19 results on '"Tiffany Bao"'
Search Results
2. Mitigating Threats Emerging from the Interaction between SDN Apps and SDN (Configuration) Datastore
- Author
- Sana Habib, Tiffany Bao, Yan Shoshitaishvili, and Adam Doupé
- Published
- 2022
- Full Text
- View/download PDF
3. Cyber Autonomy in Software Security: Techniques and Tactics
- Author
- Yan Shoshitaishvili and Tiffany Bao
- Subjects
- Exploit ,business.industry ,Computer science ,media_common.quotation_subject ,Offensive ,Vulnerability ,Context (language use) ,Computer security ,computer.software_genre ,Software ,Work (electrical) ,Software security assurance ,business ,computer ,Autonomy ,media_common
- Abstract
Software security research traditionally focuses on the development of specific offense and defense techniques on software vulnerabilities. Software security techniques are useful in practice only to the extent they can be leveraged to achieve a goal. Different parties (individuals, companies, or nations) implement offensive and defensive techniques as components in holistic systems, and these systems strategically interact with each other. This chapter aims to introduce to the reader cyber autonomy in software security. We will offer a holistic view on this topic by presenting both techniques and tactics in software security. This chapter will introduce the high-level model of cyber autonomy in software security and explain how techniques and tactics co-work in software security, discuss current software security techniques (including vulnerability discovery, exploit generation, vulnerability patching, and vulnerability ricochet) and, once the readers have gained familiarity with the background and the context in software security that serves as the prerequisites for building a game theoretical model, will introduce the autonomous computer security game, which is the core of the chapter.
- Published
- 2021
- Full Text
- View/download PDF
4. 'Flawed, but like democracy we don’t have a better system': The Experts’ Insights on the Peer Review Process of Evaluating Security Papers
- Author
- Ananta Soneji, Faris Bugra Kokulu, Carlos Rubio-Medrano, Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, and Adam Doupé
- Published
- 2022
- Full Text
- View/download PDF
5. ViK: practical mitigation of temporal memory safety violations through object ID inspection
- Author
- Haehyun Cho, Jinbum Park, Adam Oest, Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, Adam Doupé, and Gail-Joon Ahn
- Published
- 2022
- Full Text
- View/download PDF
6. Context-Auditor: Context-sensitive Content Injection Mitigation
- Author
- Faezeh Kalantari, Mehrnoosh Zaeifi, Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, and Adam Doupé
- Subjects
- FOS: Computer and information sciences ,Computer Science - Cryptography and Security ,Cryptography and Security (cs.CR)
- Abstract
Cross-site scripting (XSS) is the most common vulnerability class in web applications over the last decade. Much research attention has focused on building exploit mitigation defenses for this problem, but no technique provides adequate protection in the face of advanced attacks. One technique that bypasses XSS mitigations is the scriptless attack: a content injection technique that uses (among other options) CSS and HTML injection to infiltrate data. In studying this technique and others, we realized that the common property among the exploitation of all content injection vulnerabilities, including not just XSS and scriptless attacks, but also command injections and several others, is an unintended context switch in the victim program's parsing engine that is caused by untrusted user input. In this paper, we propose Context-Auditor, a novel technique that leverages this insight to identify content injection vulnerabilities ranging from XSS to scriptless attacks and command injections. We implemented Context-Auditor as a general solution to the content injection exploit detection problem in the form of a flexible, stand-alone detection module. We deployed instances of Context-Auditor as (1) a browser plugin, (2) a web proxy, (3) a web server plugin, and (4) as a wrapper around potentially-injectable system endpoints. Because Context-Auditor targets the root cause of content injection exploitation (and, more specifically for the purpose of our prototype, XSS exploitation, scriptless exploitation, and command injection), our evaluation results demonstrate that Context-Auditor can identify and block content injection exploits that modern defenses cannot while maintaining low throughput overhead and avoiding false positives.
