Practical Attacks Research Articles

A novel Evil Twin MiTM attack through 802.11v protocol exploitation

In recent years, especially where 802.11 networks are involved, we have seen a rise in Man in the Middle (MiTM) attacks. In this work, we propose a novel method that maliciously exploits the BSS Transition Management frames IEEE 802.11v protocol and demonstrates how such an attack can be performed, by utilizing roaming 802.11 protocols. To the best of our knowledge, this kind of approach has not been examined in the past. Our testbed results suggest that the proposed method is successful, regardless of the legitimate and rogue access point signal strengths provided to the terminal under attack. This is not the case for other MiTM attack methods, where the signal strength provided by the rogue access point to the terminal under attack must be stronger than the legitimate access point signal strength. During the experimentation phase with our testbed, several mobile phone models were used to demonstrate the suggested technique. After demonstrating the validity of the method through the testbed, further analysis is performed with a realistic ray tracing simulator to determine practical attack distance limits in an urban environment under investigation and how an adversary can manipulate a device to connect to a rogue access point.

False-Data-Injection-Enabled Network Parameter Modifications in Power Systems: Attack and Detection

Due to the close relevance to the reliability and efficiency of power systems, network parameters such as branch admittance have been the target of various cyberattacks. However, existing attack models are generally based on the impractical assumption that attackers can directly modify the data of network parameter stored in well-secured control centers. This article proposes a practical attack model and designs an optimal strategy to detect malicious modification of critical network parameters. Specifically, the vulnerability of network parameter error processing is discovered and exploited to indirectly modify the data of network parameter without accessing to the well-secured control center. A model of false-data-injection-enabled network parameter modification is proposed, which significantly reduces the requirements on attackers’ capability and system information. An optimal detection strategy is designed based on the analysis of the minimal protection set at a single branch, which can significantly reduce the number of protected measurements in detecting malicious modification of critical network parameters. Finally, numerical simulations are carried out on the PJM 5-bus and the IEEE 118-bus test systems to validate the theoretical results.

Practical Attacks on Full-round FRIET

FRIET is a duplex-based authenticated encryption scheme proposed at EUROCRYPT 2020. It follows a novel design approach for built-in countermeasures against fault attacks. By a judicious choice of components, the designers propose the permutation FRIET-PC that can be used to build an authenticated encryption cipher denoted as FRIET-AE. And FRIET-AE provides a 128-bit security claim for integrity and confidentiality. In this paper, we research the propagation of pairs of differences and liner masks through the round function of FRIET-PC. For the full-round FRIET-PC, we can construct a differential distinguisher whose probability is 1 and a linear distinguisher whose absolute value of correlation is 1. Moreover, we use the differential distinguisher with probability 1 to construct a set consisting of valid tags and ciphertexts which are not created by legal users. This breaks FRIET-AE’s security claim for integrity and confidentiality. As far as we know, this is the first practical attack that threatens the security of FRIET-AE.

Counteracting Adversarial Attacks in Autonomous Driving

This article studies the robust deep stereo vision in autonomous driving systems and counteracting adversarial attacks. The autonomous system operation requires real-time processing of measurement data which often contain significant uncertainties and noise. Adversarial attacks have been widely studied to simulate these perturbations in recent years. To counteract the practical attacks in autonomous systems, novel methods based on simulated attacks are proposed in this article. Univariate and multivariate functions are adopted to represent the relationships between the left and right input images and the deep stereo model. A stereo regularizer is proposed to guide the model to learn the implicit relationship between the images and characterize the loss function’s local smoothness. The attacks are generated by maximizing the regularizer term to break the linearity and smoothness. The model then defends the attacks by minimizing the loss and regularization terms. Two techniques are developed in this article. The first technique, <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">SmoothStereo</monospace> , explores the basic knowledge from the physical world and smoothness, while the second technique, <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">SmoothStereoV2</monospace> , improves <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">SmoothStereo</monospace> through leveraging the smooth activation functions during the defense. <monospace xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">SmoothStereoV2</monospace> can learn and utilize the gradient information concerning the attacks. The gradients of the smooth activation functions can handle attacks for improving the model robustness. Numerical experiments on KITTI datasets demonstrate that the proposed methods offer superior performance.

