Author copy of paper

Abstract: With the rise of AI-enabled Real-Time Deepfakes (RTDFs), the integrity of online video interactions has become a growing concern. RTDFs have now made it feasible to replace an imposter's face with their victim in live video interactions. Such advancement in deepfakes also coaxes detection to rise to the same standard. However, existing deepfake detection techniques are asynchronous and hence ill-suited for RTDFs. To bridge this gap, we propose a challenge-response approach that establishes authenticity in live settings. We focus on talking-head style video interaction and present a taxonomy of challenges that specifically target inherent limitations of RTDF generation pipelines. We evaluate representative examples from the taxonomy by collecting a unique dataset comprising eight challenges, which consistently and visibly degrades the quality of state-of-the-art deepfake generators. These results are corroborated both by humans and a new automated scoring function, leading to 88.6\% and 73.2\% AUC, respectively. The findings underscore the promising potential of challenge-response systems for explainable and scalable real-time deepfake detection in practical scenarios.

Meta Review: This paper explores the feasibility of challenge-based detection of live deepfake videos. The problem is well-defined and well-motivated. The proposed solution involves active and dynamic engagement with imposters through challenges, which is more sophisticated than static methods. The proposed solution is to check both (1) video compliance (i.e., the person indeed follows the instruction and performs the challenge) and (2) video realism (i.e., the quality of the video reflects it from a real person). The user study in this paper provides insights into human perceptions and the trade-offs between the effectiveness of challenges and usability costs. Finally, the study provides a valuable dataset that can benefit future work. While the "compliance detection" in the initial submission had weaknesses, the authors improved this part over the revision process. After the revision, the reviewers collectively agreed that the paper is strong, and would be a great addition to this year's EuroS&P

Author copy of paper

Abstract: Deep neural networks for image classification are vulnerable to adversarial attacks, where small perturbations to input images lead to incorrect predictions. This susceptibility, combined with the black-box nature of such networks, limits their adoption in critical applications like autonomous driving. Feature-attribution-based explanation methods provide relevance of input features for model predictions on input images, thus explaining model decisions. However, we observe that both model predictions and feature attributions for input images are sensitive to noise. We develop a practical method for this characteristic of model prediction and feature attribution to detect adversarial images. Our method, PASA, requires the computation of two test statistics using model prediction and feature attribution and can reliably detect adversarial images using thresholds learned from benign images. We validate our lightweight approach by evaluating the performance of PASA on varying strengths of FGSM, PGD, BIM, and CW attacks on multiple image datasets. On average, we outperform state-of-the-art statistical unsupervised adversarial detectors on CIFAR-10 and ImageNet by 15\% and 31\% ROC-AUC scores, respectively. Moreover, our approach demonstrates competitive performance even when an adversary is aware of the defense mechanism.

Meta Review: The paper "PASA: Attack Agnostic Unsupervised Adversarial Detection using Prediction & Attribution Sensitivity Analysis" proposes a method, PASA, to detect "adversarial examples". Abundant prior work have tackled this problem, but a practical solution to such a challenging problem has yet to be found. This paper makes a step in the right direction: the "unsupervised" nature of PASA, combined with its "attack-agnosticity" represent valuable contributions to overcome some of the limitations of prior work. These contributions are well described in the paper, and a thorough experimental evaluation (carried out on datasets spanning diverse application domains of machine learning) confirm the paper's claims. The evaluation also represents a stepping stone for future work, since the code is publicly released. In summary, the paper makes a significant contribution to the domain of "robust and trustworthy machine learning", and deserves to be included in the EuroS&P'24 program.

Author copy of paper

Abstract: Generative Adversarial Networks (GANs) have been widely used in various application scenarios. Since the production of a commercial GAN requires substantial computational and human resources, the copyright protection of GANs is urgently needed. This paper presents a novel fingerprinting scheme for the Intellectual Property (IP) protection of image-to-image GANs. We break through the stealthiness and robustness bottlenecks suffered by previous fingerprinting methods for classification models being naively transferred to GANs. Specifically, we innovatively construct a composite deep learning model from the target GAN and a classifier. Then we generate fingerprint samples from this composite model, and embed them in the classifier for effective ownership verification. This scheme inspires some concrete methodologies to practically protect the modern image-to-image translation GANs. Theoretical analysis proves that these methods can satisfy different security requirements necessary for IP protection. We also conduct extensive experiments to show that our solutions outperform existing strategies.

Meta Review: The committee chose to accept this paper mainly due to its following merits: 1) new and probably the first fingerprinting approach especially designed for I2I GANs, 2) the fingerprinting approach is stronger and more principled, and outperforms existing heuristic-based approaches, 3) the paper provides thorough evaluation of the fingerprinting approach for multiple settings and shows its state-of-the-art performances, and 4) the proposed approach is useful in practical scenarios, although with the use of a trusted third party.

Abstract: Machine learning models, in particular deep neural networks, are currently an integral part of various applications, from healthcare to finance. However, using sensitive data to train these models raises concerns about privacy and security. One method that has emerged to verify if the trained models are privacy-preserving is Membership Inference Attacks (MIA), which allows adversaries to determine whether a specific data point was part of a model's training dataset. While a series of MIAs have been proposed in the literature, only a few can achieve high True Positive Rates (TPR) in the low False Positive Rate (FPR) region (0.01% ~ 1%). This is a crucial factor to consider for an MIA to be practically useful in real-world settings. In this paper, we present a novel approach to MIA that is aimed at significantly improving TPR at low FPRs. Our method, named learning-based difficulty calibration for MIA (LDC-MIA), characterizes data records by their hardness levels using a neural network classifier to determine membership. The experiment results show that LDC-MIA can improve TPR at low FPR by up to 4x compared to the other difficulty calibration based MIAs. It also has the highest Area Under ROC curve (AUC) across all datasets. Our method's cost is comparable with most of the existing MIAs, but is orders of magnitude more efficient than one of the state-of-the-art methods, LiRA, while achieving similar performance.

Meta Review: The committee chose to accept this paper mainly due to its following merits: - interesting observations that the paper makes about different types of samples. - novel and very well-motivated MI attack based on the observations - proposed MI attack outperforms the state-of-the-art attacks especially in low-compute regimes which makes it more useful in many practical settings, e.g., when auditing large models -thorough evaluation of the proposed attack from various aspects including different model sizes, datasets, comparisons with prior MIAs, etc.

Abstract: Autonomous systems that rely on object recognition are susceptible to the unique vulnerability of phantom attacks. In these scenarios, adversaries exploit the system by projecting sophisticated deceptive illusions that cause confusion between real objects and their virtual shadows. Despite the growing consensus on the importance of this threat, previous research has lacked comprehensive and quantitative assessments. In an effort to address this research gap, we first methodically investigated the success rates of attacks at various projection distances and angles. Following this baseline assessment, we conducted targeted experiments on two different setups: a black-box approach using the commercial DJI Mavic Air drone with its ActiveTrack feature, and a white-box approach using the open-source Tello drone integrated with YOLOv3 object recognition. These real-world evaluations clearly demonstrated the effectiveness of the phantom attacks. Considering the identified vulnerabilities, we developed DeGhost, a deep learning framework capable of distinguishing real entities from their projected counterparts. To ensure a holistic understanding of its performance, we projected phantoms using different types of projectors onto various surfaces such as concrete, screens, white cloth, white walls, whiteboards, and wooden boards. DeGhost was then evaluated against a range of SoTA object detectors, including the YOLO series, Faster R-CNN, and CenterNet. Our results underscored the ability of DeGhost to detect these phantom attacks with high accuracy, as evidenced by an AUC of 0.998, an FNR of 0.013, and an FPR of 0.018. In addition, the incorporation of an advanced Fourier technique enhanced the robustness of the model. This study not only illuminates the feasibility of the attack but also offers practical security countermeasures for emerging autonomous technologies.

Meta Review: The value of this paper is rooted in the following aspects: First, it introduces a pioneering exploration into phantom attacks on drones, capitalizing on the visual detection systems integral to driving assistance technologies. Second, the feasibility of these methods has been proven through practical experiments, employing actual devices like the Tello and DJI drones, various types of projectors, and a range of distance and illuminance conditions. It is, however, noteworthy that the effectiveness of the DeGhost system diminishes considerably on surfaces such as plants and glass.

Author copy of paper

Abstract: In this work, we analyze to what extent actors target poorly-secured cloud storage buckets for attack. We deployed hundreds of AWS S3 honeybuckets with different names and content to lure and measure different scanning strategies. Actors exhibited clear preferences for scanning buckets that appeared to belong to organizations, especially commercial entities in the technology sector with a vulnerability disclosure program. Actors continuously engaged with the content of buckets by downloading, uploading, and deleting files. Most alarmingly, we recorded multiple instances in which malicious actors downloaded, read, and understood a document from our honeybucket, leading them to attempt to gain unauthorized server access.

Meta Review: The reviewers unanimously agreed that the paper presents a compelling study of cloud storage scanning behaviors, offering useful insights into the tactics and techniques used to locate misconfigured Amazon S3 buckets. The research stands out due to its clever use of deception, which involves “honey buckets” populated with decoy documents that contain enticing information, such as fake credentials. The authors thoughtfully address ethical considerations and demonstrate a commitment to improvement with a refined second experiment. The results of the study shed light on the strategies employed by attackers for finding misconfigured cloud storage buckets. Overall, the paper enhances our understanding of cloud security risks and provides tools for the community to mitigate them.