- Published
- 2022
- Full Text
- View/download PDF
7. SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning
- Author
- Giovanni Vigna, Lukas Dresel, Kyle Zeng, Tiffany Bao, Stefano Zanero, Mario Polino, Nicola Ruaro, Christopher Kruegel, Andrea Continella, Services, Cybersecurity & Safety, and Digital Society Institute
- Subjects
- Symbolic execution ,Cybersecurity ,Computer science ,business.industry ,media_common.quotation_subject ,Vulnerability ,Crash ,Replicate ,Machine learning ,computer.software_genre ,Path (graph theory) ,Vulnerability discovery ,Leverage (statistics) ,The Symbolic ,Artificial intelligence ,business ,Function (engineering) ,computer ,media_common
- Abstract
Exploring many execution paths in a binary program is essential to discover new vulnerabilities. Dynamic Symbolic Execution (DSE) is useful to trigger complex input conditions and enables an accurate exploration of a program while providing extensive crash replayability and semantic insights. However, scaling this type of analysis to complex binaries is difficult. Current methods suffer from the path explosion problem, despite many attempts to mitigate this challenge (e.g., by merging paths when appropriate). Still, in general, this challenge is not yet surmounted, and most bugs discovered through such techniques are shallow. We propose a novel approach to address the path explosion problem: A smart triaging system that leverages supervised machine learning techniques to replicate human expertise, leading to vulnerable path discovery. Our approach monitors the execution traces in vulnerable programs and extracts relevant features - register and memory accesses, function complexity, system calls - to guide the symbolic exploration. We train models to learn the patterns of vulnerable paths from the extracted features, and we leverage their predictions to discover interesting execution paths in new programs. We implement our approach in a tool called SyML, and we evaluate it on the Cyber Grand Challenge (CGC) dataset - a well-known dataset of vulnerable programs - and on 3 real-world Linux binaries. We show that the knowledge collected from the analysis of vulnerable paths, without any explicit prior knowledge about vulnerability patterns, is transferrable to unseen binaries, and leads to outperforming prior work in path prioritization by triggering more, and different, unique vulnerabilities.
- Published
- 2021
- Full Text
- View/download PDF
8. CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing
- Author
- Brad Wardman, Yan Shoshitaishvili, Gail-Joon Ahn, Zhibo Sun, Haehyun Cho, RC Johnson, Alexandros Kapravelos, Tiffany Bao, Adam Oest, Adam Doupé, Shaown Sarker, Ruoyu Wang, and Penghui Zhang
- Subjects
- Computer Networks and Communications ,business.industry ,Computer science ,Cloaking ,Evasion (network security) ,Client-side ,Computer security ,computer.software_genre ,Internet security ,JavaScript ,Phishing ,Key (cryptography) ,Dynamic program analysis ,ComputingMilieux_COMPUTERSANDSOCIETY ,Electrical and Electronic Engineering ,business ,Law ,computer ,computer.programming_language
- Abstract
Phishing is a critical threat to Internet users. Although an extensive ecosystem serves to protect users, phishing websites are growing in sophistication, and they can slip past the ecosystem’s detection systems—and subsequently cause real-world damage—with the help of evasion techniques. Sophisticated client-side evasion techniques, known as cloaking, leverage JavaScript to enable complex interactions between potential victims and the phishing website, and can thus be particularly effective in slowing or entirely preventing automated mitigations. Yet, neither the prevalence nor the impact of client-side cloaking has been studied. In this paper, we present CrawlPhish, a framework for automatically detecting and categorizing client-side cloaking used by known phishing websites. We deploy CrawlPhish over 14 months between 2018 and 2019 to collect and thoroughly analyze a dataset of 112,005 phishing websites in the wild. By adapting state-of-the-art static and dynamic code analysis, we find that 35,067 of these websites have 1,128 distinct implementations of client-side cloaking techniques. Moreover, we find that attackers’ use of cloaking grew from 23.32% initially to 33.70% by the end of our data collection period. Detection of cloaking by our framework exhibited low false-positive and false-negative rates of 1.45% and 1.75%, respectively. We analyze the semantics of the techniques we detected and propose a taxonomy of eight types of evasion across three high-level categories: User Interaction, Fingerprinting, and Bot Behavior. Using 150 artificial phishing websites, we empirically show that each category of evasion technique is effective in avoiding browser-based phishing detection (a key ecosystem defense). Additionally, through a user study, we verify that the techniques generally do not discourage victim visits. Therefore, we propose ways in which our methodology can be used to not only improve the ecosystem’s ability to mitigate phishing websites with client-side cloaking, but also continuously identify emerging cloaking techniques as they are launched by attackers.
