Publications

2018

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing (to appear) Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. USENIX Security 2018.
@inproceedings{yun:qsym,
  title        = {{QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing (to appear)}},
  author       = {Insu Yun and Sangho Lee and Meng Xu and Yeongjin Jang and Taesoo Kim},
  booktitle    = {Proceedings of the 27th USENIX Security Symposium (Security)},
  month        = aug,
  year         = 2018,
  address      = {Baltimore, MD},
}

2017

SGX-Bomb: Locking Down the Processor via Rowhammer Attack Yeongjin Jang, Jaehyuk Lee, Sangho Lee, and Taesoo Kim. SysTEX 2017.

Intel Software Guard Extensions (SGX) provides a strongly isolated memory space, known as an enclave, for a user process, ensuring confidentiality and integrity against software and hardware attacks. Even the operating system and hypervisor cannot access the enclave because of the hardware-level isolation. Further, hardware attacks are neither able to disclose plaintext data from the enclave because its memory is always encrypted nor modify it because its integrity is always verified using an integrity tree. When the processor detects any integrity violation, it locks itself to prevent further damages; that is, a system reboot is necessary. The processor lock seems a reasonable solution against such a powerful hardware attacker; however, if a software attacker has a way to trigger integrity violation, the lock could result in a severe denial-of-service (DoS) attack.

In this paper, we introduce the SGX-Bomb attack that launches the Rowhammer attack against enclave memory to trigger the processor lockdown. The SGX-Bomb attack is simple yet alarming. Inside an enclave, this attack first finds conflicting row addresses at the same DRAM bank, and then repeatedly accesses them while bypassing the cache. If arbitrary bit flips have occurred inside the enclave because of the Rowhammer attack, any read attempts to the enclave memory results in a failure of integrity check so that the processor will be locked, and the system should be rebooted. The SGX-Bomb attack is a serious threat especially to the public cloud providers who are supposed to run unknown enclave programs received from their clients, which might shut down their servers shared with other clients. We evaluate the effectiveness of the SGX-Bomb attack in a real environment with DDR4 DRAM; it takes 283 s to hang the entire system with the default DRAM refresh rate, 64 ms.

@inproceedings{jang:sgx-bomb,
  title        = {{SGX-Bomb: Locking Down the Processor via Rowhammer Attack}},
  author       = {Yeongjin Jang and Jaehyuk Lee and Sangho Lee and Taesoo Kim},
  booktitle    = {Proceedings of the 2nd Workshop on System Software for Trusted Execution (SysTEX)},
  month        = oct,
  year         = 2017,
  address      = {Shanghai, China},
}
Hacking in Darkness: Return-oriented Programming against Secure Enclaves Jaehyuk Lee, Jinsoo Jang, Yeongjin Jang, Nohyun Kwak, Yeseul Choi, Changho Choi, Taesoo Kim, Marcus Peinado, and Brent B. Kang. USENIX Security 2017.

Intel Software Guard Extensions (SGX) is a hardware-based Trusted Execution Environment (TEE) that is widely seen as a promising solution to traditional security threats. While SGX promises strong protection to bug-free software, decades of experience show that we have to expect vulnerabilities in any non-trivial application. In a traditional environment, such vulnerabilities often allow attackers to take complete control of vulnerable systems. Efforts to evaluate the security of SGX have focused on side-channels. So far, neither a practical attack against a vulnerability in enclave code nor a proof-of-concept attack scenario has been demonstrated. Thus, a fundamental question remains: What are the consequences and dangers of having a memory corruption vulnerability in enclave code?

To answer this question, we comprehensively analyze exploitation techniques against vulnerabilities inside enclaves. We demonstrate a practical exploitation technique, called Dark-ROP, which can completely disarm the security guarantees of SGX. Dark-ROP exploits a memory corruption vulnerability in the enclave software through return-oriented programming (ROP). However Dark-ROP differs significantly from traditional ROP attacks because the target code runs under solid hardware protection. We overcome the problem of exploiting SGX-specific properties and obstacles by formulating a novel ROP attack scheme against SGX under practical assumptions. Specifically, we build several oracles that inform the attacker about the status of enclave execution. This enables him to launch the ROP attack while both code and data are hidden. In addition, we exfiltrate the enclave’s code and data into a shadow application to fully control the execution environment. This shadow application emulates the enclave under the complete control of the attacker, using the enclave (through ROP calls) only to perform SGX operations such as reading the enclave’s SGX crypto keys.

