Archive for 2016

SRG at Oakland 2016

Wednesday, May 25th, 2016

At the IEEE Symposium on Security and Privacy in San Jose, CA, Samee Zahur presented on Square-Root ORAM and Anant, Jack, and Sam presented posters.



Anant Kharkar
Evading Web Malware Classifiers using Genetic Programming


Jack Doerner
Secure Gale-Shapley: Efficient Stable Matching for Multi-Party Computation


Samuel Havron
Secure Multi-Party Computation as a Tool for Privacy-Preserving Data Analysis

Summer School at Notre Dame

Friday, May 13th, 2016

I presented two tutorials on oblivious computation at Notre Dame’s Summer School on Secure and Oblivious Computation and Outsourcing. SRG PhD Yan Huang, now at Indiana University, was one of the other tutorial presenters. I also learned a lot about verifiable computation and argument systems from Justin Thaler. Thanks to Marina Blanton for organizing a great summer school!

Slides for my tutorials on garbling techniques and memory for data oblivious computation are below.




SRG Graduates Lunch

Sunday, May 1st, 2016


Top row: Anant Kharkar, Glenn Field, Ethan Robertson, David Evans, Hao Bai (BSCS 2016), Wenjiang Fan (honorary), Mohammad Etemad, Samee Zahur (PhD 2016), Jack Doerner, Weilin Xu, Longze Chen (MCS 2015), Kevin Zhao.
Front row: Mahnush Movahedi, Ziqi Liu (BACS DMP 2016), Hannah Li

Congratulations to our 2016 SRG Graduates:

Dr. Samee Zahur, PhD 2016
Dissertation: Demystifying Secure Computation: Familiar Abstractions for Efficient Protocols
Dr. Zahur will be joining Google, and working in the group that works on secure computation (broadly) led by SRG alumnus Jonathan McCune.

Hao Bai, BSCS 2016
Thesis project: Mitigating Memory Trace Side-Channels through Cache Loading
Hao will be starting graduate school at Harvard University in the fall.

Ziqi Liu, Distinguished Major with High Distinction in Computer Science (BACS) 2016
DMP project: A Proxy for Mitigating Threats from Embedded Third-party Scripts
Ziqi will be joining Microsoft (Redmond).



Tracking Congressional Phones

Monday, April 18th, 2016

Karsten Nohl (SRG CpE PhD 2009) was on CBS’ 60 Minutes (April 17) as their “Moment of the Week”: Hacking into a congressman’s phone.


We heard we could find some of the world’s best hackers in Germany. So we headed for Berlin. Just off a trendy street and through this alley we rang the bell at the door of a former factory. That’s where we met Karsten Nohl, a German hacker, with a doctorate in computer engineering from the University of Virginia.

hackingyourphone.jpg

Karsten demonstrated to the reporter how to track a Congressman’s location and listen in on phone conversations using SS7 vulnerabilities (for a real Congressman, Ted Liu of California, who actually has a CS degree). With permission, of course!

We wanted to see whether Nohl’s group could actually do what they claimed — so we sent an off-the-shelf iPhone from 60 Minutes in New York to Representative Ted Lieu, a congressman from California. He has a computer science degree from Stanford and is a member of the House committee that oversees information technology. He agreed to use our phone to talk to his staff knowing they would be hacked and they were. All we gave Nohl, was the number of the 60 Minutes iPhone that we lent the congressman.

An excerpt from the show was also the 60 Minutes Moment of the Week.

An exercise in password security went terribly wrong, security experts say

Friday, April 1st, 2016

PCWord has a story about CNBC’s attempt to “help” people measure their password security: CNBC just collected your password and shared it with marketers: An exercise in password security went terribly wrong, security experts say, 29 March 2016.

Adrienne Porter Felt, a software engineer with Google’s Chrome security team, spotted that the article wasn’t delivered using SSL/TLS (Secure Socket Layer/Transport Layer Security) encryption.

SSL/TLS encrypts the connection between a user and a website, scrambling the data that is sent back and forth. Without SSL/TLS, someone one the same network can see data in clear text and, in this case, any password sent to CNBC.

“Worried about security? Enter your password into this @CNBC website (over HTTP, natch). What could go wrong,” Felt wrote on Twitter. “Alternately, feel free to tweet your password @ me and have the whole security community inspect it for you.”