- Published
- 2021
- Full Text
- View/download PDF
9. Scam Pandemic: How Attackers Exploit Public Fear through Phishing
- Author
- Ruoyu Wang, Penghui Zhang, Haehyun Cho, Yan Shoshitaishvili, Adam Doupé, Marzieh Bitaab, Rana Pourmohamad, Zhibo Sun, Adam Oest, Gail-Joon Ahn, Tiffany Bao, and Doowon Kim
- Subjects
- FOS: Computer and information sciences ,Government ,Computer Science - Cryptography and Security ,Exploit ,business.industry ,Internet privacy ,Phishing ,Market research ,Web traffic ,Pandemic ,Key (cryptography) ,The Internet ,business ,Cryptography and Security (cs.CR)
- Abstract
As the COVID-19 pandemic started triggering widespread lockdowns across the globe, cybercriminals did not hesitate to take advantage of users' increased usage of the Internet and their reliance on it. In this paper, we carry out a comprehensive measurement study of online social engineering attacks in the early months of the pandemic. By collecting, synthesizing, and analyzing DNS records, TLS certificates, phishing URLs, phishing website source code, phishing emails, web traffic to phishing websites, news articles, and government announcements, we track trends of phishing activity between January and May 2020 and seek to understand the key implications of the underlying trends. We find that phishing attack traffic in March and April 2020 skyrocketed up to 220% of its pre-COVID-19 rate, far exceeding typical seasonal spikes. Attackers exploited victims' uncertainty and fear related to the pandemic through a variety of highly targeted scams, including emerging scam types against which current defenses are not sufficient as well as traditional phishing which outpaced the ecosystem's collective response. (10 pages; accepted to eCrime 2020.)
- Published
- 2021
10. Everything You Ever Wanted to Know About Bitcoin Mixers (But Were Afraid to Ask)
- Author
- Ruoyu Wang, Jaswant Pakki, Tiffany Bao, Adam Doupé, and Yan Shoshitaishvili
- Subjects
- Deep Web ,Cryptocurrency ,Ask price ,Computer science ,business.industry ,Obfuscation ,Internet privacy ,Fungibility ,Transactional analysis ,business ,Mixing (physics) ,Anonymity
- Abstract
The lack of fungibility in Bitcoin has forced its userbase to seek out tools that can heighten their anonymity. Third-party Bitcoin mixers use obfuscation techniques to protect participants from blockchain transaction analysis. In recent years, various centralized and decentralized Bitcoin mixing methods were proposed in academic literature (e.g., CoinJoin, CoinShuffle). Although these methods strive to create a threat-free environment for users to preserve their anonymity, public Bitcoin mixers continue to be associated with theft and poor implementation. This paper explores the public Bitcoin mixer ecosystem to identify if today’s mixing services have adopted academia’s proposed solutions. We perform real-world interactions with publicly available mixers to analyze both implementation and resistance to common threats in the mixing landscape. We present data from 21 publicly available mixing services on the deep web and clearnet.
- Published
- 2021
- Full Text
- View/download PDF
11. MuTent: Dynamic Android Intent Protection with Ownership-Based Key Distribution and Security Contracts
- Author
- Ruoyu Wang, Tiffany Bao, Jaejong Baek, Pradeep Kumar Duraisamy Soundrapandian, Yan Shoshitaishvili, Gail-Joon Ahn, and Adam Doupé
- Subjects
- business.industry ,Computer science ,Key distribution ,Android (operating system) ,Encryption ,business ,Computer security ,computer.software_genre ,computer
- Published
- 2021
- Full Text
- View/download PDF
12. Favocado: Fuzzing the Binding Code of JavaScript Engines Using Semantically Correct Test Cases
- Author
- Kyle Zeng, Haehyun Cho, Gail-Joon Ahn, Kyle Martin, Yan Shoshitaishvili, Ruoyu Wang, Tiffany Bao, Adam Oest, Sung Ta Dinh, Adam Doupé, and Alexandros Kapravelos
- Subjects
- Test case ,Programming language ,Computer science ,Code (cryptography) ,Fuzz testing ,computer.software_genre ,JavaScript ,computer ,computer.programming_language
- Published
- 2021
- Full Text
- View/download PDF
13. HoneyPLC: A Next-Generation Honeypot for Industrial Control Systems
- Author
- Yan Shoshitaishvili, Tiffany Bao, Adam Doupé, Gail-Joon Ahn, Ruoyu Wang, Carlos E. Rubio-Medrano, and Efrén López-Morales
- Subjects
