It is a pleasure to present to you the proceedings of this year's ACM Conference on Computer and Communications Security (CCS 2012), held October 16-18 in Raleigh, NC, USA.

This year we received 423 submissions from 41 countries. Each submission was reviewed by a technical program committee of 61 experts as well as over 293 external reviewers. The final program contains 81 full papers, a record number for any computer security conference so far, representing an acceptance rate of 19%.

The double-blind review process was organised in two rounds; it included an opportunity for authors to respond to reviews between rounds; and was followed by a discussion amongst the PC - a process that spanned overall 10 weeks. Reviews were assigned between phases dynamically to maximise scrutiny and discussion around submissions whose inclusion in the program was most uncertain. Overall 1395 reviews were filled, including 489 from external reviewers. Overall 365 papers received at least 3 reviews and 149 papers received at least 4 reviews - some 5 or 6. The decision to allocate fewer than 3 reviews to some papers was taken on the basis of both qualitative feedback, as well as a systematic quantitative analysis of the likelihood of them being included in the program given the first round reviews.

Many papers that were not selected for presentation contained interesting results and ideas, and we hope that the authors have benefitted from reviews to improve them further and eventually present them. We have also worked closely with the Program Chairs of workshops associated with CCS to ensure that authors have an opportunity to submit their work in those venues.

Proceedings of the 2012 ACM conference on Computer and communications security

Today, more and more web browsers and extensions provide anonymity features to hide user details. Primarily used to evade tracking by websites and advertisements, these features are also used by criminals to prevent identification. Thus, not only tracking companies but also law-enforcement agencies have an interest in finding flaws which break these anonymity features. For instance, for targeted exploitation using zero days, it is essential to have as much information about the target as possible. A failed exploitation attempt, e.g., due to a wrongly guessed operating system, can burn the zero-day, effectively costing the attacker money. Also for side-channel attacks, it is of the utmost importance to know certain aspects of the victim’s hardware configuration, e.g., the instruction-set architecture. Moreover, knowledge about specific environmental properties, such as the operating system, allows crafting more plausible dialogues for phishing attacks. In this paper, we present a fully automated approach to find subtle differences in browser engines caused by the environment. Furthermore, we present two new side-channel attacks on browser engines to detect the instruction-set architecture and the used memory allocator. Using these differences, we can deduce information about the system, both about the software as well as the hardware. As a result, we cannot only ease the creation of fingerprints, but we gain the advantage of having a more precise picture for targeted exploitation. Our approach allows automating the cumbersome manual search for such differences. We collect all data available to the JavaScript engine and build templates from these properties. If a property of such a template stays the same on one system but differs on a different system, we found an environment-dependent property. We found environment-dependent properties in Firefox, Chrome, Edge, and mobile Tor, allowing us to reveal the underlying operating system, CPU architecture, used privacy-enhancing plugins, as well as exact browser version. We stress that our method should be used in the development of browsers and privacy extensions to automatically find flaws in the implementation.

JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits

Darknet traffic classification is significantly important to categorize real-time applications. Although there are notable efforts to classify darknet traffic which rely heavily on existing datasets and machine learning classifiers, there are extremely few efforts to detect and characterize darknet traffic using deep learning. This work proposes a novel approach, named DeepImage, which uses feature selection to pick the most important features to create a gray image and feed it to a two-dimensional convolutional neural network to detect and characterize darknet traffic. Two encrypted traffic datasets are merged to create a darknet dataset to evaluate the proposed approach which successfully characterizes darknet traffic with 86% accuracy.

DIDarknet: A Contemporary Approach to Detect and Characterize the Darknet Traffic using Deep Image Learning

Proper use of an anonymity system requires adequate understanding of how it functions. Yet, there is surprisingly little research that looks into user understanding and usage of anonymity software. Improper use stemming from a lack of sufficient knowledge of the system has the potential to lead to deanonymization, which may hold severe personal consequences for the user. We report on the understanding and the use of the Tor anonymity system. Via semistructured interviews with 17 individuals (6 experts and 11 non-experts) we found that experts and non-experts view, understand, and use Tor in notably different ways. Moreover, both groups exhibit behavior as well as gaps in understanding that could potentially compromise anonymity. Based on these findings, we provide several suggestions for improving the user experience of Tor to facilitate better user understanding of its operation, threat model, and limitations.