The form also sent passwords to advertising networks and other parties with trackers on CNBC’s page, according to Ashkan Soltani, a privacy and security researcher, who posted a screenshot.

Despite saying the tool would not store passwords, traffic analysis showed it was actually storing them in a Google Docs spreadsheet, according to Kane York, who works on the Let’s Encrypt project.

(Posted on April 1, but this is actually a real story, as hard as that might be to believe.)

Spectra Articles: Privacy-Preserving Regression and Ombuds

Monday, March 21st, 2016

The latest edition of Spectra: The Virginia Engineering and Science Research Journal includes two articles about SRGers!



The first is an article about Sam Havron’s research on using MPC to perform linear regression for social science applications: [PDF]


alt : Ombuds.pdf

The second is by Alex Kuck and Nick Skelsey on their work on using a blockchain to provide censorship-resistant messaging: Ombuds: A Public Space with a Single Shared History: [PDF]


alt : Ombuds.pdf

The full issue is available at the Spectra site (thanks to Garrett Beeghly for granting permission to post these excerpts here).

Apple and the FBI

Thursday, February 25th, 2016

I’m quoted in this article on the controversy over the FBI’s requests to Apple for assistance in unlocking an iPhone used by one of the San Bernardino terrorists: Unlocking Terrorist’s iPhone Won’t Risk Your Security, Discovery News, 24 February 2016.



“Backdoors are complicated and impossible technical challenges and would risk everyone’s privacy,” Evans said. “But what the FBI is asking for is different from what Apple says the FBI is asking for.”

For the most part, I think the article gets things right. It is very misleading to conflate what the FBI has asked for here with a cryptographic backdoor that would indeed dangerously risk everyone’s privacy and security. I covered some of the technical aspects of this in my introductory computing course last week.

NDSS Talk: Automatically Evading Classifiers (including Gmail’s)

Wednesday, February 24th, 2016

Weilin Xu presented his work on Automatically Evading Classifiers today at the Network and Distributed Systems Security Symposium in San Diego, CA (co-advised by Yanjun Qi and myself). The work demonstrates an automated approach for finding evasive variants of malicious PDF files using genetic programming techniques. Starting with a malicious seed file (that is, a PDF file with the intended malicious behavior, but that is correctly classified as malicious by the target classifier), it heuristically searches for an evasive variant that preserves the malicious behavior of the seed sample but is now classified as benign. The method automatically found an evasive variant for every seed in our test set of 500 malicious PDFs for both of the target classifiers used in the experiment (PDFrate and Hidost).

Slides from the talk are below, the full paper and code is available on the EvadeML.org website.

In addition to the results in the paper, Weilin found some new results examining gmail’s PDF malware classifier. We had hoped the classifier used by gmail would be substantially better than what we found in the research prototype classifiers used in the original experiments, and the initial cross-evasion experiments supported this. Of the 500 evasive variants found for Hidost in the original experiment, 387 were also evasive variants against PDFrate, but only 3 of them were evasive variants against Gmail’s classifier.

From those 3, and some other manual tests, however, Weilin was able to find two very simple transformations (any change to JavaScript such as adding a variable declaration, and adding padding to the file) that are effective at finding evasive variants for 47% of the seeds.




The response we got from Google about this was somewhat disappointing (and very inconsistent with my all previous experiences raising security issues to Google):



Its true, of course, that any kind of static program analysis is theoretically impossible to do perfectly. But, that doesn’t mean the dominant email provider shouldn’t be trying to do better to detect one of the main vectors for malware distribution today (and there are, we believe, many fairly straightforward and inexpensive things that could be done to do dramatically better than what Gmail is doing today).

The other new result in the talk that isn’t in the paper is the impact of adjusting the target classifier threshold. The search for evasive variants can succeed even at lower thresholds for defining maliciousness (as shown in the slide below, finding evasive variants against PDFrate at the 0.25 maliciousness threshold).



Weilin’s Summer of Code

Friday, February 5th, 2016

Google’s Open Source blog has a story by Weilin Xu about his experiences in their Summer of Code before he came to UVA: Coming to America: how Google Summer of Code helped change my life, 3 February 2016.