Author copy of paper

Abstract: Home Internet of Things (IoT) devices can be difficult for users to secure. Prior work has suggested measuring these devices' network behaviors and using these characterizations to create allowlists of permitted endpoints. Unfortunately, previous studies have typically been conducted in controlled lab settings, with one or two devices per product. In this paper, we examine whether popular home IoT products' network behaviors generalize via both in-lab experiments of 24 devices and a large, crowdsourced dataset of IoT devices in the wild. We find that observing traffic from one device in one lab is often insufficient to fully characterize an IoT product's network behaviors. For example, specifying which endpoints a device may contact based on initial measurements in our lab led 25% of products to stop functioning later, and even more when using a VPN. We then used the crowdsourced dataset to better understand this traffic's heterogeneity and pinpoint how to create more generalizable allowlists. We identified causes of failure, such as regionalization, CDN usage, third-party integrations, and API changes. Finally, we used the crowdsourced data in numerous configurations to specify which endpoints each product in our lab could contact. We found that domain-level allowlists enabled the majority of devices to function in our lab using data collected years in the past. For the remaining devices, we characterize how to mitigate the failures observed and pave the way to creating more generalizable allowlists.

Meta Review: This paper conducts a thorough analysis of the feasibility of employing MUD files for implementing hostname-based network traffic control on IoT devices. The study explores how these measures can effectively mitigate risks associated with unauthorized access and data breaches, while ensuring seamless and secure communication between connected IoT devices within the network infrastructure. Undoubtedly, the central message of this work is pertinent and revolves around security. Specifically, the study demonstrates how MUD file based defense (i.e., allowlisting) is employed in practical scenarios and discusses its potential shortcomings in various cases. Using allowlists for cybersecurity has always had challenges. The results in the paper could have steered towards a direction of when they could be easier implemented versus when it is almost impossible. Having said this, the reviewers were of the opinion that the reasons for accepting the paper outweigh this concern. - The paper presents interesting evaluation from a comparative point of view regarding the variability of IoT device traffic. - The study illustrates the practical application of MUD file-based defense (i.e., allowlisting) in real-world scenarios, while also delving into its potential shortcomings across various cases. - Experiments in the study are meticulously presented, offering clear, comprehensive descriptions and methodologies. - Authors plan to open-source their datasets

Abstract: The Single Sign-On based account linking process (SSOLinking in short) allows users to link their accounts at Service Provider (SP) websites to their Identity Providers (IdP) accounts. We focus on a serious (and overlooked) attack, namely an Account Hijack targeting the SSOLinking and relying on two CSRF vulnerabilities, one affecting the IdP and the other the SP. The former is an Authentication CSRF (also known as Login CSRF) and the latter is a CSRF on the button triggering the SSOLinking. We propose a security testing approach to help testers automatically detect such attacks. We implemented our testing technique as an extension (namely SSOLinking Checker) to the open-source penetration testing tool Micro-Id-Gym. To demonstrate the effectiveness of our approach and the pervasiveness of the SSOLinking Account Hijack, we conducted an experimental analysis against a selection of popular SPs that offer the SSOLinking with major IdPs. The results of our experiments are alarming: out of the 462 web sites we considered, 40 qualified for conducting our experiments and 19 of these suffered from SSOLinking vulnerability (i.e. 47.5%). Our findings (we responsibly disclosed to the affected vendors) include severe vulnerabilities among the web sites of Medium, Asos, Workable, etc.

Meta Review: The paper presents the first comprehensive look at CSRF linking vulnerabilities in the wild, using a semi-automated testing strategy. Even though, the inception of this attack vector goes back roughly a decade [Lundeen 2013 Blackhat], the paper presents us with a study unveiling 21 real-world issues in top sites that could be exploited by an attacker. Considering these findings the work was accepted as it makes a strong case for us as a community to go back to this issue and re-evaluate how we can sustainably address this attack vector and make the platform safer for Service Providers integrating with Identity Providers.

Abstract: Clickbait PDFs, an entry point for multiple Web attacks, are distributed via SEO poisoning and rank high in search results due to being massively uploaded on abused or compromised websites. The central role of these hosts in the distribution of clickbait PDFs remains understudied, and it is unclear whether attackers differentiate the types of hosting for PDF uploads, how long they rely on hosts, and how affected parties respond to abuse. To address this, we conducted real-time analyses on hosts, collecting data on 4,648,939 clickbait PDFs served by 177,835 hosts over 17 months. Our results revealed a diverse infrastructure, with hosts falling into three main hosting types. We also identified at scale the presence of eight software components which facilitate file uploads and which are likely exploited for clickbait PDF distribution. We contact affected parties to report the misuse of their resources via a large-scale vulnerability notification. While we observed some effectiveness in terms of number of cleaned-up PDFs following the notification, long-term improvement in this infrastructure remained insignificant. This finding raises questions about the hosting providers’ role in combating abuse and the actual impact of vulnerability notifications.

Meta Review: This is a large-scale and longer-term study to analyze the hosting infrastructure for so-called clickbait PDF attacks. Moreover, the authors undertook a notification effort towards the providers. The evaluation of the notification effort increases the value of the paper, contributing to important lessons in this area. While this solution is effective in reducing the volume of clickbait PDF volume in the short term, its effectiveness over the long term is unclear.

Author copy of paper

Abstract: Single Sign-On (SSO) with OAuth 2.0 and OpenID Connect 1.0 is essential for user authentication and authorization on the Internet. Billions of users rely on SSO services provided by Google, Facebook, and Apple. For large-scale measurements on the security of SSO, researchers need to reliably detect SSO implementations in the wild. In this paper, we survey the current state of 36 SSO measurement tools from prior work and discover gaps leading to blind spots in the SSO landscape that hinder the community from improving large-scale research. We observe unreliable measurements and a lack of reproducibility, making comparisons between studies difficult, if not impossible. We fill these gaps with SSO-Monitor, our open-source, modular, and highly extensible framework for large-scale SSO landscape and security measurements. SSO-Monitor achieves a high accuracy of 93% and, compared to prior tools, significantly improves the reliability of SSO measurements by 19%. It continuously takes snapshots of SSO implementations on the top 1M websites to compose an SSO archive that is reproducible by design. Therefore, it passively monitors the SSO flows and provides an extensive set of landscape and security insights on sso-monitor.me. Our SSO archive allows researchers to conduct comprehensive measurements over time and even beyond the scope of SSO. We use the data in our SSO archive to measure the security of 89k SSO authentication flows on the top 1M websites. Thereby, we discover 33k violations of the OAuth Security Best Current Practices and 339 severe security vulnerabilities. They include 30 username and password leaks and 28 token leaks that enable full account takeovers.

Meta Review: This paper presents a systematic evaluation of Single Sign-On (SSO) research conducted over the past decade, offering valuable insights and guidance for future studies in the field. The paper introduces an SSO detection framework and monitoring system to address the limitations of prior research efforts. By continuously monitoring the top 1M websites, the paper also provides a large, publicly accessible SSO dataset. The entire infrastructure is open source and reproducible, enabling other researchers to build on top of it. This work's technical rigor and scientific validity, combined with the topic's timeliness, make this paper a strong contribution relevant to a broad audience interested in SSO security.

Abstract: The Ethereum Global Network (EGN) hosts a complete ecosystem of decentralized services, including blockchains such as Ethereum mainnet but also exchange markets, content delivery networks, and many more. Service discovery is a fundamental mechanism in the EGN, allowing new nodes to look up and connect to participants to one of the services. The current service discovery of the EGN, DISCv4, is not scalable and efficient enough to support the current and future needs of the ecosystem. We present DISC-NG, a novel service discovery protocol for the EGN that is scalable, efficient, and secure. DISC-NG leverages the EGN-wide DHT to allow service participation advertisements to meet service discovery requests. DISC-NG compensates the unbalance in service popularity and minimizes the potential for abuse by malicious nodes. We implement DISC-NG in devp2p, the network stack used by the majority of clients connecting to the EGN, as well as in a large-scale simulator. We show that DISC-NG can discover services in the EGN faster than DISCv4, while being more robust to malicious nodes. DISC-NG is now in a staging phase and scheduled for deployment in future versions of devp2p.

Meta Review: All the reviewers expressed favorable opinions about the paper. This paper introduced DISC-NG. DISC-NG addresses the limitations of the current DISCv4 protocol by enhancing scalability, efficiency, and security. It is also interesting to note the integration of an EGN-wide DHT to facilitate service discovery, effectively mitigating issues such as unbalanced service popularity and potential abuse by malicious nodes. Therefore, the paper has been accepted.

Abstract: Public randomness is a fundamental component in many cryptographic protocols and distributed systems and often plays a crucial role in ensuring their security, fairness, and transparency properties. Driven by the surge of interest in blockchain and cryptocurrency platforms and the usefulness of such a building block in those areas, designing secure protocols to generate public randomness in a distributed manner has received considerable attention in recent years. This paper presents a systematization of knowledge on the topic of public randomness with a focus on cryptographic tools providing public verifiability and key themes underlying these systems. We provide concrete insights on how state-of-the-art protocols achieve this task efficiently in an adversarial setting and present various research gaps that may be of interest for future research.

Meta Review: This paper led to a lively discussion among the reviewers. Everyone agreed that this is a well-written paper with interesting insights. The main concern of the reviewers was that there already is a SoK paper on public randomness (Choi et al., IEEE S&P 2023). The submitted paper version discussed this 2023 paper and described how the structure of the submitted SoK is complementary to the 2023 paper. The reviewers asked the authors to further strengthen this part and the final version of the submitted makes it clear that it provides a substantially different view on SoK compared to the 2023 paper. This convinced the reviewers to accept the paper.

Author copy of paper

Abstract: Most blockchain platforms from Ethereum onwards render smart contracts as stateful reactive objects that update their state and transfer crypto-assets in response to transactions. A drawback of this design is that when users submit a transaction, they cannot predict in which state it will be executed. This exposes them to transaction-ordering attacks, a widespread class of attacks where adversaries with the power to construct blocks of transactions can extract value from smart contracts (the so-called MEV attacks). The UTXO model is an alternative blockchain design that thwarts these attacks by requiring new transactions to spend past ones: since transactions have unique identifiers, reordering attacks are ineffective. Currently, the blockchains following the UTXO model either provide contracts with limited expressiveness (Bitcoin), or require complex run-time environments (Cardano). We present ILLUM, an Intermediate-Level Language for the UTXO Model. ILLUM can express real-world smart contracts, e.g. those found in Decentralized Finance. We define a compiler from ILLUM to a bare-bone UTXO blockchain with loop-free scripts. Our compilation target only requires minimal extensions to Bitcoin Script: in particular, we exploit covenants, a mechanism for preserving scripts along chains of transactions. We prove the security of our compiler: namely, any attack targeting the compiled contract is also observable at the ILLUM level. Hence, the compiler does not introduce new vulnerabilities that were not already present in the source ILLUM contract. Finally, we discuss the suitability of ILLUM as a compilation target for higher-level contract languages.