/pdf/new-me-understanding-expert-and-non-expert-perceptions-and-2t4zl9q24h.pdf

New me: Understanding expert and non-expert perceptions and usage of the Tor anonymity network

Council of Europe Convention on Cybercrime

https://researchportal.port.ac.uk/portal/files/11523722/paper.pdf

The darknet's smaller than we thought: The life cycle of Tor Hidden Services

: Motivated by the effectiveness of correlation attacks against Tor, the censorship arms race, and observations of malicious relays in Tor, we propose that Tor users capture their trust in network elements using probability distributions over the sets of elements observed by network adversaries. We present a modular system that allows users to efficiently and conveniently create such distributions and use them to improve their security. To illustrate this system, we present two novel types of adversaries. First, we study a powerful, pervasive adversary that can compromise an unknown number of Autonomous System organizations, Internet Exchange Point organizations, and Tor relay families. Second we initiate the study of how an adversary might use Mutual Legal Assistance Treaties (MLATs) to enact surveillance. As part of this, we identify submarine cables as a potential subject of trust and incorporate data about these into our MLAT analysis by using them as a proxy for adversary power. Finally, we present preliminary experimental results that show the potential for our trust framework to be used by Tor clients and services to improve security.

https://sciendo.com/pdf/10.1515/popets-2015-0002

20,000 In League Under the Sea: Anonymous Communication, Trust, MLATs, and Undersea Cables

[1] A corrupt Australian Law Enforcement Agency (LEA) wishes to track the communications of a journalist who has published leaked whistleblowing documents from a confidential source, revealing the Australian LEA’s complicity in illegal narcotics activity. The target journalist lives in New York and is a U.S. citizen. She opens her laptop, goes online and fires up Tor Browser. She is communicating with her whistleblowing source in Australia, who faces death if his identity is uncovered. Her communication and network traffic passes through Tor relays in Canada, Finland, and Malaysia before arriving at her source in Australia.