- Service (systems architecture) ,Honeypot ,business.industry ,Computer science ,Programmable logic controller ,Context (language use) ,Industrial control system ,computer.software_genre ,Computer security ,Malware ,Attack patterns ,The Internet ,business ,computer
- Abstract
Industrial Control Systems (ICS) provide management and control capabilities for mission-critical utilities such as the nuclear, power, water, and transportation grids. Within ICS, Programmable Logic Controllers (PLCs) play a key role as they serve as a convenient bridge between the cyber and the physical worlds, e.g., controlling centrifuge machines in nuclear power plants. The critical roles that ICS and PLCs play have made them the target of sophisticated cyberattacks that are designed to disrupt their operation, which creates both social unrest and financial losses. In this context, honeypots have been shown to be highly valuable tools for collecting real data, e.g., malware payload, to better understand the many different methods and strategies that attackers use. However, existing state-of-the-art honeypots for PLCs lack sophisticated service simulations that are required to obtain valuable data. Worse, they cannot adapt while ICS malware keeps evolving, and attack patterns become more sophisticated. To overcome these shortcomings, we present HoneyPLC, a high-interaction, extensible, and malware collecting honeypot supporting a broad spectrum of PLCs models and vendors. Results from our experiments show that HoneyPLC exhibits a high level of camouflaging: it is identified as real devices by multiple widely used reconnaissance tools, including Nmap, Shodan's Honeyscore, the Siemens Step7 Manager, PLCinject, and PLCScan, with a high level of confidence. We deployed HoneyPLC on Amazon AWS and recorded a large amount of interesting interactions over the Internet, showing not only that attackers are in fact targeting ICS systems, but also that HoneyPLC can effectively engage and deceive them while collecting data samples for future analysis.
- Published
- 2020
- Full Text
- View/download PDF
14. Session details: Session 3E: Fuzzing/Trusted Execution Environments
- Author
- Tiffany Bao
- Subjects
- Multimedia ,Computer science ,Fuzz testing ,Session (computer science) ,computer.software_genre ,computer
- Published
- 2020
- Full Text
- View/download PDF
15. Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization
- Author
- Yuwei Liu, Purui Su, Dinghao Wu, Tiffany Bao, Jia Xiangkun, Kyle Zeng, and Yanhao Wang
- Subjects
- Prioritization ,Computer science ,Fuzz testing ,Data mining ,computer.software_genre ,computer
- Published
- 2020
- Full Text
- View/download PDF
16. Matched and Mismatched SOCs
- Author
- Tiffany Bao, Yan Shoshitaishvili, Ananta Soneji, Ziming Zhao, Gail-Joon Ahn, Adam Doupé, and Faris Bugra Kokulu
- Subjects
- 021110 strategic, defence & security studies ,Focus (computing) ,Knowledge management ,Computer science ,business.industry ,0211 other engineering and technologies ,020206 networking & telecommunications ,02 engineering and technology ,Interview data ,Work (electrical) ,0202 electrical engineering, electronic engineering, information engineering ,Research studies ,Incident management (ITSM) ,business ,Qualitative research ,Security operations center
- Abstract
Organizations, such as companies and governments, created Security Operations Centers (SOCs) to defend against computer security attacks. SOCs are central defense groups that focus on security incident management with capabilities such as monitoring, preventing, responding, and reporting. They are one of the most critical defense components of a modern organization's defense. Despite their critical importance to organizations, and the high frequency of reported security incidents, only a few research studies focus on problems specific to SOCs. In this study, to understand and identify the issues of SOCs, we conducted 18 semi-structured interviews with SOC analysts and managers who work for organizations from different industry sectors. Through our analysis of the interview data, we identified technical and non-technical issues that exist in SOC. Moreover, we found inherent disagreements between SOC managers and their analysts that, if not addressed, could entail a risk to SOC efficiency and effectiveness. We distill these issues into takeaways that apply both to future academic research and to SOC management. We believe that research should focus on improving the efficiency and effectiveness of SOCs.
