8:45 a.m.–10:00 a.m. Tuesday

10:05 a.m.–10:35 a.m. Tuesday

Improving Malicious Code

Microgadgets: Size Does Matter in Turing-Complete Return-Oriented Programming
Andrei Homescu, Michael Stewart, Per Larsen, Stefan Brunthaler, and Michael Franz, University of California Irvine

Return-oriented programming (ROP) has gained a lot of popularity lately as an attack against the defenses currently implemented in modern operating systems. Several kinds of ROP-based attacks and anti-ROP defenses have been proposed in recent years. The original attack technique depends on the existence of a hand-picked set of byte sequences (called gadgets) in the program, while subsequent approaches use complex scanners that perform semantic analysis on the code to locate gadgets. The latter are efficient at finding gadgets and building an attack, but incur a significant cost in time. We propose a ROP attack technique based on a hand-picked but flexible and Turing-complete set of gadgets. One novelty in this approach is the use of microgadgets, which are gadgets restricted to 2 or 3 bytes in length. Our approach splits gadgets into several classes of varying sizes (from 1 to more than 800). Only a single gadget from each class is required for Turing-completeness. The short length of the gadgets, as well as the large size of the classes, increases the likelihood of finding all required gadgets. We also describe an efficient scanner that locates these gadgets in a given program. We then use this scanner on the /usr/bin directories of several Linux distributions to show that many programs indeed contain a Turing-complete set of microgadgets, which attackers can use to perform arbitrary computations.

Frankenstein: Stitching Malware from Benign Binaries
Vishwath Mohan and Kevin W. Hamlen, University of Texas at Dallas

This paper proposes a new self-camouflaging malware propagation system, Frankenstein, that overcomes shortcomings in the current generation of metamorphic malware. Specifically, although mutants produced by current state-of-the-art metamorphic engines are diverse, they still contain many characteristic binary features that reliably distinguish them from benign software. Frankenstein forgoes the concept of a metamorphic engine and instead creates mutants by stitching together instructions from non-malicious programs that have been classified as benign by local defenses. This makes it more difficult for feature-based malware detectors to reliably use those byte sequences as a signature to detect the malware. The instruction sequence harvesting process leverages recent advances in gadget discovery for return-oriented programming. Preliminary tests show that mining just a few local programs is sufficient to provide enough gadgets to implement arbitrary functionality.

10:35 a.m.–11:00 a.m. Tuesday

Break Grand Ballroom Foyer

11:00 a.m.–12:30 p.m. Tuesday

Bypassing System Security

SMT Solvers in Software Security
Julien Vanegue, Microsoft Security Science; Sean Heelan, Immunity Inc.; Rolf Rolles

The computational capacity of modern hardware and algorithmic advances have allowed SAT solving to become a tractable technique for deciding properties of industrial software. In this article, we present three practical applications of SAT to software security: static vulnerability checking, exploit generation, and the study of copy protections. These areas are among the most active in terms of both theoretical research and practical solutions. Investigating the successes and failures of approaches to these problems is instructive in providing guidance for future work on the problems themselves as well as on other SMT-based systems.

Web-based Attacks on Host-Proof Encrypted Storage
Karthikeyan Bhargavan, INRIA; Antoine Delignat-Lavaud, ENS Cachan

Cloud-based storage services, such as Wuala, and password managers, such as LastPass, are examples of so-called host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing. We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in the encryption mechanisms, authorization policies, and key management implemented by these applications. Our analysis suggests that host-proofing by itself is not enough to protect users from web attackers, who will simply shift their focus to flaws in client-side interfaces.

Read It Twice! A Mass-Storage-Based TOCTTOU Attack
Collin Mulliner and Benjamin Michéle, Technische Universität Berlin and Telekom Innovation Laboratories

Awarded Best Paper!

Consumer electronics and embedded devices often allow the installation of applications and firmware upgrades from user-provided mass-storage devices. To protect the integrity of these devices and the associated electronic markets, the software packages are protected by cryptographic signatures. The software installation code assumes that files on attached mass-storage devices cannot change while the storage device is connected. The software installation is therefore not bound to the file integrity check, which lays the foundation for a time-of-check-to-time-of-use (TOCTTOU) attack. This work presents a TOCTTOU attack via externally attached mass-storage devices. The attack is based on emulating a mass-storage device to observe and alter file accesses from the consumer device. The TOCTTOU attack is executed by providing different file content to the check code and to the installation code of the target device, respectively. The presented attack effectively bypasses the file content inspection, resulting in the execution of rogue code on the device.

12:30 p.m.–2:00 p.m. Tuesday

Workshop Luncheon Grand EFGH

2:00 p.m.–3:30 p.m. Tuesday

Keynote Address

Everything You Know About Password-Stealing Is Wrong
Cormac Herley, Microsoft

The popular and trade presses are full of stories of the easy billions being made in cybercrime. Cybercriminals extract money effortlessly from consumers and small businesses. Trillion dollar estimates are tossed around, the NSA director refers to cybercrime as "the greatest transfer of wealth in history," and so on. We argue that this is all wrong. Emptying compromised accounts is extremely hard. Passwords are not the bottleneck in the cybercrime pipeline. Underground markets are not thriving. Credential-stealing, far from being a recession-proof gold-mine, is a terrible business opportunity. Widely circulated cybercrime estimates are based on absurdly bad statistical methods and are wholly unreliable.

Cormac Herley is a Principal Researcher with Microsoft Research. His interests include economics, authentication, and data-driven security. He has been with MSR since 1999 and has a PhD from Columbia University.

3:30 p.m.–4:00 p.m. Tuesday

Break Grand Ballroom Foyer

4:00 p.m.–4:30 p.m. Tuesday