We propose a new authentication mechanism, called ``life-experience passwords (LEPs).'' Sitting somewhere between passwords and security questions, a LEP consists of several facts about a user-chosen life event, such as a trip, a graduation, a wedding, etc. At LEP creation, the system extracts these facts from the user's input and transforms them into questions and answers. At authentication, the system prompts the user with questions and matches her answers with the stored ones. We show that question choice and design make LEPs much more secure than security questions and passwords, while the question-answer format promotes password diversity and recall, lowering reuse. Specifically, we find that: (1) LEPs are 10^9 -10^14 x stronger than an ideal, randomized, 8-character password, (2) LEPs are up to 3 x more memorable than passwords and on par with security questions, and (3) LEPs are reused half as often as passwords. While both LEPs and security questions use personal experiences for authentication, LEPs use several questions, which are closely tailored to each user. This increases LEP security against guessing attacks. In our evaluation, only 0.7% of LEPs were guessed by casual friends, and 9.5% by family members or close friends, roughly half of the security question guessing rate. On the downside, LEPs take around 5 x longer to input than passwords. So, these qualities make LEPs suitable for multi-factor authentication at high-value servers, such as financial or sensitive work servers, where stronger authentication strength is needed.
The specification of privacy goals in a formal way has proved to be not quite trivial so far---until this work. The most widely used approach in formal methods is based on the static equivalence of frames in the applied pi-calculus, basically asking whether or not the intruder is able to distinguish two given worlds. But then a subtle question emerges: how can we be sure that we have specified all pairs of worlds to properly reflect our intuitive privacy goal? To address this problem, we introduce in this paper a novel and declarative way to specify privacy goals, called (± , ² )-privacy. This new approach is based on specifying two formulae ± and ² in first-order logic with Herbrand universes, where ± reflects the intentionally released information and ² includes the actual cryptographic (technical) messages the intruder can see. Then (± , ² )-privacy means that the intruder cannot derive any non-technical statement from ² that he cannot derive from ± already. We describe by a variety of examples how this notion can be used in practice. Even though (± , ² )-privacy does not directly contain a notion of distinguishing between worlds, there is a close relationship to static equivalence of frames that we investigate formally. This allows us to justify (and criticize) the specifications that are currently used in verification tools, and obtain a decision procedure for a large fragment of (± , ² )-privacy.
While the logical centralization of functional properties of the network in Software-Defined Networking (SDN) brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties like security or dependability. Though addressing the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. We further advocate, for its materialization, the re-iteration of the successful formula behind SDN - logical centralization. As a general concept, we propose ANCHOR, a subsystem architecture that promotes the logical centralization of non-functional properties. To show its effectiveness, we focus on security in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms. ANCHOR sets to provide essential security mechanisms such as secure device registration and association. We claim and justify in the paper that centralizing such mechanisms is key for their e effectiveness, by allowing us to: define and enforce global policies for those properties; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and better foster the resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms.
The number of unique malware samples is growing out of control. Over the years, security companies have designed and deployed complex infrastructures to collect and analyze this overwhelming number of samples. As a result, on average, a security company collects from its different feeds more than 1M unique files per day. These are automatically stored and processed to extract basic static and dynamic analysis information. However, only a tiny amount of this data is interesting for security researchers and attracts the interest of a human expert. To the best of our knowledge, nobody has systematically dissected these datasets to precisely understand what they really contain. The security community generally discards the problem because of the alleged prevalence of uninteresting samples. In this paper, we guide the reader through a step-by-step analysis of the hundred of thousands Windows executables collected every day. Our goal is to show how a company can employ existing state-of-the-art techniques to automatically process these samples, and then perform manual experiments to understand and document what is the real content of these gigantic datasets. We present the filtering steps and we discuss in detail the clustering solution we implemented to group samples according to their behavior and support manual verification. Finally, we use the results of this measurement experiment to provide a rough estimate of both the human and computer resources that are required to get to the bottom of the catch of the day.
The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As stricter memory isolation mechanisms between the kernel and user space become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, like in web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of code snippets in order to construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied for the protection of the kernel itself. In this paper, we fill this gap by presenting kR^X: a kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to x86 Linux kernels (both 32- and 64-bit) and can benefit from hardware support (segmentation on x86, MPX on x86-64) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available, and 1.32% when memory segmentation is in use.