
Showing papers by "Hovav Shacham published in 2011"


Proceedings Article
08 Aug 2011
TL;DR: This work discovers that remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft.
Abstract: Modern automobiles are pervasively computerized, and hence potentially vulnerable to attack. However, while previous research has shown that the internal networks within some modern cars are insecure, the associated threat model--requiring prior physical access--has justifiably been viewed as unrealistic. Thus, it remains an open question if automobiles can also be susceptible to remote compromise. Our work seeks to put this question to rest by systematically analyzing the external attack surface of a modern automobile. We discover that remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft. Finally, we discuss the structural characteristics of the automotive ecosystem that give rise to such problems and highlight the practical challenges in mitigating them.

1,370 citations


Book ChapterDOI
15 May 2011
TL;DR: A hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions, contradicting the widely accepted belief that the indifferentiability composition theorem applies to any cryptosystem.
Abstract: We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem from [27] applies to any cryptosystem. We characterize the uncovered limitations of indifferentiability by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function nonmalleability, and more. We formalize a stronger notion, reset indifferentiability, that enables a composition theorem covering such multi-stage security notions, but our results show that practical hash constructions cannot be reset indifferentiable. We finish by giving direct security proofs for several important PKE schemes.

196 citations


Proceedings ArticleDOI
21 Oct 2011
TL;DR: It is demonstrated that it is possible to modify the RDTSC instruction on Xen-virtualized x86 machines, making the timer provided by this instruction substantially more coarse, and a thorough evaluation of the impact of modifying this timer on the usability of the system is performed.
Abstract: The move to "infrastructure-as-a-service" cloud computing brings with it a new risk: cross-virtual machine side channels through shared physical resources such as the L2 cache. One approach to this risk is to rewrite sensitive code to eliminate the signal. In this paper we consider another approach: weakening malicious virtual machines' ability to receive the signal by eliminating fine-grained timers. Such "fuzzy time" was implemented in 1991 in the VAX security kernel, but it was not clearly applicable to modern virtual machine managers such as Xen on platforms such as the x86, which exports a cycle counter through the RDTSC instruction. In this paper, we demonstrate that it is possible to modify the RDTSC instruction on Xen-virtualized x86 machines, making the timer provided by this instruction substantially more coarse. We perform a thorough evaluation of the impact of modifying this timer on the usability of the system, and we evaluate the limiting point of the timer coarseness. Our findings open the way to a specific research program for mitigating cloud computing side channels through fuzzy time: (1) What other sources of fine-grained time are available to a malicious VM, and is it possible to degrade them? (2) What distribution of noise should be introduced to RDTSC and other timing signals to maximize the effect on malicious VMs while minimizing the effect on legitimate ones? (3) What timing resolution is actually needed to make use of L2 cache side channels?

165 citations


Proceedings ArticleDOI
21 Oct 2011
TL;DR: A theoretical framework for verifying that a cloud storage provider replicates the data in diverse geolocations is provided and which Amazon CloudFront location serves content for Planetlab nodes across the continental US is accurately determined.
Abstract: Clients of storage-as-a-service systems such as Amazon's S3 want to be sure that the files they have entrusted to the cloud are available now and will be available in the future. Using protocols from previous work on proofs of retrievability and on provable data possession, clients can verify that their files are available now. But these protocols do not guarantee that the files are replicated onto multiple drives or multiple datacenters. Such tests are crucial if cloud storage is to provide resilience to natural disasters and power outages as well as improving the network latency to different parts of the world. In this paper, we study the problem of verifying that a cloud storage provider replicates the data in diverse geolocations. We provide a theoretical framework for verifying this property. Our model accurately determines which Amazon CloudFront location serves content for Planetlab nodes across the continental US. Our work is complementary to the recent paper of Bowers et al., which uses different techniques to verify that files are replicated across multiple drives in a single datacenter.

91 citations


Proceedings Article
08 Aug 2011
TL;DR: Milo is described, a new privacy-preserving toll collection system based on PrETP, whose audit protocol does not have this information leak, even when drivers misbehave and collude, and is found to be a significantly more cost-effective approach.
Abstract: In recent years, privacy-preserving toll collection has been proposed as a way to resolve the tension between the desire for sophisticated road pricing schemes and drivers' interest in maintaining the privacy of their driving patterns. Two recent systems in particular, VPriv (USENIX Security 2009) and PrETP (USENIX Security 2010), use modern cryptographic primitives to solve this problem. In order to keep drivers honest in paying for their usage of the roads, both systems rely on unpredictable spot checks (e.g., by hidden roadside cameras or roaming police vehicles) to catch potentially cheating drivers. In this paper we identify large-scale driver collusion as a threat to the necessary unpredictability of these spot checks. Most directly, the VPriv and PrETP audit protocols both reveal to drivers the locations of spot-check cameras--information that colluding drivers can then use to avoid paying road fees. We describe Milo, a new privacy-preserving toll collection system based on PrETP, whose audit protocol does not have this information leak, even when drivers misbehave and collude. We then evaluate the additional cost of Milo and find that, when compared to naive methods to protect against cheating drivers, Milo offers a significantly more cost-effective approach.

51 citations


ReportDOI
01 Jun 2011
TL;DR: An algorithm for auditing the candidate elimination order using plurality methods which is risk-limiting is described and efficiently computable upper and lower bounds on the margin are provided and, when known, compare them to the exact margins.
Abstract: Many organizations have turned to alternative voting systems such as instant-runoff voting for determining the outcome of single-winner elections. It is our position in this paper that the increasing deployment of such alternative systems necessitates the study and development of risk-limiting audits for these systems. We initiate this study. We examine several commonly used single-winner voting systems and provide risk-limiting auditing procedures for them. In many cases the methods from auditing plurality contests can be applied with minor changes and little loss in efficiency. For instant-runoff voting (IRV), the situation is markedly different. We describe an algorithm for auditing the candidate elimination order using plurality methods which is risk-limiting. Standard risk-limiting methods can be employed if the margin of the election can be efficiently calculated or bounded. We provide efficiently computable upper and lower bounds on the margin and, when known, compare them to the exact margins. Both auditing algorithms are potentially far less efficient than the methods to audit other types of voting systems.

11 citations


Posted Content
TL;DR: In this paper, the uncovered limitation of the indifferentiability framework was characterized by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages.
Abstract: We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem applies to any cryptosystem. We characterize the uncovered limitation of the indifferentiability framework by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function nonmalleability, key-dependent message security, and more. We formalize a stronger notion, reset indifferentiability, that enables an indifferentiability-style composition theorem covering such multi-stage security notions, but then show that practical hash constructions cannot be reset indifferentiable. We discuss how these limitations also affect the universal composability framework. We finish by showing the chosen-distribution attack security (which requires a multi-stage game) of some important public-key encryption schemes built using a hash construction paradigm introduced by Dodis, Ristenpart, and Shrimpton.

10 citations