Your search keyword '"Michael Backes"' showing total 168 results

1. Controlling my genome with my smartphone: first clinical experiences of the PROMISE system

Author

Annika Krämer, Ali Amr, Michael Backes, Karen S. Frese, Hans-Ulrich Prokosch, Dominique Schröder, Hugo A. Katus, Benjamin Meder, Christoph Egger, Ninja Marnau, Norbert Frey, Andreas Keller, Dominic Deuber, Claudia Durand, Farbod Sedaghat-Hamedani, Marc Schweig, Marc Hinderer, Lena Griebel, Jan Haas, Florian Battke, Elham Kayvanpour, and Daniel Huhn

Subjects

medicine.medical_specialty, business.industry, Information Dissemination, Data management, Data security, Cryptography, Pilot Projects, General Medicine, Precision medicine, Data science, Data type, Digital health, Data sharing, Data exchange, Privacy, Internal medicine, Cardiology, Medicine, Humans, Smartphone, ddc:610, Cardiology and Cardiovascular Medicine, business, Computer Security

Abstract

Background The development of Precision Medicine strategies requires high-dimensional phenotypic and genomic data, both of which are highly privacy-sensitive data types. Conventional data management systems lack the capabilities to sufficiently handle the expected large quantities of such sensitive data in a secure manner. PROMISE is a genetic data management concept that implements a highly secure platform for data exchange while preserving patient interests, privacy, and autonomy. Methods The concept of PROMISE to democratize genetic data was developed by an interdisciplinary team. It integrates a sophisticated cryptographic concept that allows only the patient to grant selective access to defined parts of his genetic information with single DNA base-pair resolution cryptography. The PROMISE system was developed for research purposes to evaluate the concept in a pilot study with nineteen cardiomyopathy patients undergoing genotyping, questionnaires, and longitudinal follow-up. Results The safety of genetic data was very important to 79%, and patients generally regarded the data as highly sensitive. More than half the patients reported that their attitude towards the handling of genetic data has changed after using the PROMISE app for 4 months (median). The patients reported higher confidence in data security and willingness to share their data with commercial third parties, including pharmaceutical companies (increase from 5 to 32%). Conclusion PROMISE democratizes genomic data by a transparent, secure, and patient-centric approach. This clinical pilot study evaluating a genetic data infrastructure is unique and shows that patient’s acceptance of data sharing can be increased by patient-centric decision-making. Graphic abstract

Published

2022

2. 12 Angry Developers - A Qualitative Study on Developers' Struggles with CSP

Author

Michael Backes, Sebastian Roth, Lea Theresa Gröber, Ben Stock, and Katharina Krombholz

Subjects

Root (linguistics), Computer science, business.industry, Cross-site scripting, Cornerstone, Content Security Policy, computer.software_genre, Internet security, Task (project management), World Wide Web, Software deployment, Scripting language, business, computer

Abstract

The Web has improved our ways of communicating, collaborating, teaching, and entertaining us and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of those Cross-Site Scripting attacks. However, research has shown that the vast majority of all policies in the wild are trivially bypassable. To uncover the root causes behind the omnipresent misconfiguration of CSP, we conducted a qualitative study involving 12 real-world Web developers. By combining a semi-structured interview, a drawing task, and a programming task, we were able to identify the participant's misconceptions regarding the attacker model covered by CSP as well as roadblocks for secure deployment or strategies used to create a CSP.

Published

2021

3. DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale

Author

Dolière Francis Somé, Ben Stock, Michael Backes, and Aurore Fass

Subjects

Computer science, business.industry, Computer security, computer.software_genre, Internet security, JavaScript, Data flow diagram, Scripting language, Threat model, Web page, Web application, business, Pointer analysis, computer, computer.programming_language

Abstract

Browser extensions are popular to enhance users' browsing experience. By design, they have access to security- and privacy-critical APIs to perform tasks that web applications cannot traditionally do. Even though web pages and extensions are isolated, they can communicate through messages. Specifically, a vulnerable extension can receive messages from another extension or web page, under the control of an attacker. Thus, these communication channels are a way for a malicious actor to elevate their privileges to the capabilities of an extension, which can lead to, e.g., universal cross-site scripting or sensitive user data exfiltration. To automatically detect such security and privacy threats in benign-but-buggy extensions, we propose our static analyzer DoubleX. DoubleX defines an Extension Dependence Graph (EDG), which abstracts extension code with control and data flows, pointer analysis, and models the message interactions within and outside of an extension. This way, we can leverage this graph to track and detect suspicious data flows between external actors and sensitive APIs in browser extensions. We evaluated DoubleX on 154,484 Chrome extensions, where it flags 278 extensions as having a suspicious data flow. Overall, we could verify that 89% of these flows can be influenced by external actors (i.e., an attacker). Based on our threat model, we subsequently demonstrate exploitability for 184 extensions. Finally, we evaluated DoubleX on a labeled vulnerable extension set, where it accurately detects almost 93% of known flaws.

Published

2021

4. Accountability in the Decentralised-Adversary Setting

Author

Deepak Garg, Robert Künnemann, and Michael Backes

Subjects

business.industry, Computer science, Access control, Cryptography, Adversary, Computer security, computer.software_genre, Accountability, Task analysis, business, Completeness (statistics), computer, Design space, Consumer behaviour

Abstract

A promising paradigm in protocol design is to hold parties accountable for misbehavior, instead of postulating that they are trustworthy. Recent approaches in defining this property, called accountability, characterized malicious behavior as a deviation from the protocol that causes a violation of the desired security property, but did so under the assumption that all deviating parties are controlled by a single, centralized adversary. In this work, we investigate the setting where multiple parties can deviate with or without coordination in a variant of the applied-$\pi$ calculus.We first demonstrate that, under realistic assumptions, it is impossible to determine all misbehaving parties; however, we show that accountability can be relaxed to exclude causal dependencies that arise from the behavior of deviating parties, and not from the protocol as specified. We map out the design space for the relaxation, point out protocol classes separating these notions and define conditions under which we can guarantee fairness and completeness. Most importantly, we discover under which circumstances it is correct to consider accountability in the single-adversary setting, where this property can be verified with off-the-shelf protocol verification tools.

Published

2021

5. Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild

Author

Michael Backes, Aurore Fass, Markus Demmel, and Marvin Moog

Subjects

Programming language, Computer science, business.industry, Static analysis, computer.software_genre, JavaScript, Internet security, Obfuscation (software), Code (cryptography), Malware, Minification, Abstract syntax tree, business, computer, computer.programming_language

Abstract

JavaScript is both a popular client-side programming language and an attack vector. While malware developers transform their JavaScript code to hide its malicious intent and impede detection, well-intentioned developers also transform their code to, e.g., optimize website performance. In this paper, we conduct an in-depth study of code transformations in the wild. Specifically, we perform a static analysis of JavaScript files to build their Abstract Syntax Tree (AST), which we extend with control and data flows. Subsequently, we define two classifiers, benefitting from AST-based features, to detect transformed samples along with specific transformation techniques. Besides malicious samples, we find that transforming code is increasingly popular on Node.js libraries and client-side JavaScript, with, e.g., 90% of Alexa Top 10k websites containing a transformed script. This way, code transformations are no indicator of maliciousness. Finally, we showcase that benign code transformation techniques and their frequency both differ from the prevalent malicious ones.

Published

2021

6. Measuring User Perception for Detecting Unexpected Access to Sensitive Resource in Mobile Apps

Author

Michael Backes, Gang Wang, Michael Schilling, Duc Cuong Nguyen, and Trung Tin Nguyen

Subjects

business.industry, Computer science, 020207 software engineering, Static program analysis, 02 engineering and technology, 010501 environmental sciences, Permission, User expectations, 01 natural sciences, Data access, Semantic mapping, Human–computer interaction, 0202 electrical engineering, electronic engineering, information engineering, Android (operating system), User interface, business, 0105 earth and related environmental sciences, Graphical user interface

Abstract

Understanding users' perception of app behaviors is an important step to detect data access that violates user expectations. While existing works have used various proxies to infer user expectations (e.g., by analyzing app descriptions), how real-world users perceive an app's data access when they interact with graphical user interfaces (UI) has not been fully explored. In this paper, we aimed to fill this gap by directly measuring how end-users perceive app behaviors based on graphical UI elements via extensive user studies. The results are used to build an automated tool - GUIBAT (Graphical User Interface Behavioral Analysis Tool) - that detects sensitive resource accesses that violate user expectations. We conducted three user studies in total (N=904). The first two user studies were used to build a semantic mapping between user expectations of sensitive resource accesses and the common graphical UI elements (N=459). The third user study (N=445) was used to validate the performance of GUIBAT in predicting user expectations. By comparing user expectations and the actual app behavior (inferred by static program analysis) for 47,909 Android apps, we found that 75.38% of the apps have at least one unexpected sensitive resource access in which third-party libraries attributed to 46.13%. Our analysis lays a concrete foundation for modeling user expectations based on UI elements. We show the urgent need for more transparent UI designs to better inform users of data access, and call for new tools to support app developers in this endeavor.

Published

2021

7. Assessing the Impact of Script Gadgets on CSP at Scale

Author

Michael Backes, Ben Stock, and Sebastian Roth

Subjects

050101 languages & linguistics, Markup language, business.industry, Computer science, Cross-site scripting, 05 social sciences, Whitelist, 02 engineering and technology, computer.file_format, Web developer, Content Security Policy, computer.software_genre, JavaScript, Computer security, Scripting language, 0202 electrical engineering, electronic engineering, information engineering, Web application, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Executable, business, computer, computer.programming_language

Abstract

The Web, as one of the core technologies of modern society, has profoundly changed the way we interact with people and data. One of the worst attacks on the Web is Cross-Site Scripting (XSS), in which an attacker is able to inject their malicious JavaScript code into a Web application, giving this code full access to the victimized site. To mitigate the impact of markup injection flaws that cause XSS, support for the Content Security Policy (CSP) is nowadays shipped in all browsers. Deploying such a policy enables a Web developer to whitelist from where script code can be loaded, essentially constraining the capabilities of the attacker to only be able to execute injected code from the said whitelist. As recently shown by Lekies et al., injecting script markup is not a necessary prerequisite for a successful attack in the presence of so-called script gadgets. These small snippets of benign JavaScript code transform non-script markup contained in a page into executable JavaScript, opening the door for bypasses of a deployed CSP. Especially in combination with CSP's logic in handling redirected resources, script gadgets enable attackers to bypass an otherwise secure policy. In this paper, we, therefore, ask the question: is securely deploying CSP even possible without a priori knowledge of all files hosted on even a partially trusted origin? To answer this question, we investigate the severity of the findings of Lekies et al., showing real-world Web sites on which, even in the presence of CSP and without code containing such gadgets being added by the developer, an attacker can sideload libraries with known script gadgets, as long as the hosting site is whitelisted in the CSP. In combination with CSPs matching logic for redirects, this enables us to bypass 10% of otherwise secure policies in the wild. To further answer our main research question, we conduct a hypothetical what-if analysis. Doing so, we automatically generate sensible CSPs for all of the Top 10,000 sites and show that around one-third of all sites would still be susceptible to a bypass through script gadget sideloading due to heavy reliance on third parties that also host such libraries.