The consequences of Dark-ROP are alarming; the attacker can completely breach the enclave’s memory protections and trick the SGX hardware into disclosing the enclave’s encryption keys and producing measurement reports that defeat remote attestation. This result strongly suggests that SGX research should focus more on traditional security mitigations rather than on making enclave development more convenient by expanding the trusted computing base and the attack surface (e.g., Graphene, Haven).

@inproceedings{lee:dark-rop,
  title        = {{Hacking in Darkness: Return-oriented Programming against Secure Enclaves}},
  author       = {Jaehyuk Lee and Jinsoo Jang and Yeongjin Jang and Nohyun Kwak and Yeseul Choi and Changho Choi and Taesoo Kim and Marcus Peinado and
    Brent B. Kang},
  booktitle    = {Proceedings of the 26th USENIX Security Symposium (Security)},
  month        = aug,
  year         = 2017,
  address      = {Vancouver, Canada},
}
Building Trust in the User I/O in Computer Systems Yeongjin Jang. Georgia Institute of Technology, August 2017.

User input plays an essential role in computer security because it can control system behavior and make security decisions in the system. System output to users, or user output, is also important because it often contains security-critical information that must be protected regarding its integrity and confidentiality, such as passwords and user’s private data. Despite the importance of user input and output (I/O), modern computer systems often fail to provide necessary security guarantees on them, which could result in serious security breaches.

This dissertation aims to build trust in the user I/O in computer systems to keep the systems secure from attacks on the user I/O. To this end, we analyze the user I/O paths on popular platforms including desktop operating systems, mobile operating systems, and trusted execution environments such as Intel SGX, and identified that threats and attacks on the user I/O can be blocked by guaranteeing three key security properties of user I/O: integrity, confidentiality, and authenticity.

First, GYRUS addresses the integrity of user input by matching the user’s original input with the content of outgoing network traffic to authorize user-intended network transactions. Second, M-AEGIS addresses the confidentiality of user I/O by implementing an encryption layer on top of user interface layer that provides user-to-user encryption. Third, the A11Y ATTACK addresses the importance of verifying user I/O authenticity by demonstrating twelve new attacks, all of which stem from missing proper security checks that verify input sources and output destinations on alternative user I/O paths in operating systems. Finally, to establish trust in the user I/O in a commodity computer system, I built a system called SGX-USB, which combines all three security properties to ensure the assurance of user I/O. SGX-USB establishes a trusted communication channel between the USB controller and an enclave instance of Intel SGX. The implemented system supports common user input devices such as a keyboard and a mouse over the trusted channel, which guarantees the assurance of user input.

Having assurance in user I/O allows the computer system to securely handle commands and data from the user by eliminating attack pathways to a system’s I/O paths.

@article{jang:thesis,
  title        = {{Building Trust in the User I/O in Computer Systems}},
  author       = {Yeongjin Jang},
  school       = {{Georgia Institute of Technology}},
  journal      = {{Georgia Institute of Technology}},
  year         = 2017,
  month        = aug,
}

2016

Breaking Kernel Address Space Layout Randomization with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim. CCS 2016.

Kernel hardening has been an important topic since many applications and security mechanisms often consider the kernel as part of their Trusted Computing Base (TCB). Among various hardening techniques, Kernel Address Space Layout Randomization (KASLR) is the most effective and widely adopted defense mechanism that can practically mitigate various memory corruption vulnerabilities, such as buffer overflow and use-after-free. In principle, KASLR is secure as long as no memory leak vulnerability exists and high entropy is ensured.