Meta Review: The paper provides a more expressive intermediate language ILLUM, to write contracts for UTXO models that thwart transaction re-ordering attacks. It does not have a gas mechanism that avoids the unpredictable behavior of the incentive mechanism used to execute transactions in the network. The ILLUM language design comes with a comprehensive formal model and extensive proofs to support the security properties of the ILLUM compiler. The authors also provided a prototype compiler for a toy language HELLUM that compiles to ILLUM.

Author copy of paper

Abstract: Cryptocurrencies and blockchain technology provide an innovative model for reshaping digital services. Driven by the movement toward Web 3.0, recent systems started to provide distributed services, such as computation outsourcing or file storage, on top of the currency exchange medium. By allowing anyone to join and collect cryptocurrency payments for serving others, these systems create decentralized markets for trading digital resources. Yet, there is still a big gap between the promise of these markets and their practical viability. Existing initiatives are still early-stage and have already encountered security and efficiency obstacles. At the same time, existing work around promising ideas, specifically sidechains, fall short in exploiting their full potential in addressing these problems. To bridge this gap, we propose chainBoost, a secure performance booster for decentralized resource markets. It expedites service related operations, reduces the blockchain size, and supports flexible service-payment exchange modalities at low overhead. At its core, chainBoost employs a sidechain, that has a (security and semantic) mutual-dependence with the mainchain, to which the system offloads heavy/frequent operations. To enable it, we develop a novel sidechain architecture composed of temporary and permanent blocks, a block suppression mechanism to prune the sidechain, a syncing protocol to permit arbitrary data exchange between the two chains, and an autorecovery protocol to support robustness and resilience. We analyze the security of chainBoost, and implement a proof-of-concept prototype for a distributed file storage market as a use case. For a market handling around 2000 transactions per round, our experiments show up to 11x improvement in throughput and 94% reduction in confirmation time. They also show that chainBoost can reduce the main blockchain size by around 90%.

Meta Review: This paper proposes chainBoost, which offloads frequent/heavy service-related transactions to a sidechain for better performance regarding throughput, delays, and storage usage. The sidechain is managed by a committee with members dynamically elected from the mainchain miners running PBFT consensus. The clients and servers (or service providers) interact through two phases: market matching and service-payment exchange. Once matched and service provided, a server submits proofs of service and payment requests to the sidechain (as an escrow), which verifies the proofs and approves payments sent to the server account. - Despite concerns about the novelty of individual components, chainBoost's overall architecture and its integration into a functioning system demonstrate an advancement in blockchain technology. - The proposal of chainBoost can improve the scalability of Blockchain networks while supporting security measures. - Several "optimizations" (e.g., a suppression mechanism for reducing storage, syncing and auto-recovery protocols to handle rollbacks for robustness) are employed/proposed. - The study provided a comprehensive implementation for a distributed file storage market. The results demonstrated notable performance improvements over the case without chainBoost.

Abstract: We introduce NTRU-PIR and NTRU-PIR-Free, two single-server PIR protocols that offer new trade-offs in terms of storage, communication, and computation. Both of the protocols rely on the toolkit we developed for efficient homomorphic operations and ciphertext conversion algorithms on NTRU and an NTRU-based GSW-like scheme. Across a broad range of database configurations, NTRU-PIR simultaneously achieves a 4.3−39x reduction in public parameter size and a 3.1−6x increase in server throughput compared to previous counterparts. NTRU-PIR-Free, a variant of NTRU-PIR by removing the query compression technique, eliminates the storage burden on the server. In the streaming setting, when the previous best-performing scheme SpiralStreamPack reaches its highest throughput, NTRU-PIR-Free achieves a slightly higher throughput with a query size of only 8 MB (compared to 30 MB for SpiralStreamPack) and without requiring public parameters (compared to 125 MB for SpiralStreamPack).

Meta Review: The paper introduces NTRU-PIR, a single-server FHE-based PIR solution. NTRU-PIR switches out the (R)LWE-based approaches in existing FHE-based PIR schemes for an NTRU-based approach, similar to how FINAL/NTRU-ν-um adapt FHE encryption to the NTRU setting. The paper provides a detailed exposition of the necessary adaptions and introduces a series of optimization techniques, including adaptations of (R)LWE-GSW external product tricks from the CGGI encryption scheme to an NTRU setting. This produces a competitive single-server PIR solution that improves in certain performance metrics over prior work, especially throughput.

Author copy of paper

Abstract: Memory tagging allows to establish memory safety for software developed in C/C++. It is an effective mechanism with low architectural complexity and therefore ISA extensions, like ARM MTE or SPARC ADI, integrate memory tagging on the architectural level for commodity computer systems. Despite being in high demand, memory tagging features are currently absent in modern x86 processors. This work presents IntegriTag, a memory tagging solution for commodity x86 CPUs. We leverage the Intel Total Memory Encryption-Multi-Key (TME-MK) hardware feature that was initially envisioned for virtual machine isolation to instead provide memory tagging capabilities on off-the-shelf x86 processors. Unlike ARM MTE and SPARC ADI, our design does not require the integration of a separate tagged memory architecture, which would increase the overall system complexity. Instead, our solution allows us to implicitly enforce the desired security policies by incorporating them into the existing memory encryption integrity checks. In addition, our design addresses security issues that affect tagged memory architectures with small tag spaces. TME-MK allows for a greater number of key identifier bits, thus offering significantly stronger security compared to the 4-bit tags of ARM MTE and SPARC ADI. We implement a holistic software framework based on TME-MK, supporting several software-controlled and hardware-enforced memory safety policies. Moreover, we evaluate the performance overhead and security properties of our design, underlining the practicability and efficacy of our approach. Our design imposes an overhead of 32–41% for providing both temporal and spatial memory safety, which is significantly lower than the overheads of memory safety schemes in software on commodity hardware that provide comparable security properties.

Meta Review: This paper presents IntegriTag, which utilizes Intel's TME-MK hardware feature to protect commodity x86 CPUs against temporal and spatial memory safety issues. Unlike most memory tagging techniques that require significant hardware modifications, IntegriTag leverages TME-MK to securely encrypt memory pages. IntegriTag utilizes this engine to encrypt memory pages with a key derived from the page's physical address, enabling implicit memory access checks based on the TME-MK memory encryption engine. IntegriTag's approach surpasses dedicated hardware tagging features like ARM MTE mainly because of its efficient tagging schemes. The open-source implementation encourages further research in this area.

Abstract: The cloud computing landscape has evolved significantly in recent years, embracing various sandboxes to meet the diverse demands of modern cloud applications. These sandboxes encompass container-based technologies like Docker and gVisor, microVM-based solutions like Firecracker, and security-centric sandboxes relying on Trusted Execution Environments (TEEs) such as Intel SGX and AMD SEV. However, the practice of placing multiple tenants on shared physical hardware raises security and privacy concerns, most notably side-channel attacks. In this paper, we investigate the possibility of fingerprinting containers through CPU frequency reporting sensors in Intel and AMD CPUs. One key enabler of our attack is that the current CPU frequency information can be accessed by user-space attackers. We demonstrate that Docker images exhibit a unique frequency signature, enabling the distinction of different containers with up to 84.5% accuracy even when multiple containers are running simultaneously in different cores. Additionally, we assess the effectiveness of our attack when performed against several sandboxes deployed in cloud environments, including Google's gVisor, AWS' Firecracker, and TEE-based platforms like Gramine (utilizing Intel SGX) and AMD SEV. Our empirical results show that these attacks can also be carried out successfully against all of these sandboxes in less than 40 seconds, with an accuracy of over 70% in all cases. Finally, we discuss possible countermeasures to mitigate the proposed attack.

Meta Review: This paper demonstrates that dynamic frequency scaling enables fingerprinting of Docker containers: an attacker monitoring CPU frequency can infer which container is run by a co-located victim. A thorough experimental evaluation demonstrates the effectiveness of the attacks in a wide range of scenarios including: several sandboxes and TEE-based environments, different microarchitectures, co-location with other containers, different container versions and arguments, etc. The data and code will be made open-source, fostering future research on the topic, for instance on exploring more realistic attack scenarios (e.g., in which parameters are evaluated in combination and not separately). Finally, the paper discusses possible countermeasures against the attack and evaluates a noise injection countermeasure. Overall, this paper contributes to further the understanding of the implications of dynamic frequency-based side channel attacks.

Abstract: Graphic Processing Units (GPUs) have transcended their traditional use-case of rendering graphics and nowadays also serve as a powerful platform for accelerating ubiquitous, non-graphical rendering tasks. One prominent task is interference of neural networks, which process vast amounts of personal data, such as audio, text or images. Thus, GPUs became integral components for handling vast amounts of potentially confidential data, which has awakened the interest of security researchers. This lead to the discovery of various vulnerabilities in GPUs in recent years.\\ In this paper, we uncover yet another vulnerability class in GPUs: We found that some GPU implementations lack proper register initialization routines before shader execution, leading to unintended register content leakage of previously executed shader kernels. We showcase the existence of the aforementioned vulnerability on products of 3 major vendors - Apple, NVIDIA and Qualcomm. The vulnerability poses unique challenges to an adversary due to black-box scheduling and register remapping algorithms present in the GPU firmware, complicating the reconstruction of leaked data. In order to illustrate the real-world impact of this flaw, we showcase how these challenges can be solved for attacking various workloads on the GPU. First, we showcase how uninitialized registers leak arbitrary pixel data processed by fragment shaders. We further implement information leakage attacks on intermediate data of Convolutional Neural Networks (CNNs) and present the attack's capability to leak and reconstruct the output of Large Language Models (LLMs).