Published

2020

8. Adversarial Attacks on Classifiers for Eye-based User Modelling

Author

Andreas Bulling, Michael Backes, and Inken Hagestedt

Subjects

FOS: Computer and information sciences, Class (computer programming), Computer Science - Cryptography and Security, H.5, Computer science, business.industry, Computer Science - Human-Computer Interaction, Eye movement, Cognition, Document type definition, Machine learning, computer.software_genre, Gaze, Task (project management), Human-Computer Interaction (cs.HC), Adversarial system, Classifier (linguistics), Artificial intelligence, business, computer, Cryptography and Security (cs.CR)

Abstract

An ever-growing body of work has demonstrated the rich information content available in eye movements for user modelling, e.g. for predicting users' activities, cognitive processes, or even personality traits. We show that state-of-the-art classifiers for eye-based user modelling are highly vulnerable to adversarial examples: small artificial perturbations in gaze input that can dramatically change a classifier's predictions. We generate these adversarial examples using the Fast Gradient Sign Method (FGSM) that linearises the gradient to find suitable perturbations. On the sample task of eye-based document type recognition we study the success of different adversarial attack scenarios: with and without knowledge about classifier gradients (white-box vs. black-box) as well as with and without targeting the attack to a specific class, In addition, we demonstrate the feasibility of defending against adversarial attacks by adding adversarial examples to a classifier's training data., 9 pages, 7 figures

Published

2020

9. When Machine Unlearning Jeopardizes Privacy

Author

Michael Backes, Zhikun Zhang, Yang Zhang, Min Chen, Tianhao Wang, and Mathias Humbert

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, business.industry, Computer science, Right to be forgotten, Inference, Sample (statistics), Context (language use), Machine Learning (stat.ML), Machine learning, computer.software_genre, Inference attack, Machine Learning (cs.LG), Statistics - Machine Learning, Information leakage, Code (cryptography), Differential privacy, Artificial intelligence, business, computer, Cryptography and Security (cs.CR)

Abstract

The right to be forgotten states that a data owner has the right to erase their data from an entity storing it. In the context of machine learning (ML), the right to be forgotten requires an ML model owner to remove the data owner's data from the training set used to build the ML model, a process known asmachine unlearning. While originally designed to protect the privacy of the data owner, we argue that machine unlearning may leave some imprint of the data in the ML model and thus create unintended privacy risks. In this paper, we perform the first study on investigating the unintended information leakage caused by machine unlearning. We propose a novel membership inference attack that leverages the different outputs of an ML model's two versions to infer whether a target sample is part of the training set of the original model but out of the training set of the corresponding unlearned model. Our experiments demonstrate that the proposed membership inference attack achieves strong performance. More importantly, we show that our attack in multiple cases outperforms the classical membership inference attack on the original ML model, which indicates that machine unlearning can have counterproductive effects on privacy. We notice that the privacy degradation is especially significant for well-generalized ML models where classical membership inference does not perform well. We further investigate four mechanisms to mitigate the newly discovered privacy risks and show that releasing the predicted label only, temperature scaling, and differential privacy are effective. We believe that our results can help improve privacy protection in practical implementations of machine unlearning. \footnoteOur code is available at \urlhttps://github.com/MinChen00/UnlearningLeaks.

Published

2020

10. Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication

Author

Michael Backes, Sanam Ghorbani Lyastani, Michaela Neumayr, Sven Bugiel, and Michael Schilling

Subjects

Password, User authentication, Authentication, business.industry, Computer science, 05 social sciences, Usability, 02 engineering and technology, Service provider, Cryptographic protocol, Security token, Computer security, computer.software_genre, Authentication (law), 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, The Internet, business, computer, 050107 human factors

Abstract

The newest contender for succeeding passwords as the incumbent web authentication scheme is the FIDO2 standard. Jointly developed and backed by the FIDO Alliance and the W3C, FIDO2 has found support in virtually every browser, finds increasing support by service providers, and has adoptions beyond browser-software on its way. While it supports MFA and 2FA, its single-factor, passwordless authentication with security tokens has received the bulk of attention and was hailed by its supporters and the media as the solution that will replace text-passwords on the web. Despite its obvious security and deployability benefits—a setting that no prior solution had in this strong combination—the paradigm shift from a familiar knowledge factor to purely a possession factor raises questions about the acceptance of passwordless authentication by end-users.This paper presents the first large-scale lab study of FIDO2 single-factor authentication to collect insights about end-users’ perception, acceptance, and concerns about passwordless authentication. Through hands-on tasks our participants gather first-hand experience with passwordless authentication using a security key, which they afterwards reflect on in a survey. Our results show that users are willing to accept a direct replacement of text-based passwords with a security key for single-factor authentication. That is an encouraging result in the quest to replace passwords. But, our results also identify new concerns that can potentially hinder the widespread adoption of FIDO2 passwordless authentication. In order to mitigate these factors, we derive concrete recommendations to try to help in the ongoing proliferation of passwordless authentication on the web.

Published

2020

11. Privacy-Preserving Similar Patient Queries for Combined Biomedical Data

Author

Ahmed Salem, Mathias Humbert, Michael Backes, and Pascal Berrang

Subjects

050101 languages & linguistics, Computer science, Cryptography, 02 engineering and technology, computer.software_genre, 0202 electrical engineering, electronic engineering, information engineering, Profiling (information science), 0501 psychology and cognitive sciences, biomedical data privacy, Biomedicine, General Environmental Science, Ethics, business.industry, 05 social sciences, Bandwidth (signal processing), Information technology, QA75.5-76.95, BJ1-1725, Euclidean distance, Electronic computers. Computer science, Scalability, General Earth and Planetary Sciences, 020201 artificial intelligence & image processing, Personalized medicine, Data mining, business, computer

Abstract

The decreasing costs of molecular profiling have fueled the biomedical research community with a plethora of new types of biomedical data, enabling a breakthrough towards more precise and personalized medicine. Naturally, the increasing availability of data also enables physicians to compare patients’ data and treatments easily and to find similar patients in order to propose the optimal therapy. Such similar patient queries (SPQs) are of utmost importance to medical practice and will be relied upon in future health information exchange systems. While privacy-preserving solutions have been previously studied, those are limited to genomic data, ignoring the different newly available types of biomedical data. In this paper, we propose new cryptographic techniques for finding similar patients in a privacy-preserving manner with various types of biomedical data, including genomic, epigenomic and transcriptomic data as well as their combination. We design protocols for two of the most common similarity metrics in biomedicine: the Euclidean distance and Pearson correlation coefficient. Moreover, unlike previous approaches, we account for the fact that certain locations contribute differently to a given disease or phenotype by allowing to limit the query to the relevant locations and to assign them different weights. Our protocols are specifically designed to be highly efficient in terms of communication and bandwidth, requiring only one or two rounds of communication and thus enabling scalable parallel queries. We rigorously prove our protocols to be secure based on cryptographic games and instantiate our technique with three of the most important types of biomedical data – namely DNA, microRNA expression, and DNA methylation. Our experimental results show that our protocols can compute a similarity query over a typical number of positions against a database of 1,000 patients in a few seconds. Finally, we propose and formalize strategies to mitigate the threat of malicious users or hospitals.

Published

2019

12. How Internet Resources Might Be Helping You Develop Faster but Less Securely

Author

Michael Backes, Yasemin Acar, Doowon Kim, Christian Stransky, Michelle L. Mazurek, and Sascha Fahl

Subjects

Computer Networks and Communications, business.industry, Computer science, Internet privacy, Mobile computing, 020207 software engineering, Cryptography, Mobile Web, 02 engineering and technology, Permission, Computer security, computer.software_genre, Documentation, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Mobile search, The Internet, Mobile telephony, Electrical and Electronic Engineering, Android (operating system), business, Law, computer

Abstract

In this experimental study, Android developers using Stack Overflow to solve common security issues were more likely to produce functional--but less secure--code. Given today's time constraints and economic pressures, developers need improved official documentation that's both secure and usable.

Published

2017

13. On the Security Relevance of Initial Weights in Deep Neural Networks

Author

Kathrin Grosse, Marius Mosbach, Dietrich Klakow, Thomas Alexander Trost, and Michael Backes

Subjects

Computer science, business.industry, Deep learning, 020206 networking & telecommunications, 02 engineering and technology, 010501 environmental sciences, Overfitting, Adversarial machine learning, Machine learning, computer.software_genre, 01 natural sciences, Stochastic gradient descent, 0202 electrical engineering, electronic engineering, information engineering, Relevance (information retrieval), Limit (mathematics), Artificial intelligence, business, computer, MNIST database, 0105 earth and related environmental sciences

Abstract

Recently, a weight-based attack on stochastic gradient descent inducing overfitting has been proposed. We show that the threat is broader: A task-independent permutation on the initial weights suffices to limit the achieved accuracy to for example 50% on the Fashion MNIST dataset from initially more than 90%. These findings are supported on MNIST and CIFAR. We formally confirm that the attack succeeds with high likelihood and does not depend on the data. Empirically, weight statistics and loss appear unsuspicious, making it hard to detect the attack if the user is not aware. Our paper is thus a call for action to acknowledge the importance of the initial weights in deep learning.