In this paper, we introduce a highly stable timing attack against KASLR, called DrK, that can precisely de-randomize the memory layout of the kernel without violating any such assumptions. DrK exploits a hardware feature called Intel Transactional Synchronization Extension (TSX) that is readily available in most modern commodity CPUs. One surprising behavior of TSX, which is essentially the root cause of this security loophole, is that it aborts a transaction without notifying the underlying kernel even when the transaction fails due to a critical error, such as a page fault or an access violation, which traditionally requires kernel intervention. DrK turned this property into a precise timing channel that can determine the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged kernel address space. In addition to its surprising accuracy and precision, DrK is universally applicable to all OSes, even in virtualized environments, and generates no visible footprint, making it difficult to detect in practice. We demonstrated that DrK can break the KASLR of all major OSes (i.e., Windows, Linux, and OS X) with near-perfect accuracy in under a second. Finally, we propose potential countermeasures that can effectively prevent or mitigate the DrK attack.

We urge our community to be aware of the potential threat of having Intel TSX, which is present in most recent Intel CPUs -- 100% in workstation and 60% in high-end Intel CPUs since Skylake -- and is even available on Amazon EC2 (X1).

@inproceedings{jang:drk-ccs,
  title        = {{Breaking Kernel Address Space Layout Randomization with Intel TSX}},
  author       = {Yeongjin Jang and Sangho Lee and Taesoo Kim},
},
  booktitle    = {Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS)},
  month        = oct,
  year         = 2016,
  address      = {Vienna, Austria},
}
APISAN: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, and Mayur Naik. USENIX Security 2016.

API misuse is a well-known source of bugs. Some of them (e.g., incorrect use of SSL API, and integer overflow of memory allocation size) can cause serious security vulnerabilities (e.g., man-in-the-middle (MITM) attack, and privilege escalation). Moreover, modern APIs, which are large, complex, and fast evolving, are error-prone. However, existing techniques to help finding bugs require manual effort by developers (e.g., providing specification or model) or are not scalable to large real-world software comprising millions of lines of code.

In this paper, we present APISAN, a tool that automatically infers correct API usages from source code without manual effort. The key idea in APISAN is to extract likely correct usage patterns in four different aspects (e.g., causal relation, and semantic relation on arguments) by considering semantic constraints. APISAN is tailored to check various properties with security implications. We applied APISAN to 92 million lines of code, including Linux Kernel, and OpenSSL, found 76 previously unknown bugs, and provided patches for all the bugs.

@inproceedings{yun:apisan,
  title        = {{APISAN: Sanitizing API Usages through Semantic Cross-checking}},
  author       = {Insu Yun and Changwoo Min and Xujie Si and Yeongjin Jang and Taesoo Kim and Mayur Naik},
  booktitle    = {Proceedings of the 25th USENIX Security Symposium (Security)},
  month        = aug,
  year         = 2016,
  address      = {Austin, TX},
}
Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques Meng Xu, Chengyu Song, Yang ji, Ming-Wei Shih, Kangjie Lu, Cong Zheng, Ruian Duan, Yeongjin Jang, Byoungyoung Lee, Chenxiong Qian, Sangho Lee, and Taesoo Kim. ACM Computing Surveys (CSUR) 49(2), August 2016.

The openness and extensibility of Android have made it a popular platform for mobile devices and a strong candidate to drive the Internet-of-Things. Unfortunately, these properties also leave Android vulnerable, attracting attacks for profit or fun. To mitigate these threats, numerous issue-specific solutions have been proposed. With the increasing number and complexity of security problems and solutions, we believe this is the right moment to step back and systematically re-evaluate the Android security architecture and security practices in the ecosystem. We organize the most recent security research on the Android platform into two categories: the software stack and the ecosystem. For each category, we provide a comprehensive narrative of the problem space; highlight the limitations of the proposed solutions; and identify open problems for future research. Based on our collection of knowledge, we envision a blueprint for engineering a secure, next-generation Android ecosystem.

