USENIX Security may not be the most glamorous security conference today, but I cannot remember the last time I've looked over the proceedings and said oh well, nothing interesting happened this year. And USENIX Security '18 is no exception.
USENIX graciously publishes all the papers presented at the conferences that it organizes, and the proceedings of USENIX Security '18 were just published. What better to do on a hot August afternoon, right?
There is plenty of interesting reading material in there, but eight papers in particular caught my attention.
ACES: Automatic Compartments for Embedded Systems is a paper about an interesting (if not entirely novel) approach to isolating runtime components through compile-time analysis and enforcement. ACES is more finely-grained than Mbed uVisor, probably the most widely-deployed solution in its league, and MINION, described by Kim et al. .
Effective Detection of Multimedia Protocol Tunneling using Machine Learning is not necessarily surprising, and (like anything that uses machine learning lately) may turn out to be hard to reproduce, but it is thought-provoking. Tunneling covert data through whitelisted protocols has been touted not only as a potential solution for users under oppressive regimes or whistleblowers, but also as a way to work around commercial limitations, unfair dataplans, or pseudo-open Internet plans, as promoted by some companies.
The Dangers of Key Reuse: Practical Attacks on IPsec IKE is interesting and practical (the work in the paper resulted in 4 CVEs, for 4 different vendors).
The Battle for New York: A Case Study of Applied Digital Threat Modeling at the Enterprise Level is interesting for the same reason: it's a very practical paper. While its results are inherently less definitive than the previous one's, it's nonetheless an interesting read. It never hurts to see what others are doing.
FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities initially looks like just another bit of incremental progress in the field of automatic exploit generation, but in-kernel UAF vulnerabilities are indeed among the hardest to figure out manually, and very challenging to exploit automatically. And yet these guys did it.
Return of Bleichenbacher's Oracle Threat (ROBOT) is a little depressing.
Malicious Management Unit: Why Stoppin Cache Attacks in Software is Harder Than You Think is interesting through its high-level approach. The paper includes only one proof of concept, via the MMU, but the authors propose additional methods in section 8.2.. The rabbit hole seems to run very deep.
The Guard's Dilemma: Efficient Code-Reuse Attacks Against Intel SGX presents a refined method of extracting data from Intel SGX enclaves by exploiting memory corruption vulnerabilities within enclave code. Several attacks in this class are already known, but unlike this one, they require high-privileges and are difficult to mount in a stealthy manner.
I am not one to recycle closing remarks, but in this case, I will make an exception (and I make it every time I talk or write about conferences). Never stop learning. We are at the forefront of human creation, though I don't hesitate to call it "human progress" just because I want to avoid using two tired tropes in the same paragraph. There is still very little responsibility that is legally enforced upon our profession. It's up to us to enforce it, and knowledge and understanding are the fabric of responsibility.
Your average "Proceedings of the Umpteenth Conference on Something Something" might make it seem like there is not much knowledge or understanding to gain from reading papers. Some of these papers in these proceedings, too, are "academic" in the negative sense of the word. But this is how almost every successful crypto attack that we can mount today started.