Research Highlights

Christof Beierle, Gregor Leander, Yosuke Todo

Improved Differential-Linear Attacks with Applications to ARX Ciphers

BEST PAPER AWARD

40th International Cryptology Conference (IACR Crypto), Santa Barbara, CA, USA, August 2020

We present several improvements to the framework of differential-linear attacks with a special focus on ARX ciphers. As a demonstration of their impact, we apply them to Chaskey and ChaCha and we are able to significantly improve upon the best attacks published so far. (...)

Maik Ender, Amir Moradi, Christof Paar

The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs

DISTINGUISHED PAPER AWARD

29th USE­NIX Se­cu­ri­ty Sym­po­si­um, Bos­ton, MA, USA, Au­gust 2020

In this paper, we introduce novel low-cost attacks against the Xilinx 7-Series (and Virtex-6) bitstream encryption, resulting in the total loss of authenticity and confidentiality. We exploit a design flaw which piecewise leaks the decrypted bitstream. (...)

David Rupprecht, Katharina Kohls, Thorsten Holz

Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE

29th USE­NIX Se­cu­ri­ty Sym­po­si­um, Bos­ton, MA, USA, Au­gust 2020

Voice over LTE (VoLTE) is a packet-based telephony service seamlessly integrated into the Long Term Evolution (LTE) standard and deployed by most telecommunication providers in practice. Due to this widespread use, successful attacks against VoLTE can affect a large number of users worldwide. In this work, we introduce ReVoLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call, hence enabling an adversary to eavesdrop on phone calls. ReVoLTE makes use of a predictable keystream reuse on the radio layer that allows an adversary to decrypt a recorded call with minimal resources.

Tim Bla­zyt­ko, Mo­ritz Schlö­gel, Cor­ne­li­us Ascher­mann, Ali Ab­ba­si, Joel Frank, Simon Wör­ner, Thors­ten Holz

Au­ro­ra: Sta­tis­ti­cal Crash Ana­ly­sis for Au­to­ma­ted Root Cause Ex­pla­na­ti­on

29th USE­NIX Se­cu­ri­ty Sym­po­si­um, Bos­ton, MA, USA, Au­gust 2020

(...) In this paper, we propose an automated analysis approach that does not only identify the root cause of a given crashing input for a binary executable, but also provides the analyst with context information on the erroneous behavior that characterizes crashing inputs. (...)

Joel Frank, Cornelius Aschermann, Thorsten Holz

ETHBMC: A Bounded Model Checker for Smart Contracts

29th USE­NIX Se­cu­ri­ty Sym­po­si­um, Bos­ton, MA, USA, Au­gust 2020

(...) we present the design and implementation of, a bounded model checker based on symbolic execution which provides a precise model of the Ethereum network. We demonstrate its capabilities in a series of experiments. (...)

Paul Fiterau-Brostean, Bengt Jonsson, Robert Merget, Joeri de Ruiter,  Konstantinos Sagonas, Juraj Somorovsky

Analysis of DTLS Implementations Using Protocol State Fuzzing

29th USE­NIX Se­cu­ri­ty Sym­po­si­um, Bos­ton, MA, USA, Au­gust 2020

We present the first comprehensive analysis of DTLS implementations using protocol state fuzzing. To that end, we extend TLS-Attacker, an open source framework for analyzing TLS implementations, with support for DTLS tailored to the stateless and unreliable nature of the underlying UDP layer. (...)

Abraham A Clements, Eric Gustafson, Tobias Scharnowski, Paul Grosen, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, Mathias Payer

HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation

29th USE­NIX Se­cu­ri­ty Sym­po­si­um, Bos­ton, MA, USA, Au­gust 2020

Given the increasing ubiquity of online embedded devices, analyzing their firmware is important to security, privacy, and safety. The tight coupling between hardware and firmware and the diversity found in embedded systems makes it hard to perform dynamic analysis on firmware. (...)

Daniel J. Bernstein, Tanja Lange

McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers

29th USE­NIX Se­cu­ri­ty Sym­po­si­um, Bos­ton, MA, USA, Au­gust 2020

This paper describes a protocol, suitable for today's networks and tiny servers, in which clients transmit their code-based one-time public keys to servers. (...)