Chosen Plaintext Combined Attack against SM4 Algorithm

The SM4 algorithm is widely used to ensure the security of data transmission. The traditional chosen plaintext power attacks against SM4 usually need to analyze four rounds power traces in turn to recover the secret key. In this paper, we propose a new combined chosen plaintext power analysis, which combines the chosen plaintext power attack and the differential characteristics of the substitution box (S-box) in SM4. In our attack, only the second and fourth round S-box outputs of SM4 algorithm are used as attack points, and some sensitive fixed intermediate values are obtained by power analysis when inputting specific plaintext. Then the differential analysis of these sensitive intermediate values is carried out to calculate the difference between the input and output of the S-box, and the key can be recovered from the differential characteristics of S-box. Compared with the traditional chosen plaintext power analysis, which requires four rounds of analysis, our analysis reduces the number of attack rounds into two rounds, and adopts the nonlinear S-box with obvious leakage information as the attack intermediate value, which effectively improves the feasibility of attack. Finally, a practical attack experiment is carried out on a Field Programmable Gate Array (FPGA) based implementation of SM4 algorithm, and the results show that our method is feasible and effective for real experiments.

Practical Attacks on Machine Learning: A Case Study on Adversarial Windows Malware

While machine learning is vulnerable to adversarial examples, it still lacks systematic procedures and tools for evaluating its security in different contexts. We discuss how to develop automated and scalable security evaluations of machine learning using practical attacks, reporting a use case on Windows malware detection.

Practical Attacks of Round-Reduced SIMON Based on Deep Learning

Abstract At CRYPTO’19, Gohr built a bridge between deep learning and cryptanalysis. Based on deep neural networks, he trained neural distinguishers of SPECK32/64. Besides, with the help of neural distinguishers, he attacked 11-round SPECK32/64 using Bayesian optimization. Compared with the traditional attack, its complexity was reduced. Although his work opened a new direction of machine learning aided cryptanalysis, there are still two research gaps that researchers are eager to fill in. (i) Can the attack using neural distinguishers be used to other block ciphers? (ii) Are there effective key recovery attacks on large-size block ciphers adopting neural distinguishers? In this paper, our core target is to propose an effective neural-aided key recovery policy to attack large-size block ciphers. For large-size block ciphers, it costs too much time in pre-computation, especially in wrong key response profile, which is the main reason why there are almost no neural aided attacks on large-size block ciphers. Fortunately, we find that there is a fatal flaw in the wrong key profile. In the some experiments of SIMON32/64 and SIMON48/96, there is a regular of change in response profiles, which implies that we can use partial response instead of the complete response. Based on this, we propose a generic key recovery attack scheme which can attack large-size block ciphers. As an application, we perform a key recovery attack on 13-round SIMON64/128, which is the first practical attack using neural distinguishers to large-size ciphers. In addition, we also attack 13-round SIMON32/64 and SIMON48/96, which also shows that the neural distinguishers can be used to other block ciphers.

Practical attacks on Login CSRF in OAuth

OAuth 2.0 is an important and well studied protocol. However, despite the presence of guidelines and best practices, the current implementations are still vulnerable and error-prone. This research mainly focused on the Cross-Site Request Forgery (CSRF) attack. This attack is one of the dangerous vulnerabilities in OAuth protocol, which has been mitigated through state parameter. However, despite the presence of this parameter in the OAuth deployment, many websites are still vulnerable to the OAuth-CSRF (OCSRF) attack. We studied one of the most recurrent type of OCSRF attack through a variety range of novel attack strategies based on different possible implementation weaknesses and the state of the victim’s browser at the time of the attack. In order to validate them, we designed a repeatable methodology and conducted a large-scale analysis on 395 high-ranked sites to assess the prevalence of OCSRF vulnerabilities. Our automated crawler discovered about 36% of targeted sites are still vulnerable and detected about 20% more well-hidden vulnerable sites utilizing the novel attack strategies. Based on our experiment, there was a significant rise in the number of OCSRF protection compared to the past scale analyses and yet over 25% of sites are exploitable to at least one proposed attack strategy. Despite a standard countermeasure exists to mitigate the OCSRF, our study shows that lack of awareness about implementation mistakes is an important reason for a significant number of vulnerable sites.