Published

2020

14. TrollThrottle —Raising the Cost of Astroturfing

Author

Michael Backes, Lucjan Hanzlik, Robert Künnemann, Lena Marie Budde, and Ilkan Esiyok

Subjects

050101 languages & linguistics, business.industry, media_common.quotation_subject, 05 social sciences, Internet privacy, Censorship, 02 engineering and technology, Raising (linguistics), Harm, Public discourse, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, The Internet, business, media_common

Abstract

Astroturfing, i.e., the fabrication of public discourse by private or state-controlled sponsors via the creation of fake online accounts, has become incredibly widespread in recent years. It gives a disproportionally strong voice to wealthy and technology-savvy actors, permits targeted attacks on public forums and could in the long run harm the trust users have in the internet as a communication platform.

Published

2020

15. JStap

Author

Michael Backes, Ben Stock, and Aurore Fass

Subjects

021110 strategic, defence & security studies, business.industry, Computer science, 0211 other engineering and technologies, Context (language use), 02 engineering and technology, Modular design, computer.software_genre, Internet security, JavaScript, Data flow diagram, Control flow, Scripting language, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Data mining, Layer (object-oriented design), business, computer, computer.programming_language

Abstract

Given the success of the Web platform, attackers have abused its main programming language, namely JavaScript, to mount different types of attacks on their victims. Due to the large volume of such malicious scripts, detection systems rely on static analyses to quickly process the vast majority of samples. These static approaches are not infallible though and lead to misclassifications. Also, they lack semantic information to go beyond purely syntactic approaches. In this paper, we propose JStap, a modular static JavaScript detection system, which extends the detection capability of existing lexical and AST-based pipelines by also leveraging control and data flow information. Our detector is composed of ten modules, including five different ways of abstracting code, with differing levels of context and semantic information, and two ways of extracting features. Based on the frequency of these specific patterns, we train a random forest classifier for each module. In practice, JStap outperforms existing systems, which we reimplemented and tested on our dataset totaling over 270,000 samples. To improve the detection, we also combine the predictions of several modules. A first layer of unanimous voting classifies 93% of our dataset with an accuracy of 99.73%, while a second layer-based on an alternative modules' combination-labels another 6.5% of our initial dataset with an accuracy over 99%. This way, JStap can be used as a precise pre-filter, meaning that it would only need to forward less than 1% of samples to additional analyses. For reproducibility and direct deployability of our modules, we make our system publicly available.1

Published

2019

16. HideNoSeek

Author

Ben Stock, Aurore Fass, and Michael Backes

Subjects

Computer science, business.industry, 02 engineering and technology, Internet security, computer.software_genre, Machine learning, JavaScript, Scripting language, 020204 information systems, Abstract syntax, Web page, 0202 electrical engineering, electronic engineering, information engineering, False positive paradox, Malware, 020201 artificial intelligence & image processing, Artificial intelligence, business, Classifier (UML), computer, computer.programming_language

Abstract

In the malware field, learning-based systems have become popular to detect new malicious variants. Nevertheless, attackers with specific and internal knowledge of a target system may be able to produce input samples which are misclassified. In practice, the assumption of strong attackers is not realistic as it implies access to insider information. We instead propose HideNoSeek, a novel and generic camouflage attack, which evades the entire class of detectors based on syntactic features, without needing any information about the system it is trying to evade. Our attack consists of changing the constructs of malicious JavaScript samples to reproduce a benign syntax. For this purpose, we automatically rewrite the Abstract Syntax Trees (ASTs) of malicious JavaScript inputs into existing benign ones. In particular, HideNoSeek uses malicious seeds and searches for isomorphic subgraphs between the seeds and traditional benign scripts. Specifically, it replaces benign sub-ASTs by their malicious equivalents (same syntactic structure) and adjusts the benign data dependencies--without changing the AST--so that the malicious semantics is kept. In practice, we leveraged 23 malicious seeds to generate 91,020 malicious scripts, which perfectly reproduce ASTs of Alexa top 10,000 web pages. Also, we can produce on average 14 different malicious samples with the same AST as each Alexa top 10. Overall, a standard trained classifier has 99.98% false negatives with HideNoSeek inputs, while a classifier trained on such samples has over 88.74% false positives, rendering the targeted static detectors unreliable.

Published

2019

17. Membership Privacy for Fully Dynamic Group Signatures

Author

Jonas Schneider-Bensch, Michael Backes, and Lucjan Hanzlik

Subjects

Scheme (programming language), 050101 languages & linguistics, Theoretical computer science, business.industry, Computer science, Group (mathematics), 05 social sciences, 02 engineering and technology, Group signature, Public-key cryptography, Information sensitivity, Digital signature, 0202 electrical engineering, electronic engineering, information engineering, Identity (object-oriented programming), 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, business, computer, Standard model (cryptography), computer.programming_language

Abstract

Group signatures present a compromise between the traditional goals of digital signatures and the need for signer privacy, allowing for the creation of unforgeable signatures in the name of a group which reveal nothing about the actual signer's identity beyond their group membership. An important consideration that is absent in prevalent models is that group membership itself may be sensitive information, especially if group membership is dynamic, i.e. membership status may change over time. We address this issue by introducing formal notions of membership privacy for fully dynamic group signature schemes, which can be easily integrated into the most expressive models of group signature security to date. We then propose a generic construction for a fully dynamic group signature scheme with membership privacy that is based on signatures with flexible public key (SFPK) and signatures on equivalence classes (SPSEQ). Finally, we devise novel techniques for SFPK to construct a highly efficient standard model scheme (i.e. without random oracles) that provides shorter signatures than even the non-private state-of-the-art from standard assumptions. This shows that, although the strictly stronger security notions we introduce have been completely unexplored in the study of fully dynamic group signatures so far, they do not come at an additional cost in practice.

Published

2019

18. MemGuard

Author

Neil Zhenqiang Gong, Ahmed Salem, Jinyuan Jia, Yang Zhang, and Michael Backes

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, business.industry, Computer science, Inference, 02 engineering and technology, 010501 environmental sciences, Machine learning, computer.software_genre, Inference attack, 01 natural sciences, Machine Learning (cs.LG), Adversarial system, Binary classification, Classifier (linguistics), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Artificial intelligence, business, Cryptography and Security (cs.CR), computer, Classifier (UML), 0105 earth and related environmental sciences

Abstract

In a membership inference attack, an attacker aims to infer whether a data sample is in a target classifier's training dataset or not. Specifically, given a black-box access to the target classifier, the attacker trains a binary classifier, which takes a data sample's confidence score vector predicted by the target classifier as an input and predicts the data sample to be a member or non-member of the target classifier's training dataset. Membership inference attacks pose severe privacy and security threats to the training dataset. Most existing defenses leverage differential privacy when training the target classifier or regularize the training process of the target classifier. These defenses suffer from two key limitations: 1) they do not have formal utility-loss guarantees of the confidence score vectors, and 2) they achieve suboptimal privacy-utility tradeoffs. In this work, we propose MemGuard, the first defense with formal utility-loss guarantees against black-box membership inference attacks. Instead of tampering the training process of the target classifier, MemGuard adds noise to each confidence score vector predicted by the target classifier. Our key observation is that attacker uses a classifier to predict member or non-member and classifier is vulnerable to adversarial examples. Based on the observation, we propose to add a carefully crafted noise vector to a confidence score vector to turn it into an adversarial example that misleads the attacker's classifier. Our experimental results on three datasets show that MemGuard can effectively defend against membership inference attacks and achieve better privacy-utility tradeoffs than existing defenses. Our work is the first one to show that adversarial examples can be used as defensive mechanisms to defend against membership inference attacks., ACM CCS 2019, code is available at this: https://github.com/jjy1994/MemGuard

Published

2019

19. How to Wrap it up - A Formally Verified Proposal for the use of Authenticated Wrapping in PKCS#11

Author

Sven Tangermann, Michael Backes, Alexander Dax, and Robert Künnemann

Subjects

Soundness, Authenticated encryption, Hardware security module, Computer science, business.industry, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, Deterministic encryption, PKCS #11, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), 020201 artificial intelligence & image processing, Smart card, business, Computer network

Abstract

Being the most widely used and comprehensive standard for hardware security modules, cryptographic tokens and smart cards, PKCS#11 has been the subject of academic study for years. PKCS#11 provides a key store that is separate from the application, so that, ideally, an application never sees a key in the clear. Again and again, researchers have pointed out the need for an import/export mechanism that ensures the integrity of the permissions associated to a key. With version 2.40, for the first time, the standard included authenticated deterministic encryption schemes. The interface to this operation is insecure, however, so that an application can get the key in the clear, subverting the purpose of using a hardware security module. This work proposes a formal model for the secure use of authenticated deterministic encryption in PKCS#11, including concrete API changes to allow for secure policies to be implemented. Owing to the authenticated encryption mechanism, the policy we propose provides more functionality than any policy proposed so far and can be implemented without access to a random number generator. Our results cover modes of operation that rely on unique initialisation vectors (IVs), like GCM or CCM, but also modes that generate synthetic IVs. We furthermore provide a proof for the deduction soundness of our modelling of deterministic encryption in Bohl et.al.'s composable deduction soundness framework.

Published

2019

20. Automated Verification of Accountability in Security Protocols

Author

Ilkan Esiyok, Robert Künnemann, and Michael Backes

Subjects

FOS: Computer and information sciences, Soundness, Computer Science - Cryptography and Security, Computer science, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Cryptographic protocol, Computer security, computer.software_genre, Certificate transparency, Automation, Accountability, Completeness (statistics), business, Cryptography and Security (cs.CR), computer

Abstract

Accountability is a recent paradigm in security protocol design which aims to eliminate traditional trust assumptions on parties and hold them accountable for their misbehavior. It is meant to establish trust in the first place and to recognize and react if this trust is violated. In this work, we discuss a protocol-agnostic definition of accountability: a protocol provides accountability (w.r.t. some security property) if it can identify all misbehaving parties, where misbehavior is defined as a deviation from the protocol that causes a security violation. We provide a mechanized method for the verification of accountability and demonstrate its use for verification and attack finding on various examples from the accountability and causality literature, including Certificate Transparency and Kroll^{\prime}s Accountable Algorithms protocol. We reach a high degree of automation by expressing accountability in terms of a set of trace properties and show their soundness and completeness.