Dominik Hartmann, Geoffroy Couteau

Shorter Non-Interactive Zero-Knowledge Arguments and ZAPs for Algebraic Languages

40th International Cryptology Conference (IACR Crypto), Santa Barbara, CA, USA, August 2020

We put forth a new framework for building pairing-based non-interactive zero- knowledge (NIZK) arguments for a wide class of algebraic languages, which are an extension of linear languages, containing disjunctions of linear languages and more. (...)

Christof Beierle, Alex Biryukov, Luan Cardoso dos Santos, Johann Großschädl, Léo Perrin, Aleksei Udovenko, Vesselin Velichkov, Qingju Wang

Alzette: a 64-bit ARX-box (feat. CRAX and TRAX)

40th International Cryptology Conference (IACR Crypto), Santa Barbara, CA, USA, August 2020

In this paper, we present a 64-bit ARX-based S-box called Alzette, which can be evaluated in constant time using only 12 instructions on modern CPUs. Its parallel application can also leverage vector (SIMD) instructions. (...)

Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Gaëtan Leurent, Léo Perrin, María Naya Plasencia, Yu Sasaki, Yosuke Todo, Friedrich Wiemer

Out of Oddity -- New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems

40th International Cryptology Conference (IACR Crypto), Santa Barbara, CA, USA, August 2020

This work compares the security levels offered by two recent families of such primitives, namely GMiMC and HadesMiMC. We exhibit low-complexity distinguishers against the GMiMC and HadesMiMC permutations for most parameters proposed in recently launched public challenges for STARK-friendly hash functions. (...)

Eduard Hauck, Eike Kiltz, Julian Loss, Ngoc Khanh Nguyen

Lattice-Based Blind Signatures, Revisited

40th International Cryptology Conference (IACR Crypto), Santa Barbara, CA, USA, August 2020

We observe that all previously known lattice-based blind signature schemes contain subtle flaws in their security proofs (e.g., R\"uckert, ASIACRYPT '08) or can be attacked (e.g., BLAZE by Alkadri et al., FC '20). Motivated by this, we revisit the problem of constructing blind signatures from standard lattice assumptions. (...)

Benedikt Auerbach, Federico Giacon, and Eike Kiltz.

Everybody’s a Target: Scalability in Public-Key Encryption

39th Annual International Conference on the Theory and Applications of Cryptographic, 2020

For 1≤m≤n, we consider a natural m-out-of-n multi-instance scenario for a public-key encryption (PKE) scheme. An adversary, given n independent instances of PKE, wins if he breaks at least m out of the n instances. In this work, we are interested in the scaling factor of PKE schemes, SF, which measures how well the difficulty of breaking m out of the n instances scales in m. (...)

Joel Frank, Cor­ne­li­us Ascher­mann, Thors­ten Holz

Eth­B­MC: A Boun­ded Model Che­cker for Smart Contracts

USE­NIX Se­cu­ri­ty Sym­po­si­um, Bos­ton, MA, USA, Au­gust 2020

We surveyed eight recently proposed static analyzers for Ethereum smart contracts and found that none of them captures all relevant features of the Ethereum ecosystem. For example, we discovered that a precise memory model is missing and inter-contract analysis is only partially supported. Based on these insights, we present the design and implementation of ETHBMC. (...)

Cor­ne­li­us Ascher­mann, Ser­gej Schu­mi­lo, Ali Ab­ba­si, Thors­ten Holz

IJON: Ex­plo­ring Deep State Spaces via Fuz­zing

IEEE Sym­po­si­um on Se­cu­ri­ty and Pri­va­cy ("Oak­land"), San Jose, CA, May 2020

In this paper, we propose IJON, an annotation mechanism that a human analyst can use to guide the fuzzer. In contrast to the two aforementioned techniques, this approach allows a more systematic exploration of the program’s behavior based on the data representing the internal state of the program. As a consequence, using only a small (usually one line) annotation, a user can help the fuzzer to solve previously unsolvable challenges. (...)

