School of Computer Science Technical Report Series

Series Type
Publication Series
Associated Organization(s)
Associated Organization(s)
Organizational Unit
Organizational Unit

Publication Search Results

Now showing 1 - 9 of 9
  • Item
    Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices
    (Georgia Institute of Technology, 2014) Carter, Henry ; Lever, Charles ; Traynor, Patrick
    Garbled circuits offer a powerful primitive for computation on a user’s personal data while keeping that data private. Despite recent improvements, constructing and evaluating circuits of any useful size remains expensive on the limited hardware resources of a smartphone, the primary computational device available to most users around the world. In this work, we develop a new technique for securely outsourcing the generation of garbled circuits to a Cloud provider. By outsourcing the circuit generation, we are able to eliminate the most costly operations from the mobile device, including oblivious transfers. After proving the security of our techniques in the malicious model, we experimentally demonstrate that our new protocol, built on this role reversal, decreases execution time by 98% and reduces network costs by as much as 63% compared to previous outsourcing protocols. In so doing, we demonstrate that the use of garbled circuits on mobile devices can be made nearly as practical as it is becoming for server-class machines.
  • Item
    One-Time Cookies: Preventing Session Hijacking Attacks with Stateless Authentication Tokens
    (Georgia Institute of Technology, 2012-02) Dacosta, Italo ; Chakradeo, Saurabh ; Ahamad, Mustaque ; Traynor, Patrick
    HTTP cookies are the de facto mechanism for session authentication in web applications. However, their inherent security weaknesses allow attacks against the integrity of web sessions. HTTPS is often recommended to protect cookies, but deploying full HTTPS support can be challenging due to performance and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed in a variety of ways even when HTTPS is enabled. In this paper, we propose One-Time Cookies (OTC), a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by signing each user request with a session secret securely stored in the browser. Unlike other proposed solutions, OTC does not require expensive state synchronization in the web application, making it easily deployable in highly distributed systems. We implemented OTC as a plugin for the popular WordPress platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies - a negligible overhead for most web applications. Moreover, we show that OTC can be combined with HTTPS to effectively add another layer of security to web applications. In so doing, we demonstrate that One-Time Cookies can significantly improve the security of web applications with minimal impact on performance and scalability.
  • Item
    Secure Outsourced Garbled Circuit Evaluation for Mobile Devices
    (Georgia Institute of Technology, 2012) Carter, Henry ; Mood, Benjamin ; Traynor, Patrick ; Butler, Kevin
    Garbled circuits provide a powerful tool for jointly evaluating functions while preserving the privacy of each user’s inputs. While recent research has made the use of this primitive more practical, such solutions generally assume that participants are symmetrically provisioned with massive computing resources. In reality, most people on the planet only have access to the comparatively sparse computational resources associated with their mobile phones, and those willing and able to pay for access to public cloud computing infrastructure cannot be assured that their data will remain unexposed. We address this problem by creating a new SFE protocol that allows mobile devices to securely outsource the majority of computation required to evaluate a garbled circuit. Our protocol, which builds on the most efficient garbled circuit evaluation techniques, includes a new outsourced oblivious transfer primitive that requires significantly less bandwidth and computation than standard OT primitives and outsourced input validation techniques that force the cloud to prove that it is executing all protocols correctly. After showing that our extensions are secure in the malicious model, we conduct an extensive performance evaluation for a number of standard SFE test applications as well as a privacy-preserving navigation application designed specifically for the mobile use-case. Our system reduces execution time by 98.92% and bandwidth by 99.95% for the edit distance problem of size 128 compared to non-outsourced evaluation. These results show that even the least capable devices are capable of evaluating some of the largest garbled circuits generated for any platform.
  • Item
    One-Time Cookies: Preventing Session Hijacking Attacks with Disposable Credentials
    (Georgia Institute of Technology, 2011) Dacosta, Italo ; Chakradeo, Saurabh ; Ahamad, Mustaque ; Traynor, Patrick
    Many web applications are vulnerable to session hijacking attacks due to the insecure use of cookies for session management. The most recommended defense against this threat is to completely replace HTTP with HTTPS. However, this approach presents several challenges (e.g., performance and compatibility concerns) and therefore, has not been widely adopted. In this paper, we propose “One-Time Cookies” (OTC), an HTTP session authentication protocol that is efficient, easy to deploy and resistant to session hijacking. OTC’s security relies on the use of disposable credentials based on a modified hash chain construction. We implemented OTC as a plug-in for the popular WordPress platform and conducted extensive performance analysis using extensions developed for both Firefox and Firefox for mobile browsers. Our experiments demonstrate the ability to maintain session integrity with a throughput improvement of 51% over HTTPS and a performance approximately similar to a cookie-based approach. In so doing, we demonstrate that one-time cookies can significantly improve the security of web sessions with minimal changes to current infrastructure.
  • Item
    On the Disparity of Display Security in Mobile and Traditional Web Browsers
    (Georgia Institute of Technology, 2011) Amrutkar, Chaitrali ; Singh, Kapil ; Verma, Arunabh ; Traynor, Patrick
