Archive for 2011

Faster Secure Two-Party Computation Using Garbled Circuits Talk

Sunday, August 14th, 2011

Yan Huang’s talk on Faster Secure Two-Party Computation Using Garbled Circuits at USENIX Security 2011 is now available: [PPTX] [PDF].

You can also download our framework and try our Android demo application.



Hoos At USENIX

Sunday, August 14th, 2011



University of Virginia people at USENIX Security in Union Square
San Francisco, 10 August 2011

Front row (left-to-right):

  • Joseph Calandrino (UVa BS Math with CS 2004, UVa MCS 2005, soon to finish a PhD at Princeton).
  • Erika Chin (UVa BSCS 2007, now a PhD student at UC Berkeley)
  • Michael Dietz (UVa BSCS 2008, now a PhD student at Rice University)
  • Jiamin Chen (finishing a UVa BACS in 2012, currently an undergraduate researcher on secure computation)
  • Brittany Harris (finishing a UVa BACS in 2013, currently an undergraduate researcher on secure computation)
  • Sang Koo (finishing UVa BSCS and BSCpE in 2013, currently an undergraduate researcher on mobile secure computation)
  • Yuchen Zhou (currently a PhD student in Computer Engineering at UVa, working on web security)
  • Yikan Chen (currently a PhD student in Computer Engineering at UVa, working on auditing information leakage)
  • Pieter Hooimeijer (nearly finished PhD student at UVa, working in Westley Weimer’s group on programming languages and security)

Back row:

  • Nate Paul (UVa PhD 2008, now an Associate Professor at the University of Tennessee, with a joint appointment at Oak Ridge National Labs)
  • Nicolas Christin (UVa PhD 2003, now faculty at CMU CyLab)
  • Adrienne Porter Felt (UVa BSCS 2008, now PhD student at UC Berkeley)
  • Samee Zahur (currently a PhD student in Computer Science at UVa, working on improving secure computations using partial evaluation)
  • Austin DeVinney (visiting researcher at UVa, completing a BSCS at Radford University in 2012)
  • Yan Huang (currently a PhD student at UVa, working on secure computation)

UVa students book-ended the symposium, with Pieter presenting the first paper (Fast and Precise Sanitizer Analysis with BEK), and Yan presenting the last paper (Faster Secure Two-Party Computation Using Garbled Circuits). Adrienne Felt (Permission Re-Delegation: Attacks and Defenses) and Michael Dietz (Quire: Lightweight Provenance for Smart Phone Operating Systems) also presented papers in a session that I was privileged to chair. Erika Chin, Joseph Calandrino, and Nicolas Christin were also co-authors of papers, and Austin, Brittany, Jiamin, Samee, Yan, and Yuchen also presented posters. Peter Chapman (BACS 2012) also presented a paper at HotSec, but wasn’t able to stay for the rest of the symposium.



Side-Channel Analysis Paper

Sunday, August 14th, 2011

Our paper on side-channel analysis of web applications is now available:

Peter Chapman and David Evans. Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications. In 18th ACM Conference on Computer and Communications Security (CCS 2011), Chicago, IL. 17-21 October 2011. [PDF, 12 pages]

The paper describes a black-box tool for detecting side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application. Our tool quantifies the severity of side-channel leaks in a web application, and gives web application developers a measure of the risk of information leakage against different types of adversaries. The frequent and highly dynamic client-server communication that is characteristic of modern web applications leaves them vulnerable to side-channel leaks, where an adversary can learn about the state of the application and the visitor’s choices even over encrypted connections. Our approach provides a new way to quantify the severity of these vulnerabilities by applying the Fisher criterion to traces of the web traffic.
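To make the metric concrete, here is an added example (not code from the paper or its tool) that scores how well one observable feature separates application states, using the textbook Fisher criterion: between-class variance over within-class variance. The feature (total response bytes per crawl), the state names, the sample sizes, and the padding model are all assumptions, and the paper's exact formulation may differ.

```python
from itertools import combinations
from statistics import mean, pvariance

# Constructed sample: total encrypted response bytes seen on the wire for three
# application states, three crawls each (hypothetical state names and sizes).
TRACES = {
    "state_A": [1000, 1010, 990],
    "state_B": [1500, 1510, 1490],
    "state_C": [1005, 995, 1000],
}

def fisher_criterion(classes):
    """Between-class variance over within-class variance of one scalar feature.

    Near 0: states look alike to an observer. Large: sizes alone separate them.
    """
    groups = list(classes.values())
    grand = mean(v for g in groups for v in g)
    between = sum(len(g) * (mean(g) - grand) ** 2 for g in groups)
    within = sum(len(g) * pvariance(g) for g in groups)
    if within == 0:
        # No noise at all: any difference in means is perfectly observable.
        return 0.0 if between == 0 else float("inf")
    return between / within

def pairwise_scores(classes):
    """Score every pair of states to see which ones an observer can tell apart."""
    return {
        (a, b): fisher_criterion({a: classes[a], b: classes[b]})
        for a, b in combinations(sorted(classes), 2)
    }

def pad_to_bucket(classes, bucket):
    """Mitigation model (assumption): pad every response up to a multiple of bucket."""
    return {k: [-(-v // bucket) * bucket for v in vals] for k, vals in classes.items()}

if __name__ == "__main__":
    print("all states:", round(fisher_criterion(TRACES), 1))
    for pair, score in pairwise_scores(TRACES).items():
        print(pair, round(score, 1))
    print("padded to 2048:", fisher_criterion(pad_to_bucket(TRACES, 2048)))
```

In this constructed data, state_A and state_C score 0 against each other while state_B stands out, and padding every response to one bucket drives the overall score to 0.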


System Overview

Peter will present the paper at CCS in Chicago in October.

Project Site

USENIX Security Posters

Sunday, August 14th, 2011

Several of our students presented posters at the USENIX Security Symposium Poster Session.


Sang Koo (with Yan Huang and Peter Chapman)
More Efficient Secure Computation on Smartphones

 

Brittany Harris and Jiamin Chen
Secure Computation with Neural Networks



Austin DeVinney and Yuchen Zhou
(with Jonathan Burket, Jenny Cha, and Casey Mihaloew)
Unifying Data Policies across the Server and Client

 
Samee Zahur
Exploiting Public Inputs to Optimize Circuits Used in Secure Computation Protocols

Mobile Data Vulnerabilities

Wednesday, August 10th, 2011

The New York Times is covering Karsten Nohl’s work on vulnerabilities in cellular data networks: Hacker to Demonstrate ‘Weak’ Mobile Internet Security, New York Times, 9 August 2011.

Karsten Nohl, who published the algorithms used by mobile operators to encrypt voice conversations on digital phone networks in 2009, said during an interview he planned to demonstrate how he had intercepted and read the data during a presentation Wednesday.

Mr. Nohl said he and a colleague, Luca Melette, intercepted and decrypted wireless data using an inexpensive, modified, 7-year-old Motorola cellphone and several free software applications. The two intercepted and decrypted data traffic in a five-kilometer, or 3.1-mile, radius, Mr. Nohl said.

The interceptor phone was used to test networks in Germany, Italy and other European countries that Mr. Nohl declined to identify. In Germany, Mr. Nohl said he was able to decrypt and read data transmissions on all four mobile networks — T-Mobile, O2 Germany, Vodafone and E-Plus. He described the level of encryption provided by operators as “weak.”

In Italy, Mr. Nohl said his interceptions revealed that two operators, TIM, the mobile unit of the market leader, Telecom Italia, and Wind did not encrypt their mobile data transmissions at all. A third, Vodafone Italia, provided weak encryption, he said.


Technology Review also has an article: Researchers Hack Mobile Data Communications, Technology Review, 10 August 2011.

Phones might be the most familiar devices affected by the research, says Karsten Nohl, founder of Security Research Labs, a Berlin-based research consultancy that conducted the work. But the standard is also used in some cars, automated industrial systems, and electronic tollbooths. “It carries a lot of sensitive data,” Nohl says.

Security researchers haven’t looked at the GPRS standard much in the past, Nohl says, but since more and more devices are using GPRS, he believes the risk posed by poor security is growing.

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication. The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

The Register also has this story: Hackers crack crypto for GPRS mobile networks, The Register, 10 August 2011.

The details will be presented at Chaos Communication Camp today (August 10).

HotSec 2011

Tuesday, August 9th, 2011

Peter Chapman presented our paper on Privacy-Preserving Applications on Smartphones at the 6th USENIX Workshop on Hot Topics in Security today. Here are the talk slides [PDF].

The CommonContacts demonstration app is now available in the Android Market.

Project Website



Nineteenth Century Perfect Ciphers!

Tuesday, July 26th, 2011


Steve Bellovin has uncovered a Telegraph Codebook by Frank Miller from 1882 that describes a one-time pad cipher. This predates the invention by Vernam and Mauborgne during World War I, which was previously thought to be the first use of a one-time pad. The New York Times has an article, and Steve’s full report is available.

Privacy-Preserving Applications on Smartphones

Wednesday, July 6th, 2011

Our paper on Privacy-Preserving Applications on Smartphones is now available:

Yan Huang, Peter Chapman, and David Evans. Privacy-Preserving Applications on Smartphones. 6th USENIX Workshop on Hot Topics in Security (HotSec 2011), San Francisco. 9 August 2011. [PDF, 6 pages]


Abstract: Smartphones are increasingly becoming the most trusted computing device typical people own. They are often used to store highly sensitive information including email, financial accounts, and medical records. These properties make smartphones an ideal platform for privacy-preserving applications. To date, this area remains largely unexplored mainly because theoretical solutions to privacy-preserving computation were thought to be too heavyweight, even for standard PCs. We propose using smartphones to perform secure two (or more)-party computation. The limitations of smartphones provide a number of challenges for building such applications, but the novel trust model they provide, in particular the interactions between the phones and carriers, provides unique opportunities for useful secure computations against realistic adversaries. In this paper, we introduce the issues that make smartphones a unique platform for secure computation, identify some interesting potential applications, and describe our initial experiences creating privacy-preserving applications on Android devices.

You can also try out our demo applications and download the secure computation framework used to build them.

Peter Chapman will present the paper at HotSec on August 9 in San Francisco.

Private Editing Talk

Friday, June 24th, 2011

Yan Huang presented Private Editing Using Untrusted Cloud Services at the Second International Workshop on Security and Privacy in Cloud Computing in Minneapolis this morning.

Here are the slides from his talk: [PPTX, PDF].
The full paper is also available: [PDF, 10 pages].

USENIX WebApps Presentation

Thursday, June 16th, 2011

Jonathan Burket presented GuardRails at USENIX WebApps 2011. Here are his slides: [PPTX] [PDF]

See http://guardrails.cs.virginia.edu for more information and to download GuardRails.