Published

2019

21. Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security & Privacy

Author

Michael Backes, Duc Cuong Nguyen, Sven Bugiel, and Erik Derr

Subjects

Point (typography), business.industry, Computer science, Best practice, Internet privacy, 020207 software engineering, 02 engineering and technology, Task (project management), Incentive, Leverage (negotiation), Order (business), mental disorders, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Privacy law, business

Abstract

Application markets streamline the end-users’ task of finding and installing applications. They also form an immediate communication channel between app developers and their end-users in form of app reviews, which allow users to provide developers feedback on their apps. However, it is unclear to which extent users employ this channel to point out their security and privacy concerns about apps, about which aspects of apps users express concerns, and how developers react to such security- and privacy-related reviews. In this paper, we present the first study of the relationship between end-user reviews and security- & privacy-related changes in apps. Using natural language processing on 4.5M user reviews for the top 2,583 apps in Google Play, we identified 5,527 security and privacy relevant reviews (SPR). For each app version mentioned in the SPR, we use static code analysis to extract permission-protected features mentioned in the reviews. We successfully mapped SPRs to privacy-related changes in app updates in 60.77% of all cases. Using exploratory data analysis and regression analysis we are able to show that preceding SPR are a significant factor for predicting privacy-related app updates, indicating that user reviews in fact lead to privacy improvements of apps. Our results further show that apps that adopt runtime permissions receive a significantly higher number of SPR, showing that runtime permissions put privacy-jeopardizing actions better into users’ minds. Further, we can attribute about half of all privacy-relevant app changes exclusively to third-party library code. This hints at larger problems for app developers to adhere to users’ privacy expectations and markets’ privacy regulations. Our results make a call for action to make app behavior more transparent to users in order to leverage their reviews in creating incentives for developers to adhere to security and privacy best practices, while our results call at the same time for better tools to support app developers in this endeavor.

Published

2019

22. Towards automated network mitigation analysis

Author

Marcel Steinmetz, Patrick Speicher, Michael Backes, Jörg Hoffmann, and Robert Künnemann

Subjects

Network security, business.industry, Computer science, Vulnerability, 020207 software engineering, 02 engineering and technology, Network topology, Automation, Identification (information), Risk analysis (engineering), 020204 information systems, Component (UML), 0202 electrical engineering, electronic engineering, information engineering, Stackelberg competition, business, Vulnerability (computing), Network model

Abstract

Penetration testing is a well-established practical concept for the identification of potentially exploitable security weaknesses and an important component of a security audit. Providing a holistic security assessment for networks consisting of several hundreds hosts is hardly feasible though without some sort of mechanization. Mitigation, prioritizing counter-measures subject to a given budget, currently lacks a solid theoretical understanding and is hence more art than science. In this work, we propose the first approach for conducting comprehensive what-if analyses in order to reason about mitigation in a conceptually well-founded manner. To evaluate and compare mitigation strategies, we use simulated penetration testing, i.e., automated attack-finding, based on a network model to which a subset of a given set of mitigation actions, e.g., changes to the network topology, system updates, configuration changes etc. is applied. Using Stackelberg planning, we determine optimal combinations that minimize the maximal attacker success (similar to a Stackelberg game), and thus provide a well-founded basis for a holistic mitigation strategy. We show that these Stackelberg planning models can largely be derived from network scan, public vulnerability databases and manual inspection with various degrees of automation and detail, and we simulate mitigation analysis on networks of different size and vulnerability.

Published

2019

23. Data Lineage in Malicious Environments

Author

Niklas Grimm, Michael Backes, and Aniket Kate

Subjects

Oblivious transfer, Computer science, business.industry, Internet privacy, 020206 networking & telecommunications, 02 engineering and technology, Data lineage, Computer security, computer.software_genre, Outsourcing, Data flow diagram, Information leakage, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Confidentiality, Concrete security, Electrical and Electronic Engineering, business, Personally identifiable information, computer

Abstract

Intentional or unintentional leakage of confidential data is undoubtedly one of the most severe security threats that organizations face in the digital era. The threat now extends to our personal lives: a plethora of personal information is available to social networks and smartphone providers and is indirectly transferred to untrustworthy third party and fourth party applications. In this work, we present a generic data lineage framework Lime for data flow across multiple entities that take two characteristic, principal roles (i.e., owner and consumer). We define the exact security guarantees required by such a data lineage mechanism toward identification of a guilty entity, and identify the simplifying non-repudiation and honesty assumptions. We then develop and analyze a novel accountable data transfer protocol between two entities within a malicious environment by building upon oblivious transfer, robust watermarking, and signature primitives. Finally, we perform an experimental evaluation to demonstrate the practicality of our protocol and apply our framework to the important data leakage scenarios of data outsourcing and social networks. In general, we consider Lime , our lineage framework for data transfer, to be an key step towards achieving accountability by design .

Published

2016

24. A NECTAr-based upgrade for the Cherenkov cameras of the H.E.S.S. 12-meter telescopes

Author

H. Leich, Thomas Murach, T. Schwab, Marko Kossatz, P. Nayman, Albert Jahnke, Francois Brun, P. Vincent, J.-P. Lenain, Jim Hinton, Christian Stegmann, A. Balzer, J. Bolmont, J. F. Glicenstein, P. Manigot, M. Füßling, Eric Delagnes, Michael Backes, Gianluca Giavitto, Marek Penno, T. Chaminade, F. Toussenel, Terry Ashton, M. de Naurois, David Salek, E. Moulin, D. Berge, Gerard Fontaine, J.-P. Tavernet, Kleopas Shiningayamwe, S. Ohm, V. Lefranc, A. Kretzschmann, J. Thornhill, H. Lüdecke, V. Marandon, Markus Schade, Stefan Klepser, B. Giebels, Iryna Lypova, D. Ross, Tobias Gräber, S. Bonnefoy, Constantin Steppa, Laboratoire de Physique Nucléaire et de Hautes Énergies (LPNHE (UMR_7585)), Institut National de Physique Nucléaire et de Physique des Particules du CNRS (IN2P3)-Sorbonne Université (SU)-Centre National de la Recherche Scientifique (CNRS), Institut de Recherches sur les lois Fondamentales de l'Univers (IRFU), Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Université Paris-Saclay, Laboratoire Leprince-Ringuet (LLR), Institut National de Physique Nucléaire et de Physique des Particules du CNRS (IN2P3)-École polytechnique (X)-Centre National de la Recherche Scientifique (CNRS), 28644743 - Backes, Michael, Institut National de Physique Nucléaire et de Physique des Particules du CNRS (IN2P3)-Sorbonne Université (SU)-Centre National de la Recherche Scientifique (CNRS)-Université de Paris (UP), Centre National de la Recherche Scientifique (CNRS)-École polytechnique (X)-Institut National de Physique Nucléaire et de Physique des Particules du CNRS (IN2P3), Centre National de la Recherche Scientifique (CNRS), and Institut National de Physique Nucléaire et de Physique des Particules du CNRS (IN2P3)-Université Paris Diderot - Paris 7 (UPD7)-Sorbonne Université (SU)-Centre National de la Recherche Scientifique (CNRS)

Subjects

Ethernet, data acquisition, atmosphere [Cherenkov counter], computer: communications, High-energy instrumentation upgrade, 01 natural sciences, design [detector], Cherenkov camera, Data acquisition, Software, HESS, [PHYS.HEXP]Physics [physics]/High Energy Physics - Experiment [hep-ex], High Energy Stereoscopic System, 010303 astronomy & astrophysics, ComputingMilieux_MISCELLANEOUS, FPGA, NECTAr, Physics, Upgrade, H.E.S.S, ddc:540, design [electronics], mechanical engineering, upgrade, Astrophysics - Instrumentation and Methods for Astrophysics, performance, Computer hardware, Photomultiplier, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, FOS: Physical sciences, Cherenkov counter: atmosphere, electrical engineering, programming, 0103 physical sciences, communications [computer], [PHYS.PHYS.PHYS-INS-DET]Physics [physics]/Physics [physics]/Instrumentation and Detectors [physics.ins-det], Electronics, Instrumentation and Methods for Astrophysics (astro-ph.IM), detector: design, Cherenkov radiation, Gamma-ray astronomy, 010308 nuclear & particles physics, business.industry, Astronomy and Astrophysics, PMT Cameras, trigger, electronics: readout, HESS - Abteilung Hinton, photon: detector, readout [electronics], business, detector [photon], electronics: design

Abstract

The High Energy Stereoscopic System (H.E.S.S.) is one of the three arrays of imaging atmospheric Cherenkov telescopes (IACTs) currently in operation. It is composed of four 12-meter telescopes and a 28-meter one, and is sensitive to gamma rays in the energy range ~30 GeV - 100 TeV. The cameras of the 12-m telescopes recently underwent a substantial upgrade, with the goal of improving their performance and robustness. The upgrade involved replacing all camera components except for the photomultiplier tubes (PMTs). This meant developing new hardware for the trigger, readout, power, cooling and mechanical systems, and new software for camera control and data acquisition. Several novel technologies were employed in the cameras: the readout is built around the new NECTAr digitizer chip, developed for the next generation of IACTs; the camera electronics is fully controlled and read out via Ethernet using a combination of FPGA and embedded ARM computers; the software uses modern libraries such as Apache Thrift, ZMQ and Protocol buffers. This work describes in detail the design and the performance of the upgraded cameras., Comment: 35 pages, 14 figures, accepted for publication in "Astroparticle physics"

Published

2020

25. Formally Reasoning about the Cost and Efficacy of Securing the Email Infrastructure

Author

Patrick Speicher, Marcel Steinmetz, Michael Backes, Robert Künnemann, Giancarlo Pellegrino, Milivoj Simeonovski, and Jörg Hoffmann

Subjects

business.industry, Computer science, computer.internet_protocol, 02 engineering and technology, Computer security, computer.software_genre, Electronic mail, Software deployment, 020204 information systems, Scale (social sciences), IPsec, Threat model, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Confidentiality, The Internet, business, Relocation, computer

Abstract

Security in the Internet has historically been added post-hoc, leaving services like email, which, after all, is used by 3.7 billion users, vulnerable to large-scale surveillance. For email alone, there is a multitude of proposals to mitigate known vulnerabilities, ranging from the introduction of completely new protocols to modifications of the communication paths used by big providers. Deciding which measures to deploy requires a deep understanding of the induced benefits, the cost and the resulting effects. This paper proposes the first automated methodology for making formal deployment assessments. Our planning algorithm analyses the impact and cost-efficiency of different known mitigation strategies against an attacker in a formal threat model. This novel formalisation of an infrastructure attacker includes routing, name resolution and application level weaknesses. We apply the methodology to a large-scale scan of the Internet, and assess how protocols like IPsec, DNSSEC, DANE, SMTP STS, SMTP over TLS and other mitigation techniques like server relocation can be combined to improve the confidentiality of email users in 45 combinations of attacker and defender countries and nine cost scenarios. This is the first deployment analysis for mitigation techniques at this scale.

