www.ecrypt.eu.org) between 2004 and 2013, which grouped more than 250 researchers in the area of cryptology.

Prof. Dr. François-Xavier Standaert

François-Xavier Standaert was born in Brussels, Belgium in 1978. He received the Electrical Engineering degree and PhD degree from the Université catholique de Louvain, respectively in June 2001 and June 2004. In 2004-2005, he was a Fulbright visiting researcher at Columbia University, Department of Computer Science, Network Security Lab and at the MIT Medialab, Center for Bits and Atoms. In March 2006, he was a founding member of IntoPix s.a. From 2005 to 2008, he was a post-doctoral researcher of the UCL Crypto Group and a regular visitor of the two aforementioned laboratories. Since September 2008, he has been associate researcher of the Belgian Fund for Scientific Research (F.R.S.-FNRS) and professor at the UCL Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM). In June 2011, he was awarded a Starting Independent Research Grant by the European Research Council. His research interests include digital electronics, FPGAs and cryptographic hardware, low power implementations for constrained environments (RFIDs, sensor networks, ...), the design and cryptanalysis of symmetric cryptographic primitives, physical security issues in general and side-channel analysis in particular.

20

B-CCENTRE Report – Technical Research – 2014


Researchers

Rafael Bachiller

Rafael Bachiller Soler holds an M.Sc. in Telecommunication Engineering from Universidad de Sevilla (Spain). Since 2012 he has been working as a PhD researcher in the DistriNet-iMinds research group of KU Leuven. His research focuses on building mobile crowdsourcing applications using component-based tools and online social networks. His research interests also include the study of IPv6 networking (fundamentals, transition mechanisms and security) applied to the Internet of Things.

Antoon Bosselaers

Antoon Bosselaers received a Master's Degree in Electrical Engineering from the Katholieke Universiteit Leuven (Belgium) in 1987. He joined the research group COSIC of the Department of Electrical Engineering (ESAT) at the KU Leuven in 1988. His main research interest is cryptology. This includes discrete mathematics, the cryptanalysis and design of cryptographic algorithms and protocols, and the development of secure and efficient software implementations. He has authored and co-authored more than 20 articles in international conference proceedings and journals, and is inventor of one patent. He is a co-designer of the hash function RIPEMD-160. He has participated in several international research projects sponsored by the European Commission.

Ping Chen

Ping Chen obtained his Master's degree in Computer Science (specialized in information security) from the Technische Universiteit Eindhoven (TU/e in the Netherlands) in August 2012. As of January 2013, he has been working in the iMinds-DistriNet group in KU Leuven as a PhD student. His research focus is Cybercrime and Web Application Security, under the supervision of prof. Christophe Huygens and Dr. Lieven Desmet.


Dr. Danny De Cock

Danny De Cock is a post-doctoral researcher in applied cryptography at the KU Leuven in Belgium. Danny is an expert in computer security, identity management and industrial cryptography applications, and he has conducted extensive research projects in this field.

His work includes the analysis and design of privacy preserving identity management systems and secure communications architectures for various environments and communities. He has also researched security aspects of mobile devices, car telematics, home appliances, electronic banking, electronic voting schemes, electronic identity cards and privacy enhanced identity management systems.

He was the coordinator of a study for the four Belgian governments to lay out the security architecture and functionality of the electronic voting system for Belgian elections. This system has been deployed for official elections in October 2012.

Danny is involved with different identity management projects to increase the efficiency of Belgian eGovernment services on the regional and federal level, and was the coordinator of the European Project TAS3 (Trusted Architecture for Securely Shared Services, cf. http://tas3.eu). This project focused on service oriented architectures that can be deployed in the employability and healthcare sector, in full compliance with European data protection regulations.

He was also in charge of the Modinis-IDM study (http://godot.be/modinis), organized by the European Commission to build on expertise and initiatives in the EU Member States and progress towards a coherent approach to electronic identity management in eGovernment in the European Union. The outcome of this study contributed to the current initiatives of the European Commission regarding the data protection regulation now being rolled out.

He is also involved in research on computer forensics through the B-CCENTRE, focusing on the protection of evidence.

Dr. Lieven Desmet

Lieven Desmet is Research Manager on Secure Software within the iMinds-DistriNet Research Group at the KU Leuven. His interests are in software security and the security of web-enabled technologies. He is on the OWASP board.

As research manager, Lieven Desmet coordinates the different security research tracks within DistriNet, outlines new research programs and coaches junior researchers in (web) application security. In particular, he follows up on valorization opportunities and collaborations with industrial partners.

Lieven Desmet bootstrapped the web application security research within DistriNet and has built a dedicated research team that ranks among the top in Europe. The core expertise of the team includes cross-domain interactions in web environments, HTML5 and JavaScript security and the security of web mashups. He collaborates intensively on these topics with labs and industrial partners across Europe.


Dr. François Koeune

François Koeune holds a Ph.D. in engineering sciences (cryptography) from UCL. Since 2003, he has been working both as the CEO of the consulting company K2Crypt and as a part-time senior researcher at the UCL Crypto Group, where he manages the Group's applied research projects. Reflecting this profile, split between academic research and industrial activities, one of his main fields of interest is the practical relevance of new cryptographic protocols or attacks to real-life systems.

Dr. Nick Nikiforakis

Dr. Nick Nikiforakis is an Assistant Professor in the Computer Science Department at Stony Brook University. He is interested in web application security and privacy, which he usually approaches by looking at the web as a series of interconnected ecosystems.

Pieter Philippaerts

Pieter Philippaerts is employed as a postdoctoral researcher at the Department of Computer Science of the KU Leuven. His main research interests lie in the field of computer security. In his doctoral thesis, he investigated the security of mobile devices and studied the different approaches that can be taken to secure untrusted mobile code. Before joining the KU Leuven, Pieter worked as a .NET technical consultant at Capgemini and AE. He has a good understanding of the practical and theoretical aspects of software engineering, and he also recognizes the importance of high-quality, readable code and a solid architectural design.

Steven Van Acker

Steven Van Acker is a PhD candidate at the iMinds-DistriNet research group of KU Leuven, working on web security. His main research interests are JavaScript sandboxing and large-scale experimentation on the Internet. Because of his involvement in hacker wargames and capture-the-flag competitions, he has a lot of practical experience in designing, building and maintaining secure systems and infrastructure.


Publications

FPDetective: Dusting The Web For Fingerprinters

Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., & Preneel, B.

In the modern web, the browser has emerged as the vehicle of choice, which users are to trust, customize, and use, to access a wealth of information and online services. However, recent studies show that the browser can also be used to invisibly fingerprint the user: a practice that may have serious privacy and security implications. In this paper, we report on the design, implementation and deployment of FPDetective, a framework for the detection and analysis of web-based fingerprinters. Instead of relying on information about known fingerprinters or third-party-tracking blacklists, FPDetective focuses on the detection of the fingerprinting itself. By applying our framework with a focus on font detection practices, we were able to conduct a large scale analysis of the million most popular websites of the Internet, and discovered that the adoption of fingerprinting is much higher than previous studies had estimated. Moreover, we analyze two countermeasures that have been proposed to defend against fingerprinting and find weaknesses in them that might be exploited to bypass their protection. Finally, based on our findings, we discuss the current understanding of fingerprinting and how it is related to Personally Identifiable Information, showing that there needs to be a change in the way users, companies and legislators engage with fingerprinting.

Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., & Preneel, B. (2013). FPDetective: Dusting The Web For Fingerprinters. 2013 ACM SIGSAC conference on Computer & communications security. doi: 10.1145/2508859.2516674.

JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications

Agten, P., Van Acker, S., Brondsema, Y., Phung, P.H., Desmet, L., & Piessens, F.

The inclusion of third-party scripts in web pages is a common practice. A recent study has shown that more than half of the Alexa top 10 000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website. We propose JSand, a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox. We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.

Agten, P., Van Acker, S., Brondsema, Y., Phung, P.H., Desmet, L., & Piessens, F. (2012). JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications. Annual Computer Security Applications Conference (ACSAC).


Salus: Non-hierarchical memory access rights to enforce the principle of least privilege

Avonds N, Strackx R, Agten P, Piessens F.

Consumer devices are increasingly being used to perform security and privacy critical tasks. The software used to perform these tasks is often vulnerable to attacks, due to bugs in the application itself or in included software libraries. Recent work proposes the isolation of security-sensitive parts of applications into protected modules, each of which can only be accessed through a predefined public interface. But most parts of an application can be considered security-sensitive at some level, and an attacker that is able to gain in-application level access may be able to abuse services from protected modules. We propose Salus, a Linux kernel modification that provides a novel approach for partitioning processes into isolated compartments. By enabling compartments to restrict the system calls they are allowed to perform and to authenticate their callers and callees, the impact of unsafe interfaces and vulnerable compartments is significantly reduced. We describe the design of Salus, report on a prototype implementation and evaluate it in terms of security and performance. We show that Salus provides a significant security improvement with a low performance overhead, without relying on any non-standard hardware support.

Avonds N, Strackx R, Agten P, Piessens F. (2013) Salus: Non-hierarchical memory access rights to enforce the principle of least privilege; Security and Privacy in Communication Networks (SecureComm 2013), volume 127, pages 252-269, Sydney, Australia, 25-27 September

Compact Implementation and Performance Evaluation of Hash Functions in ATtiny Devices

J. Balasch, B. Ege, T. Eisenbarth, B. Gérard, Z. Gong, T. Güneysu, S. Heyse, S. Kerckhof, F. Koeune, T. Plos, T. Pöppelmann, F. Regazzoni, F.-X. Standaert, G. Van Assche, R. Van Keer, L. van Oldeneel tot Oldenzeel, I. von Maurich

The pervasive diffusion of electronic devices in security and privacy sensitive applications has boosted research in cryptography. In this context, the study of lightweight algorithms has been a very active direction over the last years. In general, symmetric cryptographic primitives are good candidates for low-cost implementations. For example, several previous works have investigated the performance of block ciphers on various platforms. Motivated by the recent SHA3 competition, this paper extends these studies to another family of cryptographic primitives, namely hash functions. We implemented different algorithms on an ATMEL AVR ATtiny45 8-bit microcontroller, and provide their performance evaluation. All the implementations were carried out with the goal of minimizing the code size and memory utilization, and are evaluated using a common interface. As part of our contribution, we make all the corresponding source code available on a web page, under an open-source license. We hope that this paper provides a good basis for researchers and embedded system designers who need to include more and more functionalities in next generation smart devices.

J. Balasch, B. Ege, T. Eisenbarth, B. Gérard, Z. Gong, T. Güneysu, S. Heyse, S. Kerckhof, F. Koeune, T. Plos, T. Pöppelmann, F. Regazzoni, F.-X. Standaert, G. Van Assche, R. Van Keer, L. van Oldeneel tot Oldenzeel, I. von Maurich, Compact Implementation and Performance Evaluation of Hash Functions in ATtiny Devices, in the proceedings of CARDIS 2012, Lecture Notes in Computer Science, vol 7771, pp 158-172, Graz, Austria, November 2012, Springer


STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System

Benaloh, J., Byrne, M., Kortum, P., Mcburnett, N., Pereira, O., Stark, P.B., & Wallach, D.S.

In her 2011 EVT/WOTE keynote, Travis County, Texas County Clerk Dana DeBeauvoir described the qualities she wanted in her ideal election system to replace their existing DREs. In response, in April of 2012, the authors, working with DeBeauvoir and her staff, jointly architected STAR-Vote, a voting system with a DRE-style human interface and a “belt and suspenders” approach to verifiability. It provides both a paper trail and end-to-end cryptography using COTS hardware. It is designed to support both ballot-level risk-limiting audits, and auditing by individual voters and observers. The human interface and process flow is based on modern usability research. This paper describes the STAR-Vote architecture, which could well be the next-generation voting system for Travis County and perhaps elsewhere.

Benaloh, J., Byrne, M., Kortum, P., Mcburnett, N., Pereira, O., Stark, P.B., & Wallach, D.S. (2013). STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System. Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE '13).

How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios

David Bernhard, Olivier Pereira, and Bogdan Warinschi

The Fiat-Shamir transformation is the most efficient construction of non-interactive zero-knowledge proofs.

This paper is concerned with two variants of the transformation that appear but have not been clearly delineated in existing literature. Both variants start with the prover making a commitment. The strong variant then hashes both the commitment and the statement to be proved, whereas the weak variant hashes only the commitment. This minor change yields dramatically different security guarantees: in situations where malicious provers can select their statements adaptively, the weak Fiat-Shamir transformation yields unsound/unextractable proofs. Yet such settings naturally occur in systems when zero-knowledge proofs are used to enforce honest behavior. We illustrate this point by showing that the use of the weak Fiat-Shamir transformation in the Helios cryptographic voting system leads to several possible security breaches: for some standard types of elections, under plausible circumstances, malicious parties can cause the tallying procedure to run indefinitely and even tamper with the result of the election.

On the positive side, we define a form of adaptive security for zero-knowledge proofs in the random oracle model (essentially simulation-sound extractability), and show that a variant which we call strong Fiat-Shamir yields secure non-interactive proofs.

This level of security was assumed in previous works on Helios and our results are then necessary for these analyses to be valid. Additionally, we show that strong proofs in Helios achieve non-malleable encryption and satisfy ballot privacy, improving on previous results that required CCA security.

David Bernhard, Olivier Pereira, and Bogdan Warinschi. How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios, In X. Wang and K. Sako, editor(s), ASIACRYPT 2012, Volume 7658 of Lecture Notes in Computer Science, pages 626-643, Springer, December 2012
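The weak versus strong Fiat-Shamir distinction from the abstract above, worked through on a Schnorr proof of knowledge of a discrete logarithm. This is an added illustration for this report, not code from the paper or from Helios; the toy group (a safe prime of about 71 bits generated at import, far too small for real use), the SHA-256 hash-to-challenge rule and every function name are this example's own assumptions. It shows why hashing only the commitment is unsound when the prover picks the statement after seeing the challenge, and why binding the statement into the hash closes that gap.

```python
"""Strong vs. weak Fiat-Shamir on a Schnorr proof of knowledge of a discrete log.

Added example (not from the paper or from Helios). Everything below is an
assumption of this example: the toy group, the hash-to-challenge rule and
the function names. The group is a ~71-bit Schnorr group, far too small for
real use, chosen so the example runs in well under a second.
"""
import hashlib
import secrets


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n below 3.3e24."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_above(start: int) -> tuple[int, int]:
    """Smallest p = 2q + 1 with both q and p prime and q >= start."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime_above(1 << 70)   # p = 2q + 1: the quadratic residues form the order-q subgroup
G = 4                               # 4 = 2^2 is a quadratic residue and != 1, hence of order q


def hash_to_challenge(*parts: int) -> int:
    """Random-oracle stand-in: SHA-256 over the listed values, reduced into Z_q."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x: int, strong: bool) -> tuple[int, int, int]:
    """Honest proof that the prover knows x with h = g^x. Returns (h, A, s).

    strong=True  -> c = H(h, A)   (statement bound into the challenge)
    strong=False -> c = H(A)      (statement left out: the weak variant)
    """
    h = pow(G, x, P)
    r = secrets.randbelow(Q)
    a_commit = pow(G, r, P)
    c = hash_to_challenge(h, a_commit) if strong else hash_to_challenge(a_commit)
    return h, a_commit, (r + c * x) % Q


def verify(h: int, a_commit: int, s: int, strong: bool) -> bool:
    """Accept iff g^s == A * h^c, recomputing c exactly as the prover did."""
    c = hash_to_challenge(h, a_commit) if strong else hash_to_challenge(a_commit)
    return pow(G, s, P) == a_commit * pow(h, c, P) % P


def forge_weak(seed: bytes) -> tuple[int, int, int]:
    """Weak-FS proof for a statement h whose discrete log nobody has computed.

    Because c depends on A alone, it is fixed before h exists; taking A with an
    unknown discrete log and any s, the forger solves h = (g^s / A)^(1/c).
    The same triple fails strong verification, where c = H(h, A) cannot be
    known before h is chosen.
    """
    raw = 2 + int.from_bytes(hashlib.sha256(seed).digest(), "big") % (P - 3)
    a_commit = raw * raw % P             # square of a value in [2, p-2]: in the subgroup, != 1
    s = secrets.randbelow(Q)
    c = hash_to_challenge(a_commit)
    if c == 0:
        raise ValueError("degenerate challenge; use another seed")
    base = pow(G, s, P) * pow(a_commit, -1, P) % P   # g^s / A, an element of the subgroup
    h = pow(base, pow(c, -1, Q), P)                   # h^c == base, so g^s == A * h^c
    return h, a_commit, s


def demo() -> dict:
    """Honest proofs pass under both variants; the forgery passes only weak verification."""
    x = 123456789                                     # constructed secret exponent
    h, a, s = prove(x, strong=True)
    h2, a2, s2 = prove(x, strong=False)
    fh, fa, fs = forge_weak(b"no witness was used")
    return {
        "honest_strong": verify(h, a, s, strong=True),
        "honest_weak": verify(h2, a2, s2, strong=False),
        "forged_passes_weak": verify(fh, fa, fs, strong=False),
        "forged_passes_strong": verify(fh, fa, fs, strong=True),
    }


if __name__ == "__main__":
    print(demo())
```

The forgery never touches a witness: A is derived from a hash so that its discrete log is unknown, c = H(A) is fixed first, and the statement h is solved for last. Under the strong variant the challenge depends on h, so h cannot be chosen after c; the triple that passes weak verification is rejected. This is exactly the adaptive-statement setting the abstract describes, and the reason a verifier that accepts proofs over prover-chosen statements (ballots, in Helios) must insist on the statement being hashed.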


Measuring Vote Privacy, Revisited

David Bernhard, Veronique Cortier, Olivier Pereira, and Bogdan Warinschi

We propose a new measure for privacy of votes. Our measure relies on computational conditional entropy, an extension of the traditional notion of entropy that incorporates both information-theoretic and computational aspects. As a result, we capture in a unified manner privacy breaches due to two orthogonal sources of insecurity: combinatorial aspects that have to do with the number of participants, the distribution of their votes and the published election outcome, as well as insecurity of the cryptography used in an implementation.

Our privacy measure overcomes limitations of two previous approaches to defining vote privacy and we illustrate its applicability through several case studies. We offer a generic way of applying our measure to a large class of cryptographic protocols that includes the protocols implemented in Helios. We also describe a practical application of our metric on Scantegrity audit data from a real election.

David Bernhard, Veronique Cortier, Olivier Pereira, and Bogdan Warinschi. Measuring vote privacy, revisited, In Ting Yu and George Danezis and Virgil D. Gligor, editor(s), ACM Conference on Computer and Communications Security, pages 941-952, ACM, October 2012

A dangerous mix: Large-scale analysis of mixed-content websites

Chen P, Nikiforakis N, Huygens C, Desmet L.

In this paper, we investigate the current state of practice about mixed-content websites, websites that are accessed using the HTTPS protocol, yet include some additional resources using HTTP. Through a large-scale experiment, we show that about half of the Internet's most popular websites are currently using this practice and are thus vulnerable to a wide range of attacks, including the stealing of cookies and the injection of malicious JavaScript in the context of the vulnerable websites. Additionally, we investigate the default behavior of browsers on mobile devices and show that most of them, by default, allow the rendering of mixed content, which demonstrates that hundreds of thousands of mobile users are currently vulnerable to MITM attacks.

Chen P, Nikiforakis N, Huygens C, Desmet L. (2013) A dangerous mix: Large-scale analysis of mixed-content websites. Proceedings of the 16th Information Security Conference, Dallas, Texas, USA, 13-15 November 2013

A study on Advanced Persistent Threats

Chen P, Desmet L, Huygens C.

A recent class of threats, known as Advanced Persistent Threats (APTs), has drawn increasing attention from researchers, primarily from the industrial security sector. APTs are cyber attacks executed by sophisticated and well-resourced adversaries targeting specific information in high-profile companies and governments, usually in a long term campaign involving different steps. To a significant extent, the academic community has neglected the specificity of these threats and as such an objective approach to the APT issue is lacking. In this paper, we present the results of a comprehensive study on APT, characterizing its distinguishing characteristics and attack model, and analyzing techniques commonly seen in APT attacks. We also enumerate some non-conventional countermeasures that can help to mitigate APTs, thereby highlighting the directions for future research.

Chen P, Desmet L, Huygens C. (2014) A study on Advanced Persistent Threats. Proceedings of the 15th IFIP TC6/TC11 Conference on Communications and Multimedia Security, pages 63-70, Aveiro, Portugal, 25-26 September 2014


Election Verifiability or Ballot Privacy: Do We Need to Choose?

Cuvelier, E., Pereira, O., & Peters, T.

We propose a new encryption primitive, commitment consistent encryption (CCE), and instances of this primitive that enable building the first universally verifiable voting schemes with a perfectly private audit trail (PPAT) and practical complexity. That is: the audit trail that is published for verifying elections guarantees everlasting privacy, and the computational load required from the participants is only increased by a small constant factor compared to traditional voting schemes, and is optimal in the sense of Cramer, Gennaro and Schoenmakers [16]. These properties make it possible to introduce election verifiability in large scale elections as a pure benefit, that is, without loss of privacy compared to a non-verifiable scheme and at a similar level of efficiency. We propose different approaches for constructing voting schemes with PPAT from CCE, as well as two efficient CCE constructions: one is tailored for elections with a small number of candidates, while the second is suitable for elections with complex ballots.

Cuvelier, E., Pereira, O., & Peters, T. (2013). Election Verifiability or Ballot Privacy: Do We Need to Choose?. 18th European Symposium on Research in Computer Security, Egham, UK. doi: 10.1007/978-3-642-40203-6_27.

Better Security and Privacy for Web Browsers: a Survey of Techniques, and a New Implementation

De Groef, W., Devriese, D., & Piessens, F.

The web browser is one of the most security critical software components today. It is used to interact with a variety of important applications and services, including social networking services, e-mail services, and e-commerce and e-health applications. But the same browser is also used to visit less trustworthy sites, and it is unreasonable to make it the end-user's responsibility to "browse safely". So it is an important design goal for a browser to provide adequate privacy and security guarantees, and to make sure that potentially malicious content from one web site cannot compromise the browser, violate the user's privacy, or interfere with other web sites that the user interacts with.

Hence, browser security has been a very active topic of research over the past decade, and many proposals have been made for new browser security techniques or architectures. In the first part of this paper, we provide a survey of some important problems and some proposed solutions. We start with a very broad view on browser security problems, and then zoom in on the issues related to the security of JavaScript scripts on the Web. We discuss three important classes of techniques: fine-grained script access control, capability-secure scripting and information flow security for scripts, focusing on techniques with a solid formal foundation. In the second part of the paper, we describe a novel implementation of one information flow security technique. We discuss how we have implemented the technique of secure multi-execution in the Mozilla Firefox browser, and we report on some preliminary experiments with this implementation.

De Groef, W., Devriese, D., & Piessens, F. (2011). Better Security and Privacy for Web Browsers: a Survey of Techniques, and a New Implementation. 8th International Workshop on Formal Aspects of Security and Trust (FAST 2011). doi: 10.1007/978-3-642-29420-4.

Flowfox: a web browser with flexible and precise information flow control

De Groef, W., Devriese, D., Nikiforakis, N., & Piessens, F.

We present FlowFox, the first fully functional web browser that implements a precise and general information flow control mechanism for web scripts based on the technique of secure multi-execution.


We demonstrate how FlowFox subsumes many ad-hoc script containment countermeasures developed over the last years. We also show that FlowFox is compatible with the current web, by investigating its behavior on the Alexa top-500 web sites, many of which make intricate use of JavaScript.

The performance and memory cost of FlowFox is substantial (a performance cost of around 20% on macro benchmarks for a simple two level policy), but not prohibitive. Our prototype implementation shows that information flow enforcement based on secure multi-execution can be implemented in full-scale browsers. It can support powerful, yet precise policies refining the same-origin-policy in a way that is compatible with existing websites.

De Groef, W., Devriese, D., Nikiforakis, N., & Piessens, F. (2012). FlowFox: a web browser with flexible and precise information flow control. CCS'12, Raleigh, North Carolina, USA.

Information flow control for web scripts

De Groef W, Devriese D, Vanhoef M, Piessens F.

Modern web applications heavily rely on JavaScript code executing in the browser. These web scripts are useful for instance for improving the interactivity and responsiveness of web applications, and for gathering web analytics data. However, the execution of server-provided code in the browser also brings substantial security and privacy risks. Web scripts can access a fair amount of sensitive information, and can leak this information to anyone on the Internet. This tutorial paper discusses information flow control mechanisms for countering these threats. We formalize both a static, type-system based and a dynamic, multi-execution based enforcement mechanism, and show by means of examples how these mechanisms can enforce the security of information flows in web scripts.

De Groef W, Devriese D, Vanhoef M, Piessens F. (2014) Information flow control for web scripts. Lecture Notes in Computer Science, volume 8604, 2014

Secure multi-execution of web scripts: Theory and practice

De Groef W, Devriese D, Nikiforakis N, Piessens F.

Secure Multi-Execution (SME) is a precise and general information flow control mechanism that was claimed to be a good fit for implementing information flow security in browsers. We validate this claim by developing FlowFox, the first fully functional web browser that implements an information flow control mechanism for web scripts based on the technique of secure multi-execution. We provide evidence for the security of FlowFox by proving non-interference for a formal model of the essence of FlowFox, and by showing how it stops real attacks. We provide evidence of usefulness by showing how FlowFox subsumes many ad-hoc script-containment countermeasures developed over the last years. An experimental evaluation on the Alexa top-500 web sites provides evidence for compatibility, and shows that FlowFox is compatible with the current web, even on sites that make intricate use of JavaScript. The performance and memory cost of FlowFox is substantial (a performance cost of around 20% on macro benchmarks for a simple two-level policy), but not prohibitive. Our prototype implementation shows that information flow enforcement based on secure multi-execution can be implemented in full-scale browsers. It can support powerful, yet compatible policies refining the same-origin-policy in a way that is compatible with existing websites.

De Groef W, Devriese D, Nikiforakis N, Piessens F. (2014) Secure multi-execution of web scripts: Theory and practice. Journal of Computer Security, volume 22, issue 4, pages 469-509


Automatic and Precise Client-Side Protection against CSRF Attacks

De Ryck, P., Desmet, L., Joosen, W., & Piessens, F.

A common client-side countermeasure against Cross Site Request Forgery (CSRF) is to strip session and authentication information from malicious requests. The difficulty however is in determining when a request is malicious. Existing client-side countermeasures are typically too strict, thus breaking many existing websites that rely on authenticated cross-origin requests, such as sites that use third-party payment or single sign-on solutions.

The contribution of this paper is the design, implementation and evaluation of a request filtering algorithm that automatically and precisely identifies expected cross-origin requests, based on whether they are preceded by certain indicators of collaboration between sites. We formally show through bounded-scope model checking that our algorithm protects against CSRF attacks under one specific assumption about the way in which good sites collaborate cross-origin. We provide experimental evidence that this assumption is realistic: in a data set of 4.7 million HTTP requests involving over 20.000 origins, we only found 10 origins that violate the assumption. Hence, the remaining attack surface for CSRF attacks is very small. In addition, we show that our filtering does not break typical non-malicious cross-origin collaboration scenarios such as payment and single sign-on.

Keywords: CSRF, web security, browser security.

De Ryck, P., Desmet, L., Joosen, W., & Piessens, F. (2011). Automatic and Precise Client-Side Protection against CSRF Attacks. ESORICS'11 Proceedings of the 16th European conference on Research in computer security.

A Security Analysis of Emerging Web Standards HTML5 and Friends, from Specification to Implementation

De Ryck, P., Desmet, L., Piessens, F., & Joosen, W.

Over the past few years, a significant effort went into the development of a new generation of web standards, centered around the HTML5 specification. Given the importance of the web in our society, it is essential that these new standards are scrutinized for potential security problems. This paper reports on a systematic analysis of ten important, recent specifications with respect to two generic security goals: (1) new web mechanisms should not break the security of existing web applications, and (2) different newly proposed mechanisms should interact with each other gracefully. In total, we found 45 issues, of which 12 are violations of the security goals and 31 issues concern under-specified features. Additionally, we found that 6 out of 11 explicit security considerations have been overlooked/overruled in major browsers, leaving secure specifications vulnerable in the end. All details can be found in an extended version of this paper (De Ryck et al., 2012).

De Ryck, P., Desmet, L., Piessens, F., & Joosen, W. (2012). A Security Analysis of Emerging Web Standards HTML5 and Friends, from Specification to Implementation. SECRYPT 2012 - International Conference on Security and Cryptography.

Improving the Security of Session Management in Web Applications

De Ryck, P., Desmet, L., Piessens, F., & Joosen, W.

Session management is a critical component of modern web applications, allowing a server to keep track of user-specific state, such as an authentication status. Unfortunately, many applications deploy session management over an insecure HTTP channel, making them vulnerable to eavesdropping, session hijacking or session fixation attacks. On the contrary, state-of-practice guidelines advocate the deployment of session management on a secure HTTPS channel, using the HttpOnly and Secure cookie attributes, effectively eliminating these well-known session management attacks. The goal of this paper is to provide secure session management to web applications deployed over HTTP. We propose a secure and lightweight session management mechanism, effectively improving session management security with HTTP deployments. By establishing a safely contained, shared secret between browser and server, an attacker is prevented from taking over a user’s session, since the secret is never transmitted, nor accessible. We demonstrate the applicability of our solution to a common scenario involving third-party authentication, clearly indicating the gained security properties. Our secure and lightweight session management mechanism raises the security bar for HTTP deployments, which will eventually lead to secure session management for all web applications.

De Ryck, P., Desmet, L., Piessens, F., & Joosen, W. (2013). Improving the Security of Session Management in Web Applications. OWASP AppsecEU13.

TabShots: Client-Side Detection of Tabnabbing Attacks

De Ryck, P., Nikiforakis, N., Desmet, L., & Joosen, W.

As the web grows larger and larger and as the browser becomes the vehicle-of-choice for delivering many applications of daily use, the security and privacy of web users is under constant attack. Phishing is as prevalent as ever, with anti-phishing communities reporting thousands of new phishing campaigns each month. In 2010, tabnabbing, a variation of phishing, was introduced. In a tabnabbing attack, an innocuous-looking page, opened in a browser tab, disguises itself as the login page of a popular web application, when the user’s focus is on a different tab. The attack exploits the trust of users for already opened pages and the user habit of long-lived browser tabs. To combat this recent attack, we propose TabShots. TabShots is a browser extension that helps browsers and users to remember what each tab looked like, before the user changed tabs. Our system compares the appearance of each tab and highlights the parts that were changed, allowing the user to distinguish between legitimate changes and malicious masquerading. Using an experimental evaluation on the most popular sites of the Internet, we show that TabShots has no impact on 78% of these sites, and very little on another 19%. Thereby, TabShots effectively protects users against tabnabbing attacks without affecting their browsing habits and without breaking legitimate popular sites.

De Ryck, P., Nikiforakis, N., Desmet, L., & Joosen, W. (2013). TabShots: Client-Side Detection of Tabnabbing Attacks. ASIA CCS’13, Hangzhou, China.

Federated authorization for Software-as-a-Service applications

Decat, M., Lagaisse, B., Van Landuyt, D., Crispo, B., Joosen, W., Meersman, R., Panetto, H., Dillon, T., Eder, J., Bellahsene, Z., Ritter, N., De Leenheer, P., & Dou D.

Software-as-a-Service (SaaS) is a type of cloud computing in which a tenant rents access to a shared, typically web-based application hosted by a provider. Access control for SaaS should enable the tenant to control access to data that are located at the provider based on tenant-specific access control policies. To achieve this, state-of-practice SaaS applications provide application-specific access control configuration interfaces and as a result, the tenant policies are evaluated at the provider side. This approach does not support collaboration between provider-side and tenant-side access control infrastructures, thus scattering tenant access control management and forcing the tenant to disclose sensitive access control data. To address these issues, we describe the concept of federated authorization in which management and evaluation of the tenant policies is externalized from the SaaS application to the tenant. This centralizes tenant access control management and lowers the required trust in the provider. This paper presents a generic middleware architecture for federated authorization, describing required extensions to current policy languages and a distributed execution environment. Our evaluation explores the trade-off between performance and security and shows that federated authorization is a feasible and promising approach.

Decat, M., Lagaisse, B., Van Landuyt, D., Crispo, B., Joosen, W., Meersman, R., Panetto, H., Dillon, T., Eder, J., Bellahsene, Z., Ritter, N., De Leenheer, P., & Dou D. (2012). Federated authorization for Software-as-a-Service applications. CEUR Workshop Proceedings Doctoral Symposium of ESSoS 12.

Middleware for efficient and confidentiality-aware federation of access control policies

Decat M, Lagaisse B, Joosen W.

Software product line engineering (SPLE) techniques revolve around a central variability model which in many cases is a feature model that documents the logical capabilities of the system as features and the variability relationships between them. In more traditional SPLE, this feature model is a result of domain analysis and requirement elicitation, while more recently this approach has been extended to represent also design-time variability, for example to document different ways to realize the same functionality. In many approaches, the feature model has run-time relevance as well. For example, in earlier work, we have used SPLE techniques to develop customizable multi-tenant SaaS applications, i.e. SaaS applications of which a single run-time instance is offered to many customer organizations (tenants), often with widely different requirements. In such systems, tenant customization is accomplished entirely at run time. In this paper, we present and explore the idea of promoting the feature model as a run-time artifact in the context of customizable multi-tenant SaaS applications, and we discuss the potential benefits in terms of the deployment, operation, maintenance, and evolution of these systems. In addition, we discuss the requirements this will impose on the development methods, the variability modeling languages, and the middleware.

Decat M, Lagaisse B, Joosen W. (2014) Middleware for efficient and confidentiality-aware federation of access control policies; Journal of Internet Services and Applications, volume 5, pages 1-15, February 2014

Block Ciphers That Are Easier to Mask: How Far Can We Go?

Gérard, B., Grosso, V., Naya-Plasencia, M., & Standaert, F.

The design and analysis of lightweight block ciphers has been a very active research area over the last couple of years, with many innovative proposals trying to optimize different performance figures. However, since these block ciphers are dedicated to low-cost embedded devices, their implementation is also a typical target for side-channel adversaries. As preventing such attacks with countermeasures usually implies significant performance overheads, a natural open problem is to propose new algorithms for which physical security is considered as an optimization criteria, hence allowing better performances again. We tackle this problem by studying how much we can tweak standard block ciphers such as the AES Rijndael in order to allow efficient masking (that is one of the most frequently considered solutions to improve security against side-channel attacks). For this purpose, we first investigate alternative S-boxes and round structures. We show that both approaches can be used separately in order to limit the total number of non-linear operations in the block cipher, hence allowing more efficient masking. We then combine these ideas into a concrete instance of block cipher called Zorro. We further provide a detailed security analysis of this new cipher taking its design specificities into account, leading us to exploit innovative techniques borrowed from hash function cryptanalysis (that are sometimes of independent interest). Eventually, we conclude the paper by evaluating the efficiency of masked Zorro implementations in an 8-bit microcontroller, and exhibit their interesting performance figures.


Gérard, B., Grosso, V., Naya-Plasencia, M., & Standaert, F. (2013). Block Ciphers That Are Easier to Mask: How Far Can We Go? 15th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2013), Santa Barbara, CA, USA. doi: 10.1007/978-3-642-40349-1_22.

Masking vs. Multiparty Computation: How Large Is the Gap for AES?

Grosso, V., Standaert, F., & Faust, S.

In this paper, we evaluate the performances of state-of-the-art higher-order masking schemes for the AES. Doing so, we pay particular attention to the comparison between specialized solutions introduced exclusively as countermeasures against side-channel analysis, and a recent proposal by Roche and Prouff exploiting MultiParty Computation (MPC) techniques. We show that the additional security features this latter scheme provides (e.g. its glitch-freeness) come at the cost of large performance overheads. We then study how exploiting standard optimization techniques from the MPC literature can be used to reduce this gap. In particular, we show that “packed secret sharing” based on a modified multiplication algorithm can speed up MPC-based masking when the order of the masking scheme increases. Eventually, we discuss the randomness requirements of masked implementations. For this purpose, we first show with information theoretic arguments that the security guarantees of masking are only preserved if this randomness is uniform, and analyze the consequences of a deviation from this requirement. We then conclude the paper by including the cost of randomness generation in our performance evaluations. These results should help actual designers to choose a masking scheme based on security and performance constraints.

Grosso, V., Standaert, F., & Faust, S. (2013). Masking vs. Multiparty Computation: How Large Is the Gap for AES? 15th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2013), Santa Barbara, CA, USA. doi: 10.1007/978-3-642-40349-1_23.

Low Entropy Masking Schemes, Revisited

Grosso, V., Standaert, F., & Prouff, E.

Low Entropy Masking Schemes (LEMS) are a recent countermeasure against side-channel attacks. They aim at reducing the randomness requirements of masking schemes under certain (adversarial and implementation) conditions. Previous works have put forward the interest of this approach when such conditions are met. We complement these investigations by analyzing LEMS against adversaries and implementations that deviate from their expected behavior, in a realistic manner. Our conclusions are contrasted: they confirm the theoretical interest of the countermeasure, while suggesting that its exploitation in actual products may be risky, because of hard(er) to control hardware assumptions.

Grosso, V., Standaert, F., & Prouff, E. (2013). Low Entropy Masking Schemes, Revisited. In the proceedings of CARDIS 2013, Lecture Notes in Computer Science, vol 8419, pp 33-43, Berlin, Germany, November 2013

Efficient Masked S-Boxes Processing – A Step Forward

Vincent Grosso, Emmanuel Prouff, and François-Xavier Standaert

To defeat side-channel attacks, the implementation of block-cipher algorithms in embedded devices must include dedicated countermeasures. To this end, security designers usually apply secret sharing techniques and build masking schemes to securely operate and share data. The popularity of this approach can be explained by the fact that it enables formal security proofs. The construction of masking schemes thwarting higher-order side-channel attacks, which correspond to a powerful adversary able to exploit the leakage of the different shares, has been a hot topic during the last decade. Several solutions have been proposed, usually at the cost of significant performance overheads. As a result, the quest for efficient masked S-box implementations is still ongoing. In this paper, we focus on the scheme proposed by Carlet et al. at FSE 2012, and later improved by Roy and Vivek at CHES 2013. This scheme is today the most efficient one to secure a generic S-box at any order. By exploiting an idea introduced by Coron et al. at FSE 2013, we show that Carlet et al.'s scheme can still be improved for S-boxes with input dimension larger than four. We obtain this result thanks to a new definition for the addition-chain exponentiation used during the masked S-box processing. For the AES and DES S-boxes, we show that our improvement leads to significant efficiency gains.

Vincent Grosso, Emmanuel Prouff, and François-Xavier Standaert. Efficient Masked S-Boxes Processing – A Step Forward. In D. Pointcheval and D. Vergnaud (eds.), AFRICACRYPT 2014, Lecture Notes in Computer Science, Springer, May 2014

Optimizing resource and data security in shared sensor networks

Huygens, C., Matthys, N., & Joosen, W.

A growing number of deployments of Wireless Sensor Networks (WSNs) position the nodes as multi-purpose albeit limited platforms. These platforms offer services to a set of applications of different owners. This view introduces security problems complementary to protection against outsiders, requiring mechanisms beyond the existing physical, base crypto and network-level protection. Limited trust in the different applications mandates a security solution providing granular control over resources and data. Due to the constrained nature of network embedded systems, transferring solutions from the distributed systems domain to the embedded system requires optimization. Distributed monitors can provide adequate security but must be concise and controllable by lightweight run-time artifacts as well as be deployed only where needed. The presented research consists of an operational model that inserts controls by instrumentation of local or remote interaction in the resource-rich backend, subsequently enforcing control at the nodes by using scaled-down policy engines. The selective injection is achieved through aspect-oriented techniques. The solution is demonstrated for two paradigms encountered when building WSN applications, thus achieving local resource protection and protection of distributed event-based data flow. The costs and benefits of the selective injection approach are validated and quantified through a river monitoring case and associated simulation experiments.

Huygens, C., Matthys, N., & Joosen, W. (2011). Optimizing resource and data security in shared sensor networks. Security and Communication Networks. doi: 10.1002/sec.342.

Solving the VerifyThis 2012 challenges with VeriFast

Jacobs B, Smans J, Piessens F.

We describe our experience solving the VerifyThis 2012 challenges with our program verification tool VeriFast, including detailed explanations of our solutions. We also describe some alternative solutions that we developed after the competition. VeriFast is a modular verifier that takes Java or C source code annotated with function/method specifications written in a variant of separation logic, and verifies that the code complies with the annotations through symbolic execution.

Jacobs B, Smans J, Piessens F. (2014) Solving the VerifyThis 2012 challenges with VeriFast; International Journal on Software Tools for Technology Transfer, 2014


From New Technologies to New Solutions (Exploiting FRAM Memories to Enhance Physical Security)

Kerckhof, S., Standaert, F., & Peeters E.

Ferroelectric RAM (FRAM) is a promising non-volatile memory technology that is now available in low-end microcontrollers. Its main advantages over Flash memories are faster write performances and much larger tolerated number of write/erase cycles. These properties are profitable for the efficient implementation of side-channel countermeasures exploiting pre-computations. In this paper, we illustrate the interest of FRAM-based microcontrollers for physically secure cryptographic hardware with two case studies. First we consider a recent shuffling scheme for the AES algorithm, exploiting randomized program memories. We exhibit significant performance gains over previous results in an Atmel microcontroller, thanks to the fine-grained programmability of FRAM. Next and most importantly, we propose the first working implementation of the “masking with randomized look-up table” countermeasure, applied to reduced versions of the block cipher LED. This implementation provides unconditional security against side-channel attacks (of all orders!) under the assumption that pre-computations can be performed without leakage. It also provides high security levels in cases where this assumption is relaxed (e.g. for context or performance reasons).

Kerckhof, S., Standaert, F., & Peeters E. (2013). From New Technologies to New Solutions (Exploiting FRAM Memories to Enhance Physical Security). 12th Smart Card Research and Advanced Application Conference.

On the quaternion ℓ-isogeny path problem

David Kohel, Kristin Lauter, Christophe Petit, Jean-Pierre Tignol

Let O be a maximal order in a definite quaternion algebra over Q of prime discriminant p, and ℓ a small prime. We describe a probabilistic algorithm, which for a given left O-ideal, computes a representative in its left ideal class of ℓ-power norm. In practice the algorithm is efficient, and subject to heuristics on expected distributions of primes, runs in expected polynomial time. This breaks the underlying problem for a quaternion analog of the Charles-Goren-Lauter hash function, and has security implications for the original CGL construction in terms of supersingular elliptic curves.

David Kohel, Kristin Lauter, Christophe Petit, Jean-Pierre Tignol. On the quaternion ℓ-isogeny path problem. To appear in the LMS Journal of Computation and Mathematics, as a special issue for the ANTS (Algorithmic Number Theory Symposium) conference.

Operational semantics for secure interoperation

Larmuseau A, Patrignani M, Clarke D.

Modern software systems are commonly programmed in multiple languages. Research into the security and correctness of such multi-language programs has generally relied on static methods that check both the individual components as well as the interoperation between them. In practice, however, components are sometimes linked in at run-time through malicious means. In this paper we introduce a technique to specify operational semantics that securely combine an abstraction-rich language with a model of an arbitrary attacker, without relying on any static checks. The resulting operational semantics, instead, lifts a proven memory isolation mechanism into the resulting multi-language system. We establish the security benefits of our technique by proving that the obtained multi-language system preserves and reflects the equivalences of the abstraction-rich language. To that end a notion of bisimilarity for this new type of multi-language system is developed.


Larmuseau A, Patrignani M, Clarke D. (2014) Operational semantics for secure interoperation; Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security, pages 40-52, Uppsala, 1-08-2014

DEMACRO: Defense against Malicious Cross-domain Requests

Lekies, S., Nikiforakis, N., Tighzert, W., Piessens, F., & Johns, M.

In the constant evolution of the Web, the simple always gives way to the more complex. Static webpages with click-through dialogues are becoming more and more obsolete and in their place, asynchronous JavaScript requests, Web mash-ups and proprietary plug-ins with the ability to conduct cross-domain requests shape the modern user experience. Three recent studies showed that a significant number of Web applications implement poor cross-domain policies allowing malicious domains to embed Flash and Silverlight applets which can conduct arbitrary requests to these Web applications under the identity of the visiting user. In this paper, we confirm the findings of the aforementioned studies and we design DEMACRO, a client-side defense mechanism which detects potentially malicious cross-domain requests and de-authenticates them by removing existing session credentials. Our system requires no training or user interaction and imposes minimal performance overhead on the user’s browser.

Lekies, S., Nikiforakis, N., Tighzert, W., Piessens, F., & Johns, M. (2012). DEMACRO: Defense against Malicious Cross-domain Requests. 15th International Symposium, RAID 2012, Amsterdam, The Netherlands. doi: 10.1007/978-3-642-33338-5_13.

Access control in multi-party wireless sensor networks

Maerien, J., Michiels, S., Huygens, C., Hughes, D., & Joosen, W.

Emerging real world WSNs seldom exist as single owner, single application, isolated networks, but instead comprise sensor nodes owned by multiple parties, offering multiple services to users in the WSN or across the Internet, travelling between multiple WSNs. However, users should only have access to a limited subset of services, depending on their access rights. Due to a need for direct interactions of users with nodes, authentication and authorisation at the node level is critical. This paper presents an access control infrastructure consisting of three parts: 1) an authentication protocol to ensure authenticity of messages, 2) a role based authorisation framework to perform access control, and 3) a user management service to enable user and permission management. A prototype implementation on the ContikiOS demonstrates the validity and feasibility of node local role based access control on low power micro-controllers.

Maerien, J., Michiels, S., Huygens, C., Hughes, D., & Joosen, W. (2013). Access control in multi-party wireless sensor networks. 10th European Conference, EWSN 2013, Ghent, Belgium.


Towards a Secure Web: Critical Vulnerabilities and Client-Side Countermeasures

Nikiforakis, N.

As the web keeps on expanding, so does the interest of attackers who seek to exploit users and services for profit. In recent years, users have witnessed that it is hard for a month to pass without news of some major web-application break-in and the subsequent exfiltration of private or financial data. At the same time, attackers constantly register rogue domains, using them to perform phishing attacks, collect private user information, and exploit vulnerable browsers and plugins. In this dissertation, we approach the increasingly serious problem of cybercrime from two different and complementary standpoints. First, we investigate large groups of web applications, seeking to discover systematic vulnerabilities across them. We analyze the workings of referrer-anonymizing services, file hosting services, remote JavaScript inclusions and web-based device fingerprinting, exploring their interactions with users and third-parties, as well as their consequences on a user’s security and privacy. Through a series of automated and manual experiments we uncover many, previously unknown, issues that could readily be used to exploit vulnerable services and compromise user data. Second, we study existing, well-known, web application attacks and propose client-side countermeasures that can strengthen the security of a user’s browsing environment without the collaboration, or even awareness, of the web application. We propose countermeasures to defend against session hijacking, SSL stripping, and malicious, plugin-originating, cross-domain requests. Our countermeasures involve near-zero interaction with the user after their installation, have a minimal performance overhead, and do not assume the existence of trusted third-parties.

Nikiforakis, N. (2012). Towards a Secure Web: Critical Vulnerabilities and Client-Side Countermeasures. Dissertation presented in partial fulfillment of the requirements for the degree of Doctor in Engineering.

You are what you include: Large-scale evaluation of remote JavaScript inclusions

Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., & Vigna, G.

JavaScript is used by web developers to enhance the interactivity of their sites, offload work to the users’ browsers and improve their sites’ responsiveness and user-friendliness, making web pages feel and behave like traditional desktop applications. An important feature of JavaScript is the ability to combine multiple libraries from local and remote sources into the same page, under the same namespace. While this enables the creation of more advanced web applications, it also allows for a malicious JavaScript provider to steal data from other scripts and from the page itself. Today, when developers include remote JavaScript libraries, they trust that the remote providers will not abuse the power bestowed upon them. In this paper, we report on a large-scale crawl of more than three million pages of the top 10,000 Alexa sites, and identify the trust relationships of these sites with their library providers. We show the evolution of JavaScript inclusions over time and develop a set of metrics in order to assess the maintenance-quality of each JavaScript provider, showing that in some cases, top Internet sites trust remote providers that could be successfully compromised by determined attackers and subsequently serve malicious JavaScript. In this process, we identify four, previously unknown, types of vulnerabilities that attackers could use to attack popular web sites. Lastly, we review some proposed ways of protecting a web application from malicious remote scripts and show that some of them may not be as effective as previously thought.

Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., & Vigna, G. (2013). You are what you include: Large-scale evaluation of remote JavaScript inclusions. CCS’12, October 16–18, 2012, Raleigh, North Carolina, USA.


Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting

Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., & Vigna, G.

The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.

Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., & Vigna, G. (2013) Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting. IEEE Symposium on Security & Privacy, 39, 2013.

Bitsquatting: Exploiting Bit-flips for Fun, or Profit?

Nikiforakis, N., Van Acker, S., Desmet, W., Piessens, F., & Joosen, W.

Over the last fifteen years, several types of attacks against domain names and the companies relying on them have been observed. The well-known cybersquatting of domain names gave way to typosquatting, the abuse of a user’s mistakes when typing a URL in her browser’s address bar. Recently, a new attack against domain names surfaced, namely bitsquatting. In bitsquatting, an attacker leverages random bit-errors occurring in the memory of commodity computers and smartphones, to redirect Internet traffic to attacker-controlled domains. In this paper, we report on a large-scale experiment, measuring the adoption of bitsquatting by the domain-squatting community through the tracking of registrations of bitsquatting domains targeting popular web sites over a 9-month period. We show how new bitsquatting domains are registered daily and how attackers are trying to monetize their domains through the use of ads, abuse of affiliate programs and even malware installations. Lastly, given the discovered prevalence of bitsquatting, we review possible defense measures that companies, software developers and Internet Service Providers can use to protect against it.

Nikiforakis, N., Van Acker, S., Desmet, L., Piessens, F., & Joosen, W. (2013). Bitsquatting: Exploiting Bit-flips for Fun, or Profit? WWW 2013, Rio de Janeiro, Brazil.
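The generation step behind the measurement described above, as an added example (not the paper's own tooling): enumerate the names that are one bit-flip away from a target domain, and pick them out of a list of observed registrations. It assumes that only the left-most label (the part a registrant controls) is flipped, that the suffix is kept as given, and that the DNS letter-digit-hyphen rule decides validity; the zone-file sample is constructed.

```javascript
// Added example: single-bit-flip neighbours of a domain label. Not the paper's code.

const LDH = /^[a-z0-9-]+$/; // letters, digits, hyphen (assumed validity rule)

// All valid labels at Hamming distance 1 (in bits) from `label`.
function flipLabel(label) {
  const out = new Set();
  for (let i = 0; i < label.length; i++) {
    const code = label.charCodeAt(i);
    for (let bit = 0; bit < 8; bit++) {
      const flipped = String.fromCharCode(code ^ (1 << bit));
      const candidate = label.slice(0, i) + flipped + label.slice(i + 1);
      // Flipping bit 5 of a letter only changes its case, and DNS is
      // case-insensitive, so that "error" still resolves to the real domain.
      // The lowercase-only pattern rejects it, along with bytes >= 0x80 and
      // punctuation that cannot appear in a label.
      if (!LDH.test(candidate)) continue;
      if (candidate.startsWith('-') || candidate.endsWith('-')) continue;
      out.add(candidate);
    }
  }
  return out;
}

// Bitsquat domains for a registrable name, e.g. "example.com" -> "dxample.com", ...
function bitsquats(domain) {
  const [label, ...suffix] = domain.toLowerCase().split('.');
  const tail = suffix.length ? '.' + suffix.join('.') : '';
  return [...flipLabel(label)].sort().map((l) => l + tail);
}

// Given observed registrations (e.g. from a daily zone-file diff), return those
// that are bitsquats of `target`; this is the per-day check behind a tracking
// experiment like the one in the paper.
function registeredBitsquats(target, registered) {
  const wanted = new Set(bitsquats(target));
  return registered.map((d) => d.toLowerCase()).filter((d) => wanted.has(d));
}

// Constructed sample: two bitsquats, a hyphen bitsquat, a typosquat (l -> 1 is
// not a single bit flip) and the original in upper case (same domain to DNS).
const SAMPLE_ZONE = ['example.com', 'dxample.com', 'exa-ple.com', 'examp1e.com', 'exam0le.com', 'EXAMPLE.COM'];

console.log(bitsquats('example.com').length, 'bitsquat names for example.com');
console.log('registered bitsquats:', registeredBitsquats('example.com', SAMPLE_ZONE));
```

The output list is also the defender's registration list: for short labels it is a few dozen names, which is why the paper's defensive measures for companies start with registering the valid flips of their own domains.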


B-CCENTRE Report – Technical Research – 2014


Exploring the Ecosystem of Referrer-Anonymizing Services

Nikiforakis, N., Van Acker, S., Piessens, F., & Joosen, W.

The constant expansion of the World Wide Web allows users to enjoy a wide range of products and services delivered directly to their browsers. At the same time however, this expansion of functionality is usually coupled with more ways of attacking a user’s security and privacy. In this arms race, certain web-services present themselves as privacy-preserving or privacy-enhancing. One type of such services is a Referrer-Anonymizing Service (RAS), a service which relays users from a source site to a destination site while scrubbing the contents of the referrer header from user requests.

In this paper, we investigate the ecosystem of RASs and how they interact with web-site administrators and visiting users. We discuss their workings, what happens behind the scenes and how top Internet sites react to traffic relayed through such services. In addition, we present user statistics from our own Referrer-Anonymizing Service and show the leakage of private information by others towards advertising agencies as well as towards ‘curious’ RAS owners.

Nikiforakis, N., Van Acker, S., Piessens, F., & Joosen, W. (2012). Exploring the Ecosystem of Referrer-Anonymizing Services. 12th International Symposium, PETS 2012, Vigo, Spain.
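The relay step that such a service performs, as an added example written as a pure function so it can be tested without a server; it is not the code of the service the paper ran nor of any service it studied. Assumptions: the relay is reached as `/?url=<destination>`, the browser honours `Referrer-Policy: no-referrer` (and the equivalent `<meta name="referrer">`), and the hop to the destination is made client-side by the page the relay returns. The hardening around the destination parameter (rejecting non-http(s) schemes, relative paths and credentials) is a practitioner's addition, not something the abstract describes.

```javascript
// Added example: the core of a referrer-anonymizing relay. Not the paper's code.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Only absolute http(s) destinations are relayed. Rejecting javascript:, data:
// and similar schemes keeps the relay from becoming a script-injection gadget,
// rejecting relative paths stops it from impersonating its own origin, and
// rejecting embedded credentials avoids "https://trusted@evil/" confusion.
function parseDestination(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null;
  return url.toString(); // WHATWG serialisation percent-encodes <, >, " for us
}

// Build the HTTP response for a relay request. `query` is the parsed query string.
function relayResponse(query) {
  const dest = parseDestination(query.url || '');
  if (dest === null) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'bad destination' };
  }
  const safeAttr = escapeHtml(dest);
  // "<" cannot survive URL serialisation, but escape it in the script literal anyway.
  const safeJs = JSON.stringify(dest).replace(/</g, '\\u003c');
  const body = [
    '<!doctype html><html><head>',
    '<meta name="referrer" content="no-referrer">',
    '</head><body>',
    `<p>Redirecting to <a rel="noreferrer" href="${safeAttr}">${safeAttr}</a></p>`,
    `<script>location.replace(${safeJs});</script>`,
    '</body></html>',
  ].join('\n');
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Referrer-Policy': 'no-referrer', // header form of the meta tag above
      'Cache-Control': 'no-store',
    },
    body,
  };
}

// Constructed requests: a normal one and two abusive ones.
for (const q of [{ url: 'https://example.org/path?q=1' }, { url: 'javascript:alert(1)' }, { url: '/relative' }]) {
  const r = relayResponse(q);
  console.log(q.url, '->', r.status);
}
```

Note what this design does not hide: the relay operator still sees the destination in every request, which is exactly the leakage towards "curious" RAS owners that the abstract reports.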

HeapSentry: Kernel-assisted protection against heap overflows

Nikiforakis N, Piessens F, Joosen W.

The last twenty years have witnessed the constant reaction of the security community to memory corruption attacks and the evolution of attacking techniques in order to circumvent the newly-deployed countermeasures. In this evolution, the heap of a process received little attention and thus today, the problem of heap overflows is largely unsolved. In this paper we present HeapSentry, a system designed to detect and stop heap overflow attacks through the cooperation of the memory allocation library of a program and the operating system's kernel. HeapSentry places unique random canaries at the end of each heap object which are later checked by the kernel, before system calls are allowed to proceed. HeapSentry operates on binaries (no source code needed) and has, by design, no false-positives. At the same time, the active involvement of the kernel provides stronger security guarantees than the current state of the art in heap protection mechanisms for a modest performance overhead.

Nikiforakis N, Piessens F, Joosen W. (2013) HeapSentry: Kernel-assisted protection against heap overflows; Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2013), pages 177-196, Berlin, Germany, 17-19 July 2013

Stranger danger: Exploring the ecosystem of ad-based URL shortening services

Nikiforakis N, Maggi F, Stringhini G, Rafique M, Joosen W, Kruegel C, Piessens F, Vigna G, Zanero S.

URL shortening services facilitate the need of exchanging long URLs using limited space, by creating compact URL aliases that redirect users to the original URLs when followed. Some of these services show advertisements (ads) to link-clicking users and pay a commission of their advertising earnings to link-shortening users. In this paper, we investigate the ecosystem of these increasingly popular ad-based URL shortening services. Even though traditional URL shortening services have been thoroughly investigated in previous research, we argue that, due to the monetary incentives and the presence of third-party advertising networks, ad-based URL shortening services and their users are exposed to more hazards than traditional shortening services. By analyzing the services themselves, the advertisers involved, and their users, we uncover a series of issues that are actively exploited by malicious advertisers and endanger the users. Moreover, next to documenting the ongoing abuse, we suggest a series of defense mechanisms that services and users can adopt to protect themselves.


Nikiforakis N, Maggi F, Stringhini G, Rafique M, Joosen W, Kruegel C, Piessens F, Vigna G, Zanero S. (2014) Stranger danger: Exploring the ecosystem of ad-based URL shortening services; Proceedings of the 23rd International World Wide Web Conference (WWW 2014), pages 51-62, Seoul, Korea

Sancus: Low-cost trustworthy extensible networked devices with a zero-software Trusted Computing Base

Noorman, J., Agten, P., Daniels, W., Huygens, C., Piessens, F., Preneel, B., Strackx, R., Van Herrewege, A., & Verbauwhede I.

In this paper we propose Sancus, a security architecture for networked embedded devices. Sancus supports extensibility in the form of remote (even third-party) software installation on devices while maintaining strong security guarantees. More specifically, Sancus can remotely attest to a software provider that a specific software module is running uncompromised, and can authenticate messages from software modules to software providers. Software modules can securely maintain local state, and can securely interact with other software modules that they choose to trust. The most distinguishing feature of Sancus is that it achieves these security guarantees without trusting any infrastructural software on the device. The Trusted Computing Base (TCB) on the device is only the hardware. Moreover, the hardware cost of Sancus is low. We describe the design of Sancus, and develop and evaluate a prototype FPGA implementation of a Sancus-enabled device. The prototype extends an MSP430 processor with hardware support for the memory access control and cryptographic functionality required to run Sancus. We also develop a C compiler that targets our device and that can compile standard C modules to Sancus protected software modules.

Noorman, J., Agten, P., Daniels, W., Huygens, C., Piessens, F., Preneel, B., Strackx, R., Van Herrewege, A., & Verbauwhede I. (2013). Sancus: Low-cost trustworthy extensible networked devices with a zero-software Trusted Computing Base. 22nd USENIX Security Symposium.

There is safety in numbers: Preventing control-flow hijacking by duplication

Noorman, J., Nikiforakis, N., & Piessens, F.

Despite the large number of proposed countermeasures against control-flow hijacking attacks, these attacks still pose a great threat for today’s applications. The problem with existing solutions is that they either provide incomplete probabilistic protection (e.g., stack canaries) or impose a high runtime overhead (e.g., bounds checking). In this paper, we show how the concept of program-part duplication can be used to protect against control-flow hijacking attacks and present two different instantiations of the duplication concept which protect against popular attack vectors. First, we use the duplication of functions to eliminate the need of return addresses and thus provide complete protection against attacks targeting a function’s return address. Then we demonstrate how the integrity of function pointers can be protected through the use of data duplication. We test the combined effectiveness of our two methods and experimentally show that they provide an almost complete protection against control-flow hijacking attacks with only a low runtime overhead in real-world applications.

Noorman, J., Nikiforakis, N., & Piessens, F. (2012). There is safety in numbers: Preventing control-flow hijacking by duplication. 17th Nordic Conference, NordSec 2012, Karlskrona, Sweden.

Bounding HFE with SRA

Petit, C.

The Hidden Field Equation cryptosystem (HFE) is a public key encryption scheme whose security relies on the hardness of solving a system of polynomial equations over the finite field F2.


This scheme and its generalizations have attracted a lot of attention by the cryptographic community. It is known that HFE polynomial systems are much easier to solve than generic systems, and in fact the parameters proposed in the original HFE cryptosystem can be broken in practice using Gröbner basis algorithms. Several theoretical explanations have been provided for this property, but all of them have so far relied on some plausible conjectures or heuristic assumptions. In this paper, we provide a rigorous bound on the complexity of solving a general class of polynomial systems including HFE systems. Our proof connects the polynomials constructed by Gröbner basis algorithms to the partial computation results of the Successive Resultants Algorithm (SRA), a recently introduced algorithm for finding roots of polynomials over finite fields. Besides, we provide a variant of SRA that may be of independent interest. We believe that our approach could have further applications to similar systems that were recently introduced in connection to the elliptic curve discrete logarithm problem over small characteristic fields.

Petit, C. Bounding HFE with SRA. To appear.

The future of mobile e-health application development: Exploring HTML5 for context-aware diabetes monitoring

Preuveneers D, Berbers Y, Joosen W.

According to predictions of information technology research and advisory firms, such as Gartner, hybrid HTML5 applications will be the future for mobile application development. In this paper, we explore the feasibility of using HTML5 and related web application standards for the development of mobile e-health applications, using a diabetes monitoring application as a practical use case. Context-awareness and visualizing multivariate data with parallel coordinates for decision support are key features of this mobile e-health application. We compare the strengths and weaknesses of the hybrid HTML5 approach with native mobile applications, and report on practical experiences with the development and usage of the application. Our experiments show that developers of fairly advanced context-aware mobile applications can definitely benefit from the HTML5 application portability across different mobile platforms. However, compared to native applications, they should be aware of missing features such as secure storage, non-negligible performance penalties of JavaScript business logic on a mobile platform, and an inferior user experience.

Preuveneers D, Berbers Y, Joosen W. (2013) The future of mobile e-health application development: Exploring HTML5 for context-aware diabetes monitoring; 3rd International Conference on Current and Future Trends of Information and Communication Technologies in Healthcare (ICTH-2013), volume 21, pages 351-359, Niagara Falls, Ontario, Canada, 21-24 October

Evolutionary algorithms for classification of malware families through different network behaviors.

Rafique M, Chen P, Huygens C, Joosen W.

The staggering increase of malware families and their diversity poses a significant threat and creates a compelling need for automatic classification techniques. In this paper, we first analyze the role of network behavior as a powerful technique to automatically classify malware families and their polymorphic variants. Afterwards, we present a framework to efficiently classify malware families by modelling their different network behaviors (such as HTTP, SMTP, UDP, and TCP). We propose protocol-aware and state-space modeling schemes to extract features from malware network behaviors. We analyze the applicability of various evolutionary and non-evolutionary algorithms for our malware family classification framework. To evaluate our framework, we collected a real-world dataset of 6,000 unique and active malware samples belonging to 20 different malware families. We provide a detailed analysis of network behaviors exhibited by these prevalent malware families. The results of our experiments show that evolutionary algorithms, like sUpervised Classifier System (UCS), can effectively classify malware families


through different network behaviors in real time. To the best of our knowledge, the current work is the first malware classification framework based on an evolutionary classifier that uses different network behaviors.

Rafique M, Chen P, Huygens C, Joosen W. (2014) Evolutionary algorithms for classification of malware families through different network behaviors; Proceedings of the 2014 Conference on Genetic and Evolutionary Computation, pages 1167-1174, Vancouver, B.C., 12-16 July 2014

Network dialog minimization and network dialog diffing: Two novel primitives for network security applications

Rafique M, Caballero J, Huygens C, Joosen W.

In this work, we present two fundamental primitives for network security: network dialog minimization and network dialog diffing. Network dialog minimization (NDM) simplifies an original dialog with respect to a goal, so that the minimized dialog when replayed still achieves the goal, but requires minimal network communication, achieving significant time and bandwidth savings. We present network delta debugging, the first technique to solve NDM. Network dialog diffing compares two dialogs, aligns them, and identifies their common and different parts. We propose a novel dialog diffing technique that aligns two dialogs by finding a mapping that maximizes similarity. We have applied our techniques to 5 applications. We apply our dialog minimization approach for: building drive-by download milkers for 9 exploit kits, integrating them in an infrastructure that has collected over 14,000 malware samples running from a single machine; efficiently measuring the percentage of popular sites that allow cookie replay, finding that 31% do not destroy the server-side state when a user logs out and that 17% provide cookies that live over a month; simplifying a cumbersome user interface, saving our institution 3 hours of time per year and employee; and finding a new vulnerability in a SIP server. We apply our dialog diffing approach for clustering benign (F-Measure = 100%) and malicious (F-Measure = 87.6%) dialogs.

Rafique M, Caballero J, Huygens C, Joosen W. (2014) Network dialog minimization and network dialog diffing: Two novel primitives for network security applications; Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC 2014), New Orleans, Louisiana, USA, 8-12 December 2014
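Network dialog minimization driven by delta debugging, as an added example; it is not the paper's implementation. The minimizer is Zeller's ddmin applied to the list of messages in a dialog, and the "goal" is a replay oracle. Real network delta debugging replays candidate subsets against the live peer; here a constructed in-memory model of a small web application (CSRF token on GET /login, session on POST /login, dashboard only with a session) stands in for the server so the example runs offline. The sample dialog is constructed.

```javascript
// Added example: dialog minimization with ddmin over captured messages. Not the paper's code.

// Replay oracle (constructed server model): does the message sequence still end
// with an authenticated dashboard view? Only three messages matter; the rest is
// the static-resource and tracking noise a real capture contains.
function reachesDashboard(messages) {
  let token = false, session = false, goal = false;
  for (const m of messages) {
    if (m === 'GET /login') token = true;                  // issues the CSRF token
    else if (m === 'POST /login') { if (token) session = true; }
    else if (m === 'GET /dashboard') { if (session) goal = true; }
    else if (m === 'GET /logout') session = false;
  }
  return goal;
}

// Split `arr` into up to n non-empty, order-preserving chunks.
function splitInto(arr, n) {
  const chunks = [];
  for (let i = 0; i < n; i++) {
    const start = Math.floor((i * arr.length) / n);
    const end = Math.floor(((i + 1) * arr.length) / n);
    if (end > start) chunks.push(arr.slice(start, end));
  }
  return chunks;
}

// ddmin: returns a 1-minimal subsequence of `items` for which `passes` holds
// (removing any single remaining item makes the goal fail). Message order is
// preserved, which matters for stateful protocols.
function ddmin(items, passes) {
  let cur = items.slice();
  let n = 2;
  let calls = 0;
  const test = (s) => { calls++; return passes(s); };
  while (cur.length >= 2) {
    const chunks = splitInto(cur, n);
    let next = null;
    let nextN = n;
    for (const chunk of chunks) {                       // try each subset alone
      if (test(chunk)) { next = chunk; nextN = 2; break; }
    }
    if (next === null) {                                // try each complement
      for (let i = 0; i < chunks.length && next === null; i++) {
        const complement = [].concat(...chunks.filter((_, j) => j !== i));
        if (test(complement)) { next = complement; nextN = Math.max(n - 1, 2); }
      }
    }
    if (next !== null) { cur = next; n = nextN; continue; }
    if (n >= cur.length) break;                         // granularity exhausted
    n = Math.min(cur.length, 2 * n);                    // refine and retry
  }
  return { minimal: cur, oracleCalls: calls };
}

// Constructed capture of a browsing session (9 requests, 3 of them essential).
const SAMPLE_DIALOG = [
  'GET /', 'GET /static/style.css', 'GET /login', 'GET /static/logo.png',
  'POST /login', 'GET /ads/track', 'GET /dashboard', 'GET /static/footer.js', 'GET /logout',
];

const result = ddmin(SAMPLE_DIALOG, reachesDashboard);
console.log('minimal dialog:', result.minimal, 'after', result.oracleCalls, 'replays');
```

Every oracle call is one replay of a candidate dialog against the peer, so `oracleCalls` is the cost of the minimization; for a live target the oracle also has to reset server-side state between replays, which the in-memory model above does implicitly by starting fresh on each call.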

PESAP: a Privacy enhanced social application platform

Reynaert, T., De Groef, W., Devriese, D., Desmet, L., & Piessens, F.

Nowadays, social networking sites provide third party application developers with means to access their social graph, by providing a social application platform. Through their users, these developers acquire a significant set of personal information from the social graph. The current protection mechanisms, such as privacy policies and access control mechanisms fall short on protecting the privacy of the users. In this paper we present a framework for a privacy enhanced social application platform, called PESAP, that technically enforces the protection of the personal information of a user, when interacting with social applications. The framework is based on two pillars: anonymization of the social graph and secure information flow inside the browser. PESAP is targeted to be as compatible as possible with the current state-of-the-art design of social application platforms, while technically enforcing the protection of user privacy. We evaluate this compliance, based on a classification of applications in different categories.

Reynaert, T., De Groef, W., Devriese, D., Desmet, L., & Piessens, F. (2012). PESAP: a Privacy enhanced social application platform. International Workshop on Security and Privacy in Social Networks (SPSN) SOCIALCOM-PASSAT '12 Pages: 827-833.


Empirical assessment of security requirements and architecture: lessons learned

Scandariato R, Paci F, Tran L, Labunets K, Yskout K, Massacci F, Joosen W.

Over the past three years, our groups at the University of Leuven and the University of Trento have been conducting a number of experimental studies. In particular, two common themes can be easily identified within our work. First, we have investigated the value of several threat modeling and risk assessment techniques. The second theme relates to the problem of preserving security over time, i.e., security evolution. Although the empirical results obtained in our studies are interesting on their own, the main goal of this chapter is to share our experience. The objective is to provide useful, hands-on insight on this type of research work so that the work of other researchers in the community would be facilitated. The contribution of this chapter is the discussion of the challenges we faced during our experimental work. Contextually, we also outline those solutions that worked out in our studies and could be reused in the field by other studies.

Scandariato R, Paci F, Tran L, Labunets K, Yskout K, Massacci F, Joosen W. (2014) Empirical assessment of security requirements and architecture: lessons learned.

Leakage-Resilient Symmetric Cryptography Under Empirically Verifiable Assumptions

Standaert, F., Pereira, O., & Yu Y.

Leakage-resilient cryptography aims at formally proving the security of cryptographic implementations against large classes of side-channel adversaries. One important challenge for such an approach to be relevant is to adequately connect the formal models used in the proofs with the practice of side-channel attacks. It raises the fundamental problem of finding reasonable restrictions of the leakage functions that can be empirically verified by evaluation laboratories. In this paper, we first argue that the previous “bounded leakage” requirements used in leakage-resilient cryptography are hard to fulfill by hardware engineers. We then introduce a new, more realistic and empirically verifiable assumption of simulatable leakage, under which security proofs in the standard model can be obtained. We finally illustrate our claims by analyzing the physical security of an efficient pseudorandom generator (for which security could only be proven under a random oracle based assumption so far). These positive results come at the cost of (algorithm-level) specialization, as our new assumption is specifically defined for block ciphers. Nevertheless, since block ciphers are the main building block of many leakage-resilient cryptographic primitives, our results also open the way towards more realistic constructions and proofs for other pseudorandom objects.

Standaert, F., Pereira, O., & Yu Y. (2013). Leakage-Resilient Symmetric Cryptography Under Empirically Verifiable Assumptions. Lecture Notes in Computer Science.

Fides: Selectively hardening software application components against kernel-level or process-level malware

Strackx, R., & Piessens, F.

Protecting commodity operating systems against software exploits is known to be challenging, because of their sheer size. The same goes for key software applications such as web browsers or mail clients. As a consequence, a significant fraction of internet-connected computers is infected with malware.

To mitigate this threat, we propose a combined approach of (1) a run-time security architecture that can efficiently protect fine-grained software modules executing on a standard operating system, and (2) a compiler that compiles standard C source code modules to such protected binary modules.


The offered security guarantees are significant: relying on a TCB of only a few thousand lines of code, we show that the power of arbitrary kernel-level or process-level malware is reduced to interacting with the module through the module’s public API. With a proper API design and implementation, modules are fully protected.

The run-time architecture can be loaded on demand and only incurs performance overhead when it is loaded. Benchmarks show that, once loaded, it incurs a 3.22% system-wide performance cost. For applications that make intensive use of protected modules, and hence benefit most of the security guarantees provided, the performance cost is up to 14%.

Strackx, R., & Piessens, F. (2012). Fides: Selectively hardening software application components against kernel-level or process-level malware. CCS’12, Raleigh, North Carolina, USA.

Protected software module architectures

Strackx R, Noorman J, Verbauwhede I, Preneel B, Piessens F.

A significant fraction of Internet-connected computing devices is infected with malware. With the increased connectivity and software extensibility of embedded and industrial devices, this threat is now also relevant for our industrial infrastructure and our personal environments. Since many of these devices interact with remote parties for security-critical or privacy sensitive transactions, it is important to develop security architectures that allow a stakeholder to assess the trustworthiness of a computing device, and that allow such stakeholders to securely execute software on that device. Over the past decade, the security research community has proposed and evaluated such architectures. Important and promising examples are protected software module architectures. These architectures support the secure execution of small protected software modules even on devices that are malware infected. They also make it possible for remote parties to collect trust evidence about a device; the remote party can use the security architecture to collect measurements that give assurance that the device is in a trustworthy state.

In this paper we outline the essential ideas behind this promising recent line of security research, and report on our experiences in developing several protected module architectures for different types of devices.

Strackx R, Noorman J, Verbauwhede I, Preneel B, Piessens F. (2013) Protected software module architectures. ISSE 2013 Securing Electronic Business Processes, pages 241-251, 2013

WebJail: Least-privilege integration of third-party components in web mashups

Van Acker, S., De Ryck, P., Desmet, L., Piessens, F., & Joosen, W.

In the last decade, the Internet landscape has transformed from a mostly static world into Web 2.0, where the use of web applications and mashups has become a daily routine for many Internet users. Web mashups are web applications that combine data and functionality from several sources or components. Ideally, these components contain benign code from trusted sources. Unfortunately, the reality is very different. Web mashup components can misbehave and perform unwanted actions on behalf of the web mashup’s user.

Van Acker, S., De Ryck, P., Desmet, L., Piessens, F., & Joosen, W. (2011). WebJail: Least-privilege integration of third-party components in web mashups. ACSAC ’11 Dec. 5-9, 2011, Orlando, Florida USA.


FlashOver: Automated Discovery of Cross-site Scripting Vulnerabilities in Rich Internet Applications

Van Acker, S., Nikiforakis, N., Desmet, L., Joosen, W., & Piessens, F.

Today’s Internet is teeming with dynamic web applications visited by numerous Internet users. During their visits, typical Web users will unknowingly use tens of Rich Internet Applications like Flash banners or media players. For HTML-based web applications, it is well-known that Cross-site Scripting (XSS) vulnerabilities can be exploited to steal credentials or otherwise wreak havoc, and there is a lot of research into solving this problem. An aspect of this problem that seems to have been mostly overlooked by the academic community, is that XSS vulnerabilities also exist in Adobe Flash applications, and are actually easier to exploit because they do not require an enclosing HTML ecosystem.

In this paper we present FlashOver, a system to automatically scan Rich Internet Applications for XSS vulnerabilities by using a combination of static and dynamic code analysis that reports no false positives. FlashOver was used in a large-scale experiment to analyze Flash applications found on the top 1,000 Internet sites, exposing XSS vulnerabilities that could compromise 64 of those sites, of which six are in the top 50.

Van Acker, S., Nikiforakis, N., Desmet, L., Joosen, W., & Piessens, F. (2012). FlashOver: Automated Discovery of Cross-site Scripting Vulnerabilities in Rich Internet Applications. ASIACCS ’12, May 2–4, 2012, Seoul, Korea.

Monkey-in-the-browser: Malware and vulnerabilities in augmented browsing script markets - extended version

Van Acker S, Nikiforakis N, Desmet L, Piessens F, Joosen W.

With the constant migration of applications from the desktop to the web, power users have found ways of enhancing web applications, at the client-side, according to their needs.

In this paper, we investigate this phenomenon by focusing on the popular Greasemonkey extension which enables users to write scripts that arbitrarily change the content of any page, allowing them to remove unwanted features from web applications, or add additional, desired features to them. The creation of script markets, on which these scripts are often shared, extends the standard web security model with two new actors, introducing novel vulnerabilities. We describe the architecture of Greasemonkey and perform a large-scale analysis of the most popular, community-driven, script market for Greasemonkey. Through our analysis, we discover not only dozens of malicious scripts waiting to be installed by users, but thousands of benign scripts with vulnerabilities that could be abused by attackers. In 58 cases, the vulnerabilities are so severe, that they can be used to bypass the Same-Origin Policy of the user's browser and steal sensitive user-data from all sites. We verify the practicality of our attacks, by developing a proof-of-concept exploit against a vulnerable user script with an installation base of 1.2 million users, equivalent to a “Man-in-the-browser" attack.

Van Acker S, Nikiforakis N, Desmet L, Piessens F, Joosen W. (2014) Monkey-in-the-browser: Malware and vulnerabilities in augmented browsing script markets -- extended version; ASIACCS, Kyoto, Japan, 2-4 June 2014


Towards a systematic literature review on secure software design

Van Den Berghe, A., Scandariato, R., Joosen, W., Heisel M., & Marchetti, E.

In recent years numerous researchers proposed approaches to incorporate security into software design. Unfortunately a systematic literature review (SLR) providing a detailed overview of the state of the art and defining interesting research opportunities is lacking. This creates an extra barrier for (new) researchers to enter the domain and contribute to it. We describe a protocol for an SLR aimed at minimizing this barrier. By providing this protocol we first hope to trigger a discussion and get feedback on the protocol. Second, this protocol is useful when updating the SLR with approaches that emerged after its initial performance.

Van Den Berghe, A., Scandariato, R., Joosen, W., Heisel M., & Marchetti, E. (2013). Towards a systematic literature review on secure software design. Proceedings of the Doctoral Symposium of the International Symposium on Engineering Secure Software and Systems (ESSoS-DS 2013).

Large-scale security analysis of the web: Challenges and findings

Van Goethem T, Chen P, Nikiforakis N, Desmet L, Joosen W.

The security of Industrial Control Systems (ICS) has become an important topic. Recent attacks have shown that inadequately protecting control systems could have disastrous consequences for society. This paper presents an extension for the Systems Modeling Language (SysML), allowing for the extraction of vulnerabilities from an industrial control system model. After a control system is modeled in SysML, the model is converted into input for a formal reasoning tool. This tool contains a logic theory which is used for the vulnerability extraction. The rules in this logic theory are inferred from the ICS-CERT vulnerability database and ICS security standards. Once the vulnerabilities have been extracted, they are included in the SysML diagrams of the model. The modeling approach allows the user to quickly see which changes to the system get rid of the reported vulnerabilities. It is also possible to mark certain components as compromised to see the consequences of attacks on these components for system security as a whole. The resulting analysis can be used to strengthen the security of the control system.

Van Goethem T, Chen P, Nikiforakis N, Desmet L, Joosen W. (2014) Large-scale security analysis of the web: Challenges and findings; International Symposium for ICS & SCADA Cyber Security Research, volume 2, pages 1-9, University of Applied Sciences St. Pölten, Austria, 11-12 September 2014

Practical verification of WPA-TKIP vulnerabilities

Vanhoef, M., & Piessens, F.

We describe three attacks on the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). The first attack is a Denial of Service attack that can be executed by injecting only two frames every minute. The second attack demonstrates how fragmentation of 802.11 frames can be used to inject an arbitrary amount of packets, and we show that this can be used to perform a port scan on any client. The third attack enables an attacker to reset the internal state of the Michael algorithm. We show that this can be used to efficiently decrypt arbitrary packets sent towards a client. We also report on implementation vulnerabilities discovered in some wireless devices. Finally we demonstrate that our attacks can be executed in realistic environments.

Vanhoef, M., & Piessens, F. (2013). Practical verification of WPA-TKIP vulnerabilities. Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security Pages 427-436. doi: 10.1145/2484313.2484368.


Crying wolf? On the price discrimination of online airline tickets

Vissers T, Nikiforakis N, Bielova N, Joosen W.

Price discrimination refers to the practice of dynamically varying the prices of goods based on a customer's purchasing power and willingness to pay. In this paper, motivated by several anecdotal accounts, we report on a three-week experiment, conducted in search of price discrimination in airline tickets. Despite presenting the companies with multiple opportunities for discriminating us, and contrary to our expectations, we do not have any evidence for systematic price discrimination. At the same time, we witness the highly volatile prices of certain airlines which make it hard to establish cause and effect. Finally, we provide alternative explanations for the observed price differences.

Vissers T, Nikiforakis N, Bielova N, Joosen W. (2014) Crying wolf? On the price discrimination of online airline tickets, 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014), 18 July 2014

Empirical evaluation of a privacy-focused threat modeling methodology

Wuyts K, Scandariato R, Joosen W.

Privacy is a key issue in today's society. Software systems handle more and more sensitive information concerning citizens. It is important that such systems are privacy-friendly by design. In previous work, we proposed a privacy threat analysis methodology, named LINDDUN. The methodology supports requirements engineers and software architects in identifying privacy weaknesses in the system they contribute to developing. As this is a fairly new technique, its results when applied in realistic scenarios are yet unknown. This paper presents a series of three empirical studies that thoroughly evaluate LINDDUN from a multifaceted perspective. Our assessment characterizes the correctness and completeness of the analysis results produced by LINDDUN, as well as the productivity associated with executing the methodology. We also look into aspects such as the ease of use and reliability of LINDDUN. The results are encouraging, overall. However, some areas for further improvement have been identified as a result of this empirical inquiry.

Wuyts K, Scandariato R, Joosen W. (2014) Empirical evaluation of a privacy-focused threat modeling methodology. The Journal of Systems and Software, volume 96, pages 122-138


www.b-ccentre.be

@B_CCENTRE

In collaboration with our academic partners