@article{xu:android-survey,
  title        = {{Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques}},
  author       = {Meng Xu and Chengyu Song and Yang ji and Ming-Wei Shih and Kangjie Lu and Cong Zheng and Ruian Duan and Yeongjin Jang and
    Byoungyoung Lee and Chenxiong Qian and Sangho Lee and Taesoo Kim},
  journal      = {ACM Computing Surveys (CSUR)},
  volume       = 49,
  number       = 2,
  month        = aug,
  year         = 2016,
}
Breaking Kernel Address Space Layout Randomization with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim. BlackHat USA 2016.

Kernel hardening has been an important topic, as many applications and security mechanisms often consider the kernel as part of their Trusted Computing Base (TCB). Among various hardening techniques, Kernel Address Space Layout Randomization (KASLR) is the most effective and widely adopted defense mechanism that can practically mitigate various memory corruption vulnerabilities, such as buffer overflow and use-after-free. In principle, KASLR is secure as long as no memory leak vulnerability exists and high entropy is ensured.

In this paper, we introduce a novel timing attack against KASLR, called DrK, that can precisely de-randomize the memory layout of the kernel without violating any such assumptions. DrK exploits a hardware feature called Intel Transactional Synchronization Extension (TSX) that is readily available in most modern commodity CPUs. One surprising behavior of TSX, which is essentially the root cause of this security loophole, is that it aborts a transaction without notifying the underlying kernel even when the transaction fails due to a critical error, such as a page fault or an access violation, which traditionally requires kernel intervention. DrK turned this property into a precise timing channel that can determine the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged, kernel address space. In addition to its surprising accuracy and precision, DrK is universally applicable to all OSes, even on a virtualized environment, and generates no visible footprint, making it difficult to detect in practice.

We demonstrated that DrK could break KASLR of all major OSes (i.e., Windows, Linux, and OS X) with near-perfect accuracy in under a second. Finally, we propose a few potential countermeasures that can effectively prevent or mitigate the DrK attack. We urge our community to be aware of the potential threat of having Intel TSX, which is present in most recent Intel CPUs -- 100% in workstation and 60% in high-end Intel CPUs since Skylake -- and is even available on Amazon EC2 (X1).

@inproceedings{jang:drk-bh,
  title        = {{Breaking Kernel Address Space Layout Randomization with Intel TSX}},
  author       = {Yeongjin Jang and Sangho Lee and Taesoo Kim},
  booktitle    = {Black Hat USA Briefings 2016},
  month        = aug,
  year         = 2016,
  address      = {Las Vegas, NV},
}

2015

UCognito: Private Browsing without Tears Meng Xu, Yeongjin Jang, Xinyu Xing, Taesoo Kim, and Wenke Lee. CCS 2015.

While private browsing is a standard feature, its implementation has been inconsistent among the major browsers. More seriously, it often fails to provide the adequate or even the intended privacy protection. For example, as shown in prior research, browser extensions and addons often undermine the goals of private browsing. In this paper, we first present our systematic study of private browsing. We developed a technical approach to identify browser traces left behind by a private browsing session, and showed that Chrome and Firefox do not correctly clear some of these traces. We analyzed the source code of these browsers and discovered that the current implementation approach is to decide the behaviors of a browser based on the current browsing mode (i.e., private or public); but such decision points are scattered throughout the code base. This implementation approach is very problematic because developers are prone to make mistakes given the complexities of browser components (including extensions and add-ons).

Based on this observation, we propose a new and general approach to implement private browsing. The main idea is to overlay the actual filesystem with a sandbox filesystem when the browser is in private browsing mode, so that no unintended leakage is allowed and no persistent modification is stored. This approach requires no change to browsers and the OS kernel because the layered sandbox filesystem is implemented by interposing system calls. We have implemented a prototype system called UCOGNITO on Linux. Our evaluations show that UCOGNITO, when applied to Chrome and Firefox, stops all known privacy leaks identified by prior work and our current study. More importantly, UCOGNITO incurs only negligible performance overhead: e.g., 0%-2.5% in benchmarks for standard JavaScript and webpage loading.