Published

2018

26. Dissecting Privacy Risks in Biomedical Data

Author

Mathias Humbert, Irina Lehmann, Yang Zhang, Michael Backes, Roland Eils, and Pascal Berrang

Subjects

0301 basic medicine, Information privacy, Computer science, business.industry, media_common.quotation_subject, Bayesian network, Inference, Adversary, Data science, Interdependence, 03 medical and health sciences, 030104 developmental biology, Profiling (information science), Personalized medicine, Security community, business, media_common

Abstract

The decreasing costs of molecular profiling has fueled the biomedical research community with a plethora of new types of biomedical data, enabling a breakthrough towards a more precise and personalized medicine. However, the release of these intrinsically highly sensitive data poses a new severe privacy threat. While biomedical data is largely associated with our health, there also exist various correlations between different types of biomedical data, along the temporal dimension, and also in-between family members. However, so far, the security community has focused on privacy risks stemming from genomic data, largely overlooking the manifold interdependencies between other biomedical data. In this paper, we present a generic framework for quantifying the privacy risks in biomedical data taking into account the various interdependencies between data (i) of different types, (ii) from different individuals, and (iii) at different time. To this end, we rely on a Bayesian network model that allows us to take all aforementioned dependencies into account and run exact probabilistic inference attacks very efficiently. Furthermore, we introduce a generic algorithm for building the Bayesian network, which encompasses expert knowledge for known dependencies, such as genetic inheritance laws, and learns previously unknown dependencies from the data. Then, we conduct a thorough inference risk evaluation with a very rich dataset containing genomic and epigenomic data of mothers and children over multiple years. Besides effective probabilistic inference, we further demonstrate that our Bayesian network model can also serve as a building block for other attacks. We show that, with our framework, an adversary can efficiently identify the parent-child relationships based on methylation data with a success rate of 95%.

Published

2018

27. MLCapsule: Guarded Offline Deployment of Machine Learning as a Service

Author

Yang Zhang, Mario Fritz, Max Augustin, Kathrin Grosse, Ahmed Salem, Lucjan Hanzlik, and Michael Backes

Subjects

Service (business), Reverse engineering, FOS: Computer and information sciences, Computer Science - Machine Learning, Information privacy, Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer science, business.industry, Control (management), Machine Learning (stat.ML), Service provider, Business model, Machine learning, computer.software_genre, Data modeling, Machine Learning (cs.LG), Artificial Intelligence (cs.AI), Statistics - Machine Learning, Software deployment, Artificial intelligence, business, computer, Cryptography and Security (cs.CR)

Abstract

With the widespread use of machine learning (ML) techniques, ML as a service has become increasingly popular. In this setting, an ML model resides on a server and users can query it with their data via an API. However, if the user's input is sensitive, sending it to the server is undesirable and sometimes even legally not possible. Equally, the service provider does not want to share the model by sending it to the client for protecting its intellectual property and pay-per-query business model. In this paper, we propose MLCapsule, a guarded offline deployment of machine learning as a service. MLCapsule executes the model locally on the user's side and therefore the data never leaves the client. Meanwhile, MLCapsule offers the service provider the same level of control and security of its model as the commonly used server-side execution. In addition, MLCapsule is applicable to offline applications that require local execution. Beyond protecting against direct model access, we couple the secure offline deployment with defenses against advanced attacks on machine learning models such as model stealing, reverse engineering, and membership inference.

Published

2018

28. Didn't You Hear Me? - Towards More Successful Web Vulnerability Notifications

Author

Frank Li, Michael Backes, Giancarlo Pellegrino, Christian Rossow, and Ben Stock

Subjects

Focus (computing), Computer science, business.industry, Internet privacy, Vulnerability, 02 engineering and technology, Vulnerability disclosure, Phone, 020204 information systems, Scale (social sciences), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Social media, business

Abstract

After treating the notification of affected parties as mere side-notes in research, our community has recently put more focus on how vulnerability disclosure can be conducted at scale. The first works in this area have shown that while notifications are helpful to a significant fraction of operators, the vast majority of systems remain unpatched. In this paper, we build on these previous works, aiming to understand why the effects are not more significant. To that end, we report on a notification experiment targeting more than 24,000 domains, which allowed us to analyze what technical and human aspects are roadblocks to a successful campaign. As part of this experiment, we explored potential alternative notification channels beyond email, including social media and phone. In addition, we conducted an anonymous survey with the notified operators, investigating their perspectives on our notifications. We show the pitfalls of email-based communications, such as the impact of anti-spam filters, the lack of trust by recipients, and hesitations to fix vulnerabilities despite awareness. However, our exploration of alternative communication channels did not suggest a more promising medium. Seeing these results, we pinpoint future directions in improving security notifications.

Published

2018

29. ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

Author

Ahmed Salem, Michael Backes, Yang Zhang, Mario Fritz, Mathias Humbert, and Pascal Berrang

Subjects

FOS: Computer and information sciences, Service (systems architecture), Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer science, Computer Science - Artificial Intelligence, Inference, 02 engineering and technology, Machine learning, computer.software_genre, Machine Learning (cs.LG), 0202 electrical engineering, electronic engineering, information engineering, Structure (mathematical logic), Class (computer programming), business.industry, 020206 networking & telecommunications, Adversary, 16. Peace & justice, Inference attack, Artificial Intelligence (cs.AI), Key (cryptography), 020201 artificial intelligence & image processing, The Internet, Artificial intelligence, business, computer, Cryptography and Security (cs.CR)

Abstract

Machine learning (ML) has become a core component of many real-world applications and training data is a key factor that drives current progress. This huge success has led Internet companies to deploy machine learning as a service (MLaaS). Recently, the first membership inference attack has shown that extraction of information on the training set is possible in such MLaaS settings, which has severe security and privacy implications. However, the early demonstrations of the feasibility of such attacks have many assumptions on the adversary, such as using multiple so-called shadow models, knowledge of the target model structure, and having a dataset from the same distribution as the target model's training data. We relax all these key assumptions, thereby showing that such attacks are very broadly applicable at low cost and thereby pose a more severe risk than previously thought. We present the most comprehensive study so far on this emerging and developing threat using eight diverse datasets which show the viability of the proposed attacks across domains. In addition, we propose the first effective defense mechanisms against such broader class of membership inference attacks that maintain a high level of utility of the ML model., Comment: NDSS 2019

Published

2018

30. Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys

Author

Lucjan Hanzlik, Michael Backes, Jonas Schneider, and Kamil Kluczniak

Subjects

060201 languages & linguistics, Discrete mathematics, Class (set theory), Cryptographic primitive, Relation (database), business.industry, Computer science, Key space, 06 humanities and the arts, 02 engineering and technology, Space (mathematics), Public-key cryptography, Ring signature, 0602 languages and literature, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business

Abstract

We introduce a new cryptographic primitive called signatures with flexible public key \((\mathsf{SFPK})\). We divide the key space into equivalence classes induced by a relation \(\mathcal {R}\). A signer can efficiently change his or her key pair to a different representatives of the same class, but without a trapdoor it is hard to distinguish if two public keys are related. Our primitive is motivated by structure-preserving signatures on equivalence classes (\(\mathsf{SPS\text {-}EQ}\)), where the partitioning is done on the message space. Therefore, both definitions are complementary and their combination has various applications.

Published

2018

31. Keep me Updated

Author

Michael Backes, Erik Derr, Yasemin Acar, Sascha Fahl, and Sven Bugiel

Subjects

Third party, business.industry, Computer science, Internet privacy, 020207 software engineering, 02 engineering and technology, Attack surface, World Wide Web, Empirical research, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Android (operating system), business, Software versioning

Abstract

Third-party libraries in Android apps have repeatedly been shown to be hazards to the users' privacy and an amplification of their host apps' attack surface. A particularly aggravating factor to this situation is that the libraries' version included in apps are very often outdated. This paper makes the first contribution towards solving the problem of library outdatedness on Android. First, we conduct a survey with 203 app developers from Google Play to retrieve first-hand information about their usage of libraries and requirements for more effective library updates. With a subsequent study of library providers' semantic versioning practices, we uncover that those providers are likely a contributing factor to the app developers' abstinence from library updates in order to avoid ostensible re-integration efforts and version incompatibilities. Further, we conduct a large-scale library updatability analysis of 1,264,118 apps to show that, based on the library API usage, 85.6% of the libraries could be upgraded by at least one version without modifying the app code, 48.2% even to the latest version. Particularly alarming are our findings that 97.8% out of 16,837 actively used library versions with a known security vulnerability could be easily fixed through a drop-in replacement of the vulnerable library with the fixed version. Based on these results, we conclude with a thorough discussion of solutions and actionable items for different actors in the app ecosystem to effectively remedy this situation.

Published

2017

32. Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs

Author

Christian Rossow, Martin Johns, Michael Backes, Giancarlo Pellegrino, and Simon Koch

Subjects

FOS: Computer and information sciences, 021110 strategic, defence & security studies, Computer Science - Cryptography and Security, business.industry, Computer science, Cross-site scripting, 0211 other engineering and technologies, Vulnerability, Cross-site request forgery, 02 engineering and technology, Computer security, computer.software_genre, Internet security, Security testing, Graph, Vulnerability assessment, 0202 electrical engineering, electronic engineering, information engineering, Web application, 020201 artificial intelligence & image processing, business, computer, Cryptography and Security (cs.CR)

Abstract

Cross-Site Request Forgery (CSRF) vulnerabilities are a severe class of web vulnerabilities that have received only marginal attention from the research and security testing communities. While much effort has been spent on countermeasures and detection of XSS and SQLi, to date, the detection of CSRF vulnerabilities is still performed predominantly manually. In this paper, we present Deemon, to the best of our knowledge the first automated security testing framework to discover CSRF vulnerabilities. Our approach is based on a new modeling paradigm which captures multiple aspects of web applications, including execution traces, data flows, and architecture tiers in a unified, comprehensive property graph. We present the paradigm and show how a concrete model can be built automatically using dynamic traces. Then, using graph traversals, we mine for potentially vulnerable operations. Using the information captured in the model, our approach then automatically creates and conducts security tests, to practically validate the found CSRF issues. We evaluate the effectiveness of Deemon with 10 popular open source web applications. Our experiments uncovered 14 previously unknown CSRF vulnerabilities that can be exploited, for instance, to take over user accounts or entire websites.