Meta Review: This paper presents uninitialized register reads as a GPU-based exploit vector, which is capable of leaking data from neural networks such as image-processing and LLMs. The paper identifies an impactful vulnerability -This paper shows real-world attacks on GPU with information leakage, and concrete PoC attacks are demonstrated via CNN and LLMs. - The identified attacks can be demonstrated across multiple GPU vendors including Apple, NVIDIA, and Qualcomm.

Abstract: Sensing data integrity in a cyber-physical system (CPS) is critical to its safe operation. Intolerable performance effects can potentially lead to very hazardous consequences. Numerous countermeasures have proven capable of protecting sensitive circuitry, cabling, and their signals from the effects of electromagnetic interference (EMI). However, in the case of intentional electromagnetic interference (IEMI), existing countermeasures possess limited efficacy. IEMI-capable adversaries attack the signal processing circuits and signal paths between sensors/actuators and the controller, seeking to manipulate the signals and falsify data. On a printed circuit board (PCB), the traces carrying these signals act as an unintentional antenna to a time-varying electromagnetic field generated by an adversary. In this paper, we demonstrate IEMI attacks on the PCBs used in electric vehicle (EV) charging systems, a very safety-critical CPS. To mitigate these attacks, we implement passive PCB-level countermeasures, namely, differential signaling, via-fencing, and optical fiber for interconnects. In addition, we propose and implement a multiplexer-based countermeasure that dynamically changes the route path and evades the adversary. All four countermeasures have been extensively evaluated against multiple adversarial setups and ranked based on their impact. Further, adaptive attacker strategies have been proposed to circumvent the effective countermeasures.

Meta Review: The committee chose to accept this paper since it provides a good summary of existing IEMI attacks and PCB-level IEMI countermeasures, contains both a theoretical and a practical analysis of their effectiveness, and points the way toward future research in this topic. While the paper could have been made stronger by evaluating the attacks on a commercial design, instead of only on a PCB designed by the authors, the committee feels that the experiments and simulations run on this author-provided platform are still sufficient and thus merit acceptance.

Abstract: As the need for secure systems grows, the exploration of secure hardware like Morello, based on the Capability Hardware Enhanced RISC Instructions (CHERI) architecture, becomes crucial. As Morello navigates towards market induction, establishing systematic approaches for transitioning software to its pure capability mode emerges as a crucial research endeavor. This paper investigates two main areas: a comparison with CERT guidelines and an exploitation analysis on the Morello platform. The comparison aims to identify potential developer-induced vulnerabilities and compiler limitations, elucidating how the Morello-llvm compiler behaves when there are CERT rule violations. Our exploitation analysis explores the limitations of the Morello-llvm compiler toolchain and the developer errors that could bypass Morello’s advanced security features. The findings highlight that despite advancements in toolchains, developer-induced vulnerabilities remain a significant issue, emphasizing the importance of adhering to established programming standards like CERT guidelines.

Meta Review: This paper provides an extensive and comprehensive study of potential security issues associated with porting existing software to a CHERI-enabled architecture using ARM's Morello as the current architecture prototype. In addition, the paper clearly classifies potential security issues and includes a manual exploitation analysis. The study systematically analyzes how the Morello-llvm compiler behaves on programs containing CERT rule violations and identifies remaining compiler limitations. It also provides development guidelines and explicit takeaways. Overall, the paper makes an important contribution to the security field; especially developers gain a good overview of the remaining challenges.

Abstract: Single Input Functionality (SIF) is a special case of MPC, where only one distinguished party called dealer holds the secret input. SIF allows the dealer to complete a computation task and send to other parties their respective outputs without revealing any additional information about its secret input. SIF has many applications, including multiple-verifier zero-knowledge and verifiable relation sharing, etc. Recently, several works devote to round-efficient realization of SIF, and achieve 2-round communication in the honest majority setting (Applebaum \emph{et al.}, Crypto 2022; Baum \emph{et al.}, CCS 2022; Yang and Wang, Asiacrypt 2022). In this work, we focus on concrete efficiency and propose \emph{the first} practical construction for SIF against \emph{a dishonest majority} in the preprocessing model; moreover, the online phase of our protocol is only 2-round and is highly efficient as it requires no cryptographic operations and achieves information theoretical security. For SIF among 5 parties, our scheme takes 152.34ms (total) to evaluate an AES-128 circuit with 7.36ms online time. Compared to the state-of-the-art (honest majority) solution (Baum \emph{et al.}, CCS 2022), our protocols is roughly 2$\times$ faster in the online phase, although more preprocessing time is needed. Compared to the state-of-the-art generic MPC against a dishonest majority (Wang \emph{et al.}, CCS 2017; Cramer \emph{et al.}, Crypto 2018), our protocol outperforms them w.r.t. both total running time and online running time.

Meta Review: The paper introduces a practical protocol for Single Input Functionality (SIF) in the dishonest majority setting, marking an advancement by offering efficient solutions for primitives like MVZK, VRS, and VSS. Despite addressing security concerns against dishonest majority, the protocol maintains practical round efficiency and faster online run times compared to existing protocols for weaker honest majority settings. The implementation evaluation is robust and well-justified, highlighting the protocol's efficacy. The paper also discusses the differences in security models and complexities among related works and the proposed protocol.

Abstract: Asymmetric Password-Authenticated Key Exchange (aPAKE) protocols, particularly Strong aPAKE (saPAKE) have enjoyed significant attention, both from academia and industry, with the well-known OPAQUE protocol currently undergoing standardization. In (s)aPAKE, a client and a server collaboratively establish a high-entropy key, relying on a previously exchanged password for authentication. A main feature is its resilience against offline and precomputation (for saPAKE) attacks. OPAQUE, as well as most other aPAKE protocols, have been designed and analyzed in a single-user setting, i.e., modelling that only a single user interacts with the server. By the composition framework of UC, security for the actual multi-user setting is then conjectured. As any real-world (s)aPAKE instantiation will need to cater multiple users, this introduces a dangerous gap in which developers are tasked to extend the single-user protocol securely and in a UC-compliant manner. In this work, we extend the (s)aPAKE definition to directly model the multi-user setting, and explicitly capture the impact that a server compromise has across user accounts. We show that the currently standardized multi-user version of OPAQUE might not provide the expected security, as it is insecure against offline attacks as soon as the file for one user in the system is compromised. This is due to using shared state among different users, which violates the UC composition framework. When extending the aPAKE security in the multi-client setting, we notice that the widely used security definition captures significantly weaker security guarantees than what is offered by many protocols. Essentially, the aPAKE definition assumes that the server stores \emph{unsalted} password-hashes, whereas several protocols explicitly use a salt to protect against precomputation attacks. We therefore propose a definitional framework that captures different salting approaches -- thus showing that the security gap between aPAKE and saPAKE can be smaller than expected.

Meta Review: The authors considering different salting techniques and the level of security they provide in the context of aPAKE protocols. The authors have sufficiently addressed the main questions and promised to improve current weaknesses of the paper: prove which constructions securely instantiate the new UC functionality, and integrate formal analysis of ssOPAQUE. Overall the reviewers consider it a valuable contribution.

Abstract: We present a new construction for secure logistic regression training, which enables two parties to train a model on private secret-shared data. Our goal is to minimize online communication and round complexity, while still allowing for an efficient offline phase. As part of our construction we develop many building blocks of independent interest. These include a new approximation technique for the sigmoid function, which results in a secure protocol with better communication; secure spline evaluation and secure powers computation protocols for fixed-point values; and a new comparison protocol that optimizes online communication. We also present a new two-party protocol for generating keys for distributed point functions (DPFs) over arithmetic sharing, where previous constructions do this only for Boolean outputs. We implement our protocol in an end-to-end system and benchmark its efficiency. We can securely evaluate a sigmoid in $3.6$ ms online time and $0.5$ KB of online communication. Our system can train a model over a database with $70,000$ samples and $15$ features with online communication of $208.09$ MB and online time of $9.68$ minutes at the cost of $1.95$c over WAN. Our benchmarks demonstrate that we reduce online communication over state of the art by $\approx 10 \times$ for sigmoid and $\approx130\times$ for logistic regression training. We converge to virtually the same model as plaintext in all cases. We open-source our system and include extensive tests.

Meta Review: All the reviewers feel that the paper makes an important contribution for solving the problem of secure logistic regression in the 2PC setting and recommend acceptance. Specifically, the paper focuses on reducing the cost of the online phase. The paper cleverly puts together several cute technical ideas and present an improved sigmoid evaluation protocol. In particular, the paper proposes a new secure comparison protocol and key generation protocol for distributed point functions over arithmetic sharing which could be of independent interest. The evaluation results show promise.

Author copy of paper

Abstract: This paper presents MQ on my Mind (MQOM), a digital signature scheme based on the difficulty of solving multivariate systems of quadratic equations (MQ problem). MQOM has been submitted to the NIST call for additional post-quantum signature schemes. MQOM relies on the MPC-in-the-Head (MPCitH) paradigm to build a zero-knowledge proof of knowledge (ZK-PoK) for MQ which is then turned into a signature scheme through the Fiat-Shamir heuristic. The underlying MQ problem is non-structured in the sense that the system of quadratic equations defining an instance is drawn uniformly at random. This is one of the hardest and most studied problems from multivariate cryptography which hence constitutes a conservative choice to build candidate post-quantum cryptosystems. For the efficient application of the MPCitH paradigm, we design a specific MPC protocol to verify the solution of an MQ instance. Compared to other multivariate signature schemes based on non-structured MQ instances, MQOM achieves the shortest signatures (6.3--7.8 KB) while keeping very short public keys (few dozen of bytes). Other multivariate signature schemes are based on structured MQ problems (less conservative) which either have large public keys (e.g. UOV) or use recently proposed variants of these MQ problems (e.g. MAYO).

