Stanford Security Lunch
Spring 2021

March 31, 2021 Partitioning Oracle Attacks

Speaker:  Julia Len (Cornell)

Abstract:  In this talk we introduce partitioning oracles, a new class of decryption error oracles which, conceptually, take a ciphertext as input and output whether the decryption key belongs to some known subset of keys. We introduce the first partitioning oracles which arise when encryption schemes are not committing with respect to their keys. We detail novel adaptive chosen ciphertext attacks that exploit partitioning oracles to efficiently recover passwords and de-anonymize anonymous communications. The attacks utilize efficient key multi-collision algorithms — a cryptanalytic goal that we define — against widely used authenticated encryption with associated data (AEAD) schemes, including AES-GCM, XSalsa20/Poly1305, and ChaCha20/Poly1305. We build a practical partitioning oracle attack that quickly recovers passwords from Shadowsocks proxy servers. We also survey early implementations of the OPAQUE protocol for password-based key exchange, and show how many could be vulnerable to partitioning oracle attacks due to incorrectly using non-committing AEAD. Our results suggest that the community should standardize and make widely available committing AEAD to avoid such vulnerabilities.

Paper:  USENIX Security 2021

April 07, 2021 Novi doubleheader

Speaker:  Kevin Lewi (Facebook)

HashWires: Hyperefficient Credential-Based Range Proofs

HashWires is a hash-based range proof protocol that is applicable in settings for which there is a trusted third party (typically a credential issuer) that can generate commitments. We refer to these as “credential-based” range proofs. HashWires improves upon hash chain solutions that are typically restricted to micropayments for small interval ranges, achieving an exponential speedup in proof generation and verification time. In terms of proof size, we also show that HashWires compares favorably against Bulletproofs for both 32- and 64-bit numeric values. Although credential-based range proofs are inherently less flexible than general range proofs, we provide a number of applications in which a credential issuer can leverage HashWires to provide range proofs for private values, without having to rely on heavyweight cryptographic tools and assumptions.

Speaker:  Lera Nikolaenko (Facebook)

Security of EdDSA signatures and half-aggregation of Schnorr's

We have studied the security of EdDSA signatures and discovered discrepancies between the standards and the libraries, which may cause problems for consensus-driven applications that need to agree on the validity of signatures. We formulated the verification algorithm that satisfies the strongest notion of security, in the hope that it will inform the standardization bodies and the developers and help them implement the scheme in a unified way.

We've also studied the non-interactive half-aggregation of Schnorr's signatures, which allows the space for storing signatures to be shrunk by a factor of 2. We formulate the notion of knowledge-of-signatures and study two different constructions: one with a lossy reduction and the best compression, and one with a tight reduction and worse compression.

April 14, 2021 Senate: A Maliciously-Secure MPC Platform for Collaborative Analytics

Speaker:  Rishabh Poddar (UC Berkeley)

Abstract:  Many organizations stand to benefit from pooling their data together in order to draw mutually beneficial insights—e.g., for fraud detection across banks, better medical studies across hospitals, etc. However, such organizations are often prevented from sharing their data with each other by privacy concerns, regulatory hurdles, or business competition.
We present Senate, a system that allows multiple parties to collaboratively run analytical SQL queries without revealing their individual data to each other. Unlike prior works on secure multi-party computation (MPC) that assume that all parties are semi-honest, Senate protects the data even in the presence of malicious adversaries. At the heart of Senate lies a new MPC decomposition protocol that decomposes the cryptographic MPC computation into smaller units, some of which can be executed by subsets of parties and in parallel, while preserving its security guarantees. Senate then provides a new query planning algorithm that decomposes and plans the cryptographic computation effectively, achieving a performance of up to 145x faster than the state-of-the-art.