@inproceedings{xu:ucognito,
  title        = {{UCognito: Private Browsing without Tears}},
  author       = {Meng Xu and Yeongjin Jang and Xinyu Xing and Taesoo Kim and Wenke Lee},
  booktitle    = {Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS)},
  month        = oct,
  year         = 2015,
  address      = {Denver, Colorado},
}
Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations Hongil Kim, Dongkwan Kim, Minhee Kwon, Hyungseok Han, Yeongjin Jang, Dongsu Han, Taesoo Kim, and Yongdae Kim. CCS 2015.

Long Term Evolution (LTE) is becoming the dominant cellular networking technology, shifting the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet. To support voice calls over the LTE network, operators have introduced Voice-over-LTE (VoLTE), which dramatically changes how voice calls are handled, both from user equipment and infrastructure perspectives. We find that this dramatic shift opens up a number of new attack surfaces that have not been previously explored. To call attention to this matter, this paper presents a systematic security analysis.

Unlike the traditional call setup, the VoLTE call setup is controlled and performed at the Application Processor (AP), using the SIP over IP. A legitimate user who has control over the AP can potentially control and exploit the call setup process to establish a VoLTE channel. This combined with the legacy accounting policy (e.g., unlimited voice and the separation of data and voice) leads to a number of free data channels. In the process of unveiling the free data channels, we identify a number of additional vulnerabilities of early VoLTE implementations, which lead to serious exploits, such as caller spoofing, over-billing, and denial-of-service attacks. We identify the nature of these vulnerabilities and concrete exploits that directly result from the adoption of VoLTE. We also propose immediate countermeasures that can be employed to alleviate the problems. However, we believe that the nature of the problem calls for a more comprehensive solution that eliminates the root causes at mobile devices, mobile platforms, and the core network.

@inproceedings{kim:volte,
  title        = {{Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations}},
  author       = {Hongil Kim and Dongkwan Kim and Minhee Kwon and Hyungseok Han and Yeongjin Jang and Dongsu Han and Taesoo Kim and Yongdae Kim},
  booktitle    = {Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS)},
  month        = oct,
  year         = 2015,
  address      = {Denver, Colorado},
}
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Long Lu, and Wenke Lee. NDSS 2015.

Many system components and network applications are written in languages that are prone to memory corruption vulnerabilities. There have been countless cases where simple mistakes by developers resulted in memory corruption vulnerabilities and consequently security exploits. While there have been tremendous research efforts to mitigate these vulnerabilities, use-after-free still remains one of the most critical and popular attack vectors because existing proposals have not adequately addressed the challenging program analysis and runtime performance issues.

In this paper we present DangNull, a system that detects temporal memory safety violations --- in particular, use-after-free and double-free --- during runtime. DangNull relies on the key observation that the root cause of these violations is that pointers are not nullified after the target object is freed. Based on this observation, DangNull automatically traces the object's relationships via pointers and automatically nullifies all pointers when the target object is freed. DangNull offers several benefits. First, DangNull addresses the root cause of temporal memory safety violations. It does not rely on the side effects of violations, which can vary and may be masked by attacks. Thus, DangNull is effective against even the most sophisticated exploitation techniques. Second, DangNull checks object relationship information using runtime object range analysis on pointers, and thus is able to keep track of pointer semantics more robustly even in complex and large scale software. Lastly, DangNull does not require numerous explicit sanity checks on memory accesses because it can detect a violation with implicit exception handling, and thus its detection capabilities only incur moderate performance overhead.

@inproceedings{lee:dangnull,
  title        = {{Preventing Use-after-free with Dangling Pointers Nullification}},
  author       = {Byoungyoung Lee and Chengyu Song and Yeongjin Jang and Tielei Wang and Taesoo Kim and Long Lu and Wenke Lee},
  booktitle    = {Proceedings of the 2015 Annual Network and Distributed System Security Symposium (NDSS)},
  month        = feb,
  year         = 2015,
  address      = {San Diego, CA},
}

2014

A11y Attacks: Exploiting Accessibility in Operating Systems Yeongjin Jang, Chengyu Song, Simon P. Chung, Tielei Wang, and Wenke Lee. CCS 2014.