Practical attacks on a class of secret image sharing schemes based on Chinese Remainder Theorem

Chinese Remainder Theorem based secret image sharing schemes provide an efficient way to store secret image files securely in a distributed manner. Two basic properties required for designing such schemes are — availability and confidentiality. The first property ensures the retrieval of secret image from a qualified subset of shares and the latter guarantees the secrecy of the image against a coalition of non-qualified subset of shares. To model practical attacks on such schemes, in this paper, more powerful active adversaries are considered who can tamper with some shares to modify the reconstructed secret image. We show that an active adversary can tamper with one single share to make the honest parties reconstruct a false secret image of her choice. Our mathematical analysis along with the experimental data exhibit the practicality of our attacks for large class of existing schemes.

Reachability-Based False Data Injection Attacks and Defence Mechanisms for Cyberpower System

With the push for higher efficiency and reliability, an increasing number of intelligent electronic devices (IEDs) and associated information and communication technology (ICT) are integrated into the Internet of Things (IoT)-enabled smart grid. These advanced technologies and IEDs also bring potential vulnerabilities to the intelligent cyber–physical smart grid. State estimation, as a primary step of system monitoring and situational awareness, is a potential target for attackers. A number of other smart grid applications, such as voltage stability assessment and contingency screening, utilize state estimation results as input data. False data injection (FDI) is a specific way to attack state estimation by manipulating input data. Existing research mainly focuses on the mathematical analysis of FDI attacks; however, in these methods, discussions of reachability requirements to compromise measurements considering cyberinfrastructure are limited. Reachability is defined as a measure that estimates the number of hosts to compromise for the possible FDI. Most of the existing FDI attack methods require the simultaneous manipulation on multiple measurement devices in different substations, in order to bypass the bad data detection, which may be impractical. In this paper, a new type of reachability-based FDI attack considering the cybernetwork with a practical attack is proposed and validated on two IEEE test systems. The corresponding defence mechanisms are (a) decentralized state estimation (DSE), (b) DSE with additional backup computational nodes, (c) communication network rerouting, and (d) intrusion detection system, and they were developed and presented with validation for two IEEE test systems with superior performance for an IoT-enabled intelligent smart grid system.

DDoS attack resisting authentication protocol for mobile based online social network applications

The rapid development of smartphone technology and the Internet services in mobile devices facilitates easy access to online social networking (OSN) sites anytime, anywhere. At the same time, this allures the adversaries to exploit the OSNs as a soft target for easy execution of various attacks that can quickly spread to a large number of users. In distributed denial-of-service (DDoS) attacks, an adversary aims to overwhelm the normal traffic of a targeted server with a flood of fake login messages so that the associated Internet service or website turns inoperable. In this paper, we propose a secure and lightweight authentication scheme (PRDoS) that resists DDoS and other security attacks in mobile OSN environments. We provide a multi-faceted solution towards the remedy of DDoS attacks in the OSN environment. After a certain threshold, the scheme discards further user login attempts and blocks an adversary who intends to overload the network server. We use the pre-loaded shadow identity and emergency key pairs, and a key-refilling strategy that rebuilds the essential synchronization between a blocked naive user and the OSN server. This technique restores the intended un-linkability property of the protocol. Using NS3 simulation, we study the impact of DDoS attackers on network throughput and network delay. Moreover, we validate and compare the proposed scheme against state-of-the-art solutions using the real attacks and benign datasets. We use the Canadian Institute for Cybersecurity (CIC) DoS dataset 2017, which is generated by capturing the normal and DoS attack packets separately with subsequent pre-processed for testing. We also use the machine learning (ML) algorithms, such as K-Nearest Neighbor (KNN), Gaussian Naive Bayes, and Multilayer Perceptron (MLP) to demonstrate the performance of the proposed solution in a practical attack detection scenario. We observe that these algorithms provide 97.05%, 95.48%, and 96.6% DDoS attack detection accuracy, respectively.

