Stanford Security Lunch
Fall 2017


September 27, 2017 Robust Physical-World Attacks on Machine Learning Models

Speaker:  Earlence Fernandes

Abstract:  Deep neural network-based classifiers are known to be vulnerable to adversarial examples that can fool them into misclassifying their input through the addition of small-magnitude perturbations. However, recent studies have demonstrated that such adversarial examples are not very effective in the physical world—they either completely fail to cause misclassification or only work in restricted cases where a relatively complex image is perturbed and printed on paper. In this paper we propose a new attack algorithm—Robust Physical Perturbations (RP2)—that generates perturbations by taking images under different conditions into account. Our algorithm can create spatially constrained perturbations that mimic vandalism or art to reduce the likelihood of detection by a casual observer. We show that adversarial examples generated by RP2 achieve high success rates under various conditions for real road sign recognition by using an evaluation methodology that captures physical world conditions. We physically realized and evaluated two attacks, one that causes a Stop sign to be misclassified as a Speed Limit sign in 100% of the testing conditions, and one that causes a Right Turn sign to be misclassified as either a Stop or Added Lane sign in 100% of the testing conditions.

Paper:  Paper on arXiv

Note:  Since this is our first meeting of the quarter, we will have a three-minute organizational meeting before the talk begins.

October 04, 2017 Enter the Hydra: Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts

Speaker:  Florian Tramer

Abstract:  Vulnerability reward programs, a.k.a. bug bounties, are a popular tool that could help prevent software exploits. Today, however, they lack rigorous principles for setting bounty amounts and require high payments to attract economically rational hackers. Rather than claim bounties for serious bugs, hackers often sell or exploit them. We present the Hydra Framework, the first principled, general approach to modeling and administering bug bounties and boosting incentives for hackers to report bugs. The key idea is what we call an exploit gap, a program transformation that prevents exploitation of serious bugs as security-critical vulnerabilities. The Hydra Framework transforms programs via N-of-N-version programming (NNVP), a variant of classical N-version programming that involves multiple independently executing program instances. We apply the Hydra Framework to smart contracts, small programs that execute on blockchains. We survey major exploits against Ethereum smart contracts, showing that hydra contracts would have abated most of them. We introduce a pricing model that shows how hydra contracts greatly amplify the power of bounties to incentivize disclosure by economically rational hackers. We also model powerful adversaries capable of bug withholding, exploiting race conditions in blockchains to claim bounties before honest users can. We present submarine commitments, a countermeasure that conceals transactions on existing blockchains and is of independent interest. We present a simple core Hydra Framework library for Ethereum. We report on its use to implement two efficient hydra Ethereum contracts—an ERC20 token contract and a generalized Monty-Hall-like game. This is joint (on-going) work with Phil Daian, Lorenz Breidenbach and Ari Juels.

October 11, 2017 ObliDB: An Oblivious General-Purpose SQL Database for the Cloud

Speaker:  Saba Eskandarian

Abstract:  We present ObliDB, a secure SQL database for the public cloud that supports both transactional and analytics workloads and protects against access pattern leakage. With databases being a critical component in many applications, there is significant interest in outsourcing them securely. Hardware enclaves offer a strong practical foundation towards this goal by providing encryption and secure execution, but they still suffer from access pattern leaks that can reveal a great deal of information. The naïve way to address this issue—using generic Oblivious RAM (ORAM) primitives beneath a database—adds prohibitive overhead. Instead, ObliDB co-designs both its data structures (e.g., oblivious B+ trees) and query operators to accelerate SQL processing, giving up to 329× speedup over naïve ORAM. On analytics workloads, ObliDB ranges from competitive to 19× faster than systems designed only for analytics, such as Opaque, and comes within 2.6× of Spark SQL. Moreover, ObliDB also supports point queries, insertions, and deletions with latencies of 1–10ms, making it usable for transactional workloads too. To our knowledge, ObliDB is the first oblivious database that supports both transactional and analytic workloads.

Joint Work:  Matei Zaharia

October 18, 2017 Full accounting for verifiable outsourcing

Speaker:  Riad Wahby

Joint Work:  Ye Ji, Andrew J. Blumberg, abhi shelat, Justin Thaler, Michael Walfish, and Thomas Wies

Abstract:  Systems for verifiable outsourcing incur costs for a prover, a verifier, and precomputation; outsourcing makes sense when the combination of these costs is cheaper than not outsourcing. Yet, when prior works impose quantitative thresholds to analyze whether outsourcing is justified, they generally ignore prover costs. Verifiable ASICs (VA)—in which the prover is a custom chip—is the other way around: its cost calculations ignore precomputation. This paper describes a new VA system, called Giraffe; charges Giraffe for all three costs; and identifies regimes where outsourcing is worthwhile. Giraffe’s base is an interactive proof geared to data-parallel computation. Giraffe makes this protocol asymptotically optimal for the prover and improves the verifier's main bottleneck by almost 3x, both of which are of independent interest. Giraffe also develops a design template that produces hardware designs automatically for a wide range of parameters, introduces hardware primitives molded to the protocol’s data flows, and incorporates program analyses that expand applicability. Giraffe wins even when outsourcing several tens of sub-computations, scales to 500x larger computations than prior work, and can profitably outsource parts of programs that are not worthwhile to outsource in full.

October 25, 2017 Problems with Filecoin’s proofs-of-replication and how to fix them

Speaker:  Benjamin Fisch

Abstract:  Filecoin is a decentralized storage network in which “miners” earn coins by providing storage to clients. At the backbone of Filecoin is a proof of replication (PoR), which network nodes use to provide a publicly verifiable claim that they are storing multiple copies of a data file. I will discuss issues with Filecoin’s current proposal, and a new PoR construction.