Driven in part by federal law, accessibility (a11y) support for disabled users is becoming ubiquitous in commodity OSs. Some assistive technologies such as natural language user interfaces in mobile devices are welcomed by the general user population. Unfortunately, adding new features in modern, complex OSs usually introduces new security vulnerabilities. Accessibility support is no exception.

Assistive technologies can be defined as computing subsystems that either transform user input into interaction requests for other applications and the underlying OS, or transform application and OS output for display on alternative devices. Inadequate security checks on these new I/O paths make it possible to launch attacks from accessibility interfaces.

In this paper, we present the first security evaluation of accessibility support for four of the most popular computing platforms: Microsoft Windows, Ubuntu Linux, iOS, and Android. We identify twelve attacks that can bypass state-of-the-art defense mechanisms deployed on these OSs, including UAC, the Yama security module, the iOS sandbox, and the Android sandbox. Further analysis of the identified vulnerabilities shows that their root cause is that the design and implementation of accessibility support involves inevitable trade-offs among compatibility, usability, security, and (economic) cost. These trade-offs make it difficult to secure a system against misuse of accessibility support.

Based on our findings, we propose a number of recommendations to either make the implementation of all necessary security checks easier and more intuitive, or to alleviate the impact of missing/incorrect checks. We also point out open problems and challenges in automatically analyzing accessibility support and identifying security vulnerabilities.

@inproceedings{jang:a11y,
  title        = {{A11y Attacks: Exploiting Accessibility in Operating Systems}},
  author       = {Yeongjin Jang and Chengyu Song and Simon P. Chung and Tielei Wang and Wenke Lee},
  booktitle    = {Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS)},
  month        = nov,
  year         = 2014,
  address      = {Scottsdale, Arizona},
}
On the Feasibility of Large-Scale Infections of iOS Devices Tielei Wang, Yeongjin Jang, Yizheng Chen, Pak-Ho Chung, Billy Lau, and Wenke Lee. USENIX Security 2014.

While Apple iOS has gained increasing attention from attackers due to its rising popularity, very few large scale infections of iOS devices have been discovered because of iOS’ advanced security architecture. In this paper, we show that infecting a large number of iOS devices through botnets is feasible. By exploiting design flaws and weaknesses in the iTunes syncing process, the device provisioning process, and in file storage, we demonstrate that a compromised computer can be instructed to install Apple-signed malicious apps on a connected iOS device, replace existing apps with attacker-signed malicious apps, and steal private data (e.g., Facebook and Gmail app cookies) from an iOS device. By analyzing DNS queries generated from more than half a million anonymized IP addresses in known botnets, we measure that on average, 23% of bot IP addresses demonstrate iOS device existence and Windows iTunes purchases, implying that 23% of bots will eventually have connections with iOS devices, thus making a large scale infection feasible.

@inproceedings{wang:ios-botnet,
  title        = {{On the Feasibility of Large-Scale Infections of iOS Devices}},
  author       = {Tielei Wang and Yeongjin Jang and Yizheng Chen and Pak-Ho Chung and Billy Lau and Wenke Lee},
  booktitle    = {Proceedings of the 23rd USENIX Security Symposium (Security)},
  month        = aug,
  year         = 2014,
  address      = {San Diego, CA},
}
Mimesis Aegis: A Mimicry Privacy Shield Billy Lau, Pak Ho Chung, Chengyu Song, Yeongjin Jang, Wenke Lee, and Alexandra Boldyreva. USENIX Security 2014.

Users are increasingly storing, accessing, and exchanging data through public cloud services such as those provided by Google, Facebook, Apple, and Microsoft. Although users may want to have faith in cloud providers to provide good security protection, the confidentiality of any data in public clouds can be violated, and consequently, while providers may not be "doing evil", we can not and should not trust them with data confidentiality.