Meta Review: The reviewers came to a decision of acceptance. This MPC-in-the-head based post-quantum signature scheme was presented to the NIST call for additional post-quantum signature schemes. It has advantages in signature size over other schemes in the same family, and it is comparable in other metrics. Note that this work does not present a formal security proof in the QROM (relying instead on the paradigm of Fiat-Shamir in MPC-in-the-head), and does not address any recent attacks that are not included in the MQ estimator. Overall the reviewers believe this is a solid post-quantum signature scheme with a reasonable advantage over prior work.

Abstract: Recent speech-based services such as voice assistants and cloud computing services have brought security concerns, since those services constantly send user's speech data to the server. Speech data contain user's sensitive biometric data and spoken words and can be misused if it is leaked into wrong hands. In this context, Signal Processing in Encrypted Domain (SPED) can be a solution by mixing up Homomorphic Encryption (HE) with signal processing. Using HE enables computing on user's encrypted data without decrypting it, thus providing security and privacy. In this paper, we present a simple, but fast homomorphic Quantized Fourier Transform (QFT) with efficient packing of speech signals. Our work is based on the Fully Homomorphic Encryption (FHE) scheme TFHE, which was proposed by Chillotti et al. We then present a thorough noise analysis of our QFT that helps to keep a reasonable noise level. Also, considering the TFHE's bootstrapping manner, we statistically analyze the boundary of the QFT coefficients, and present a simple criteria for scaling up the coefficients. Our criteria helps to keep the message precision as high as possible during the TFHE bootstrapping. We use our criteria to evaluate the magnitude of QFT with low latency, but with reasonable precision. Finally, we provide a proof-of-concept implementation of our QFT. With a ring dimension of 1024 and TFHE parameters that achieve 106 bits of security, we show that the QFT can be evaluated in 35 milliseconds for a single ciphertext of length 1024. This result is 74.6 times faster than the previous work. We also built an homomorphic end-to-end speech processing framework that processes and classifies the gender (resp. vowel) of encrypted speech data from the VoxCeleb (resp. PCVC) dataset. Our implementation classifies the gender (resp. vowel) with more than 83\% (resp. 76\%) accuracy with minimum 0.51 (resp. 6.26) seconds.

Meta Review: This paper demonstrates a practical real world FHE application (speech classification), with practical latency, useful compatibility with non-private ML models, a reasonable security model, and a clear motivation for privacy (speech inputs). Although this paper provides only summary comparisons between this TFHE-based approach and CKKS-based approaches, rather than detailed end-to-end performance and accuracy comparisons, and some optimizations for resource-limited devices were described rather than implemented, this is still a well-motivated and practical approach for private speech analysis, and the FHE quantized Fourier transform method can also bring privacy to other private signal-processing problems.

Abstract: Software composition analysis (SCA) has attracted the attention of the industry and academic community in recent years. Given a piece of program source code, SCA facilitates extracting certain components from the input program and matching the extracted components with open-source software (OSS) libraries. Despite the prosperous development of SCA, binary SCA (BSCA) is highly challenging and still underdeveloped. Few available BSCA solutions are either closed source (for commercial usage) or suffer from low performance. Nevertheless, a related line of research, binary similarity analysis (BSA), which decides the similarity between two pieces of binary code, has been progressively developed in academia for decades. De facto BSA techniques, often based on deep learning, efficiently analyze large-scale executables with high accuracy. This study explores bridging the gap between state-of-the-art (SOTA) BSA and BSCA. We spent considerable manual effort building the first large real-world benchmark dataset, containing over 55 million lines of C/C++ code. Then, we establish our BSCA pipeline by extending and calibrating the SOTA SCA pipeline. Particularly, we concretize the key procedure of BSCA, namely matching a binary component with OSS using six SOTA BSA techniques. Evaluation using our benchmark dataset reveals that simply employing BSA in BSCA exhibits less desirable accuracy, as BSCA faces unique challenges. After inspecting the failed cases, we propose three enhancements whose hybrid usage improves the F1 score of BSCA by over 30% and outperforms SOTA commercial BSCA software. We discuss several open challenges and potential solutions to augment BSCA solutions.

Meta Review: The paper explores a new research direction, namely bridging the gap between state-of-the-art (SOTA) binary software analysis (BSA) and binary software composition analysis (BSCA) techniques. It evaluates why/why not BSA techniques can be applied in BSCA, and provides informative insights for future security practitioners and researchers. To demonstrate the security value of the work, the authors perform a vulnerability identification experiment.

Abstract: Machine learning (ML) is shifting from the cloud to the edge. Edge computing reduces the surface exposing private data and enables reliable throughput guarantees in real-time applications. Of the panoply of devices deployed at the edge of the network, resource-constrained microcontrollers (MCUs), e.g., Arm Cortex-M, are more prevalent, orders of magnitude cheaper, and less power-hungry than application processors (APUs) or GPUs. Thus, enabling intelligence at the so-called deep/extreme edge is the zeitgeist, with researchers focusing on unveiling novel approaches to deploy artificial neural networks (ANN) on these constrained devices. Quantization is a well-established technique that has proved effective, i.e., negligible impact on accuracy, in enabling the deployment of neural networks on MCUs; however, it is still an open question to understand the robustness of quantized neural networks (QNNs) in the face of well-known adversarial examples. To fill this gap, we empirically evaluate the effectiveness of attacks and defenses from (full-precision) ANNs on (constrained) QNNs. Our evaluation suite includes three QNNs targeting TinyML applications, ten attacks (six gradient-based and four gradient-free), and five defenses. With this study, we draw a set of interesting findings. First, quantization increases the point distance to the decision boundary and leads the gradient estimated by some attacks to explode or vanish. Second, quantization can act as a noise attenuator or amplifier, depending on the noise magnitude, and causes gradient misalignment. Regarding adversarial defenses, we conclude that input pre-processing defenses show impressive results on small perturbations; however, they fall short as the perturbation increases. At the same time, train-based defenses increase adversarial robustness by increasing the average point distance to the decision boundary, which holds even after quantization. However, we argue that train-based defenses still need to smooth the quantization-shift and gradient misalignment phenomenons to counteract adversarial example transferability to QNNs. All artifacts will be open-sourced to enable independent validation of results and encourage further exploration of the robustness of QNNs.

Meta Review: Overall, the reviewers found that the paper addresses a relevant problem in the context of adversarial learning. The reviewers also appreciated the extensive empirical evaluation with ten attacks and five defenses for Quantized Neural Networks (QNNs), the comparison with previous work, and new insights into the robustness of QNNs under various attacks. Moreover, the code to reproduce the results in this paper is available in a public repository (https://gitlab.com/ESRGv3/QNN-Adversarial-Robustness), which may be a seed of new work in the area.

Abstract: We propose a Trojan horse-type attribute inference attack (AIA) against the gradient boosting decision trees (GBDT). Our Trojan AIA consists of a Trojan tree creation and an attribute inference. Both algorithms leverage the characteristics of the federated learning protocol for the GBDT training. First, the adversary creates a decision tree, a Trojan tree, that isolates a target data record from other data records. The adversary sends the Trojan tree to the server through the federated learning protocol at their round. Trojan tree forces the victim's tree to ``memorize'' a target data record's target attribute value that the adversary wants to know. The adversary can recover the target attribute value by observing the tree submitted by the victim if the victim uses the target data record for training the tree. For the regression task, we derive sufficient conditions for a successful attack. According to our theorem, if the target data record is distinct in the victim's dataset, the proposed attack is always successful. Experiments on multiple datasets and settings show results that align with the above theoretical analysis. Even if some conditions for theoretical analysis are relaxed, the proposed attack outperforms baseline attacks. To the best of our knowledge, this is the first study of an attribute inference attack against the GBDT in the federated learning setting.

Meta Review: This paper proposed an attribute inference attack against the gradient boosting decision trees (GBDT) in the federated learning (FL) setting. The value of this paper lies in several key aspects: firstly, the attack is both novel and effective, marking a significant advancement in the field. Additionally, the proposed attack is supported by thorough theoretical analysis and validated through real-world implementations, which illustrate potential risks and motivate the development of more robust GBDT-FL.

Abstract: Online scams pose a growing threat to the cyberspace, with cybercriminals frequently using fake evidence, such as identification and financial documents, to illicitly elevate their credibility in online activities. This deceptive trend is fueled by an emerging set of fake evidence generators (FEGENs). These FEGENs replicate the output of authoritative sources, such as official bank applications, to automatically generate large quantities of authentic-looking fake evidence. To the best of our knowledge, FEGENs, as effective tools for cybercriminals, have not been systematically analyzed in terms of their supply chain, including development, promotion, and delivery, as well as the risks and impacts they pose to end users. In this paper, we present the first systematic empirical analysis of FEGENs and related fake evidence. Our findings shed light on the FEGEN ecosystem, particularly the tactics employed by FEGEN developers and retailers to mimic authoritative sources and promote the use of FEGENs. We also evaluate the effectiveness of FEGENs and associated risks in cybercrime.