Paper:  USENIX Security 2021

April 21, 2021 DORY: An Encrypted Search System with Distributed Trust

Speaker:  Emma Dauterman (UC Berkeley)

April 28, 2021 Practical Approach to Automate the Discovery & Eradication of Open-Source Software Vulnerabilities

Speaker:  Felipe Munera Savino (Netflix)

Abstract:  Over the last decade, there has been steady growth in the adoption of open-source components in modern web applications. Although this is generally a good trend for the industry, there are potential risks stemming from this practice that require careful attention. In this talk, we will describe a simple but pragmatic approach to identifying and eliminating open-source vulnerabilities in Netflix applications at scale.
Our solution at Netflix is focused on identifying, triaging, and eliminating vulnerabilities in common software packages and their transitive dependencies.
This talk will cover the following topics:

We will then explore how the Netflix AppSec team has worked to solve the problem at scale, describing the various stages in our automation strategy and the tools that we are using to help us achieve our goals.

May 05, 2021 Lessons Learned from the Election Integrity Partnership

Speaker:  Jack Cable & Isabella Garcia-Camargo

Abstract:  In this talk, we present lessons learned from the Election Integrity Partnership, analyzing the effects of months of disinformation that culminated in the storming of the US Capitol. The Election Integrity Partnership was a months-long effort comprising leading research entities in mis- and disinformation with the set goal of defending the 2020 election against voting-related mis- and disinformation. Ultimately, the partnership bridged the gap between government and civil society, helped to strengthen platform standards for combating election-related misinformation, and shared its findings with its stakeholders, media, and the American public. This talk details our process and findings, and provides recommendations for future actions.

May 12, 2021 Signal's Cellebrite Hack: Using Vulns to Cast Doubt on Digital Forensics Evidence

Speaker:  Riana Pfefferkorn (Stanford Internet Observatory)

Abstract:  You may have seen a story in the news recently about vulnerabilities discovered in the digital forensics tool made by Israeli firm Cellebrite. Cellebrite's software extracts data from mobile devices and generates a report about the extraction. It's popular with law enforcement agencies as a tool for gathering digital evidence from smartphones in their custody. In April, the team behind the popular end-to-end encrypted chat app Signal published a blog post detailing how they had obtained a Cellebrite device, analyzed the software, and found vulnerabilities that would allow for arbitrary code execution by a device that's being scanned with a Cellebrite tool. According to the blog post, an exploit could be wielded to modify—arbitrarily, undetectably, and at random—"not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports" for past and future devices scanned using that particular Cellebrite tool.
As coverage of the blog post pointed out, the vulnerability draws into question whether Cellebrite's tools are reliable in criminal prosecutions after all. While Cellebrite has since taken steps to mitigate the vulnerability, there's already been a motion for a new trial filed in at least one criminal case on the basis of Signal's blog post. Is that move likely to succeed? What will be the likely ramifications of Signal's discovery in court cases? How do lawyers, rather than software engineers, view Signal's blog post? This talk—by a lawyer, not a software engineer—will delve into the legal side of Signal's Cellebrite hack.

May 19, 2021 TBA

Speaker:  Cathie Yun (Google)

May 26, 2021 Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

Speaker:  Riccardo Paccagnella (UIUC)

Abstract:  We introduce the first microarchitectural side channel attacks that leverage contention on the CPU ring interconnect. There are two challenges that make it uniquely difficult to exploit this channel. First, little is known about the ring interconnect's functioning and architecture. Second, information that can be learned by an attacker through ring contention is noisy by nature and has coarse spatial granularity. To address the first challenge, we perform a thorough reverse engineering of the sophisticated protocols that handle communication on the ring interconnect. With this knowledge, we build a cross-core covert channel over the ring interconnect with a capacity of over 4 Mbps from a single thread, the largest to date for a cross-core channel not relying on shared memory. To address the second challenge, we leverage the fine-grained temporal patterns of ring contention to infer a victim program's secrets. We demonstrate our attack by extracting key bits from vulnerable EdDSA and RSA implementations, as well as inferring the precise timing of keystrokes typed by a victim user.

Paper:  USENIX Security 2021