To better protect the privacy of user data stored in the cloud, in this paper we propose a privacy-preserving system called Mimesis Aegis (M-Aegis) that is suitable for mobile platforms. M-Aegis is a new approach to user data privacy that not only provides isolation but also preserves the user experience through the creation of a conceptual layer called Layer 7.5 (L-7.5), which is interposed between the application (OSI Layer 7) and the user (Layer 8). This approach allows M-Aegis to implement true end-to-end encryption of user data with three goals in mind: 1) complete data and logic isolation from untrusted entities; 2) the preservation of original user experience with target apps; and 3) applicable to a large number of apps and resilient to app updates.

In order to preserve the exact application workflow and look-and-feel, M-Aegis uses L-7.5 to put a transparent window on top of existing application GUIs to both intercept plaintext user input before transforming the input and feeding it to the underlying app, and to reversetransform the output data from the app before displaying the plaintext data to the user. This technique allows M-Aegis to transparently integrate with most cloud services without hindering usability and without the need for reverse engineering. We implemented a prototype of M-Aegis on Android and show that it can support a number of popular cloud services, e.g. Gmail, Facebook Messenger, WhatsApp, etc.

Our performance evaluation and user study show that users incur minimal overhead when adopting M-Aegis on Android: imperceptible encryption/decryption latency and a low and adjustable false positive rate when searching over encrypted data.

@inproceedings{lau:m-aegis,
  title        = {{Mimesis Aegis: A Mimicry Privacy Shield}},
  author       = {Billy Lau and Pak Ho Chung and Chengyu Song and Yeongjin Jang and Wenke Lee and Alexandra Boldyreva},
  booktitle    = {Proceedings of the 23rd USENIX Security Symposium (Security)},
  month        = aug,
  year         = 2014,
  address      = {San Diego, CA},
}
Exploiting Unpatched iOS Vulnerabilities for Fun and Profit Yeongjin Jang, Tielei Wang, Byoungyoung Lee, and Billy Lau. BlackHat USA 2014.

Patching all vulnerabilities for a modern, complex software system (i.e., Windows, iOS) is often difficult due to the volume of bugs and response time requirements. Instead, software vendors usually devise quick workarounds to mitigate the exploitation of a given vulnerability. However, those patches are sometimes incomplete, and attackers can utilize different attack vectors to re-exploit a patched vulnerability. iOS is no exception.

In this presentation, we will disclose our process for jailbreaking the latest version of iOS (version 7.1.1), running on any iOS device including the iPhone 5s as well as older iPads and iPods. We start by finding new ways to exploit vulnerabilities with incomplete patches. We then use these vulnerabilities to discover new avenues of attack. Finally, we chain together these vulnerabilities and new attacks to run unsigned code out of the sandbox with root permissions and to defeat mandatory code signing. We include a detailed disclosure of several new vulnerabilities and the exploit techniques that we developed.

@inproceedings{jang:ios-jailbreak,
  title        = {{Exploiting Unpatched iOS Vulnerabilities for Fun and Profit}},
  author       = {Yeongjin Jang and Tielei Wang and Byoungyoung Lee and Billy Lau},
  booktitle    = {Black Hat USA Briefings 2014},
  month        = aug,
  year         = 2014,
  address      = {Las Vegas, NV},
}
Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee, Yeongjin Jang, and Tielei Wang. BlackHat USA 2014.

The primary goal of ASLR is to effectively randomize a program's memory layout so that adversaries cannot easily infer such information. As ASLR is a critical defense against exploitation, there have been tremendous efforts to evaluate the mechanism's security. To date, previous attacks that bypass ASLR have focused mostly on exploiting memory leak vulnerabilities, or abusing non-randomized data structures.

In this presentation, we leverage vulnerabilities introduced by performance-oriented software design to reveal new ways in which ASLR can be bypassed. In addition to describing how vulnerabilities originate from such designs, we will present real attacks that exploit them.