The mF mode of authenticated encryption with associated data

Abstract In recent years, the demand for lightweight cryptographic protocols has grown immensely. To fulfill this necessity, the National Institute of Standards and Technology (NIST) has initiated a standardization process for lightweight cryptographic encryption. NIST’s call for proposal demands that the scheme should have one primary member that has a key length of 128 bits, and it should be secure up to 2 50 − 1 {2}^{50}-1 byte queries and 2 112 {2}^{112} computations. In this article, we propose a tweakable block cipher (TBC)-based authenticated encryption with associated data (AEAD) scheme, which we call mF {\mathsf{mF}} . We provide authenticated encryption security analysis for mF {\mathsf{mF}} under some weaker security assumptions (stated in the article) on the underlying TBC. We instantiate a TBC using block cipher and show that the TBC achieves these weaker securities, provided the key update function has high periodicity. mixFeed {\mathsf{mixFeed}} is a round 2 candidate in the aforementioned lightweight cryptographic standardization competition. When we replace the key update function with the key scheduling function of Advanced Encryption Standard (AES), the mF {\mathsf{mF}} mode reduces to mixFeed {\mathsf{mixFeed}} . Recently, the low periodicity of AES key schedule is shown. Exploiting this feature, a practical attack on mixFeed {\mathsf{mixFeed}} is reported. We have shown that multiplication by primitive element satisfies the high periodicity property, and we have a secure instantiation of mF {\mathsf{mF}} , a secure variant of mixFeed {\mathsf{mixFeed}} .

Automatic Search of Cubes for Attacking Stream Ciphers

Cube attack was proposed by Dinur and Shamir, and it has become an important tool for analyzing stream ciphers. As the problem that how to recover the superpolys accurately was resolved by Hao et al. in EUROCRYPT 2020, another important problem is how to find “good” superpolys, which is equivalent to finding “good” cubes. However, there are two difficulties in finding “good” cubes. Firstly, the number of candidate cubes is enormous and most of the cubes are not “good”. Secondly, it is costly to evaluate whether a cube is “good”.In this paper, we present a new algorithm to search for a kind of “good” cubes, called valuable cubes. A cube is called valuable, if its superpoly has (at least) a balanced secret variable. A valuable cube is “good”, because its superpoly brings in 1 bit of information about the key. More importantly, the superpolys of valuable cubes could be used in both theoretical and practical analyses. To search for valuable cubes, instead of testing a set of cubes one by one, the new algorithm deals with the set of cubes together, such that the common computations can be done only once for all candidate cubes and duplicated computations are avoided. Besides, the new algorithm uses a heuristic method to reject useless cubes efficiently. This heuristic method is based on the divide-and-conquer strategy as well as an observation.For verifications of this new algorithm, we applied it to Trivium and Kreyvium, and obtained three improvements. Firstly, we found two valuable cubes for 843-round Trivium, such that we proposed, as far as we know, the first theoretical key-recovery attack against 843-round Trivium, while the previous highest round of Trivium that can be attacked was 842, given by Hao et al. in EUROCRYPT 2020. Secondly, by finding many small valuable cubes, we presented practical attacks against 806- and 808-round Trivium for the first time, while the previous highest round of Trivium that can be attacked practically was 805. Thirdly, based on the cube used to attack 892-round Kreyvium in EUROCRYPT 2020, we found more valuable cubes and mounted the key-recovery attacks against Kreyvium to 893-round.