November 01, 2017 Fully Automated Real-time Spear Phishing Detection

Speaker:  Lior Gavish (Barracuda)

Abstract:  In the past few years, spear phishing and email-borne social engineering have become one of the most costly security threats, causing over $5 billion in reported losses. These attacks take several forms: some ask the recipient to wire transfer money to the attacker's account, others ask for W2 forms containing social security numbers, and some trick the recipient into sending their credentials by impersonating a widely used service like Microsoft Outlook. Existing security systems fail to detect spear phishing, because the emails typically do not contain overtly malicious attachments or links, and are personalized to each recipient. Prior research requires manual work from security analysts to inspect emails individually, and suffers from low accuracy and a high false positive rate. We present Sentinel, a security system that automatically detects and quarantines spear phishing attacks in real-time using supervised learning, without requiring any manual analysis or configuration. The key insight of Sentinel is to automatically learn the historical communication patterns of each organization, and use these patterns to detect anomalies. Sentinel leverages the APIs of cloud-based email systems (e.g., Office 365 and GMail), both to automatically learn the historical communication patterns of each organization within hours, and to quarantine emails in real-time. Sentinel achieves false positive rates of less than one in a million emails, and accuracy above 95%.

November 08, 2017 The Case For Secure Delegation

Speaker:  Dima Kogan

Abstract:  Today's secure stream protocols, SSH and TLS, were designed for end-to-end security and do not include a role for semi-trusted third parties. As a result, users who wish to delegate some of their authority to third parties (e.g., to run SSH clients in the cloud, or to host websites on CDNs) rely on insecure workarounds such as ssh-agent forwarding and Keyless TLS. We argue that protocol designers should consider the delegation use-case explicitly, and we propose a definition of "secure" delegation: Before a principal agrees to delegate its authority, a system should provide it with secure advance notice of *who* will do *what* to *whom* under that authority. We developed Guardian Agent, a delegation system for the SSH protocol that, unlike ssh-agent forwarding, allows the user to control which delegate machines can run which commands on which servers. We were able to implement Guardian Agent in a way that remains fully compatible with existing SSH servers, by "handing over" a secure connection to the delegate once it has been set up. Additionally, we use this work to suggest a path for secure delegation on the Web.

Joint Work with:  Henri Stern, Ashley Tolbert, David Mazières, and Keith Winstein

To appear in:  HotNets 2017

November 15, 2017 Ethereum Bugs Through the Lens of Formal Verification

Speaker:  Yan Michalevsky

Abstract:  The famous DAO bug in the Ethereum blockchain employed callbacks to steal $150M. Callbacks are essential in many programming environments, but drastically complicate program understanding and reasoning because they allow an object’s local state to be mutated by external objects in unexpected fashions, thus breaking modularity. We define the notion of Effectively Callback Free (ECF) objects in order to allow callbacks without preventing modular reasoning. We study the decidability of dynamically checking ECF in a given execution trace and statically checking if an object is ECF. We also show that dynamically checking ECF in Ethereum is feasible and can be done online. By running the history of all execution traces in Ethereum, we were able to verify that virtually all existing contract executions, excluding those of the DAO or of contracts with similar known vulnerabilities, are ECF. Finally, we show that ECF, whether it is verified dynamically or statically, enables modular reasoning about objects with encapsulated state.

November 23, 2017 Thanksgiving Week

November 29, 2017 The discrete-logarithm problem with preprocessing

Speaker:  Henry Corrigan-Gibbs

Abstract:  We study discrete-log algorithms that use preprocessing. In our model, an adversary may use a very large amount of precomputation to produce an "advice" string about a specific group (e.g., NIST P-256). In a subsequent online phase, the adversary’s task is to use the preprocessed advice to quickly compute discrete logarithms in the group. Motivated by surprising recent preprocessing attacks on the discrete-log problem, we study the power and limits of such algorithms.

Joint Work with:  Dima Kogan

December 06, 2017 Unify ID

Speaker:  John Whaley

Abstract:  The proliferation of sensors and innovations in machine learning now make it possible to identify and authenticate individuals without any conscious user action, based purely on passive behavioral factors. Implicit authentication opens up a lot of opportunities, but also presents many unique challenges in security and privacy. I will present some of the challenges and open research questions we have encountered in our development of a real-world implicit authentication platform.

December 13, 2017 Bulletproofs: Short Proofs for Confidential Transactions and More.

Speaker:  Benedikt Bünz

Abstract:  Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. A bulletproof can be used to convince a verifier that an encrypted plaintext is well formed. For example, prove that an encrypted number is in a given range, without revealing anything else about the number. Compared to SNARKs, Bulletproofs require no trusted setup. However, verifying a bulletproof is more time consuming than verifying a SNARK proof. Bulletproofs are designed to enable efficient confidential transactions in Bitcoin and other cryptocurrencies. Confidential transactions hide the amount that is transferred in the transaction. Every confidential transaction contains a cryptographic proof that the transaction is valid. Bulletproofs shrink the size of the cryptographic proof from over 10kB to less than 1kB. Moreover, bulletproofs support proof aggregation, so that proving that m transaction values are valid adds only O(log(m)) additional elements to the size of a single proof. If all Bitcoin transactions were confidential and used Bulletproofs, then the total size of the blockchain would be only 17 GB, compared to 160 GB with the currently used proofs. Bulletproofs have many other applications in cryptographic protocols, such as shortening proofs of solvency, short verifiable shuffles, confidential smart contracts, and as a general drop-in replacement for Sigma-protocols.

Joint Work:  Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, Greg Maxwell