1.1 NDSS Conference


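1.2 S&P Conference

The IEEE Symposium on Security and Privacy (S&P for short) was founded in 1980. It is one of the four top academic conferences in information security and also the longest-running top international academic conference in the field. The IEEE Symposium on Security and Privacy has long been the main forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. The conference has always been held in Oakland, California, USA, so peers also call it the Oakland conference.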



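1.4 CCS Conference

CCS (Computer and Communications Security) is the annual conference of the ACM SIGSAC group. The conference takes place in October-November each year, mostly in the United States, and in recent years it has also been held in Canada and the United Kingdom. CCS brings together information security researchers, practitioners, developers and users from around the world to explore and exchange cutting-edge ideas and the latest results in computer security.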


2.1 NDSS 2020 Conference


1 Web

FUSE: Finding File Upload Bugs via Penetration Testing
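This paper designs and implements FUSE, the first penetration testing tool for finding unrestricted file upload (UFU) and unrestricted executable file upload (UEFU) vulnerabilities in server-side PHP web applications. FUSE's goal is to generate upload requests; each request becomes an attack payload that can trigger a UFU or UEFU vulnerability. The authors address several technical challenges by carefully designing mutations of standard upload requests, so that the mutated requests bypass content-filtering checks without tampering with the execution of the uploaded file. FUSE found 30 previously unreported UEFU vulnerabilities, including 15 CVEs, across 33 real-world web applications, demonstrating its effectiveness at finding code execution bugs through file upload.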
Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites

Deceptive Previews: A Study of the Link Preview Trustworthiness in Social Platforms
Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks
Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting

2 Fuzzing

HYPER-CUBE: High-Dimensional Hypervisor Fuzzing
HFL: Hybrid Fuzzing on the Linux Kernel
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization

3 Censorship

Detecting Probe-resistant Proxies
Decentralized Control: A Case Study of Russia

Measuring the Deployment of Network Censorship Filters at Global Scale

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery

MassBrowser: Unblocking the Censored Web for the Masses, by the Masses

4 “Smart” Home

Et Tu Alexa? When Commodity WiFi Devices Turn into Adversarial Motion Sensor
Metamorph: Injecting Inaudible Commands into Over-the-air Voice Controlled Systems
SurfingAttack: Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Waves
Packet-Level Signatures for Smart Home Devices

5 Mobile & Smartphone Security

Learning-based Practical Smartphone Eavesdropping with Built-in Accelerometer

Automated Cross-Platform Reverse Engineering of CAN Bus Commands From Mobile Apps
Are You Going to Answer That? Measuring User Responses to Anti-Robocall Application Indicators
TKPERM: Cross-platform Permission Knowledge Transfer to Detect Overprivileged Third-party Applications
FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic

6 Blockchains and MPC

Bobtail: Improved Blockchain Security with Low-Variance Mining
Snappy: Fast On-chain Payments with Practical Collaterals

The Attack of the Clones Against Proof-of-Authority
Broken Metre: Attacking Resource Metering in EVM

Finding Safety in Numbers with Secure Allegation Escrows

7 Future Networks

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN
Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking

SVLAN: Secure & Scalable Network Virtualization

8 Software Defenses

µRAI: Securing Embedded Systems with Return Address Integrity
NoJITsu: Locking Down JavaScript Engines
SODA: A Generic Online Detection Framework for Smart Contracts

9 Network Crime and Privacy

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints
Designing a Better Browser for Tor with BLAST
Encrypted DNS --> Privacy? A Traffic Analysis Perspective

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways

10 Side Channels

ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures
PhantomCache: Obfuscating Cache Conflicts with Localized Randomization

Data-Driven Debugging for Functional Side Channels
Mind the Portability: A Warriors Guide through Realistic Profiled Side-channel Analysis

11 Network Defenses

Hold the Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft
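This paper proposes an RF fingerprinting method (HODOR, HOld the DOoR) to detect attacks on keyless entry systems, the first attempt to use RF fingerprinting in the automotive domain. HODOR is designed as a sub-authentication method that supports the existing authentication of keyless entry systems and requires no modification to the main system. A series of experiments shows that HODOR detects attacks on keyless entry systems effectively and reliably. HODOR's average false positive rate (FPR) is 0.27%, and its false negative rate (FNR) in detecting simulated attacks is 0%. HODOR provides security for keyless entry systems while preserving convenience.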
Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches

EASI: Edge-Based Sender Identification on Resource-Constrained Platforms for Automotive Networks
BLAG: Improving the Accuracy of Blacklists
DefRec: Establishing Physical Function Virtualization to Disrupt Reconnaissance of Power Grids' Cyber-Physical Infrastructures

12 Oblivious Computation

Revisiting Leakage Abuse Attacks
Metal: A Metadata-Hiding File-Sharing System

MACAO: A Maliciously-Secure and Client-Efficient Active ORAM Framework

Heterogeneous Private Information Retrieval
Dynamic Searchable Encryption with Small Client Storage

13 Network Attacks

Withdrawing the BGP Re-Routing Curtain: Understanding the Security Impact of BGP Poisoning through Real-World Measurements
IMP4GT: IMPersonation Attacks in 4G NeTworks

Practical Traffic Analysis Attacks on Secure Messaging Applications
CDN Judo: Breaking the CDN DoS Protection with Itself

14 Program Analysis

DeepBinDiff: Learning Program-Wide Code Representations for Binary Diffing
Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison

15 Malware

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats
Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis
OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis
Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem
When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features

UIScope: Accurate, Instrumentation-free, and Visible Attack Investigation for GUI Applications

16 Private Computation and Learning

Trident: Efficient 4PC Framework for Privacy Preserving Machine Learning
Secure Sublinear Time Differentially Private Median Computation
CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples

BLAZE: Blazing Fast Privacy-Preserving Machine Learning

17 Authentication

OcuLock: Exploring Human Visual System for Authentication in Virtual Reality Head-mounted Display
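This paper proposes an EOG-based authentication framework for virtual reality that uses visual stimuli to trigger responses of the human visual system (HVS) and collects EOG to characterize the HVS. The authors design a record-comparison driven authentication scheme in which distinct behavioral and physiological features are extracted and accurate authentication decisions are made. The authors also evaluate the proposed OcuLock system extensively, covering the reliability performance of authentication, security analysis against several attacks, and a user study of VR HMD authentication.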
On the Resilience of Biometric Authentication Systems against Random Inputs
Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

18 Case Studies & Human Factors

A View from the Cockpit: Exploring Pilot Reactions to Attacks on Avionic Systems
Genotype Extraction and False Relative Attacks: Security Risks to Third-Party Genetic Genealogy Services Beyond Identity Inference
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies
Into the Deep Web: Understanding E-commerce Fraud from Autonomous Chat with Cybercriminals

Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security Standards

19 Crypto

Let's Revoke: Scalable Global Certificate Revocation
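This paper proposes Let's Revoke, a scalable global revocation strategy that addresses the problems of current revocation checking. Let's Revoke introduces a new unique identifier for each certificate, which serves as an index into a dynamically sized bit vector containing revocation status information. The bit-vector approach gives clients and certificate authorities more efficient revocation checking. The authors compare Let's Revoke with existing revocation schemes and find that it requires less storage and network bandwidth than other systems.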
Post-Quantum Authentication in TLS 1.3: A Performance Study
DISCO: Sidestepping RPKI's Deployment Barriers

Proof of Storage-Time: Efficiently Checking Continuous Data Availability

20 Hardware & Speculative Attacks

SPEECHMINER: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities
ProtectIOn: Root-of-Trust for IO in Compromised Platforms
ConTExT: A Generic Approach for Mitigating Spectre

21 Privacy

Towards Plausible Graph Anonymization

Adversarial Classification Under Differential Privacy
Locally Differentially Private Frequency Estimation with Consistency

DESENSITIZATION: Privacy-Aware and Attack-Preserving Crash Report

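2.2 S&P 2020 Acceptances

The IEEE Symposium on Security and Privacy (S&P for short) is one of the four top academic conferences in information security. It began in 1980, and this year is the 41st. S&P 2020 accepted 104 papers in total.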

1 Machine Learning

AdGraph: A Graph-Based Approach to Ad and Tracker Blocking
Throwing Darts in the Dark? Detecting Bots with Limited Data Using Neural Data Augmentation

2 Blockchains

OHIE: Blockchain Scaling Made Simple
FlyClient: Super-Light Clients for Cryptocurrencies

Replicated State Machines without Replicated Execution

Flash Boys 2.0: Frontrunning in Decentralized Exchanges, Miner Extractable Value, and Consensus Instability

VerX: Safety Verification of Smart Contracts

VeriSmart: A Highly Precise Safety Verifier for Ethereum Smart Contracts

3 Privacy Protect

SoK: Differential Privacy as a Causal Property
Privacy Risks of General-Purpose Language Models
Are Anonymity-Seekers Just like Everybody Else? An Analysis of Contributions to Wikipedia from To

The Value of Collaboration in Convex Machine Learning with Differential Privacy
Private Resource Allocators and Their Applications
Enabling Rack-scale Confidential Computing Using Heterogeneous Trusted Execution Environment

Breaking and (Partially) Fixing Provably Secure Onion Routing
xMP: Selective Memory Protection for Kernel and User Space
Ask the Experts: What Should Be on an IoT Privacy and Security Label?
Automated Reverse Engineering and Privacy Analysis of Modern Cars
Towards Effective Differential Privacy Communication for Users’ Data Sharing Decision and Comprehension
Automatically Detecting Bystanders in Photos to Reduce Privacy Risks

4 User Behavior Analysis

Can Voters Detect Malicious Manipulation of Ballot Marking Devices?
Influencing Photo Sharing Decisions on Social Media: A Case of Paradoxical Findings
How Not to Prove Your Election Outcome

5 Security Analysis

Message Time of Arrival Codes: A Fundamental Primitive for Secure Distance Measurement
Security Update Labels: Establishing Economic Incentives for Security Patching of IoT Consumer Products

Cornucopia: Temporal Safety for CHERI Heaps
Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers
SEVurity: No Security Without Integrity - Breaking Integrity-Free Memory Encryption with Minimal Assumptions
Tactical Provenance Analysis for Endpoint Detection and Response Systems

SPECTECTOR: Principled Detection of Speculative Information Flows
Towards a Natural Perspective of Smart Homes for Practical Security and Safety Analyses

A Tale of Sea and Sky: On the Security of Maritime VSAT Communications
Transys: Leveraging Common Security Properties across Hardware Designs
A Security Analysis of the Facebook Ad Library

6 Program Analysis

Semantic Understanding of Smart Contracts: Executable Operational Semantics of Solidity

Rigorous Engineering for Hardware Security: Formal Modelling and Proof in the CHERI Design and Implementation Process

MarkUs: Drop-in Use-After-Free Prevention for Low-Level Languages

A Programming Framework for Differential Privacy with Accuracy Concentration Bounds

JIT Leaks: Inducing Timing Side Channels through Just-In-Time Compilation

Burglars' IoT Paradise: Understanding and Mitigating Security Risks of General Messaging Protocols on IoT Clouds
TRRespass: Exploiting the Many Sides of Target Row Refresh

7 Network Security

A Stealthier Partitioning Attack against Bitcoin Peer-to-Peer Network
Do Cookie Banners Respect My Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework
NetCAT: Practical Cache Attacks from the Network

ICLab: A Global, Longitudinal Internet Censorship Measurement Platform
Tactical Provenance Analysis for Endpoint Detection and Response Systems
Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics

SoK: Cyber Insurance - Technical Challenges and a System Security Roadmap

8 Web

Browsing Unicity: On the Limits of Anonymizing Web Tracking Data
Unexpected Data Dependency Creation and Chaining: A New Attack to SDN

SoK: Cyber Insurance - Technical Challenges and a System Security Roadmap
Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers
TARDIS: Rolling Back the Clock on CMS-Targeting Cyber Attacks

9 Crypto

EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider
Automatic Uncovering of Hidden Behaviors from Input Validation in Mobile Apps
Gesture Authentication for Smartphones: Evaluation of Gesture Password Selection Policies
Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication
The Last Mile: High-Assurance and High-Speed Cryptographic Implementations
ZEXE: Enabling Decentralized Private Computation
Binsec/Rel: Efficient Relational Symbolic Execution for Constant-Time at Binary-Level
HydRand: Efficient Continuous Distributed Randomness
Path Oblivious Heap: Optimal and Practical Oblivious Priority Queue

Efficient and Secure Multiparty Computation from Fixed-Key Block Ciphers

10 Wireless Network

Even Black Cats Cannot Stay Hidden in the Dark: Full-band De-anonymization of Bluetooth Classic Devices
BIAS: Bluetooth Impersonation AttackS

11 Side Channel

Leveraging EM Side-Channel Information to Detect Rowhammer Attacks
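This paper studies the correlation between certain electromagnetic emanations and rowhammer attacks, and on that basis proposes RADAR (Rowhammer Attack Detection via Radio), a systematic method for detecting rowhammer attacks. The paper proposes a method to reverse the spreading effect of the spread-spectrum clock on the EM side-channel information emitted by high-frequency clocks in computing devices. The authors implemented a RADAR prototype using a software-defined radio device costing 299 US dollars and evaluated the effectiveness and robustness of EM-based rowhammer attack detection in different scenarios.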

WaveSpy: Remote and Through-wall Screen Attack via mmWave Sensing
Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

12 Sensor System

Detection of Electromagnetic Interference Attacks on Sensor Systems
SoK: A Minimalist Approach to Formalizing Analog Sensor Security

13 Fuzzing

Fuzzing JavaScript Engines with Aspect-Preserving Mutation
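This paper advocates a new aspect-preserving mutation approach that aims to preserve the desired properties and preconditions of seed inputs. The authors also developed DIE, a fully fledged JavaScript fuzzer, which implements two new mutation strategies, structure preservation and type preservation, using lightweight static and dynamic type analysis. They report 48 new bugs, 38 of which were fixed during the responsible disclosure process.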
IJON: Exploring Deep State Spaces via Fuzzing

SAVIOR: Towards Bug-Driven Hybrid Testing
RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization
Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction

Krace: Data Race Fuzzing for Kernel File Systems
High Precision Open-World Website Fingerprinting
RAMBleed: Reading Bits in Memory without Accessing Them

14 Protocol Analysis

TextExerciser: Feedback-Driven Text Input Exercising for Android Applications
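This paper proposes the first feedback-driven input exerciser, which iteratively generates text inputs using a constraint solver based on hints from the target application. The authors implemented a prototype text input exerciser and evaluated TextExerciser's performance on popular Google Play applications. The results show that TextExerciser achieves higher code coverage than existing dynamic analysis tools and finds more privacy leaks and vulnerabilities.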
SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation

Ex-vivo Dynamic Analysis Framework for Android Device Drivers
Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS
KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware
CrypTFlow : Secure TensorFlow Inference

15 Cryptographic Protocol

Transparent Polynomial Delegation and Its Applications to Zero Knowledge Proof
Sync HotStuff: Simple and Practical Synchronous State Machine Replication
Towards Scalable Threshold Cryptosystems

16 Mobile and Malware

PMP: Cost-Effective Forced Execution with Probabilistic Memory Pre-planning
An Analysis of Pre-installed Android Software
SPIDER: Enabling Fast Patch Propagation in Related Software Repositories
This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
Intriguing Properties of Adversarial ML Attacks in the Problem Space

ICAS: An Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans
Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics
The Many Kinds of Creepware Used for Interpersonal Attacks

15 BUG

Flaw Label: Exploiting IPv6 Flow Label
Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd
Humpty Dumpty: Controlling Word Meanings via Corpus Modifications
SPECCFI: Mitigating Spectre Attacks Using CFI Informed Speculation
C3APSULe: Cross-FPGA Covert-Channel Attacks through Power Supply Unit Leakage
LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection

Plundervolt: Software-Based Fault Injection Attacks against Intel SGX
The State of the Uniform: Attacks on Encrypted Databases beyond the Uniform Query Distribution
SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-Assisted TEE Systems

16 Neural Network

HopSkipJumpAttack: A Query-Efficient Decision-Based Attack
Neutaint: Efficient Dynamic Taint Analysis with Neural Networks

OAT: Attesting Operation Integrity of Embedded Devices

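2.3 USENIX Conference

USENIX Security is one of the four top academic conferences in information security and began in the early 1990s. USENIX Security 2020 accepted papers across four submission deadlines (spring, summer, fall and winter), 156 papers in total.

1 Wireless Security (5 papers)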

A Formal Analysis of IEEE 802.11's WPA2: Countering the Kracks Caused by Cracking the Counters
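This paper points out that the IEEE 802.11 WPA2 protocol involves various mechanisms that interact with each other in subtle ways and that, perhaps because of this, no formal or cryptographic argument exists to show that the patches to the core protocol really prevent the corresponding attacks. The authors address this situation and present an extensive formal analysis of the WPA2 protocol design. Their model is the first detailed enough to detect the KRACK attacks; it includes mechanisms such as the four-way handshake, the group-key handshake, WNM sleep mode, the data-confidentiality protocol, and their complex interactions. The analysis provides the first security argument, in any formalism, that the patched WPA2 protocol meets its claimed security guarantees in the face of complex modern attacks.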
Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks
You Are What You Broadcast: Identification of Mobile and IoT Devices from (Public) WiFi
Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE

2 Human Factors (5 papers)

A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web
Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It
Empirical Measurement of Systemic 2FA Usability
What Twitter Knows: Characterizing Ad Targeting Practices, User Perceptions, and Ad Explanations Through Users' Own Twitter Data
The Impact of Ad-Blockers on Product Search and Purchase Behavior: A Lab Experiment

3 Software Security and Verification (11 papers)

Symbolic execution with SymCC: Don't interpret, compile!
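This paper proposes a compilation-based approach to symbolic execution that performs several orders of magnitude better than state-of-the-art implementations. The authors present SymCC, an LLVM-based C and C++ compiler that builds concolic execution into the binary. Software developers can use it as an alternative to clang and . Compared with KLEE, SymCC is three orders of magnitude faster, with an average factor of 12. It also outperforms Qsym, a system that recently showed large performance improvements over other implementations, by two orders of magnitude and an average factor.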
Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code
Everything Old is New Again: Binary Security of WebAssembly
AURORA: Statistical Crash Analysis for Automated Root Cause Explanation
SmartVerif: Push the Limit of Automation Capability of Verifying Security Protocols by Dynamic Strategies
Datalog Disassembly
KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
Automatic Techniques to Systematically Discover New Heap Exploitation Primitives
The Industrial Age of Hacking
BScout: Direct Whole Patch Presence Test for Java Executables
MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures

4 Mobile and Malware (10 papers)

BigMAC: Fine-Grained Policy Analysis of Android Firmware
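This paper develops a new framework, BIGMAC, that extracts, graphs and queries Android security policies from static firmware images without requiring a rooted device, and that recovers the runtime security state with 98% accuracy by instantiating processes, files and IPC objects. The authors combine MAC, DAC, capabilities and labeled external input sources to create an instantiated, fine-grained, whole-system attack graph that supports millions of edges. They then provide an interactive user interface for querying the attack graph using a Prolog engine. The authors evaluated BIGMAC against Samsung S8+ and LG G7 firmware.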
From Needs to Actions to Secure Apps? The Effect of Requirements and Developer Practices on App Security
FANS: Fuzzing Android Native System Services via Automated Interface Analysis
Chaperone: Real-time Locking and Loss Prevention for Smartphones

Towards HTTPS Everywhere on Android: We Are Not There Yet
On Training Robust PDF Malware Classifiers
Measuring and Modeling the Label Dynamics of Online Anti-Malware Engines
FIRMSCOPE: Automatic Uncovering of Privilege-Escalation Vulnerabilities in Pre-Installed Apps in Android Firmware
Automatic Hot Patch Generation for Android Kernels
iOS, Your OS, Everybody's OS: Vetting and Analyzing Network Services of iOS Applications

5 Phishing, Spam, and Threat Intelligence (5 papers)

Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale
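This paper isolates and identifies these detection gaps by measuring the end-to-end life cycle of large-scale phishing attacks. The authors developed a unique framework, Golden Hour, which allows passive measurement of victim traffic to phishing pages while proactively protecting tens of thousands of accounts in the process. Over a period of one year, the authors' network monitor recorded 4.8 million victims who visited phishing pages, excluding crawler traffic. The authors use these events and related data sources to dissect phishing campaigns: from the time they first come online, to email distribution, to visitor traffic, to ecosystem detection, and finally to account compromise. They find that the average time from the start to the last victim is only 21 hours.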
PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists
Who's Calling? Characterizing Robocalls through Audio and Metadata Analysis
See No Evil: Phishing for Permissions with False Transparency
A different cup of TI? The added value of commercial threat intelligence

6 Trusted Execution Environments (11 papers)

HybCache: Hybrid Side-Channel-Resilient Caches for Trusted Execution Environments
CopyCat: Controlled Instruction-Level Attacks on Enclaves
An Off-Chip Attack on Hardware Enclaves via the Memory Bus
Civet: An Efficient Java Partitioning Framework for Hardware Enclaves
BesFS: A POSIX Filesystem for Enclaves with a Mechanized Safety Proof
SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients
APEX: A Verified Architecture for Proofs of Execution on Remote Devices under Full Software Compromise
PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation
PHMon: A Programmable Hardware Monitor and Its Security Use Cases
Horizontal Privilege Escalation in Trusted Applications
TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves

7 Network Security (6 papers)

EPIC: Every Packet Is Checked in the Data Plane of a Path-Aware Internet
ShadowMove: A Stealthy Lateral Movement Strategy
Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices
Programmable In-Network Security for Context-aware BYOD Policies
A Longitudinal and Comprehensive Study of the DANE Ecosystem in Email
NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities

8 Web Security and Privacy (6 papers)

Shim Shimmeny: Evaluating the Security and Privacy Contributions of Link Shimming in the Modern Web
Cached and Confused: Web Cache Deception in the Wild
A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web
Retrofitting Fine Grain Isolation in the Firefox Renderer
Zero-delay Lightweight Defenses against Website Fingerprinting
Achieving Keyless CDNs with Conclaves

9 Automotive and Drone Security (6 papers)

Stealthy Tracking of Autonomous Vehicles with Cache Side Channels
Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor Attack and Countermeasures
SAVIOR: Securing Autonomous Vehicles with Robust Physical Invariants
From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with MAYDAY
Drift with Devil: Security of Multi-Sensor Fusion based Localization in High-Level Autonomous Driving under GPS Spoofing
Plug-N-Pwned: Comprehensive Vulnerability Analysis of OBD-II Dongles as A New Over-the-Air Attack Surface in Automotive IoT

10 Privacy Enhancing Technologies (5 papers)

PCKV: Locally Differentially Private Correlated Key-Value Data Collection with Optimized Utility
Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with PoliCheck
Walking Onions: Scaling Anonymity Networks while Protecting Users
Differentially-Private Control-Flow Node Coverage for Software Usage Analysis
Visor: Privacy-Preserving Video Analytics as a Cloud Service

11 Embedded/IoT Security (6 papers)

Shattered Chain of Trust: Understanding Security Risks in Cross-Cloud IoT Access Delegation
HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
Silhouette: Efficient Protected Shadow Stacks for Embedded Systems
P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling
COUNTERFOIL: Verifying Provenance of Integrated Circuits using Intrinsic Package Fingerprints and Inexpensive Cameras
Hall Spoofing: A Non-Invasive DoS Attack on Grid-Tied Solar Inverter

12 Machine Learning (11 papers)

Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning
Exploring Connections Between Active Learning and Model Extraction
Hybrid Batch Attacks: Finding Black-box Adversarial Examples with Limited Queries
High Accuracy and High Fidelity Extraction of Neural Networks
Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning
TextShield: Robust Text Classification Based on Multimodal Embedding and Neural Machine Translation
Fawkes: Protecting Privacy against Unauthorized Deep Learning Models
Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference
Local Model Poisoning Attacks to Byzantine-Robust Federated Learning
Justinian's GAAvernor: Robust Distributed Learning with Gradient Aggregation Agent
Interpretable Deep Learning under Fire

13 Microarchitectural Attacks (6 papers)

Data Recovery from “Scrubbed” NAND Flash Storage: Need for Analog Sanitization
PKU Pitfalls: Attacks on PKU-based Memory Isolation Systems
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis

V0LTpwn: Attacking x86 Processor Integrity from Software

DeepHammer: Depleting the Intelligence of Deep Neural Networks through Targeted Chain of Bit Flips
SpecFuzz: Bringing Spectre-type vulnerabilities to the surface

14 Financial Tech and Voting (5 papers)

Security Analysis of Unified Payments Interface and Payment Apps in India
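This paper presents the first in-depth security analysis of the unpublished UPI 1.0 protocol, which provides a common payment interface for many popular mobile payment apps in India and allows bank-to-bank transfers between users of different apps. The authors show how to systematically reverse-engineer this complex application-layer protocol from the viewpoint of an adversary without access to UPI servers. They also found subtle design flaws in the UPI protocol, which an adversary can exploit, using known flaws in Android's design together with an attacker-controlled app, to build scalable remote attacks. The authors show how an adversary can carry out attacks without any knowledge of the user. They discuss lessons learned and potential mitigation strategies that should be considered when designing such protocols.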
Cardpliance: PCI DSS Compliance of Android Applications
The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections
VoteAgain: A scalable coercion-resistant voting system
Boxer: Preventing fraud by scanning credit cards

15 Systems Security (5 papers)

(Mostly) Exitless VM Protection from Untrusted Hypervisor through Disaggregated Nested Virtualization
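This paper presents CloudVisor-D, an efficient nested hypervisor design that combines strong protection with high performance. The core idea of CloudVisor-D is to disaggregate the nested hypervisor by separating the main protection logic into a protected Guardian-VM alongside each guest VM. The Guardian-VM is securely isolated and protected by the nested hypervisor and provides security services for most privileged operations of the guest VM. By leveraging recent hardware features, most privileged operations of a guest VM require no VM exits to the nested hypervisor, which were the main source of performance degradation in earlier designs. Experimental evaluation shows that CloudVisor-D incurs negligible performance overhead even for I/O-intensive benchmarks.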
Donky: Domain Keys – Efficient In-Process Isolation for RISC-V and x86
DECAF: Automatic, Adaptive De-bloating and Hardening of COTS Firmware
McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers
Temporal System Call Specialization for Attack Surface Reduction

16 Analysis of Crypto (6 papers)

Big Numbers - Big Troubles: Systematically Analyzing Nonce Leakage in (EC)DSA Implementations
Estonian Electronic Identity Card: Security Flaws in Key Management
The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs
Automating the Development of Chosen Ciphertext Attacks

17 Specific User Populations (5 papers)

An Observational Investigation of Reverse Engineers’ Processes
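The goal of this paper is to provide insights for improving the interaction design of reverse engineering tools. The authors present the results of a semi-structured observational interview study of reverse engineers (N = 16). Each observation investigated the questions reverse engineers ask while probing a program, how they answer these questions, and the decisions they make throughout the reverse engineering process. From the interview responses, the authors distilled a model of the reverse engineering process with three phases: overview, sub-component scanning, and focused experimentation. The results of each analysis phase feed into the next as the reverse engineers' mental representations become more concrete. The authors found that reverse engineers typically use static methods in the first two phases and dynamic methods in the final phase, and that important, though differing, roles are played in each phase. Based on these results, the authors provide five interaction design guidelines for reverse engineering tools.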
The Tools and Tactics Used in Intimate Partner Surveillance: An Analysis of Online Infidelity Forums
DatashareNetwork: A Decentralized Privacy-Preserving Search Engine for Investigative Journalists
"I am uncomfortable sharing what I can't see": Privacy Concerns of the Visually Impaired with Camera Based Assistive Applications
'I have too much respect for my elders': Understanding South African Mobile Users' Perceptions of Privacy and Current Behaviors on Facebook and WhatsApp

18 Side Channel Attacks (6 papers)

RELOAD+REFRESH: Abusing Cache Replacement Policies to Perform Stealthy Cache Attacks
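This paper notes that detection has been strongly aided by the fact that it is impossible to observe the cache activity of a co-resident process without altering the cache state and thereby forcing evictions on the observed process. The authors show that this widely held assumption is incorrect. Through clever use of the cache replacement policy, it is possible to track a victim process's cache accesses without forcing evictions of the victim's data. Online detection mechanisms that rely on these evictions can therefore be bypassed, because they do not detect the RELOAD+REFRESH attack that the paper introduces. The attack requires a deep understanding of the cache replacement policy. The authors present a method to recover the replacement policy and apply it to the last five generations of Intel processors. They further demonstrate empirically that, on cryptographic implementations, RELOAD+REFRESH performs comparably to other widely used cache attacks.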
Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections

Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures
Certified Side Channels
NetWarden: Mitigating Network Covert Channels while Preserving Performance
TPM-FAIL: TPM meets Timing and Lattice Attacks

19 Implementations of Crypto (5 papers)

Scaling Verifiable Computation Using Efficient Set Accumulators
Pixel: Multi-signatures for Consensus
SANNS: Scaling Up Secure Approximate k-Nearest Neighbors Search
MIRAGE: Succinct Arguments for Randomized Algorithms with Applications to Universal zk-SNARKs

Secure Multi-party Computation of Differentially Private Median

20 Authentication (5 papers)

That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Browser-Based Password Managers
Composition Kills: A Case Study of Email Sender Authentication
Detecting Stuffing of a User’s Credentials at Her Own Accounts
Liveness is Not Enough: Enhancing Fingerprint Authentication with Behavioral Biometrics to Defeat Puppet Attacks
Human Distinguishable Visual Key Fingerprints
SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust
A Spectral Analysis of Noise: A Comprehensive, Automated, Formal Analysis of Diffie-Hellman Protocols

21 Fuzzing (11 papers)

FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning
FuzzGen: Automatic Fuzzer Generation

ParmeSan: Sanitizer-guided Greybox Fuzzing
EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit
MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs
Analysis of DTLS Implementations Using Protocol State Fuzzing
Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints
USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation

GREYONE: Data Flow Sensitive Fuzzing

Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection
Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer

22 Data Security/Secure Computation (5 papers)

SEAL: Attack Mitigation for Encrypted Databases via Adjustable Leakage
Pancake: Frequency Smoothing for Encrypted Data Stores
Droplet: Decentralized Authorization and Access Control for Encrypted Data Streams
Secure parallel computation on national scale volumes of data
Delphi: A Cryptographic Inference Service for Neural Networks

23 Voice and Speech (5 papers)

Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems
SkillExplorer: Understanding the Behavior of Skills in Large Scale
Devil’s Whisper: A General Approach for Physical Adversarial Attacks against Commercial Black-box Speech Recognition Devices
Void: A fast and light voice liveness detection system
Preech: A System for Privacy-Preserving Speech Transcription

24 Blockchains (5 papers)

BlockSci: Design and applications of a blockchain analysis platform
Remote Side-Channel Attacks on Anonymous Transactions
ETHBMC: A Bounded Model Checker for Smart Contracts

TXSPECTOR: Uncovering Attacks in Ethereum from Transactions
An Ever-evolving Game: Evaluation of Real-world Attacks and Defenses in Ethereum Ecosystem

3 Directions Worth Researching in the Future

3.1 Research Directions


4 Summary