A Finer-Grain Analysis of the Leakage (Non) Resilience of OCB

OCB3 is one of the winners of the CAESAR competition and is among the most popular authenticated encryption schemes. In this paper, we put forward a fine-grain study of its security against side-channel attacks. We start from trivial key recoveries in settings where the mode can be attacked with standard Differential Power Analysis (DPA) against some block cipher calls in its execution (namely, initialization, processing of associated data or last incomplete block and decryption). These attacks imply that at least these parts must be strongly protected thanks to countermeasures like masking. We next show that if these block cipher calls of the mode are protected, practical attacks on the remaining block cipher calls remain possible. A first option is to mount a DPA with unknown inputs. A more efficient option is to mount a DPA that exploits horizontal relations between consecutive input whitening values. It allows trading a significantly reduced data complexity for a higher key guessing complexity and turns out to be the best attack vector in practical experiments performed against an implementation of OCB3 in an ARM Cortex-M0. Eventually, we consider an implementation where all the block cipher calls are protected. We first show that exploiting the leakage of the whitening values requires mounting a Simple Power Analysis (SPA) against linear operations. We then show that despite being more challenging than when applied to non-linear operations, such an SPA remains feasible against 8-bit implementations, leaving its generalization to larger implementations as an interesting open problem. We last describe how recovering the whitening values can lead to strong attacks against the confidentiality and integrity of OCB3. Thanks to this comprehensive analysis, we draw concrete requirements for side-channel resistant implementations of OCB3.

Practical Attacks on Reduced-Round 3D and Saturnin

Abstract 3D, an advanced encryption standard-like cipher employed three-dimensional structure, was proposed in 2008. Its recommended number of rounds is 22. Although the longest key recovery attack can currently reach 13 rounds, the complexity of existing attacks for &amp;gt;6 rounds seems to exceed the practically feasible complexity. Thus, a practical attack for 7-round 3D has yet to be developed. Recently, a lightweight block cipher called Saturnin has been selected as a second-round candidate in the National Institute of Standards and Technology standardization for lightweight cryptography. Saturnin also employs a three-dimensional structure and provides high security against quantum and classic attacks. In this paper, we investigate the yoyo attack on these two ciphers. Combined with the meet-in-the-middle technique, we apply the yoyo trick to 7-round 3D and recover the whole 512-bit secret key with $2^{15}$ plaintexts and adaptively chosen ciphertexts and $2^{16.5}$ complexity of full encryptions. To our best knowledge, it is the first practical key recovery attack for 7-round 3D to date. For Saturnin, we found a minor typo in its design report. The designers intended to make a super round containing two S-layers, but one was inadvertently omitted in the algorithm description. We propose a 5-super-round key recovery attack, which is suitable for both one-S-layer version and two-S-layer version. Since the round function of Saturnin has better diffusion, which leads that the meet-in-the-middle technique cannot be applied to this cipher directly. For the one-S-layer version, we address this problem by proposing a new technique called reducing key sets. This technique will fail on the other version, which proves the necessity of containing two S-layers in one-super-round. Finally, our attack requires $2^{39.1}$ plaintext pairs and adaptively chosen ciphertext pairs and $2^{46}$ one-round encryptions.

CRank: Reusable Word Importance Ranking for Text Adversarial Attack

Deep learning models have been widely used in natural language processing tasks, yet researchers have recently proposed several methods to fool the state-of-the-art neural network models. Among these methods, word importance ranking is an essential part that generates text adversarial examples, but suffers from low efficiency for practical attacks. To address this issue, we aim to improve the efficiency of word importance ranking, making steps towards realistic text adversarial attacks. In this paper, we propose CRank, a black box method utilized by our innovated masking and ranking strategy. CRank improves efficiency by 75% at the ’cost’ of only a 1% drop of the success rate when compared to the classic method. Moreover, we explore a new greedy search strategy and Unicode perturbation methods.

A Proposed Modification on RC4 Algorithm by Increasing its Randomness

Wired Equivalent Privacy (WEP) protocol was adopted as security protocol to protect IEEE 802.11 Wireless LAN from unauthorized access, eavesdropping and other attacks. Over the past few years, several serious security flaws discovered in WEP protocol and its underlying cryptographic primitives (data integrity and encryption algorithms). These flaws lead to a number of practical attacks that demonstrate that WEP fails to achieve its security goals. In this research an attempt is accomplish to improve the encryption algorithm “Standard RC4” of WEP protocol through proposing an enhanced algorithm named as “Proposed RC4+S” that would overcome the security flaws and strengthen the level of security and protection for WEP protocol. Then evaluate the proposed algorithm “RC4+S” to prove the advance of research proposal, which illustrated through the following result: the proposed RC4+S algorithm increases (secret-key) the randomness by approximately more than (20%), thus leading to improve output (ciphertext) randomness of modified WEP protocol compared to standard protocol.

