
Cybersecurity and Privacy Work by Faculty and Students on Full Display at CCS’22

This week, researchers from around the globe gathered in Los Angeles, California, for the ACM Conference on Computer and Communications Security (ACM CCS) to present discoveries on the cutting edge of cybersecurity and privacy.

The conference is a top-tier research venue, and this year the Georgia Institute of Technology has six papers authored and co-authored by faculty and students from the School of Cybersecurity and Privacy (SCP). Each work represents a collaborative effort from across universities and institutions over the course of several years.

Here is a sample of the five public papers being presented at the flagship annual conference. 

Guarding Against Remote Cyberattacks 

A research team from Georgia Tech and Fudan University conducted the first systematic study of XRCE, a remote cyberattack on devices caused by injected malware, in cross-platform applications. Several high-profile platforms, such as Microsoft Teams and Slack, have been susceptible to injection issues, but XRCE has not been closely studied nor has its root cause been understood. 

The team built a generic model of applications compatible with multiple operating systems to define XRCE’s attack scenarios, surfaces, and behaviors. They took what they learned and compared it to current cyber defenses of 640 real-world platforms and noted their weaknesses to this type of threat. They discovered that 75% of the platforms studied may be affected by XRCE, including Microsoft Teams. 

To solve this problem, the group of researchers developed XGuard, a defense technology that will automatically mitigate XRCE attacks and all possible variants identified from the study. Understanding and Mitigating Remote Code Execution Vulnerabilities in Cross-platform Ecosystem is the first research paper studying and preventing XRCE, and the team hopes their work will raise awareness of the new cross-platform application vulnerabilities they uncovered. SCP Ph.D. students Feng Xiao, Zheng Yang, and Joey Allen were leading authors on the paper along with Assistant Professor Guangliang Yang of Fudan University, Georgia Tech Research Security Specialist Grant Williams, and SCP Professor Wenke Lee.

Bug Hunting in Self-driving Cars

Autonomous driving systems (ADS) are steadily becoming a reality, and experts expect them to be safer than human drivers. Unfortunately, there continue to be cases of accidents, including fatal ones, caused by flaws in ADS. A systematic approach to find and eliminate bugs in ADS is needed but did not exist.

Georgia Tech Ph.D. student Seulbae Kim first authored a research paper that designed an automated fuzz-testing framework, DriveFuzz, that repeatedly tests an ADS under realistic driving scenarios that evolve over iterations. Fuzz testing is known to be effective in finding bugs in traditional software systems. Kim and his colleagues demonstrated that fuzz testing can be applied to a non-traditional system, such as ADS, a cyber-physical system, to reveal unknown bugs.

Specifically, DriveFuzz mutates the system’s map, mission (initial position and goal position), actors (other vehicles and pedestrians), puddles, and weather of the scenario to stress the ADS. It looks for safety-critical vehicular misbehaviors, such as collisions and various traffic infractions. By testing two industry-grade open-source ADS, the team found 30 new bugs that lead to misbehaviors.

DriveFuzz: Discovering Autonomous Driving Bugs through Driving Quality-Guided Fuzzing Detection was written by SCP Ph.D. student Seulbae Kim, Major Liu (University of Texas at Dallas), Junghwan "John" Rhee (University of Central Oklahoma), Yuseok Jeon (UNIST), Yonghwi Kwon (University of Virginia), and Chung Hwan Kim (University of Texas at Dallas). 

Separating the Good Onions from the Bad

The Onion Router (Tor) network provides anonymity to users by routing traffic through many computers across the globe. Users can also host websites anonymously on the Tor network without revealing their personally identifiable information. The Tor network has helped many journalists, activists, and whistleblowers in their dangerous line of work. However, the Tor network has also been used by malicious attackers to operate large cybercriminal enterprises.

Differentiating between legitimate Tor users and malicious Tor users is extremely challenging since the Tor network encrypts and anonymizes all traffic between end hosts and servers, which makes traditional security detection systems ineffective. Researchers at Georgia Tech have found a way to identify when malicious software (malware) like ransomware uses the Tor network. The technique uses statistical network packet features and machine learning algorithms to differentiate between malware and legitimate users. The novel approach can be incorporated into traditional security systems to supercharge their capabilities and help identify malicious use of the Tor network. 

Exposing the Rat in the Tunnel: Using Traffic Analysis for Tor-based Malware Detection was written by Priyanka Dodia and Mashael AlSabah of Qatar Computing Research Institute; SCP Ph.D. student Omar Alrawi; and Tao Wang of Simon Fraser University.

Bringing the Hammer Down

A rowhammer attack causes a binary digit, or bit, to flip in memory cells without directly accessing them. This side channel attack was used by SCP Associate Professor Daniel Genkin and a team of researchers from across the country to access the private session key from FrodoKEM. This security software was developed to keep encryption keys safe from quantum computers; however, the process was corrupted by the team’s attacks.

When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer was written by Michael Fahr (University of Arkansas), Hunter Kippen (University of Maryland), Andrew Kwong (University of Michigan), Thinh Dang (George Washington University), Jacob Lichtinger (NIST), Dana Dachman-Soled (University of Maryland), Daniel Genkin (Georgia Tech), Alexander H. Nelson (University of Arkansas), Ray Perlner (NIST), Arkady Yerukhimovich (George Washington University), and Daniel Apon (The MITRE Corporation).

Another paper being presented this week on rowhammer attacks is HammerScope, written in collaboration with researchers from SCP, Israel, and Australia. The research explores the correlation of rowhammer attacks with the instantaneous power consumption of the memory which the attack needs to succeed. This correlation is used to mount various software-based power analysis attacks on memory. 

The team showed how this can be used to compromise secret information in certain scenarios. HammerScope demonstrates yet another adversarial consequence of rowhammer, which signifies the need for more robust and secure memory units in the future.

HammerScope: Observing DRAM Power Consumption Using Rowhammer was written by Yaakov Cohen (Ben-Gurion University of the Negev & Intel Corporation), SCP Ph.D. student Kevin Sam Tharayil, Arie Haenel (Jerusalem College of Technology & Intel Corporation), Genkin, Professor Angelos D. Keromytis with the School of Electrical & Computer Engineering at Georgia Tech, Yossi Oren (Ben-Gurion University of the Negev & Intel Corporation), and Yuval Yarom (University of Adelaide).