/pdf/mlat-jiu-jitsu-and-tor-mutual-legal-assistance-treaties-in-2awvleb6v4.pdf

MLAT Jiu-Jitsu and Tor: Mutual Legal Assistance Treaties in Surveillance

Since 2004, privacy-protecting, anonymous web browsers, like Tor Browser, have allowed users to hide their identities online. Law enforcement agencies (LEA) responded in contradictory ways to these technologies and tools. On the one hand, LEA have become extensive users to pursue criminals anonymously. On the other, LEAs seek to demonize the technology and break the underlying encryption, which was invented by the Navy in 1998. For example, slides Edward Snowden leaked revealed the NSA undertook a project, “Egotistical Giraffe,” to break Tor encryption and privacy protections. Tor usage significantly increased after Edward Snowden recommended its use as one of his “top tips” for whistleblowers and ordinary people to protect their privacy and anonymity online. Policymakers are becoming aware of Tor’s role in protecting online identity and anonymity, and seek to understand the role of this technology in legal cases. The documents released by Snowden reveal far greater levels of US and other government surveillance than previously known, including surveillance outside the US and across multiple country borders. This startlingly far-reaching surveillance includes online data and telecommunications, much of it culled from third party communication service providers (CSPs). It reveals that government attempts to apply pressure on CSPs now extends across US and other borders, as well. Some contend that much of this surveillance, often referred to by LEAs as “Lawful Intercept (LI), is actually “Un-”Lawful.Mutual Legal Assistance Treaties, or MLATs, are little-noticed legal instruments that enable legal pressure on CSPs worldwide, and so offer a significant vector to attempt to “break” Tor or its underlying encryption. Legal pressure on CSPs like Facebook and Google by foreign governments to locate surveillance-enabled servers in their countries, has led CSPs to seek to incorporate into MLATs the automation of remote global surveillance. Their industry groups, like the International Chamber of Commerce (ICC), seek to incorporate technical standards for automated surveillance LI into MLATs, through remote “dynamic triggering.” A multi-stakeholder group, the Global Network Initiative, announced on January 28, 2015 its public policy agenda, “Data Beyond Borders: Mutual Legal Assistance in the Internet Era,” which sets forth a public policy agenda to further shape MLAT policy. Little-noticed MLATs have eroded fundamental civil liberties both abroad and in the US. Ignored largely due to a perception that MLATs primarily affect “foreign” individuals, the MLAT “devil’s bargain” is rebounding increasingly against US citizens. In this paper, we review the quiet but dramatic expansion, both in number and in scope, of MLATs in recent years. We review recent decisions, including the September 30, 2014 and 2013 Second Circuit rulings in US v. Getto, and the September 2013 First Circuit rulings in Boston College Trustees. In these cases, the executive branch is playing out a quiet struggle to maintain MLAT supremacy over the small, but increasing pushback of the judicial branch. These cases appear to have split approaches in the different circuits, and have all the earmarks of being headed to a higher court in the near future. We review how the benefits MLATs conferred in the 1970s to combat money laundering and narcotics have impacted fundamental civil liberties, to lay the groundwork for understanding their impact on surveillance and global communications networks, and internet privacy and anonymity. Representatives of Global Intelligence Agencies (“GIAs”) have asserted since Snowden’s revelations that their activities are lawful. So far, the legal basis is unclear. We demonstrate the ways little-observed but versatile MLATs contribute to a legal basis for global surveillance. We review the international silver platter doctrine and compare it with MLAT provisions, finding a close fit, which offers further clues as to a “legal” basis for mass global surveillance. In this Article, we offer a number of new contributions, including: demonstrating a new category of attack against Tor, an attack through law; demonstrating a new (MLAT) attack against Tor in this new category, completing the first global MLAT map, using the first comprehensive MLAT database. We believe we are the first to link MLATs to increased surveillance by GIAs, the first to quantify measures of the MLAT “hostility factor,” and the first to offer and analysis of MLATs’ effect on technology, i.e. anonymous network communications.

MLATs and TorBrowser: Mutual Legal Assistance Treaties in Online Anonymity Technology and Domestic Surveillance

Figure 15. The ​MLAT.is​ web portal tool with database query and visualization [152] Recent events continue to expose the ability and commitment of Government Intelligence Agencies (GIAs) to conduct cross-border surveillance of the Internet. These revelations have significant consequences for anonymous communication systems like Tor. Current adversarial models do not incorporate international surveillance, meaning that realistic adversaries are much more powerful than what is assumed by prior work. In this work, we take the first steps towards quantifying the risk of surveillance posed by GIAs. We use legal and technical data to assess the hostility of each country to Internet traffic, and build a graph of the intelligence treaties between countries to identify cross-border surveillance capabilities. Based on this data, we develop metrics that quantify the ability of an adversarial GIA to conduct surveillance in any other country. We apply our risk metrics to the current state of the Tor anonymity network and discover that the majority of Tor users are at significant risk to passive deanonymization attacks by GIAs. We incorporate our metrics into alternative Tor relay selection algorithms, and show that the resulting circuits have significantly reduced surveillance risk, compared to Tor’s standard relay selection algorithm.

https://repository.library.northeastern.edu/files/neu:cj82qt59v/fulltext.pdf

Sarah Cortes

Papers

The darknet's smaller than we thought: The life cycle of Tor Hidden Services

20,000 In League Under the Sea: Anonymous Communication, Trust, MLATs, and Undersea Cables

MLAT Jiu-Jitsu and Tor: Mutual Legal Assistance Treaties in Surveillance

MLATs and TorBrowser: Mutual Legal Assistance Treaties in Online Anonymity Technology and Domestic Surveillance

Jurisdictional arbitrage: quantifying and counteracting the threat of government intelligence agencies against Tor.