Lightweight Public Key Authenticated Encryption With Keyword Search Against Adaptively-Chosen-Targets Adversaries for Mobile Devices

Cloud storage services have grown extensively in recent years. For security and privacy purposes, sensitive data need to be outsourced to clouds in encrypted form. Searchable public key encryption (SPKE) enables data ciphertexts to be retrieved by keyword(s) without decryption. Unfortunately, most of the existing SPKE schemes cannot withstand the keyword guessing attack. To combat such attack, public key authenticated encryption with keyword search (PAEKS) was presented. However, the existing PAEKS schemes were proven secure under a designated-targets security model, in which an adversary only can attack a sender and a recipient designated by the challenger. Our cryptanalysis indicates that such a scheme may be insecure against the practical attacks where the adversaries choose their targets by themselves. To fight against adaptively-chosen-targets adversaries, we refine the adversary model for PAEKS by permitting the adversaries to choose their targets adaptively, and then formalize the security definitions under the improved security model. After that, we devise a lightweight PAEKS scheme that avoids the time-consuming bilinear pairing operations and give the security proofs. The comparisons show that it outperforms the existing bilinear pairing-based PAEKS schemes in both the computation and communication performance, and therefore is more suitable for the resource-constrained mobile devices.

A data independent approach to generate adversarial patches

Deep neural networks are vulnerable to adversarial examples, i.e., carefully perturbed inputs designed to mislead the network at inference time. Recently, adversarial patch, with perturbations confined to a small and localized patch, emerged for its easy accessibility in real-world attack. However, existing attack strategies require training data on which the deep neural networks were trained, which makes them unsuitable for practical attacks since it is unreasonable for an attacker to obtain the training data. In this paper, we propose a data independent approach to generate adversarial patches (DiAP). The goal is to craft adversarial patches that can fool the target model on most of the images without any knowledge about the training data distribution. In the absence of data, we carry out non-targeted attacks by fooling the features learned at multiple layers of the deep neural network, and then employ the potential information of non-targeted adversarial patches to craft targeted adversarial patches. Extensive experiments demonstrate impressive attack success rates for DiAP. Particularly in the blackbox setting, DiAP outperforms state-of-the-art adversarial patch attack methods. The patches generated by DiAP also function well in real physical scenarios, and could be created offline and then broadly shared.

Combining Optimization Objectives: New Modeling Attacks on Strong PUFs

Strong Physical Unclonable Functions (PUFs), as a promising security primitive, are supposed to be a lightweight alternative to classical cryptography for purposes such as device authentication. Most of the proposed candidates, however, have been plagued by modeling attacks breaking their security claims. The Interpose PUF (iPUF), which has been introduced at CHES 2019, was explicitly designed with state-of-the-art modeling attacks in mind and is supposed to be impossible to break by classical and reliability attacks. In this paper, we analyze its vulnerability to reliability attacks. Despite the increased difficulty, these attacks are still feasible, against the original authors’ claim. We explain how adding constraints to the modeling objective streamlines reliability attacks and allows us to model all individual components of an iPUF successfully. In order to build a practical attack, we give several novel contributions. First, we demonstrate that reliability attacks can be performed not only with covariance matrix adaptation evolution strategy (CMA-ES) but also with gradient-based optimization. Second, we show that the switch to gradient-based reliability attacks makes it possible to combine reliability attacks, weight constraints, and Logistic Regression (LR) into a single optimization objective. This framework makes modeling attacks more efficient, as it exploits knowledge of responses and reliability information at the same time. Third, we show that a differentiable model of the iPUF exists and how it can be utilized in a combined reliability attack. We confirm that iPUFs are harder to break than regular XOR Arbiter PUFs. However, we are still able to break (1,10)-iPUF instances, which were originally assumed to be secure, with less than 107 PUF response queries.