Meta Review:

Author copy of paper

Abstract: Today, DNS exfiltration attacks are detected by checking for anomalies present in the traffic, such as unusu- ally high transmission rates to a single domain and/or DNS query patterns that are very different from those in benign queries. While such approaches are seemingly robust, we show in this paper that our carefully designed and novel DNS exfiltration attack, DOLOS, that uses a generative adversarial network (GAN), can guide the encoding of sensitive data in a manner that both evades these detectors and significantly speeds up the exfiltration rate compared to prior methods. At its core, DOLOS divides the exfiltration data into smaller chunks, and projects each chunk into a representation that is very similar to benign queries. In addition, DOLOS adap- tively tunes its exfiltration rate to conform with benign DNS traffic from the compromised host, and introduces proper levels of spurious traffic to reduce entropy. Importantly, DOLOS evades machine learning (ML) based detectors with no prior knowledge of their architectures or training sets (i.e., it is a blackbox exfiltration). We perform extensive evaluations using multiple datasets and also have a real im- plementation of DOLOS. Our evaluations show that DOLOS has a 12% detection probability even if 6 out of the 9 state-of-the-art defenses that we consider, are jointly used to detect exfiltration; if any of today’s baseline exfiltration techniques try to achieve the same rate as DOLOS in this setting, they are almost surely detected. If we reduce the rates of the baselines to achieve even a low albeit slightly higher detection probability than DOLOS (0.15), we see that they take 25× longer to achieve the exfiltration. With the other three defenses, we find that baselines are almost surely detected while DOLOS remains relatively unaffected regardless of the rate of exfiltration

Meta Review: Since the limits of practical DNS exfiltration attacks against realistic defense deployments are understudied, the Reviewers believed that this paper was worthy of publication in IEEE EuroS&P proceedings. We appreciated that the GANs provide a novel opportunity to mimic benign traffic in exfiltration without easily matched signatures. Finally, the discussed evaluation was convincing enough to conclude that the proposed solution could make better tradeoffs between stealth attacks and detection efficiency. The three main points the Reviewers ask the Authors for further clarification were around: 1) Clarity on novelty claims we respect of previous work, 2) Clarity and reasoning behind empirically set numbers during the evaluation and 3) a discussion around the limitation of the system. All these points were adequately addressed by the Authors in their camera ready version. In conclusion, the lack of a real DNS dataset for additional evaluation of the proposed system remains the biggest weakness of this otherwise solid paper.

Abstract: Smart home devices collect and transmit user data to smart home Trigger Action Platforms (TAPs) for processing and executing automation rules. However, this data can also be used to infer user activities or other sensitive information. In this paper, we propose PTAP, a privacy- preserving approach based on adversarial example attacks. PTAP injects targeted perturbations into time-series sensor data, effectively confounding potentially malicious TAP clas- sifiers. Our approach significantly reduces the chance of user activity recognition for a malicious TAP while preserving the essential information for automation rule execution, thus safeguarding TAP utility. We evaluated PTAP using a real- world smart-home dataset and examined its effectiveness in preserving utility through the execution of various IoT applications. Our results demonstrate that PTAP effectively preserves user privacy (reducing the accuracy of a malicious classifier from 91 to 6 percent) while maintaining automa- tion rule integrity, providing a practical and effective solution to protect user privacy in smart-home environments.

Meta Review: The paper uses adversarial ML to reduce the effectiveness of TAP-based activity classifiers. Not only does this provide a practical solution, but the level of disturbances can be tuned, providing a finely configurable privacy filter for each potential activity. The reviewers accepted the paper for the following key reasons: - The paper focuses on the important problem of preserving privacy in the face of invasive data inferences by TAP classifiers - The idea of using adversarial perturbations to reduce the effectiveness of TAP classifiers is novel, and a practical solution relative to restricting a TAP's access to events and hence functionality. - PTAP does not affect the behavior of TAP applications by design, as the paper demonstrates with an extensive evaluation. The solution effectively reduces malicious TAP classifier accuracy on the real-world dataset.

Abstract: Cryptographic protocols play a crucial role in safeguarding network communications. However, it has been shown that many design flaws and implementation bugs in cryptographic protocols lie in plain sight, only to be dis- covered many years after their deployment. At design level, symbolic protocol provers, such as Tamarin and ProVerif, assume a symbolic or Dolev-Yao attacker model and are shown to be effective in ruling out logical errors in protocol specifications. However, little work has been done on auto- matically analyzing such security guarantees (secure under Dolev-Yao) for an existing protocol implementation. We present an automated and systematic framework, ProInspector, to uncover logic errors in protocol implemen- tations. Central to our approach is a tailored conformance testing algorithm which generates test cases, taking into consideration, a Dolev-Yao attacker. Our approach enables us to generate test cases that contain inputs from the attacker. ProInspector then uses generic symbolic provers to check if inconsistencies between the specification and implementation lead to exploits. We test ProInspector on popular TLS implementations and rediscover several CVEs

Meta Review: The authors presented a tool for finding logical bugs in protocol implementation by automatically generating test cases that verify that the implementation conforms to a specification (manually provided as a Mealy Machine). The key novelty of this conformance testing is that it generates test cases by mutating protocol message based on a Dolev-Yao attacker. It utilizes ProVerif to generate concrete attack traces for the failed test cases. The evaluation shows that the tool is generic and can test multiple protocol implementations with minimal changes. Finally, the tool will be made open-source to further drive progress in this area.

Abstract: Light Fidelity (LiFi) networks transmit information via light waves and are an interesting alternative to Radio Frequency networks: as light can be confined easily, LiFi provides better performance and makes eavesdropping attacks much more difficult. A core application of LiFi networks are self-contained and local networks among a group of autonomous devices, e.g., in industrial or medical environments. Cryptographic protocols are used to secure these network, however the key exchange sometimes relies solely on the confineability of light signals and sends key material in plain over the network. This is clearly not desirable from a security perspective and newer standards recommend key exchange protocols to establish shared keys. A crucial part in any authenticated key exchange protocol is how to bootstrap trust, e.g., by assuming a PKI, pre-installed keys or an out-of-band-channel. Well established solutions exist, but they are not ideal for the type of self-contained networks targeted by LiFi communication. In this work we investigate how the physical properties of a LiFi channel can be used to replace these mechanisms, resulting in a more convenient and also more efficient solution for key exchange. To this end we propose a new type of secret-less key exchange (SEKA) that does not rely on any pre-shared secrets, and instead runs in two phases: a short bootstrap phase where we make stronger assumptions on the physical security, ruling out active attacks. This can be realized by putting all devices in a closed room, taking advantage of the light’s confineability feature. The bootstrap phase is followed by a more classical key-exchange phase, where the actual key material gets exchanged in the presence of active attacks – relying on the shared states from the bootstrap phase. We formally define this new type of key-exchange protocol which offers authenticated key exchange with post-compromise security without relying on pre-shared secrets. We then show that a simpler and more efficient version of the signed Diffie-Hellmann protocol, now relying on MACs instead of signatures for the mutual authentication, can be proven secure in our model. Finally, a proof-of-concept implementation of the SEKA protocol is evaluated in a testbed demonstrating the efficiency gains of our approach.

Meta Review: The paper introduces the Secretless Key Exchange and Authentication (SEKA) protocol, an authenticated key exchange protocol for Light Fidelity (LiFi) networks that have the confineability property (i.e., can be confined in an isolated physical space). The SEKA protocol operates in two phases: (1) a bootstrap phase in which devices establish a pairwise secret state with each other in a confined room and (2) a key exchange phase in which devices exchange and update shared securely even in the presence of active adversaries. The reviewers have unanimously agreed to accept the paper for several reasons. - Firstly, the paper presents a compelling issue concerning key exchange among LiFi devices, demonstrating strong motivation. Although the practicality of confinement during the bootstrap phase in industrial environments was initially questioned, the authors effectively argued the feasibility of using temporary shielding for heavy machinery in their response. - Secondly, the paper provides detailed formal definitions, security objectives, and proofs for the SEKA protocol. It further includes an exhaustive assessment of both the security and performance of the SEKA prototype. Regrettably, the prototype is not available for open-source distribution. - Lastly, the paper is well-crafted and enjoyable to read. The authors have also incorporated the reviewers' suggestions for enhanced clarity and presentation.

Abstract: Synthetically generated benchmark datasets are vitally important for machine learning and network intrusion research. When producing intrusion datasets for research, providers make sensitive decisions that can affect data utility. Unfortunately, examining network data is difficult, so these decisions are rarely audited. We perform an in-depth manual analysis of six highly-cited benchmark datasets, discovering six bad patterns, which we term `data design smells' and design six heuristics to measure the prevalence of these issues. These design flaws cause severe experimental bias, which we demonstrate with four concrete examples. We then conduct an impact analysis of the wider literature that relies on these datasets. Our results suggest that bad design smells correlate with poor data diversity, murky labelling and poorly-defined generalisation criteria. Worryingly, we find that datasets can be entirely unfit for benchmarking purposes which, in turn, has severely limited the quality of intrusion detection research. Our work enables deeper understanding of the impact of improper data design in network intrusion datasets, informing the community on how to undertake qualitative research.

Meta Review: The paper tackles a problem that has been affecting an extremely popular research domain: the "issues" revolving around the usage of public "benchmark datasets" for Network Intrusion Detection Systems. There are several reasons that, in my opinion, make this paper stand out: - The underlying motivation of the paper is well founded, and the paper clearly shows this by considering datasets having been used by thousands of publications (including those in top-tier venues). A significant contribution in this domain could be tremendously helpful to advance the state of the art (indeed, there is a stark disconnection between research and practice in this domain). - The paper constructively tackles this problem by fairly accounting for the efforts of prior work (many papers have addressed the inadequacy of some benchmarks). Moreover, despite revealing "issues" in prior research, this is done in an ethical way and without "fingerpointing": among the messages broadcast by the paper is that the problem underlined by the paper is subtle, further increasing the value of this paper's contribution. - The paper provides new knowledge by formulating "design smells" in benchmark datasets that, if not accounted for by downstream research, may yield an improper evaluation to test potential claims. Such "smells" are then empirically demonstrated (by carrying out extensive analyses) in existing datasets, and even validated on an "unknown" dataset (this latter aspect emerged during the peer-review, and I consider this a major "meta-strength" of this paper). Altogether, these contributions are useful for future research. - The experiments carried out to validate the paper's claims are provided in a publicly available code repository, thereby increasing the transparency and soundness of the results (while also facilitating future research).

Abstract: Information and communication technology (ICT) is playing an expanding and critical role in our modern lives. Due to its proliferation and expansion in recent decades, ICT has a significant impact on global energy consumption, which in turn translates into air pollution, climate change, water pollution, etc. The proliferation of ICT has been accompanied by the emergence of cybersecurity technologies and solutions, which play an integral role in society's digitalization. Wherever there is ICT, there is a need to secure it, resulting in an increase in global cybersecurity energy consumption as well. This paper discusses the energy-related aspects of cybersecurity solutions and defines a ``Green Security" taxonomy. We highlight the inefficiencies stemming from various cybersecurity practices, such as processing the same data repeatedly. Within this context, we analyze cybersecurity solutions in common use cases while demonstrating the inherent energy consumption inefficiencies. In addition, we propose a method of measuring the energy consumed by cybersecurity solutions and present several optimization strategies that reduce the energy consumption of cybersecurity solutions. We evaluate our proposed optimization strategies and demonstrate their ability to reduce energy consumption while considering the organizational risk profile and maintaining the required security level.