    Mobile web browsers now provide nearly equivalent features when compared to their desktop counterparts. However, smaller screen size and optimized features for constrained hardware make the web experience on mobile browsers significantly different. In this paper, we present the first comprehensive study of the display-related security issues in mobile browsers. We identify two new classes of display-related security problems in mobile browsers and devise a range of real world attacks against them. Additionally, we identify an existing security policy for display on desktop browsers that is inappropriate on mobile browsers. Our analysis is comprised of eight mobile and five desktop browsers. We compare security policies for display in the candidate browsers to infer that desktop browsers are significantly more compliant with the policies as compared to mobile browsers. We conclude that mobile browsers create new security challenges and are not simply miniature versions of their desktop counterparts.
  • Item
    Efficient Oblivious Computation Techniques for Privacy-Preserving Mobile Applications
    (Georgia Institute of Technology, 2011) Carter, Henry ; Amrutkar, Chaitrali ; Dacosta, Italo ; Traynor, Patrick
    The growth of smartphone capability has led to an explosion of new applications. Many of the most useful apps use context-sensitive data, such as GPS location or social network information. In these cases, users may not be willing to release personal information to untrusted parties. Currently, the solutions to performing computation on encrypted inputs use garbled circuits combined with a variety of optimizations. However, the capability of resource-constrained smartphones for evaluating garbled circuits in any variation is uncertain in practice. In [1], it is shown that certain garbled circuit evaluations can be optimized by using homomorphic encryption. In this paper, we take this concept to its logical extreme with Efficient Mobile Oblivious Computation (EMOC), a technique that completely replaces garbled circuits with homomorphic operations on ciphertexts. We develop applications to securely solve the millionaire’s problem, send tweets based on location, and compute common friends in a social network, then prove equivalent privacy guarantees to analogous constructions using garbled circuits. We then demonstrate up to 68% runtime reduction from the most efficient garbled circuit implementation. In so doing, we demonstrate a practical technique for developing privacy-preserving applications on the mobile platform.
  • Item
    An Empirical Evaluation of Security Indicators in Mobile Web Browsers
    (Georgia Institute of Technology, 2011) Amrutkar, Chaitrali ; Traynor, Patrick ; van Oorschot, Paul C.
    Mobile browsers are increasingly being relied upon to perform security sensitive operations. Like their desktop counterparts, these applications can enable SSL/TLS to provide strong security guarantees for communications over the web. However, the drastic reduction in screen size and the accompanying reorganization of screen real-estate significantly changes the use and consistency of the security indicators and certificate information that alert users of site identity and the presence of strong cryptographic algorithms. In this paper, we perform the first measurement of the state of critical security indicators in mobile browsers. We evaluate nine mobile and two tablet browsers, representing over 90% of the market share, against the recommended guidelines for web user interface to convey security set forth by the World Wide Web Consortium (W3C). While desktop browsers follow the majority of guidelines, our analysis shows that mobile browsers fall significantly short. We also observe notable inconsistencies across mobile browsers when such mechanisms actually are implemented. We show where and how these failures on mobile browsers eliminate clues previously designed for, and still present in, desktop browsers to detect attacks such as phishing and man-in-the-middle. Finally, we offer advice on where current standards are unclear or incomplete.¹
  • Item
    Replacing Oblivious Computation with Private Search for Context Sensitive Communications
    (Georgia Institute of Technology, 2010) Amrutkar, Chaitrali ; Naik, Rishikesh ; Dacosta, Italo ; Traynor, Patrick
    Context aware applications provide users with an increasingly rich set of services. From services such as interactive maps to restaurant guides and social networking tools, the use of information including location, activity and time can greatly enhance the ways users interact with their surroundings. Unfortunately, the dissemination and use of such information also potentially exposes private information about the user themselves. In this paper, we present Themis, a framework for developing two-party applications capable of making decisions based on context sensitive information without revealing either participants' inputs. Themis uses private stream searching to replace the memory and computationally intensive oblivious computation associated with related techniques. We compare the security guarantees and performance profile of our approach against Fairplay and show not only as much as a 96% improvement in execution time, but also the ability to efficiently run applications with complex inputs on both desktop computers and mobile phones. In so doing, we demonstrate the ability to create efficient context-sensitive applications based on private searching.
  • Item
    Evaluating Bluetooth as a Medium for Botnet Command and Control
    (Georgia Institute of Technology, 2009) Jain, Nehil ; Lee, Wenke ; Sangal, Samrit ; Singh, Kapil ; Traynor, Patrick
    Malware targeting mobile phones is being studied with increasing interest by the research community. While such attention has previously focused on viruses and worms, many of which use near-field communications in order to propagate, none have investigated whether more complex malware such as botnets can effectively operate in this environment. In this paper, we investigate the challenges of constructing and maintaining mobile phone-based botnets communicating nearly exclusively via Bluetooth. Through extensive large-scale simulation based on publicly available Bluetooth traces, we demonstrate that such a malicious infrastructure is possible in many areas due to the largely repetitive nature of human daily routines. In particular, we demonstrate that command and control messages can propagate to approximately 2/3 of infected nodes within 24 hours of being issued by the botmaster. We then explore how traditional defense mechanisms can be modified to take advantage of the same information to more effectively mitigate such systems. In so doing, we demonstrate that mobile phone-based botnets are a realistic threat and that defensive strategies should be modified to consider them.