Published

2017

33. Reconciling Privacy and Utility in Continuous-Time Diffusion Networks

Author

Praveen Manoharan, Michael Backes, Bartlomiej Surma, and Manuel Gomez-Rodriguez

Subjects

Transitive relation, Social network, Linear programming, business.industry, Privacy software, Computer science, 0102 computer and information sciences, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Submodular set function, Leverage (negotiation), 010201 computation theory & mathematics, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Social media, business, Set (psychology), computer

Abstract

Social Networks and other social media systems are an ever popular medium that allow users to freely communicate and interact with their peers. Once a user shares a piece of information, however, the transitive propagation of information in such systems can allow this information to spread quickly throughout the whole system. Due to the potentially sensitive nature of the shared information, users naturally have an interest in controlling the propagation of information to ensure privacy. At the same time, users also have utility requirements in terms of users they want to share a certain piece of information with, which naturally causes a conflict with the privacy requirements.,,In this paper, we tackle the issue of controlling the propagation of information through a social network while at the same time maintaining utility requirements set by the user. We leverage continuous-time diffusion networks to model the global propagation behavior in social networks and define combined privacy and utility policies that allow us to enforce privacy under utility restrictions, and vice versa. We show that optimally satisfying such policies corresponds to solving a constrained submodular minimization problem, which, while NP-hard, allows for a constant factor approximation due to the structure of our objective function.

Published

2017

34. Hardware and software architecture of the upgraded H.E.S.S. cameras

Author

Francois Brun, A. Kretzschmann, P. Manigot, Mathieu de Naurois, Jean-Philippe Lenain, Kleopas Shiningayamwe, David Salek, Eric Delagnes, Marek Penno, G. Fontaine, A. Balzer, S. Bonnefoy, Thomas Schwab, Berrie Giebels, Stefan Klepser, Marko Kossatz, Thomas Chaminade, V. Lefranc, Emmanuel Moulin, Terry Ashton, Iryna Lypova, David Berge, Stefan Ohm, J. Thornhill, Jean-Francois Glicenstein, Albert Jahnke, Jim Hinton, D. Ross, Michael Backes, Constantin Steppa, Markus Schade, Vincent Marandon, Tobias Gräber, H. Leich, Gianluca Giavitto, Francois Toussnel, P. Nayman, H. Lüdecke, C. Stegmann, Matthias Fuessling, Institut de Recherches sur les lois Fondamentales de l'Univers (IRFU), Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Université Paris-Saclay, Laboratoire Leprince-Ringuet (LLR), Institut National de Physique Nucléaire et de Physique des Particules du CNRS (IN2P3)-École polytechnique (X)-Centre National de la Recherche Scientifique (CNRS), Laboratoire de Physique Nucléaire et de Hautes Énergies (LPNHE (UMR_7585)), Institut National de Physique Nucléaire et de Physique des Particules du CNRS (IN2P3)-Université Paris Diderot - Paris 7 (UPD7)-Sorbonne Université (SU)-Centre National de la Recherche Scientifique (CNRS), CEA/DSM Centre de Saclay (CEA/DSM), Commissariat à l'énergie atomique et aux énergies alternatives (CEA), Département de Physique des Particules (ex SPP) (DPP), Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Université Paris-Saclay-Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Université Paris-Saclay, Collège de France (CdF), Département de Physique Nucléaire (ex SPhN) (DPHN), Département de Physique des Particules (ex SPP) (DPhP), Collège de France (CdF (institution)), Institut National de Physique Nucléaire et de Physique des Particules du CNRS (IN2P3)-Sorbonne Université (SU)-Centre National de la Recherche Scientifique (CNRS), and Centre National de la Recherche Scientifique (CNRS)-École polytechnique (X)-Institut National de Physique Nucléaire et de Physique des Particules du CNRS (IN2P3)

Subjects

Ethernet, Astrophysics and Astronomy, Computer science, FOS: Physical sciences, Integrated circuit, programming, law.invention, High Energy Physics - Experiment, High Energy Physics - Experiment (hep-ex), Software, law, HESS, [PHYS.HEXP]Physics [physics]/High Energy Physics - Experiment [hep-ex], Electronics, [PHYS.PHYS.PHYS-INS-DET]Physics [physics]/Physics [physics]/Instrumentation and Detectors [physics.ins-det], Instrumentation and Methods for Astrophysics (astro-ph.IM), activity report, Flexibility (engineering), business.industry, hep-ex, integrated circuit, Modular design, electronics: communications, detector: upgrade, Upgrade, Cherenkov counter, electronics: readout, upgrade, control system, business, Software architecture, Astrophysics - Instrumentation and Methods for Astrophysics, Computer hardware, Particle Physics - Experiment, astro-ph.IM, electronics: design

Abstract

In 2015/16, the photomultiplier cameras of the H.E.S.S. Cherenkov telescopes CT1-4 have undergone a major upgrade. The entire electronics has been replaced, using NECTAr chips for the front-end readout. A new ventilation system has been installed and several auxiliary components have been replaced. Besides this, the internal control and readout software was rewritten from scratch in a modern and modular way. Ethernet technology was used wherever possible to ensure both flexibility, stability and high bandwidth. An overview of the installed components will be given. In 2015/16, the photomultiplier cameras of the H.E.S.S. Cherenkov telescopes CT1-4 have undergone a major upgrade. The entire electronics has been replaced, using NECTAr chips for the front-end readout. A new ventilation system has been installed and several auxiliary components have been replaced. Besides this, the internal control and readout software was rewritten from scratch in a modern and modular way. Ethernet technology was used wherever possible to ensure both flexibility, stability and high bandwidth. An overview of the installed components will be given.

Published

2017

35. Identifying Personal DNA Methylation Profiles by Genotype Inference

Author

Michael Backes, Mathias Humbert, Irina Lehmann, Roland Eils, Pascal Berrang, Carl Herrmann, and Matthias Bieg

Subjects

0301 basic medicine, business.industry, Computer science, Inference, Genomics, Methylation, Computational biology, computer.software_genre, Genome, 03 medical and health sciences, chemistry.chemical_compound, 030104 developmental biology, chemistry, DNA methylation, Epigenetics, Personalized medicine, Data mining, business, computer, DNA

Abstract

Since the first whole-genome sequencing, the biomedical research community has made significant steps towards a more precise, predictive and personalized medicine. Genomic data is nowadays widely considered privacy-sensitive and consequently protected by strict regulations and released only after careful consideration. Various additional types of biomedical data, however, are not shielded by any dedicated legal means and consequently disseminated much less thoughtfully. This in particular holds true for DNA methylation data as one of the most important and well-understood epigenetic element influencing human health. In this paper, we show that, in contrast to the aforementioned belief, releasing one's DNA methylation data causes privacy issues akin to releasing one's actual genome. We show that already a small subset of methylation regions influenced by genomic variants are sufficient to infer parts of someone's genome, and to further map this DNA methylation profile to the corresponding genome. Notably, we show that such re-identification is possible with 97.5% accuracy, relying on a dataset of more than 2500 genomes, and that we can reject all wrongly matched genomes using an appropriate statistical test. We provide means for countering this threat by proposing a novel cryptographic scheme for privately classifying tumors that enables a privacy-respecting medical diagnosis in a common clinical setting. The scheme relies on a combination of random forests and homomorphic encryption, and it is proven secure in the honest-but-curious model. We evaluate this scheme on real DNA methylation data, and show that we can keep the computational overhead to acceptable values for our application scenario.

Published

2017

36. Comparing the Usability of Cryptographic APIs

Author

Christian Stransky, Michelle L. Mazurek, Michael Backes, Sascha Fahl, Yasemin Acar, Simson L. Garfinkel, and Doowon Kim

Subjects

Correctness, Cryptographic primitive, Application programming interface, business.industry, Computer science, Software development, 020207 software engineering, Cryptography, Usability, 02 engineering and technology, Computer security, computer.software_genre, Public-key cryptography, Documentation, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, business, computer

Abstract

Potentially dangerous cryptography errors are well-documented in many applications. Conventional wisdom suggests that many of these errors are caused by cryptographic Application Programming Interfaces (APIs) that are too complicated, have insecure defaults, or are poorly documented. To address this problem, researchers have created several cryptographic libraries that they claim are more usable, however, none of these libraries have been empirically evaluated for their ability to promote more secure development. This paper is the first to examine both how and why the design and resulting usability of different cryptographic libraries affects the security of code written with them, with the goal of understanding how to build effective future libraries. We conducted a controlled experiment in which 256 Python developers recruited from GitHub attempt common tasks involving symmetric and asymmetric cryptography using one of five different APIs. We examine their resulting code for functional correctness and security, and compare their results to their self-reported sentiment about their assigned library. Our results suggest that while APIs designed for simplicity can provide security benefits – reducing the decision space, as expected, prevents choice of insecure parameters – simplicity is not enough. Poor documentation, missing code examples, and a lack of auxiliary features such as secure key storage, caused even participants assigned to simplified libraries to struggle with both basic functional correctness and security. Surprisingly, the availability of comprehensive documentation and easy-to-use code examples seems to compensate for more complicated APIs in terms of functionally correct results and participant reactions, however, this did not extend to security results. We find it particularly concerning that for about 20% of functionally correct tasks, across libraries, participants believed their code was secure when it was not. Our results suggest that while new cryptographic libraries that want to promote effective security should offer a simple, convenient interface, this is not enough: they should also, and perhaps more importantly, ensure support for a broad range of common tasks and provide accessible documentation with secure, easy-to-use code examples.