Meta Review: The paper led to a lively discussion among the reviewers. While everyone agreed the paper is well-written and deals with an interesting and important topic, the reviewers had some concerns. The first was how to address scalability and enterprise-level application of the approach. The second was an inconsistency in the cost estimates. The last concern was about the claims of the approach’s applicability at the enterprise level. The authors worked with the shepherd and successfully addressed all concerns.

Author copy of paper

Abstract: Transport layer data leaks metadata unintentionally – such as who communicates with whom. While tools for strong transport layer privacy exist, they have adoption obstacles, including performance overheads incompatible with mobile devices. We posit that by changing the objective of metadata privacy for all traffic, we can open up a new design space for pragmatic approaches to transport layer privacy. As a first step in this direction, we propose using techniques from information flow control and present a principled approach to constructing formal models of systems with metadata privacy for some, deniable, traffic. We prove that deniable traffic achieves metadata privacy against strong adversaries – this constitutes the first bridging of information flow control and anonymous communication to our knowledge. Additionally, we show that existing state-of-the-art protocols can be extended to support metadata privacy, by designing a novel protocol for deniable instant messaging (DenIM), which is a variant of the Signal protocol. To show the efficacy of our approach, we implement and evaluate a proof-of-concept instant messaging system running DenIM on top of unmodified Signal. We empirically show that the DenIM on Signal can maintain low-latency for unmodified Signal traffic without breaking existing features, while at the same time supporting deniable Signal traffic.

Meta Review: This paper presents a formal approach to transform messaging applications metadata such some of the messages sent are unobservable at the network layer. All reviewers found the paper interesting and pleasant to read. Everyone appreciated very much the idea of using non-interference property to model metadata privacy, and that the formal approach taken in the paper, which enables to prove of the privacy properties the scheme provides. These theoretical findings are backed up by empirical experiments on a prototype build on top of Signal, which makes the paper very complete.

Abstract: Modern Android apps consist of both host app code and third-party libraries. Traditional static analysis tools conduct taint analysis for API misuses on the entire app code, while third-party library (TPL) detection tools focus solely on library code. Both approaches, however, are prone to some inherent false negatives: taint analysis tools may neglect third-party libraries or face timeouts/errors in whole app-based analysis, and TPL detection tools are not designed for pinpointing specific vulnerable methods. These challenges underscore the need for enhanced identification of insecure methods in Android apps, particularly for app markets addressing open-source security incidents. In this paper, we aim to complement the identification of missed false negatives in both TPL detection and taint analysis by directly identifying clones of insecure methods, regardless of whether they are in the host app code or a shrunk library. We propose MtdScout, a novel cross-layer, method-level clone detection tool for Android apps. MtdScout generates bytecode signatures for flawed source methods using compiler-style interpretation and abstraction, and efficiently matches them with target app bytecode using signature-mapped search trees. Our experiment using ground-truth apps shows that MtdScout achieves the highest accuracy among three tested clone detection tools, with a precision of 92.5% and recall of 87.2%. A large-scale experiment with 23.9K apps from Google Play demonstrates MtdScout’s effectiveness in complementing both LibScout and CryptoGuard by identifying numerous false negatives they missed due to app shrinking, method-only cloning, and inherent timeouts and failures in expensive taint analysis. Additionally, our experiment uncovers four security findings that highlight the disparities between MtdScout’s method-level clone detection and package-level library detection.

Meta Review: The paper proposes a novel approach, MtdScout, to identify insecure methods in Android apps. MtdScout complements existing techniques for third-party library detection and static taint analysis by generating source-to-bytecode signatures and using a tree-based layered search for efficient matching. The reviewers appreciated the simplicity and effectiveness of the approach, the comprehensive evaluation (24K apps from the Google Play Store), and the impactful findings. However, the evaluation only focuses on cryptographic misuse vulnerabilities, requiring additional experiments to demonstrate the generalizability of the approach. Furthermore, while MtdScout is resilient to identifier obfuscation and specific code optimizations, it has limitations against more complex obfuscation techniques, e.g., instruction reordering and DEX code encryption.

Author copy of paper

Abstract: Smartphone app usage has steeply risen in India in the past decade. But limited efforts in the past assess the privacy aspects of these smartphone apps. Many of these are used for common utilities and handle sensitive user data. Such sensitive data leaks can have a wide variety of consequences when exposed to untrusted players (e.g., repressive governments, data/content hosting companies, and other third parties). These could range from mere embarrassment to personal targeting and surveillance. This paper presents a measurement study on the data collection and privacy considerations of some of the most popular apps on the Indian Google Play Store. We analyzed the apps’ data collection behavior on phones as well as the security of the servers to whom they send the data. We observed and categorized the data collected and transmitted to the backend hosting servers. This involved obfuscating the data transmitted and checking whether the app operations still function.Interestingly, for the non-government apps we found that extensive (mostly personally identifiable information), often “unnecessary”, data collection was being performed. In other words, we observed that a lot of these apps work fine even without these pieces of sensitive information. Furthermore, we found that often such sensitive data may be available in plaintext to the intermediate players managing/deploying the hosting infrastructure. We also found that while the governmental services-based apps collect fewer such unnecessary data users, they often store the data on web-fronted back-end databases with little to no user authentication mechanisms enabled. We expect our study to enable better understanding among both users and app developers about the privacy implications of these data collection practices.

Meta Review: The paper presents a measurement study focused on the data collection and privacy practices of the most popular apps on the Indian Google Play Store. The reviewers decided to accept the paper for the following reasons: - The paper performs a comprehensive security and privacy analysis of 24 critical apps in India with a focus on highly sensitive private data, considering several well-known attack vectors. - The study has uncovered extensive data collection in apps that are capable of functioning without the data (i.e., as they do, even when the data is not delivered or obfuscated). Some of the findings are quite alarming; e.g., critical vulnerabilities in government apps (e.g., MahaDiscom), and how extremely popular apps such as Mobikwik transmit sensitive data to untrusted (and somewhat suspicious) domains. - The paper correlates app behavior (i.e., data transmission) with their privacy policies, and also examines compliance with local privacy regulations.

Abstract: Android enforces access control checks to protect sensitive framework APIs. If not properly protected, APIs can open the door for malicious apps to access sensitive resources without possessing the necessary privilege. Unfortunately, as reported by the existing literature, such access control anomalies are prevalent in Android APIs, notably in those introduced by customization parties. Hence, various solutions have been proposed to detect the anomalies, particularly those due to inconsistencies. The solutions can be largely divided into two categories: convergence-based techniques and probabilistic inference approaches. In this paper, we are motivated by the promising application of using code constructs -- beyond convergence analysis as proposed by the recent probabilistic approaches, to recommend access control enforcement and detect inconsistencies. Specifically, we propose a deep learning-based approach that aims to automatically learn the correspondence between various code constructs and access control requirement. However, this task faces a significant challenges, particularly due the path-sensitive nature of Android access control implementation. To this end, we develop a static analysis pipeline that extracts and abstracts an API's implementation to succinct execution traces that can be correlated with access control labels. We then employ the statically derived features to fine-tune CodeBERT for our access control recommendation task. The fine-tuned model achieves an accuracy of 91\%, precision of 91\%, and recall of 92\% on AOSP data. Additionally, our evaluation on custom ROMs shows that the model is able to rediscover previously reported inconsistencies, and even discover new ones. Hence, demonstrating its complementary nature to the existing access control evaluation and recommendation systems.

Meta Review: This paper presents a deep learning approach to identify and recommend access control measures for Android APIs, achieving significant accuracy and uncovering new inconsistencies. - The paper is clearly motivated and introduces a deep learning approach to addressing access control inconsistencies in Android APIs. - It achieves high accuracy, precision, and recall, demonstrating the method's effectiveness. It also conducts an experimental comparison with state-of-the-art research solutions. - The approach successfully uncovers new inconsistencies, enriching the community's understanding of Android vulnerabilities. - It provides a complementary solution to existing access control evaluation and recommendation systems. This study's code and data are publicly available.

Abstract: Prior studies have shown that abusers of intimate partner violence can find plenty of technical advice, tools, and how-to guides online for covertly conducting intimate partner surveillance (IPS). However, it is unclear what online resources survivors seek aid from when defending themselves against IPS. Thus, we explore the topic by conducting a survey-based study over Prolific. Through a survey with 63 survivors (recruited using Prolific), we find that 27 (43%) survivors used any online resources; among them, 67% relied on online search engines. Little is known about the online resources survivors can find online. We, therefore, conduct a systematic crawling of Google search results to identify resources available for survivors. We found that the resources survivors can find online contain poor, inaccurate, and actionable advice. They are hard to understand and do not help mitigate IPS. To investigate whether the lack of useful resources is solely experienced by survivors, we also crawled resources that abusers will find online. We found that abusers can easily find resources recommending powerful tools such as spyware apps and hidden devices and often explicitly promote IPS. We also compare the understandability and actionability of the resources using an adopted Patient Education Materials Assessment Tool (PEMAT) score and conclude that resources available to abusers are significantly more understandable and actionable than those available to survivors.

Meta Review: This work presents online resources available to survivors and abusers in the context of technology-enabled intimate partner surveillance (IPS). The reviewers are glad to accept the paper for the following reasons: - This paper is well-motivated, providing useful resources to the survivors of IPV, as highlighted by previous studies showing how abusers exploit technology. - The research questions posed have significant societal merit and could greatly reduce harm and suffering for IPV victims. - The methodology is solid, beginning with the collection of queries from participants, followed by an empirical assessment. We also appreciate the sensitivity and additional measures taken to protect participants throughout the study, given the sensitive nature of this topic. - The paper presents innovation by adopting the PEMAT tool and collating an extensive list of existing spyware types. - The paper demonstrates that abusers are more likely to find advice that enables them to continue their abusive behaviors, compared to advice that helps survivors protect themselves. The results indicate that the understandability and actionability of resources significantly favor abusers, suggesting the need for some form of intervention.

