|9:00-9:45||钱志云||加州大学河滨分校助理教授||Android root 生态系统以及我们能做什么|
演讲主题：Android root 生态系统以及我们能做什么
很少有人讨论，Android 以开放的生态环境抢得今天的市场份额，其中隐性的代价其实是安全。多样而杂乱的Android系统导致了漏洞层出不穷以及安全维护的高成本。Android 一键 root 软件的应运而生就是一个佐证；这些软件合法而且可以有效利用各种内核/驱动漏洞而达到目的。这次报告中会揭秘这个鲜为人知的Android root生态系统，已经我们如何利用这些知识为恶意软件的检测做出贡献。
钱志云是加州大学河滨分校 (University of California, Riverside) 的助理教授 (Assistant Professor)。他的研究兴趣有系统网络安全网络，其中涉及到TCP/IP协议的设计与实现，安卓系统的漏洞挖掘/分析等。他在2016 geekpwn中凭借TCP远程劫持获得最大脑洞奖，在2017年获得NSF CAREER Award。
演讲主题: 新通用顶级域名(new gTLD)导致的域名冲突及一系列新的安全漏洞与攻击
MitM, Code Injection, Cred Theft, and More Found at the Scene of a Name Collision
The recent unprecedented delegation of new generic top-level domains (gTLDs) has exacerbated an existing, but fallow, problem called name collisions. In this talk, I will first discuss one concrete exploit of this problem, called the WPAD name collsion attack. In this attack, the attacker exploits the leaked service discovery queries for an internal web proxy service called WPAD, and can cause all web traffic of an Internet user to be redirected to an attacker’s proxy automatically right after the launching of a standard browser, making MitM attacks on web browsing easier than ever. Targeting this newly-exposed attack vector, we perform an in-depth study of the problem causes, and then define and quantify a candidate measure of attack surface to systematically characterize its vulnerability status in the wild. Our results show that 10% of the highly-vulnerable domains have already been registered and thus can be exploited at any time, providing a strong and urgent message to deploy proactive protection. We then discuss promising directions for remediation at the DNS ecosystem level with empirical data analysis.
While we have showed that the name collision problem is a real threat today, our understanding of its impact on the internal services is limited to the WPAD service. In fact, over 600 services are registered to support DNS-based service discovery, and thus the name collision problem may have much broader impact than the WPAD service alone. In the second part of the talk, I will present a follow-up work that performs a systematic study of the affected services under the name collision attack threat model, aiming at understanding the vulnerability status and the defense solution space at the service level. We first perform a measurement study that uncovers the wide spectrum of affected services, and then analyze their client implementations using a dynamic analysis framework. From our analysis, we find that nearly all of the affected services expose vulnerabilities in popular clients. To demonstrate the severity, we construct exploits and report our findings of many new name collision attacks with severe security implications including another MitM attack vector, document leakage, malicious library injection, and credential theft. We analyze the causes and find that the name collision problem broadly breaks common security assumptions made in today’s service software. Leveraging the insights from our analysis, we propose multiple service software level solutions.
Qi Alfred Chen is a PhD candicate in the EECS department at University of Michigan advised by Professor Z. Morley Mao. His research interest is computer network and systems security, and the major theme of his research is to address security challenges through systematic problem analysis and mitigation. He has been working on discovering and mitigating vulnerabilities in smartphone OSes (Usenix Security’14, FC’16), applications (Euro S&P’17), network protocols (CCS’15), DNS (IEEE S&P’16, CCS’17), and access control systems (NDSS’16, NDSS’17). His current research foci are security problems in smart systems and IoT, e.g., smart home systems, smart transportation systems, and autonomous vehicle systems.
Attack and Defense in Adversarial Machine Learning
Machine learning has been widely used in many areas. However, the robustness of these methods against motivated adversaries is uncertain. In this talk, I will introduce some practical attacks against the typical machine learning systems and the defense techniques. First, I will demonstrate how to evade state-of-the-art PDF malware classifiers, including the one used in Gmail. The irrelevant features used in a classification model is the root cause of adversarial examples. Therefore, we developed a defense solution named Feature Squeezing that coalesces many similar samples into a single example, which had been implemented for computer vision models. We also created a benchmarking and visualization toolbox named EvadeML-Zoo to help the researchers in this field.
Weilin Xu is a fifth year PhD student in the Computer Science department at the University of Virginia, co-advised by Prof. David Evans and Prof. Yanjun Qi. He received his bachelor degree in Computer Science and Technology from Beijing University of Posts and Telecommunications in 2012. Before joining UVa, he was an engineer at the Network and Information Security Lab at the Tsinghua University.
Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits
Developing a remote exploit is not easy. It requires a comprehensive understanding of a vulnerability and delicate techniques to bypass defense mechanisms. As a result, attackers may prefer to reuse an existing exploit and make necessary changes over developing a new exploit from scratch. One such adaptation is the replacement of the original shellcode (i.e., the attacker-injected code that is executed as the final step of the exploit) in the original exploit with a replacement shellcode, resulting in a modified exploit that carries out the actions desired by the attacker as opposed to the original exploit author. We call this a shellcode transplant.
In my talk, I will discuss the shellcode transplant problem and present ShellSwap, a system that uses symbolic tracing, with a combination of shellcode layout remediation and path kneading to achieve shellcode transplant. We show that previous method is insufficient in tackling the shellcode transplant problem, and that ShellSwap has better results in reusing exploits.
Tiffany Bao is a Ph.D. student in CyLab advised by Professor David Brumley. Her research interest is cyber autonomy, which includes both binary analysis technique and game-theoretic strategy for computer security. She completed her B.S. in Computer Science at Peking University, China.