Joye M., Content Security
Designs, Codes, and Cryptography | Year: 2011
This paper considers strong-RSA signature schemes built from the scheme of Cramer and Shoup. We present a basic scheme encompassing the main features of the Cramer-Shoup scheme. We analyze its security in both the random oracle model and the standard model. This helps us to spot potential security flaws. As a result, we show that a seemingly secure signature scheme (Tan in Int J Security Netw 1(3/4): 237-242, 2006) is universally forgeable under a known-message attack. In a second step, we discuss how to turn the basic scheme into a fully secure signature scheme. In doing so, we rediscover several known schemes (or slight variants thereof). © 2010 Springer Science+Business Media, LLC.
Karroumi M., Content Security
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2011
In order to protect AES software running on untrusted platforms, Chow et al. (2002) designed a white-box implementation. However, Billet et al. (2004) showed that the secret key can be extracted with a time complexity of 2^30. In this paper, we present an improved white-box implementation of AES. We use dual ciphers to modify the state and key representations in each round as well as two of the four classical AES operations, SubBytes and MixColumns. We show that, with 61200 possible dual ciphers, the complexity of Billet et al.'s attack is raised to 2^91. Interestingly, our white-box implementation does not require more memory space than Chow et al.'s implementation. © 2011 Springer-Verlag.
Feng X., University College London
Cox I.J., University College London
Doerr G., Content Security
IEEE Transactions on Multimedia | Year: 2012
We propose a new method to detect resampled imagery. The method is based on examining the normalized energy density present within windows of varying size in the second derivative of the image in the frequency domain, and exploiting this characteristic to derive a 19-D feature vector that is used to train an SVM classifier. Experimental results are reported on 7500 raw images from the BOSS database. Comparison with prior work reveals that the proposed algorithm performs similarly for resampling rates greater than 1, and is superior to prior work for resampling rates less than 1. Experiments are performed for both bilinear and bicubic interpolations, and qualitatively similar results are observed for each. Results are also provided for the detection of resampled imagery with noise corruption and JPEG compression. As expected, some degradation in performance is observed as the noise increases or the JPEG quality factor declines. © 2012 IEEE.
Joye M., Content Security
Proceedings - IEEE CS Security and Privacy Workshops, SPW 2012 | Year: 2012
Until recently, known fault attacks against (non-CRT) exponentiation-based cryptosystems were supposed to be of a rather theoretical nature, as they require a precise fault injection, e.g., a bit flip. However, Schmidt and Herbst (FDTC 2008) reported practical fault attacks against RSA in standard mode using low-cost equipment. Although their attacks were described against RSA, they readily extend to any other exponentiation-based cryptosystem. This paper describes an efficient method to prevent those new attacks. © 2012 IEEE.
News Article | August 14, 2015
Update: Apple yesterday patched a critical privilege escalation vulnerability in OS X 10.10 that was disclosed in early July. The flaw in OS X’s dynamic linker, dyld, was specific to a new feature that allowed error logging to arbitrary files. Researcher Stefan Esser shared details of the vulnerability and source code for a kernel extension that mitigated the vulnerability until Apple’s patch was made publicly available yesterday.

Esser’s July 7 report said that OS X 10.10 supported a new DYLD_PRINT_TO_FILE variable which lacked the “safeguards” that are generally included when new variables are added to dyld. “Normally for security reasons the dynamic linker should reject all environment variables passed to it in case of restricted files. This is automatically handled when new environment variables are added to the processDyldEnvironmentVariable() function,” Esser wrote. “However in the DYLD_PRINT_TO_FILE case the code was directly added to the _main function of dyld.”

Esser wrote that dyld accepts the new variable even for restricted binaries such as SUID root binaries. “This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries,” he wrote. “This can be easily exploited for privilege escalation.”

The dyld patch was part of a monster security release yesterday that patched not only dozens of bugs in OS X, but also in OS X Server, iOS and Safari. OS X Yosemite 10.10.5 includes patches for numerous code execution, denial of service, information disclosure, and memory-corruption vulnerabilities leading to RCE or crashes.
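The two safeguards Esser describes as missing, refusing a caller-controlled log path when the process is set-user-ID or set-group-ID, and marking the descriptor close-on-exec so it does not leak into child processes, are shown below in an added illustration written for this article. It is not dyld code or Esser's kernel extension; the helper names and the `/dev/null` sample path are assumptions for the demo.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_CLOEXEC is POSIX.1-2008 */
#endif
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: a process is "restricted" in the article's sense when it runs
 * with set-user-ID or set-group-ID privileges, i.e. real and effective ids differ. */
static bool running_restricted(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Gate a debugging variable such as DYLD_PRINT_TO_FILE: restricted processes must
 * never honor an environment-supplied path. Returns NULL when the value is refused. */
static const char *log_path_if_allowed(const char *value, bool restricted) {
    if (restricted || value == NULL || value[0] == '\0')
        return NULL;
    return value;
}

/* Open the log with O_CLOEXEC so the descriptor is closed across exec() and is not
 * inherited by children; the file is created 0600 so only the owner can read it. */
static int open_log_cloexec(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
}

/* Defensive check: confirm the close-on-exec flag really is set on a descriptor. */
static bool fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && (flags & FD_CLOEXEC) != 0;
}

int main(void) {
    /* Constructed demo: an attacker-style value is refused once the process is set-id. */
    const char *wanted = "/dev/null";
    const char *path = log_path_if_allowed(wanted, running_restricted());
    if (path == NULL) {
        puts("restricted process: log variable ignored");
        return 0;
    }
    int fd = open_log_cloexec(path);
    if (fd < 0) { perror("open"); return 1; }
    printf("opened %s, close-on-exec set: %s\n", path, fd_is_cloexec(fd) ? "yes" : "no");
    close(fd);
    return 0;
}
```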
Missing from the list is a patch for the UEFI EDK2 vulnerabilities related to the Thunderstrike 2 firmware attack; researchers Xeno Kovah and Trammell Hudson said that some extensions in OS X can be abused in attacks, despite the fact that the main firmware attacks used in Thunderstrike 2 were patched in OS X 10.10.4. Thunderstrike 2 is an attack against Apple firmware and, unlike its predecessor, can be exploited remotely and self-replicates through peripheral devices. The researchers disclosed a half-dozen vulnerabilities to Apple months ago, and some are patched while others remain on the drawing board. The flaws have been patched in the reference implementation for UEFI on other Intel platforms. In the case of Apple, the company has said in the past that its firmware was not impacted; all the firmware in question, however, is derived from the same Intel reference implementation, the researchers said.

Apple’s mobile iOS platform has been upgraded to version 8.4.1 and includes the usual long list of WebKit code-execution, information (cookie) leakage, and Content Security Policy vulnerabilities. The iOS update also includes patches for ImageIO, a library that provides an interface to read and write image data. Google researcher Michal Zalewski reported bugs in ImageIO where a malicious .TIFF file could corrupt memory during processing and lead to code execution. The update also patches a problem with ImageIO’s handling of PNG images that could result, Apple said, in the disclosure of process memory to a website hosting an exploit.

Apple also updated its Safari browser, releasing versions 8.0.8, 7.1.8 and 6.2.8. Most of the vulnerabilities addressed in the update reside in WebKit and result in code execution or exposure of cookie information if exploited. The OS X Server update to version 4.1.5 addresses a recently patched vulnerability in BIND that could lead to server crashes.
The BIND vulnerability, a remotely exploitable flaw in the way the server handled TKEY queries, was patched on July 29. The flaw affected all versions of BIND’s DNS software from 9.1.0 through 9.9.7. The vulnerability lies in the way BIND handles certain queries related to transaction key records, and it affected both recursive and authoritative servers. The bug is fixed in BIND versions 9.9.7-P2 and P3. BIND is the most widely deployed name server software on the Internet, and the TKEY flaw is an especially problematic one for administrators running name servers; its maintainers at the Internet Systems Consortium said there is no real workaround, and defending against the bug can be quite difficult.

This article was updated with clarifications around the Thunderstrike 2 patch.