Ariadne: A Minimal Approach to State Continuity

3 DistriNet papers accepted at the USENIX Security Symposium 2016.

DistriNet will be well represented at the 25th USENIX Security Symposium on August 10-12, 2016 in Austin, Texas. Tom Van Goethem, Raoul Strackx and Mathy Vanhoef will be presenting their latest research at this top-level security conference. Below is a sneak preview of their accepted papers.

Ariadne: A Minimal Approach to State Continuity
Raoul Strackx and Frank Piessens, Katholieke Universiteit Leuven

Protected-module architectures such as Intel SGX provide strong isolation guarantees to sensitive parts of applications while the system is up and running. Unfortunately, systems in practice crash, go down for reboots or lose power at unexpected moments in time. To deal with such events, additional security measures need to be taken to guarantee that stateful modules will either recover their state from the last stored state, or fail-stop on detection of tampering with that state. More specifically, protected-module architectures need to provide a security primitive that guarantees that (1) attackers cannot present a stale state as being fresh (i.e. rollback protection), (2) once a module has accepted an input, it will continue execution on that input or never advance, and (3) an unexpected loss of power must never leave the system in a state from which it can never resume execution (i.e. liveness guarantee).

We propose Ariadne, a solution to the state-continuity problem that achieves the theoretical lower limit of requiring only a single bit flip of non-volatile memory per state update. Ariadne can be easily adapted to the platform at hand. In low-end devices where non-volatile memory may wear out quickly and the bill of materials (BOM) needs to be minimized, Ariadne can make optimal use of non-volatile memory. On SGX-enabled processors, Ariadne can be readily deployed to protect stateful modules (e.g., as used by Haven and VC^3).
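The three requirements above (rollback protection, commit-or-never-advance, liveness) and the one-bit-flip-per-update bound are easiest to see in a small executable model. The code below is an illustration added for this page, not Ariadne's protocol or code from the paper. It assumes a trusted non-volatile counter cell that only the module can write, kept in Gray code so that every increment changes exactly one bit; attacker-controlled storage holding sealed state blobs; and an HMAC over (counter, state) standing in for the platform's sealing mechanism. The update order it uses (persist the new blob, then flip the bit, then garbage-collect) is chosen so that at every possible crash point exactly one blob verifies under the current counter value. The sealing key and all state values are constructed for the example.

```python
"""Toy state-continuity model (illustrative, not Ariadne's actual design).
Trusted NVM: one Gray-coded counter cell. Untrusted storage: sealed blobs.
Sealing: HMAC-SHA256 over (counter || state) with an assumed per-module key."""
import hashlib
import hmac

SEAL_KEY = b"assumed per-module sealing key"  # stands in for SGX sealing
TAG_LEN = 32


def gray_encode(n: int) -> int:
    """Reflected binary Gray code: gray(n) and gray(n+1) differ in one bit."""
    return n ^ (n >> 1)


def gray_decode(g: int) -> int:
    n = 0
    while g:
        n ^= g
        g >>= 1
    return n


def bits_flipped(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def seal(counter: int, state: bytes) -> bytes:
    """Bind a state to the counter value it belongs to."""
    body = counter.to_bytes(4, "big") + state
    return body + hmac.new(SEAL_KEY, body, hashlib.sha256).digest()


def unseal(blob: bytes):
    """Return (counter, state), or None if the blob is forged or tampered."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(SEAL_KEY, body, hashlib.sha256).digest()
    if len(body) < 4 or not hmac.compare_digest(expected, tag):
        return None
    return int.from_bytes(body[:4], "big"), body[4:]


class Module:
    def __init__(self, initial_state: bytes):
        self.nvm = gray_encode(0)                # trusted NVM counter cell
        self.storage = [seal(0, initial_state)]  # untrusted storage
        self.flips = 0                           # NVM bit flips performed

    def counter(self) -> int:
        return gray_decode(self.nvm)

    def _blobs(self, pred):
        """Verifying blobs whose counter satisfies pred; forged ones dropped."""
        kept = []
        for b in self.storage:
            u = unseal(b)
            if u is not None and pred(u[0]):
                kept.append(b)
        return kept

    def update(self, new_state: bytes, crash_after: int = 3) -> bool:
        """Advance to new_state. crash_after simulates power loss after step
        0 (nothing done), 1 (new blob written) or 2 (bit flipped); 3 = no
        crash. Returns True once the update is committed by the bit flip."""
        c = self.counter()
        if crash_after < 1:
            return False
        self.storage = self._blobs(lambda k: k <= c)     # drop uncommitted leftovers
        self.storage.append(seal(c + 1, new_state))      # step 1: persist new state
        if crash_after < 2:
            return False
        new_nvm = gray_encode(c + 1)
        self.flips += bits_flipped(self.nvm, new_nvm)    # always exactly 1
        self.nvm = new_nvm                               # step 2: commit point
        if crash_after < 3:
            return True
        self.storage = self._blobs(lambda k: k == c + 1) # step 3: garbage-collect
        return True

    def recover(self) -> bytes:
        """On (re)boot accept only state sealed under the current NVM counter:
        lower counters are stale (rollback), higher ones were never committed.
        Fail-stop when nothing valid remains."""
        c = self.counter()
        valid = self._blobs(lambda k: k == c)
        if not valid:
            raise RuntimeError("state continuity violated at counter %d" % c)
        self.storage = valid
        return unseal(valid[0])[1]
```

Mapping to the three requirements: a stale blob carries a counter below the NVM value and is rejected, so rollback fails closed rather than silently succeeding (1); the bit flip is the only commit point, so a crash before it resumes on the old state and the pending input is simply never applied, while a crash after it resumes only on the new state (2); and at each crash stage a blob for the current counter is present, so a power loss never strands the module (3). Note that an attacker who deletes every blob causes a fail-stop, which is denial of service, not a rollback. The model ignores the fixed width of a real NVM cell and counter wrap-around; how Ariadne handles those is a matter for the paper itself.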


Request and Conquer: Exposing Cross-Origin Resource Size
Tom Van Goethem, Mathy Vanhoef, Frank Piessens and Wouter Joosen, Katholieke Universiteit Leuven

Numerous initiatives are encouraging website owners to enable and enforce TLS encryption for the communication between the server and their users. Although this encryption, when configured properly, completely prevents adversaries from disclosing the content of the traffic, certain features are not concealed, most notably the size of messages. As modern-day web applications tend to provide users with a view that is tailored to the information they entrust these web services with, it is clear that, by learning the size of specific resources, an adversary can easily uncover personal and sensitive information.

In this paper, we explore various techniques that can be employed to reveal the size of resources. As a result of this in-depth analysis, we discover several design flaws in the storage mechanisms of browsers, which allow an adversary to expose the exact size of any resource in mere seconds. Furthermore, we report on a novel size-exposing technique against Wi-Fi networks. We evaluate the severity of our attacks, and show their worrying consequences in multiple real-world attack scenarios. Furthermore, we propose an improved design for browser storage, and explore other viable solutions that can thwart size-exposing attack methods.


Predicting, Recovering, and Abusing 802.11 Group Keys
Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven

We analyze the generation and management of 802.11 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.

First we argue that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients, and discover a downgrade-style attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The RC4 key is the concatenation of a public 16-byte initialization vector with a static 16-byte key, and the first 256 keystream bytes are dropped. We analyze this peculiar usage of RC4, and find that capturing 2^31 handshakes can be sufficient to recover a 128-bit group key. In a third phase we investigate whether broadcast traffic is properly isolated from unicast traffic. We found this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.
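The RC4 construction described in the abstract (key = 16-byte public IV concatenated with the static 16-byte key, first 256 keystream bytes dropped) is concrete enough to reproduce. The code below is an added illustration for this page, not code from the paper; it implements plain RC4, builds the key exactly as described, wraps and unwraps a group key, and shows the attacker's view of one captured handshake: because the IV is public and part of the plaintext key data is predictable, each capture reveals keystream bytes for that IV||KEK key, which is the raw material a statistical attack over many handshakes works from. The IV, key-encryption key (KEK) and group key values are constructed for the example.

```python
"""RC4 key wrapping as used for the 802.11 group key in the 4-way handshake:
RC4 key = 16-byte Key IV || 16-byte KEK, first 256 keystream bytes discarded.
Illustrative code; sample IV, KEK and GTK values are constructed."""

DROP = 256  # keystream bytes discarded before encrypting the key data


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Plain RC4: key-scheduling, then PRGA, skipping the first `drop` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])


def eapol_rc4_key(iv: bytes, kek: bytes) -> bytes:
    """Public IV in front, static KEK behind: the structure the abstract describes."""
    if len(iv) != 16 or len(kek) != 16:
        raise ValueError("expected a 16-byte Key IV and a 16-byte KEK")
    return iv + kek


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key_data(iv: bytes, kek: bytes, key_data: bytes) -> bytes:
    """Encrypt the EAPOL Key Data field (carrying the group key) with RC4."""
    return xor(key_data, rc4_keystream(eapol_rc4_key(iv, kek), len(key_data), DROP))


def unwrap_key_data(iv: bytes, kek: bytes, ciphertext: bytes) -> bytes:
    """RC4 is symmetric, so unwrapping is the same operation."""
    return wrap_key_data(iv, kek, ciphertext)


def leaked_keystream(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Attacker's view: the IV is public and a prefix of the plaintext key data
    is predictable, so the capture yields keystream bytes 256.. for IV||KEK."""
    return xor(ciphertext[:len(known_prefix)], known_prefix)


# Constructed sample values (not from a real capture).
SAMPLE_IV = bytes(range(16))
SAMPLE_KEK = bytes(range(16, 32))
SAMPLE_GTK = bytes(range(32, 48))

if __name__ == "__main__":
    wrapped = wrap_key_data(SAMPLE_IV, SAMPLE_KEK, SAMPLE_GTK)
    print("wrapped GTK:", wrapped.hex())
    print("unwrapped  :", unwrap_key_data(SAMPLE_IV, SAMPLE_KEK, wrapped).hex())
    print("leaked keystream from 8 known bytes:",
          leaked_keystream(wrapped, SAMPLE_GTK[:8]).hex())
```

The 256-byte drop removes the best-known early-keystream biases of RC4, but the key structure is still a public prefix followed by a secret suffix, which is why the abstract treats this usage as peculiar and worth analysing; the example only shows the construction and what a single capture reveals, not the 2^31-handshake recovery itself.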

Source: https://distrinet.cs.kuleuven.be/news/2016/3DistriNetPapersAtUsenixSecurity2016.jsp