Published

2017

37. Who Controls the Internet?

Author

Michael Backes, Christian Rossow, Milivoj Simeonovski, and Giancarlo Pellegrino

Subjects

business.industry, Computer science, 020206 networking & telecommunications, Denial-of-service attack, 02 engineering and technology, Computer security, computer.software_genre, JavaScript, World Wide Web, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Graph (abstract data type), The Internet, Great Cannon, business, computer, computer.programming_language

Abstract

The Internet is built on top of intertwined network services, e.g., email, DNS, and content distribution networks operated by private or governmental organizations. Recent events have shown that these organizations may, knowingly or unknowingly, be part of global-scale security incidents including state-sponsored mass surveillance programs and large-scale DDoS attacks. For example, in March 2015 the Great Cannon attack has shown that an Internet service provider can weaponize millions of Web browsers and turn them into DDoS bots by injecting malicious JavaScript code into transiting TCP connections. While attack techniques and root cause vulnerabilities are routinely studied, we still lack models and algorithms to study the intricate dependencies between services and providers, reason on their abuse, and assess the attack impact. To close this gap, we present a technique that models services, providers, and dependencies as a property graph. Moreover, we present a taint-style propagation-based technique to query the model, and present an evaluation of our framework on the top 100k Alexa domains.

Published

2017

38. Efficient and Flexible Discovery of PHP Application Vulnerabilities

Author

Fabian Yamaguchi, Malte Skoruppa, Michael Backes, Ben Stock, and Konrad Rieck

Subjects

SQL, Source lines of code, Graph database, Database, business.industry, Computer science, 020207 software engineering, 02 engineering and technology, Attack surface, computer.software_genre, World Wide Web, Scripting language, SQL injection, Scalability, 0202 electrical engineering, electronic engineering, information engineering, Web application, 020201 artificial intelligence & image processing, business, computer, computer.programming_language

Abstract

The Web today is a growing universe of pages and applications teeming with interactive content. The security of such applications is of the utmost importance, as exploits can have a devastating impact on personal and economic levels. The number one programming language in Web applications is PHP, powering more than 80% of the top ten million websites. Yet it was not designed with security in mind and, today, bears a patchwork of fixes and inconsistently designed functions with often unexpected and hardly predictable behavior that typically yield a large attack surface. Consequently, it is prone to different types of vulnerabilities, such as SQL Injection or Cross-Site Scripting. In this paper, we present an interprocedural analysis technique for PHP applications based on code property graphs that scales well to large amounts of code and is highly adaptable in its nature. We implement our prototype using the latest features of PHP 7, leverage an efficient graph database to store code property graphs for PHP, and subsequently identify different types of Web application vulnerabilities by means of programmable graph traversals. We show the efficacy and the scalability of our approach by reporting on an analysis of 1,854 popular open-source projects, comprising almost 80 million lines of code.

Published

2017

39. LUNA: Quantifying and Leveraging Uncertainty in Android Malware Analysis through Bayesian Machine Learning

Author

Michael Backes and Mohammad Nauman

Subjects

Open platform, Computer science, business.industry, Bayesian probability, Probabilistic logic, 020206 networking & telecommunications, 020207 software engineering, 02 engineering and technology, computer.software_genre, Machine learning, 0202 electrical engineering, electronic engineering, information engineering, Statistical inference, Malware, Artificial intelligence, False positive rate, Data mining, Android (operating system), business, computer, Humanoid robot

Abstract

Android's growing popularity seems to be hindered only by the amount of malware surfacing for this open platform. Machine learning algorithms have been successfully used for detecting the rapidly growing number of malware families appearing on a daily basis. Existing solutions along these lines, however, have a common limitation: they are all based on classical statistical inference and thus ignore the concept of uncertainty invariably involved in any prediction task. In this paper, we show that ignoring this uncertainty leads to incorrect classification of both benign and malicious apps. To reduce these errors, we utilize Bayesian machine learning – an alternative paradigm based on Bayesian statistical inference – which preserves the concept of uncertainty in all steps of calculation. We move from a black-box to a white-box approach to identify the effects different features (such as sensitive resource usage, declared activities, services and intent filters etc.) have on the classification status of an app. We show that incorporating uncertainty in the learning pipeline helps to reduce incorrect decisions, and significantly improves the accuracy of classification. We achieve a false positive rate of 0.2% compared to the previous best of 1%. We present sufficient details to allow the reader to reproduce our results through openly available probabilistic programming tools and to extend our techniques well beyond the boundaries of this paper.

Published

2017

40. Quantifying information flow in cryptographic systems

Author

Michael Backes and Boris Köpf

Subjects

Theoretical computer science, Computer science, Process (engineering), business.industry, Cryptography, Upper and lower bounds, Computer Science Applications, Channel capacity, Mathematics (miscellaneous), Bounded function, Converse, Universal composability, Information flow (information theory), business

Abstract

We provide a novel definition of quantitative information flow, called transmissible information, that is suitable for reasoning about informational-theoretically secure (or non-cryptographic) systems, as well as about cryptographic systems with their polynomially bounded adversaries, error probabilities, etc. Transmissible information captures deliberate communication between two processes, and it safely over-approximates the quantity of information that a process unintentionally leaks to another process.We show that transmissible information is preserved under universal composability, which constitutes the prevalent cryptographic notion of a secure implementation. This result enables us to lift quantitative bounds of transmissible information from simple ideal functionalities of cryptographic tasks to actual cryptographic systems.We furthermore prove a connection between transmissible information in the unconditional setting and channel capacity, based on the weak converse of Shannon's coding theorem. This connection enables us to compute an upper bound on the transmissible information for a restricted class of protocols, using existing techniques from quantitative information flow.

Published

2014

41. AnoA: A Framework for Analyzing Anonymous Communication Protocols

Author

Michael Backes, Esfandiar Mohammadi, Sebastian Meiser, Praveen Manoharan, and Aniket Kate

Subjects

Statistics and Probability, Anonymous Communication, Computer science, Data_MISCELLANEOUS, Unlinkability, Cryptography, Relationship Anonymity, Computer security, computer.software_genre, lcsh:Technology, lcsh:Social Sciences, Universal composability, Computer Science (miscellaneous), Differential privacy, Communication source, Protocol (science), Anoa, biology, lcsh:T, business.industry, Telecommunication security, Adversary, biology.organism_classification, Computer Science Applications, lcsh:H, ComputingMilieux_COMPUTERSANDSOCIETY, The Internet, Anonymity Metric, Communications protocol, business, computer, Anonymity

Abstract

Anonymous communication (AC) protocols such as the widely used Tor network have been designed to provide anonymity over the Internet to their participating users. While AC protocols have been the subject of several security and anonymity analyses in the last years, there still does not exist a framework for analyzing these complex systems and their different anonymity properties in a unified manner. In this work we present AnoA: a generic framework for defining, analyzing, and quantifying anonymity properties for AC protocols. In addition to quantifying the (additive) advantage of an adversary in an indistinguishability-based definition, AnoA uses a multiplicative factor, inspired from differential privacy. AnoA enables a unified quantitative analysis of well-established anonymity properties, such as sender anonymity, sender unlinkability, and relationship anonymity. AnoA modularly specifies adversarial capabilities by a simple wrapper-construction, called adversary classes. We examine the structure of these adversary classes and identify conditions under which it suffices to establish anonymity guarantees for single messages in order to derive guarantees for arbitrarily many messages. This then leads us to the definition of Plug’n’Play adversary classes (PAC), which are easy-to-use, expressive, and satisfy this condition. We prove that our framework is compatible with the universal composability (UC) framework and show how to apply AnoA to a simplified version of Tor against passive adversaries, leveraging a recent realization proof in the UC framework.

Published

2017

42. Dachshund: Digging for and Securing (Non-)Blinded Constants in JIT Code

Author

Michael Backes, Giorgi Maisuradze, and Christian Rossow

Subjects

Shellcode, business.industry, Programming language, Computer science, computer.file_format, computer.software_genre, JavaScript, Constant (computer programming), Code (cryptography), Compiler, Rewriting, Enhanced Data Rates for GSM Evolution, Executable, business, computer, Computer hardware, computer.programming_language

Abstract

Modern browsers such as Chrome and Edge deploy constant blinding to remove attacker-controlled constants from the JIT-compiled code. Without such a defense, attackers can encode arbitrary shellcode in constants that get compiled to executable code. In this paper, we review the security and completeness of current constant blinding implementations. We develop DACHSHUND, a fuzzing-driven framework to find user-specified constants in JIT-compiled code. DACHSHUND reveals several cases in which JIT compilers of modern browsers fail to blind constants, ranging from constants passed as function parameters to blinded constants that second-stage code optimizers revert to a non-protected form. To tackle this problem, we then propose a JavaScript rewriting mechanism that removes all constants from JavaScript code. We prototype this cross- browser methodology as part of a Web proxy and show that it can successfully remove all constants from JavaScript code.

Published

2017

43. Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security

Author

Michael Backes, Christian Stransky, Felix Fischer, Sascha Fahl, Konstantin Böttinger, Huang Xiao, and Yasemin Acar

Subjects

FOS: Computer and information sciences, Database, Computer science, business.industry, Code reuse, 020207 software engineering, 02 engineering and technology, Static analysis, computer.software_genre, Considered harmful, Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Stack overflow, Android (operating system), business, computer, Classifier (UML), Cryptography and Security (cs.CR)

Abstract

Online programming discussion platforms such as Stack Overflow serve as a rich source of information for software developers. Available information include vibrant discussions and oftentimes ready-to-use code snippets. Previous research identified Stack Overflow as one of the most important information sources developers rely on. Anecdotes report that software developers copy and paste code snippets from those information sources for convenience reasons. Such behavior results in a constant flow of community-provided code snippets into production software. To date, the impact of this behaviour on code security is unknown. We answer this highly important question by quantifying the proliferation of security-related code snippets from Stack Overflow in Android applications available on Google Play. Access to the rich source of information available on Stack Overflow including ready-to-use code snippets provides huge benefits for software developers. However, when it comes to code security there are some caveats to bear in mind: Due to the complex nature of code security, it is very difficult to provide ready-to-use and secure solutions for every problem. Hence, integrating a security-related code snippet from Stack Overflow into production software requires caution and expertise. Unsurprisingly, we observed insecure code snippets being copied into Android applications millions of users install from Google Play every day. To quantitatively evaluate the extent of this observation, we scanned Stack Overflow for code snippets and evaluated their security score using a stochastic gradient descent classifier. In order to identify code reuse in Android applications, we applied state-of-the-art static analysis. Our results are alarming: 15.4% of the 1.3 million Android applications we analyzed, contained security-related code snippets from Stack Overflow. Out of these 97.9% contain at least one insecure code snippet.