Abstract: Oblivious RAM (ORAM) allows a client to outsource storage to a remote server while hiding the data access pattern from the server. Many ORAM designs have been proposed to reduce the computational overhead and bandwidth blowup for the client. A recent work, Onion Ring ORAM (CCS'19), is able to achieve $O(1)$ bandwidth blowup in the online phase using fully homomorphic encryption (FHE) techniques, at the cost of a computationally expensive client-side offline phase. Furthermore, such a scheme can be categorized as a stateful construction, meaning that the client has to locally maintain a dynamic state representing the order of remote database elements. We present \prot: a novel design of ORAM based on FHE techniques, that is non-interactive and stateless, achieves $O(1)$ bandwidth blowup, and does not require an expensive offline phase for the client to perform; in that sense, our design is the first of its kind among other ORAM designs. To provide the client with such performance benefits, our design delegates all expensive computation to the resourceful server. We additionally show how to boost the server performance significantly using \emph{probabilistic batch codes} at the cost of only 1.5x in additional bandwidth blowup and 3x expansion in server storage, but less amortized bandwidth. Our experimental results show that our design, with the batching technique, is practical in terms of server computation overhead as well. Specifically, for a database size of $2^{19}$, it takes only $1.16$ seconds of amortized computation time for a server to respond to a query. As a result of the statelessness and low computational overhead on the client, and reasonable computational overhead on the server, our design is very suitable to be deployed as a cloud-based privacy-preserving storage outsourcing solution with a portable client running on a lightweight device.

Meta Review: The authors presented a novel design of non-interactive and stateless ORAM that achieves O(1) bandwidth blowup without requiring an expensive client-side offline phase as compared to prior work in the area. The paper address practical concerns for clients, including data loss, state synchronization, and unexpected drop-offs by not requiring the client to be online throughout the protocol execution. The authors prove the security (correctness) of their ORAM scheme. The paper also proposes approaches to amortize the computation cost by leveraging linear data structures and probabilistic batch codes in the context of ORAM, which have not been previously considered. The evaluation results are promising, and showcase the practicality and efficiency of the protocols in the context of moderately-sized databases.

Abstract: Computing the maximum from a list of secret inputs is a widely-used functionality that is employed either indirectly as a building block in secure computation frameworks, such as ABY (NDSS'15) or directly used in multiple applications that solve optimisation problems, such as secure machine learning or secure aggregation statistics. {\em Incremental distributed point functions} (I-DPFs) are a powerful cryptographic primitive (IEEE S\&P'21) that significantly reduces the client-to-server communication and are employed to efficiently and securely compute aggregation statistics. In this paper, we investigate whether I-DPFs can be used to improve the efficiency of secure two-party computation (2PC) with an emphasis on computing the maximum value and the k-th ranked value from a list of secret inputs. Our answer is affirmative, and we propose novel secure 2PC protocols that use I-DPFs as a building block, resulting in significant efficiency gains compared to the state-of-the-art. More precisely, our contributions are: {\em (i)} we propose novel protocols to compute the maximum value, the k-th ranked value and a protocol that checks if a secret value matches the maximum from a list of secret inputs; {\em (ii)} we provide variations of the proposed protocols that can perform batch computations and thus provide significant efficiency improvements; and {\em (iii)} for all proposed protocols, we provide an extensive evaluation of the performance. Our protocols have a communication complexity that is independent of the number of secret inputs and linear to the length of the secret input domain. Furthermore, experimental results show enhanced efficiency over the existing solutions we have implemented, particularly notable when handling large-scale inputs.

Meta Review: This paper proposes protocols for computing the maximum (MAX) or the kth ranked elements (KRE) of a private list secretly shared by two honest but curious servers. We endorse this paper as the proposed protocols provide enhanced communication efficiency over the state-of-the-art. This is achieved by leveraging incremental distributed point function (IDPF). While frameworks have been previously proposed for aggregating statistics over private data based on IDPF, they can not be directly applied to computing MAX or KRE, nor are they optimized with respect to online round complexity. The proposed protocols in this paper are then implemented and comprehensively evaluated. The evaluation results show that the protocols outperform existing approaches and achieve state-of-the-art online execution times and communication costs.

Abstract: Nextcloud is a leading cloud storage platform with more than 20 million users. Nextcloud offers an end-to-end encryption (E2EE) feature that is claimed to be able “to keep extremely sensitive data fully secure even in case of a full server breach”. They also claim that the Nextcloud server “has Zero Knowledge, that is, never has access to any of the data or keys in unencrypted form”. This is achieved by having encryption and decryption operations that are done using file keys that are only available to Nextcloud clients, with those file keys being protected by a key hierarchy that ultimately relies on long passphrases known exclusively to the users. We provide the first detailed documentation and security analysis of Nextcloud’s E2EE feature. Nextcloud’s strong security claims motivate conducting the analysis in the setting where the server itself is considered malicious. We present three distinct attacks against the feature in this setting. Each one enables the confidentiality and integrity of all user files to be compromised. All three attacks are fully practical and we have built proof-of-concept implementations for each. The vulnerabilities make it trivial for a malicious Nextcloud server to access and manipulate users’ data. We have responsibly disclosed the three vulnerabilities to Nextcloud. The second and third vulnerabilities have been remediated. The first was addressed by temporarily removing the file sharing feature from the E2EE feature until a redesign of the feature can be made. We reflect on broader lessons that can be learned for designers of E2EE systems.

Meta Review: This paper presents a security analysis of Nextcloud’s end-to-end encryption (E2EE) feature. It delves deep into Nextcloud’s documentation and implementation to uncover specification or implementation flaws. The analysis revealed three critical and practically exploitable security vulnerabilities compromising the confidentiality, integrity, and authenticity of E2EE-protected files. These vulnerabilities are exploitable by a malicious server, thereby undermining the security guarantee claimed by Nextcloud. Corresponding mitigations are also discussed in the paper. While the paper is highly specific to Nextcloud's E2EE scheme and does not easily generalize to other implementations, it remains insightful for anyone interested in commercial E2EE systems or potential E2EE users. This work has also been acknowledged by Nextcloud. The three vulnerabilities were disclosed to Nextcloud on January 2, 2023, and each vulnerability was assigned a CVE. Patches were released by Nextcloud on March 29, 2023. The vulnerable sharing feature was temporarily removed until a redesign could be implemented.

Abstract: Fully Homomorphic Encryption (FHE) schemes are widely used cryptographic primitives for performing arbitrary computations on encrypted data. However, FHE incorporates a computationally intensive mechanism called bootstrapping, that resets the noise in the ciphertext to a lower level allowing the computation on circuits of arbitrary depth. This process can take significant time, ranging from several minutes to hours. To address the above issue, in this work, we propose an Electronic Design Automation (EDA) framework FHEDA that generates efficient Boolean representations of circuits compatible with the Torus-FHE (ASIACRYPT 2020) scheme. To the best of our knowledge, this is the first work in the EDA domain of FHE. We integrate logic synthesis and gate optimization techniques into our FHEDA framework for reducing the total number of bootstrapping operations in a Boolean circuit, which leads to a significant (up to 50%) reduction in homomorphic computation time. Our FHEDA is built upon the observation that in Torus-FHE two consecutive Boolean gate evaluations over fresh encryptions require only one bootstrapping instead of two, based on appropriate parameter choices. By integrating this observation with logic replacement techniques into FHEDA, we could reduce the total number of bootstrapping operations along with the circuit depth. This eventually reduces the homomorphic evaluation time of Boolean circuits. In order to verify the efficacy of our approach, we assess the performance of the proposed EDA flow on a diverse set of representative benchmarks including privacy-preserving machine learning and different symmetric key block ciphers.

Meta Review: We are pleased to accept this paper with remarkable improvements in efficient circuit synthesis. This paper presents remarkable contributions to generating optimized circuits for Torus Fully Homomorphic Encryption (TFHE) evaluation. Their approach adequately addresses the limitations of TFHE in the expensive bootstrapping operations compared to Homomorphic Encryption (FHE), by leveraging the insight that only one bootstrapping is necessary for a 3-input gate. Throughout their comprehensive and illustrative evaluation, this paper demonstrates a potential 30% improvement in evaluation time for common functions, such as AES, and effectively presents real-world applicability through comparisons with the Google FHE Transpiler and experiments on LeNet-5.

Abstract: Privacy is a major concern in large-scale digital applications, such as cloud-computing, machine learning services, and access control. Users want to protect not only their plain data but also their associated attributes (e.g., age, location, etc). Functional encryption (FE) is a cryptographic tool that allows fine-grained access control over encrypted data. However, existing FE fall short as they are either inefficient and far from reality or they leak sensitive user-specific information. We propose SACfe, a novel attribute-based FE scheme that provides secure, fine-grained access control and hides both the user’s attributes and the function applied to the data, while preserving the data’s confidentiality. Moreover, it enables users to encrypt unbounded-length messages along with an arbitrary number of hidden attributes into ciphertexts. We design SACfe, a protocol for performing linear computation on encrypted data while enforcing access control based on inner product predicates. We show how SACfe can be used for online biometric authentication for privacy-preserving access control. As an additional contribution, we introduce an attribute-based linear FE for unbounded length of messages and functions where access control is realized by monotone span programs. We implement our protocols using the CiFEr cryptographic library and show its efficiency for practical settings.

Meta Review: All the reviewers feel that the novel attribute-based FE scheme proposed in the paper is a solid technical contribution and recommend the paper to be accepted. The paper provides a way to perform linear computations on encrypted data while enforcing access control based on inner product predicates which can be quite useful in many scenarios like biometric authentication.