- Published
- 2019
- Full Text
- View/download PDF
17. Understanding and Predicting Private Interactions in Underground Forums
- Author
- Gail-Joon Ahn, Zhibo Sun, Adam Doupé, Carlos E. Rubio-Medrano, Ziming Zhao, and Tiffany Bao
- Subjects
- Cybercrime ,Adversarial system ,Workflow ,Computer science ,020204 information systems ,0202 electrical engineering, electronic engineering, information engineering ,ComputingMilieux_COMPUTERSANDSOCIETY ,020201 artificial intelligence & image processing ,02 engineering and technology ,Robustness (economics) ,Data science
- Abstract
The studies on underground forums and marketplaces have significantly advanced our understandings of cybercrime workflows and underground economies. Researchers of underground economies have conducted comprehensive studies on public interactions. However, little research focuses on private interactions. The lack of the investigation on private interactions may cause misunderstandings on underground economies, as users in underground forums and marketplaces tend to share the minimal amount of information in public interactions and resort to private messages for follow-up conversations. In this paper, we propose methods to investigate the underground private interactions and we analyze a recently leaked dataset from Nulled.io. We present analyses on the contents and purposes of private messages. In addition, we design machine learning-based models that only use the publicly available information to detect if two underground users privately communicate with each other. Finally, we perform adversarial analysis to evaluate the robustness of the detector to different types of attacks.
- Published
- 2019
- Full Text
- View/download PDF
18. How Shall We Play a Game?: A Game-theoretical Model for Cyber-warfare Games
- Author
- Giovanni Vigna, Yan Shoshitaishvili, Christopher Kruegel, Tiffany Bao, David Brumley, and Ruoyu Wang
- Subjects
- 021110 strategic, defence & security studies ,Computer science ,Process (engineering) ,Management science ,0211 other engineering and technologies ,02 engineering and technology ,010501 environmental sciences ,01 natural sciences ,Bottleneck ,Strategy development ,Cyberwarfare ,symbols.namesake ,Work (electrical) ,Order (exchange) ,Human–computer interaction ,Nash equilibrium ,symbols ,Game theory ,0105 earth and related environmental sciences
- Abstract
Automated techniques and tools for finding, exploiting and patching vulnerabilities are maturing. In order to achieve an end goal such as winning a cyber-battle, these techniques and tools must be wielded strategically. Currently, strategy development in cyber - even with automated tools - is done manually, and is a bottleneck in practice. In this paper, we apply game theory toward the augmentation of the human decision-making process. Our work makes two novel contributions. First, previous work is limited by strong assumptions regarding the number of actors, actions, and choices in cyber-warfare. We develop a novel model of cyber-warfare that is more comprehensive than previous work, removing these limitations in the process. Second, we present an algorithm for calculating the optimal strategy of the players in our model. We show that our model is capable of finding better solutions than previous work within seconds, making computer-time strategic reasoning a reality. We also provide new insights, compared to previous models, on the impact of optimal strategies.
- Published
- 2017
- Full Text
- View/download PDF
19. Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits
- Author
- Yan Shoshitaishvili, Tiffany Bao, Ruoyu Wang, and David Brumley
- Subjects
- Shellcode ,Test case ,Exploit ,Computer science ,020204 information systems ,Distributed computing ,0202 electrical engineering, electronic engineering, information engineering ,Code (cryptography) ,020207 software engineering ,02 engineering and technology ,Tracing ,PATH (variable) ,Vulnerability (computing)
- Abstract
Developing a remote exploit is not easy. It requires a comprehensive understanding of a vulnerability and delicate techniques to bypass defense mechanisms. As a result, attackers may prefer to reuse an existing exploit and make necessary changes over developing a new exploit from scratch. One such adaptation is the replacement of the original shellcode (i.e., the attacker-injected code that is executed as the final step of the exploit) in the original exploit with a replacement shellcode, resulting in a modified exploit that carries out the actions desired by the attacker as opposed to the original exploit author. We call this a shellcode transplant. Current automated shellcode placement methods are insufficient because they over-constrain the replacement shellcode, and so cannot be used to achieve shellcode transplant. For example, these systems consider the shellcode as an integrated memory chunk and require that the execution path of the modified exploit must be same as the original one. To resolve these issues, we present ShellSwap, a system that uses symbolic tracing, with a combination of shellcode layout remediation and path kneading to achieve shellcode transplant. We evaluated the ShellSwap system on a combination of 20 exploits and 5 pieces of shellcode that are independently developed and different from the original exploit. Among the 100 test cases, our system successfully generated 88% of the exploits.
- Published
- 2017
- Full Text
- View/download PDF