First, we analyze general hash table designs for various programming languages (JavaScript, Python, Ruby). To optimize object tracking for such languages, their interpreters may leak address information. Some hash table implementations directly store the address information in the table, whileothers permit inference of address information through repeated table scanning. We exhaustively examined several popular languages to see whether each of them has one or both of these problems, and present how they can be leveraged. As a concrete example, we demonstrate how address information can be leaked in the Safari web browser by simply running some JavaScript.

Second, we present an analysis of the Zygote process creation model, which is an Android operating system design for speeding up application launches. The results of our examination show that Zygote weakens ASLR because all applications are created with largely identical memory layouts. To highlight the severity of this issue, we demonstrate two different ASLR bypass attacks using real applications - Google Chrome and VLC Media Player.

@inproceedings{lee:bypass-aslr,
  title        = {{Abusing Performance Optimization Weaknesses to Bypass ASLR}},
  author       = {Byoungyoung Lee and Yeongjin Jang and Tielei Wang},
  booktitle    = {Black Hat USA Briefings 2014},
  month        = aug,
  year         = 2014,
  address      = {Las Vegas, NV},
}
Gyrus: A Framework for User-Intent Monitoring of Text-based Networked Applications Yeongjin Jang, Simon P. Chung, Bryan D. Payne, and Wenke Lee. NDSS 2014.

Traditional security systems have largely focused on attack detection. Unfortunately, accurately identifying the latest attack has proven to be a never-ending cycle. In this paper, we propose a way to break this cycle by ensuring that a system's behavior matches the user’s intent. Since our approach is attack agnostic, it will scale better than traditional security systems.There are two key components to our approach. First, we capture the user's intent through their interactions with an application. Second, we verify that the resulting system output can be mapped back to the user's interactions.

To demonstrate how this works we created Gyrus, a research prototype that observes user interactions for common tasks such as sending email, instant messaging, online social networking, and online financial services. Gyrus secures these applications from malicious behavior such as spam and wire fraud by allowing only outgoing traffic with content that matches the user's intent.

To understand how Gyrus captures user intent, consider the case of a textbased application. In this case the user’s input is displayed on the screen so the user can confirm that their input is correct. Gyrus builds on this concept by focusing on what is being displayed to the user instead of what the user has typed or clicked. We call this the "what you see is what you send (WYSIWYS)" policy.

We implemented Gyrus under a standard virtualization environment, and our prototype system successfully stops malware from sending unintended content over the network. Our evaluation shows that Gyrus is very efficient and introduces no noticeable delay to a users' interaction with the protected applications.

@inproceedings{jang:gyrus,
  title        = {{Gyrus: A Framework for User-Intent Monitoring of Text-based Networked Applications}},
  author       = {Yeongjin Jang and Simon P. Chung and Bryan D. Payne and Wenke Lee},
  booktitle    = {Proceedings of the 2014 Annual Network and Distributed System Security Symposium (NDSS)},
  month        = feb,
  year         = 2014,
  address      = {San Diego, CA},
}

2013

Mactans: Injecting Malware Into iOS Devices via Malicious Chargers Billy Lau, Yeongjin Jang, Chengyu Song, Tielei Wang, Pak Ho Chung, and Paul Royal. BlackHat USA 2013.

Apple iOS devices are considered by many to be more secure than other mobile offerings. In evaluating this belief, we investigated the extent to which security threats were considered when performing everyday activities such as charging a device. The results were alarming: despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software. All users are affected, as our approach requires neither a jailbroken device nor user interaction.

In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications.

To demonstrate practical application of these vulnerabilities, we built a proof of concept malicious charger, called Mactans, using a BeagleBoard. This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish. Finally, we recommend ways in which users can protect themselves and suggest security features Apple could implement to make the attacks we describe substantially more difficult to pull off.

@inproceedings{lau:mactans,
  title        = {{Mactans: Injecting Malware Into iOS Devices via Malicious Chargers}},
  author       = {Billy Lau and Yeongjin Jang and Chengyu Song and Tielei Wang and Pak Ho Chung and Paul Royal},
  booktitle    = {Black Hat USA Briefings 2013},
  month        = aug,
  year         = 2013,
  address      = {Las Vegas, NV},
}