Erwin Quiring, Alwin Maier, and Konrad Rieck, TU Braunschweig

Misleading Authorship Attribution of Source Code using Adversarial Learning

29th USENIX Security Symposium, 2019

In this paper, we present a novel attack against authorship attribution of source code. We exploit that recent attribution methods rest on machine learning and thus can be deceived by adversarial examples of source code. Our attack performs a series of semantics-preserving code transformations that mislead learning-based attribution but appear plausible to a developer. (...)

Daniel J. Bernstein and Andreas Hülsing and Stefan Kölbl and Ruben Niederhagen and Joost Rijneveld and Peter Schwabe

The SPHINCS+ Signature Framework

ACM SIGSAC Conference on Computer and Communications Security 2019

We introduce SPHINCS+, a stateless hash-based signature framework. SPHINCS+ has significant advantages over the state of the art in terms of speed, signature size, and security, and is among the nine remaining signature schemes in the second round of the NIST PQC standardization project. One of our main contributions in this context is a new few-time signature scheme that we call FORS. (...)

Phil­ipp Mar­kert, Da­ni­el V. Bai­ley, Ma­xi­mi­li­an Golla, Mar­kus Dür­muth, Adam J. Aviv

This PIN Can Be Ea­si­ly Gues­sed: Ana­ly­zing the Se­cu­ri­ty of Smart­pho­ne Un­lock PINs

IEEE Sym­po­si­um on Se­cu­ri­ty and Pri­va­cy (SP '20). San Fran­cis­co, Ca­li­for­nia, May, 2020

In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security.

Ser­gej Schu­mi­lo, Cor­ne­li­us Ascher­mann, Ali Ab­ba­si, Simon Wör­ner, Thors­ten Holz

Hy­per-Cu­be: High-Di­men­sio­nal Hy­per­vi­sor Fuz­zing

Net­work and Di­stri­bu­ted Sys­tem Se­cu­ri­ty Sym­po­si­um (NDSS), San Diego, Ca­li­for­nia, USA, Fe­bru­ary 2020

In this paper, we present the design and implementation of HYPER-CUBE, a novel fuzzer that aims explicitly at testing hypervisors in an efficient, effective, and precise way. Our approach is based on a custom operating system that implements a custom bytecode interpreter. This high-throughput design for long-running, interactive targets allows us to fuzz a large number of both open source and proprietary hypervisors.

Daniel J. Bernstein and Tanja Lange

McTiny: fast high-confidence post-quantum key erasure for tiny network servers

29th USENIX Security Symposium, 2019

This paper describes a protocol, suitable for today's networks and tiny servers, in which clients transmit their code-based one-time public keys to servers. Servers never store full client public keys but work on parts provided by the clients, without having to maintain any per-client state. Intermediate results are stored on the client side in the form of encrypted cookies and are eventually combined by the server to obtain the ciphertext. (...)

David Rupp­recht, Ka­tha­ri­na Kohls, Thors­ten Holz, Chris­ti­na Pöp­per

IM­P4GT: IM­Per­so­na­ti­on At­tacks in 4G NeT­works

Net­work and Di­stri­bu­ted Sys­tem Se­cu­ri­ty Sym­po­si­um (NDSS), San Diego, Ca­li­for­nia, USA, Fe­bru­ary 2020

In this work, we introduce a novel cross-layer attack that exploits the existing vulnerability on layer two and extends it with an attack mechanism on layer three. More precisely, we take advantage of the default IP stack behavior of operating systems and show that combining it with the layer-two vulnerability allows an active attacker to impersonate a user towards the network and vice versa; we name these attacks IMP4GT. (...)

Vla­dis­lav Mla­de­nov, Chris­ti­an Main­ka, Kars­ten Meyer zu Sel­hau­sen, Mar­tin Gro­the, Jörg Schwenk

1 Trillion Dollar refund - how to spoof PDF signatures

26th ACM Con­fe­rence on Com­pu­ter and Com­mu­ni­ca­ti­ons Se­cu­ri­ty, 2019

In this paper, we present the first comprehensive security evaluation on digital signatures in PDFs. We introduce three novel attack classes which bypass the cryptographic protection of digitally signed PDF files allowing an attacker to spoof the content of a signed PDF. We analyzed 22 different PDF viewers and found 21 of them to be vulnerable. (...)