Published

2017

44. Periodicity detection in irregularly sampled light curves by robust regression and outlier detection

Author

Michael Backes, Anita Monika Thieler, Roland Fried, and Wolfgang Rhode

Subjects

Least-squares spectral analysis, business.industry, Phase dispersion minimization, Pattern recognition, White noise, Light curve, Computer Science Applications, Robust regression, Outlier, Statistics, Anomaly detection, Artificial intelligence, business, Unit-weighted regression, Analysis, Information Systems, Mathematics

Abstract

An important task in astroparticle physics is the detection of periodicities in irregularly sampled time series, called light curves. Many periodogram methods for light curves may be characterized as fitting periodic models using least squares regression. We generalize this approach and allow robust regression and weighted regression. This gives a unified concept which includes further methods proposed in the literature, allows to create new methods and take additional information about measurement accuracies into account. We compare all these methods using simulated data. We observe that if the quality of the measurement accuracies is dubious, they should be ignored, and that robust methods can be helpful if the light curve contains outliers. Finally, we propose a new way to determine valid periods by robust fitting of a distribution to the periodogram and outlier detection. In our simulations, this leads to better detection rates for periodic fluctuations with unexpected shape and less wrong detections in light curves of pure red and white noise. © 2013 Wiley Periodicals, Inc. Statistical Analysis and Data Mining 6: 73–89, 2013

Published

2013

45. Efficient Cryptographic Password Hardening Services from Partially Oblivious Commitments

Author

Nils Fleischhacker, Michael Backes, Dominique Schröder, and Jonas Schneider

Subjects

0301 basic medicine, Password, Pseudorandom number generator, Authentication, Password policy, Cryptographic primitive, computer.internet_protocol, business.industry, Computer science, Cryptography, 02 engineering and technology, Computer security, computer.software_genre, Random oracle, Password strength, 03 medical and health sciences, 030104 developmental biology, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Password authentication protocol, business, computer

Abstract

Password authentication still constitutes the most widespread authentication concept on the Internet today, but the human incapability to memorize safe passwords has left this concept vulnerable to various attacks ever since. Affected enterprises such as Facebook now strive to mitigate such attacks by involving external cryptographic services that harden passwords. Everspaugh et al.~provided the first comprehensive formal treatment of such a service, and proposed the Pythia PRF-Service as a cryptographically secure solution (Usenix Security'15). Pythia relies on a novel cryptographic primitive called partially oblivious pseudorandom functions and its security is proven under a strong new interactive assumption in the random oracle model. In this work, we prove that this strong assumption is inherently necessary for the Pythia construction, i.e., it cannot be weakened without invalidating the security of Pythia. More generally, it is impossible to reduce the security of Pythia to any non-interactive assumptions. Hence any efficient, scalable password hardening service that is secure under weaker assumptions necessarily requires a conceptually different construction. To this end, we propose a construction for password hardening services based on a novel cryptographic primitive called partially oblivious commitments, along with an efficient secure instantiation based on simple assumptions. The performance and storage evaluation of our prototype implementation shows that our protocol runs almost twice as fast as Pythia, while achieving a slightly relaxed security notion but relying on weaker assumptions.

Published

2016

46. POSTER

Author

Sven Bugiel, Jie Huang, Michael Backes, and Oliver Schranz

Subjects

World Wide Web, ComputerSystemsOrganization_COMPUTERSYSTEMIMPLEMENTATION, business.industry, Computer science, Sandbox (computer security), Access control, Android (operating system), business, Personalization

Abstract

On Android, advertising libraries are commonly integrated with their host apps. Since the host and advertising components share the application's sandbox, advertisement code inherits all permissions and can access host resources with no further approval needed. Motivated by the privacy risks of advertisement libraries as already shown in the literature, this poster introduces an Android Runtime (ART) based app compartmentalization mechanism to achieve separation between trusted app code and untrusted library code without system modification and application rewriting. With our approach, advertising libraries will be isolated from the host app and the original app will be partitioned into two sub-apps that run independently, with the host app's resources and permissions being protected by Android's app sandboxing mechanism. ARTist [1], a compiler-based Android app instrumentation framework, is utilized here to recreate the communication channels between host and advertisement library. The result is a robust toolchain on device which provides a clean separation of developer-written app code and third-party advertisement code, allowing for finer-grained access control policies and information flow control without OS customization and application rebuilding.

Published

2016

47. Reliable Third-Party Library Detection in Android and its Security Applications

Author

Michael Backes, Erik Derr, and Sven Bugiel

Subjects

021110 strategic, defence & security studies, Third party, business.industry, Computer science, 0211 other engineering and technologies, Vulnerability, 020207 software engineering, Cryptography, 02 engineering and technology, Attack surface, Computer security, computer.software_genre, GeneralLiterature_MISCELLANEOUS, World Wide Web, mental disorders, 0202 electrical engineering, electronic engineering, information engineering, Android (operating system), business, computer

Abstract

Third-party libraries on Android have been shown to be security and privacy hazards by adding security vulnerabilities to their host apps or by misusing inherited access rights. Correctly attributing improper app behavior either to app or library developer code or isolating library code from their host apps would be highly desirable to mitigate these problems, but is impeded by the absence of a third-party library detection that is effective and reliable in spite of obfuscated code. This paper proposes a library detection technique that is resilient against common code obfuscations and that is capable of pinpointing the exact library version used in apps. Libraries are detected with profiles from a comprehensive library database that we generated from the original library SDKs. We apply our technique to the top apps on Google Play and their complete histories to conduct a longitudinal study of library usage and evolution in apps. Our results particularly show that app developers only slowly adapt new library versions, exposing their end-users to large windows of vulnerability. For instance, we discovered that two long-known security vulnerabilities in popular libs are still present in the current top apps. Moreover, we find that misuse of cryptographic APIs in advertising libs, which increases the host apps' attack surface, affects 296 top apps with a cumulative install base of 3.7bn devices according to Play. To the best of our knowledge, our work is first to quantify the security impact of third-party libs on the Android ecosystem.

Published

2016

48. Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks

Author

Johannes Krupp, Michael Backes, and Christian Rossow

Subjects

Honeypot, Spoofing attack, business.industry, Computer science, Fingerprint (computing), Application layer DDoS attack, 020206 networking & telecommunications, Denial-of-service attack, 02 engineering and technology, Computer security, computer.software_genre, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, The Internet, business, computer

Abstract

Amplification DDoS attacks have gained popularity and become a serious threat to Internet participants. However, little is known about where these attacks originate, and revealing the attack sources is a non-trivial problem due to the spoofed nature of the traffic. In this paper, we present novel techniques to uncover the infrastructures behind amplification DDoS attacks. We follow a two-step approach to tackle this challenge: First, we develop a methodology to impose a fingerprint on scanners that perform the reconnaissance for amplification attacks that allows us to link subsequent attacks back to the scanner. Our methodology attributes over 58% of attacks to a scanner with a confidence of over 99.9%. Second, we use Time-to-Live-based trilateration techniques to map scanners to the actual infrastructures launching the attacks. Using this technique, we identify 34 networks as being the source for amplification attacks at 98\% certainty.

Published

2016

49. POSTER

Author

Michael Backes, Martin Johns, Ben Stock, Giancarlo Pellegrino, and Christian Rossow

Subjects

Structure (mathematical logic), business.industry, Computer science, Vulnerability, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, Software, 020204 information systems, Scale (social sciences), Server, 0202 electrical engineering, electronic engineering, information engineering, The Internet, business, computer

Abstract

The Internet is an ever-growing ecosystem with diverse software and hardware applications deployed in numerous countries around the globe. This heterogenous structure, however, is reduced to a homogenous means of addressing servers, i.e., their IP address. Due to this, analyzing different Internet services for vulnerabilities at scale is easy, leading to many researcher focusing on large-scale detection of many types of flaws. On the other hand, the persons responsible for the administration of said services are as heterogenous as the Internet architecture itself: be it in spoken languages or knowledge of technical details of the services. The notification of vulnerable services has long been treated as a side note in research. Recently, the community has focussed more not only the detection of flaws, but also on the notification of affected parties. These works, however, only analyze a small segment of the problem space. Hence, in this paper, we investigate the issues encountered by the previous works and provide a number of future directions for research, ultimately aiming to allow for an easier means of notifying affected parties about vulnerabilities at scale.

Published

2016

50. A Survey on Routing in Anonymous Communication Protocols

Author

Claudia Diaz, Michael Backes, Muhammad Rizwan Asghar, Milivoj Simeonovski, and Fatemeh Shirazi

Subjects

Routing protocol, FOS: Computer and information sciences, Computer Science - Cryptography and Security, General Computer Science, business.industry, Computer science, Internet privacy, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, Telecommunications network, Theoretical Computer Science, Public interest, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, The Internet, business, Communications protocol, computer, Cryptography and Security (cs.CR)

Abstract

The Internet has undergone dramatic changes in the past 15 years, and now forms a global communication platform that billions of users rely on for their daily activities. While this transformation has brought tremendous benefits to society, it has also created new threats to online privacy, ranging from profiling of users for monetizing personal information to nearly omnipotent governmental surveillance. As a result, public interest in systems for anonymous communication has drastically increased. Several such systems have been proposed in the literature, each of which offers anonymity guarantees in different scenarios and under different assumptions, reflecting the plurality of approaches for how messages can be anonymously routed to their destination. Understanding this space of competing approaches with their different guarantees and assumptions is vital for users to understand the consequences of different design options. In this work, we survey previous research on designing, developing, and deploying systems for anonymous communication. To this end, we provide a taxonomy for clustering all prevalently considered approaches (including Mixnets, DC-nets, onion routing, and DHT-based protocols) with respect to their unique routing characteristics, deployability, and performance. This, in particular, encompasses the topological structure of the underlying network; the routing information that has to be made available to the initiator of the conversation; the underlying communication model; and performance-related indicators such as latency and communication layer. Our taxonomy and comparative assessment provide important insights about the differences between the existing classes of anonymous communication protocols, and it also helps to clarify the relationship between the routing characteristics of these protocols, and their performance and scalability., 24 pages, 4 tables, 4 figures

Published

2016