Tim Bla­zyt­ko, Cor­ne­li­us Ascher­mann, Mo­ritz Schlö­gel, Ali Ab­ba­si, Ser­gej Schu­mi­lo, Simon Wör­ner, Thors­ten Holz

GRI­MOIRE: Syn­the­si­zing Struc­tu­re while Fuz­zing

USE­NIX Se­cu­ri­ty Sym­po­si­um, Santa Clara, CA, USA, Au­gust 2019

In this paper, we present the design and implementation of GRIMOIRE, a fully automated coverage-guided fuzzer which works without any form of human interaction or pre-configuration; yet, it is still able to efficiently test programs that expect highly structured inputs. (...)

Jens Mül­ler, Mar­cus Brink­mann, Da­mi­an Pod­debni­ak, Hanno Böck, Se­bas­ti­an Schin­zel, Juraj So­mo­rovs­ky, Jörg Schwenk

“John­ny, you are fired!” – Spoo­fing Open­PGP and S/MIME Si­gna­tu­res in Emails

28th USE­NIX Se­cu­ri­ty Sym­po­si­um (USE­NIX Se­cu­ri­ty '19)

In this work we show practical forgery attacks against various implementations of OpenPGP and S/MIME email signature verification in five attack classes: (1) We analyze edge cases in S/MIME’s container format. (2) We exploit in-band signaling in the GnuPG API, the most widely used OpenPGP implementation. (3) We apply MIME wrapping attacks that abuse the email clients’ handling of partially signed messages. (...)

Manu Drijvers, Kasra Edalatnejad, Bryan Ford, Eike Kiltz, Julian Loss, Gregory Neven and Igors Stepanovs

On the Security of Two-Round Multi-Signatures

In 40th IEEE Symposium on Security and Privacy: May 20 2019 to May 22 2019  San Fransisco, CA, US; 2019; pp 780–797.

In this work, we point out serious security issues in all currently known two-round multi-signature schemes (without pairings). First, we prove that none of the schemes can be proved secure without radically departing from currently known techniques. Namely, we show that if the one-more discrete-logarithm problem is hard, then no algebraic reduction exists that proves any of these schemes secure under the discrete-logarithm or one-more discrete-logarithm problem. (...)

Thorben Moos, Amir Moradi, Tobias Schneider, François-Xavier Standaert

Glitch-Resistant Masking Revisited.

IACR Transactions on Cryptographic Hardware and Embedded Systems, 2019(2), 256-292. Best Paper Award.

(...) In this paper, we argue that the lack of proofs for TIs, DOM, UMA and GLM makes the interpretation of their security guarantees difficult as the number of shares increases. For this purpose, we first put forward that the higher-order variants of all these schemes are affected by (local or composability) security flaws in the (robust) probing model, due to insufficient refreshing. (…)

Lea Schönherr, Katharina Kohls, Steffen Zeiler, Thorsten Holz, Dorothea Kolossa

Adversarial Attacks Against Automatic Speech Recognition Systems via Psychoacoustic Hiding.

NDSS ISOC Network and Distributed System Security Symposium 2019.

(...) In this paper, we introduce a new type of adversarial examples based on psychoacoustic hiding. Our attack exploits the characteristics of DNN-based ASR systems, where we extend the original analysis procedure by an additional backpropagation step. (...)

Emre Güler, Cornelius Aschermann, Ali Abbasi, Thorsten Holz

AntiFuzz: Impeding Fuzzing Audits of Binary Executables.

USENIX Security Symposium: conference proceedings ; Santa Clara, CA, USA, August 14-16, 2019; pp 1931–1948.

(...) In this paper, we introduce several techniques to protect a binary executable against an analysis with automated bug finding approaches that are based on fuzzing, symbolic/concolic execution, and taint-assisted fuzzing (commonly known as hybrid fuzzing). More specifically, we perform a systematic analysis of the fundamental assumptions of bug finding tools and develop general countermeasures for each assumption. (...)