David Wagner

Technische Universität Braunschweig · Institute for Educational Sciences

210 Publications · 82,921 Reads · 37,853 Citations

Publications (210)
Preprint
In successful enterprise attacks, adversaries often need to gain access to additional machines beyond their initial point of compromise, a set of internal movements known as lateral movement. We present Hopper, a system for detecting lateral movement based on commonly available enterprise logs. Hopper constructs a graph of login activity among inte...
Chapter
We present a large-scale characterization of attacker activity across 111 real-world enterprise organizations. We develop a novel forensic technique for distinguishing between attacker activity and benign activity in compromised enterprise accounts that yields few false positives and enables us to perform fine-grained analysis of attacker behavior....
Chapter
Deep learning image classification is widely used yet is vulnerable to adversarial attack, which can change the computer classification without changing how humans classify the image. This is possible even if the attacker changes just a small patch of the image. We propose a defense against patch attacks based on partially occluding the image aroun...
Preprint
We present a large-scale characterization of attacker activity across 111 real-world enterprise organizations. We develop a novel forensic technique for distinguishing between attacker activity and benign activity in compromised enterprise accounts that yields few false positives and enables us to perform fine-grained analysis of attacker behavior....
Preprint
Deep learning image classification is vulnerable to adversarial attack, even if the attacker changes just a small patch of the image. We propose a defense against patch attacks based on partially occluding the image around each candidate patch location, so that a few occlusions each completely hide the patch. We demonstrate on CIFAR-10, Fashion MNI...
Article
As devices with always-on microphones located in people’s homes, smart speakers have significant privacy implications. We surveyed smart speaker owners about their beliefs, attitudes, and concerns about the recordings that are made and shared by their devices. To ground participants’ responses in concrete interactions, rather than collecting their...
Preprint
The problem of adversarial examples, evasion attacks on machine learning classifiers, has proven extremely difficult to solve. This is true even when, as is the case in many practical settings, the classifier is hosted as a remote service and so the adversary does not have direct access to the model parameters. This paper argues that in such settin...
Conference Paper
Millions of smartphones are stolen in the United States every year, putting victims' personal information at risk since many users often do not lock their phones. To protect individuals' smartphones and the private data stored on them, we developed a system that automatically detects pickpocket and grab-and-run theft, in which a thief grabs the pho...
Conference Paper
Modern mobile operating systems implement an ask-on-first-use policy to regulate applications' access to private user data: the user is prompted to allow or deny access to a sensitive resource the first time an app attempts to use it. Prior research shows that this model may not adequately capture user privacy preferences because subsequent request...
Conference Paper
We propose monotonic classification with selection of monotonic features as a defense against evasion attacks on classifiers for malware detection. The monotonicity property of our classifier ensures that an adversary will not be able to evade the classifier by adding more features. We train and test our classifier on over one million executables c...
Article
We identify obfuscated gradients as a phenomenon that leads to a false sense of security in defenses against adversarial examples. While defenses that cause obfuscated gradients appear to defeat optimization-based attacks, we find defenses relying on this effect can be circumvented. For each of the three types of obfuscated gradients we discover, w...
Article
We construct targeted audio adversarial examples on automatic speech recognition. Given any audio waveform, we can produce another that is over 99.9% similar, but transcribes as any phrase we choose (at a rate of up to 50 characters per second). We apply our iterative optimization-based attack to Mozilla's implementation DeepSpeech end-to-end, and...
Article
Current smartphone operating systems employ permission systems to regulate how apps access sensitive resources. These systems are not well-aligned with users’ privacy expectations: users often have no idea how often and under what circumstances their personal data is accessed. We conducted a 131-person field study to devise ways to systematically r...
Article
MagNet and "Efficient Defenses..." were recently proposed as a defense to adversarial examples. We find that we can construct adversarial examples that defeat these defenses with only a slight increase in distortion.
Conference Paper
Background: Evidence for the relationship between code review process and software security (and software quality) has the potential to help improve code review automation and tools, as well as provide a better understanding of the economics for improving software security and quality. Prior work in this area has primarily been limited to case stud...
Conference Paper
Neural networks are known to be vulnerable to adversarial examples: inputs that are close to natural inputs but classified incorrectly. In order to better understand the space of adversarial examples, we survey ten recent proposals that are designed for detection and compare their efficacy. We show that all can be defeated by constructing new loss...
Article
Although Tor has state-of-the-art anticensorship measures, users in heavily censored environments will not be able to connect to Tor if they cannot configure their connections. We perform the first usability evaluation of Tor Launcher, the graphical user interface (GUI) that Tor Browser uses to configure connections to Tor. Our study shows that 79%...
Article
Neural networks are known to be vulnerable to adversarial examples: inputs that are close to valid inputs but classified incorrectly. We investigate the security of ten recent proposals that are designed to detect adversarial examples. We show that all can be defeated, even when the adversary does not know the exact parameters of the detector. We c...
Article
Current smartphone operating systems regulate application permissions by prompting users on an ask-on-first-use basis. Prior research has shown that this method is ineffective because it fails to account for context: the circumstances under which an application first requests access to data may be vastly different than the circumstances under which...
Conference Paper
Cameras have become nearly ubiquitous with the rise of smartphones and laptops. New wearable devices, such as Google Glass, focus directly on using live video data to enable augmented reality and contextually enabled services. However, granting applications full access to video data exposes more information than is necessary for their functionality...
Article
We consider how to measure the robustness of a neural network against adversarial examples. We introduce three new attack algorithms, tailored to three different distance metrics, to find adversarial examples: given an image x and a target class, we can find a new image x' that is similar to x but classified differently. We show that our attacks ar...
Article
We show that defensive distillation is not secure: it is no more resistant to targeted misclassification attacks than unprotected neural networks.
Conference Paper
We examine the security of home smart locks: cyber-physical devices that replace traditional door locks with deadbolts that can be electronically controlled by mobile devices or the lock manufacturer's remote servers. We present two categories of attacks against smart locks and analyze the security of five commercially-available locks with respect...
Article
Wearable devices, or "wearables," bring great benefits but also potential risks that could expose users' activities without their awareness or consent. In this paper, we report findings from the first large-scale survey conducted to investigate user security and privacy concerns regarding wearables. We surveyed 1,782 Internet users in order to id...
Conference Paper
Most laptops and personal computers have webcams with LED indicators to notify users when they are recording. Because hackers use surreptitiously captured webcam recordings to extort users, we explored the effectiveness of these indicators under varying circumstances and how they could be improved. We observed that, on average, fewer than half of o...
Article
Due to the amount of data that smartphone applications can potentially access, platforms enforce permission systems that allow users to regulate how applications access protected resources. If users are asked to make security decisions too frequently and in benign situations, they may become habituated and approve all future requests without regard...
Article
In addition to storing a plethora of sensitive personal and work information, smartphones also store sensor data about users and their daily activities. In order to understand users' behaviors and attitudes towards the security of their smartphone data, we conducted 28 qualitative interviews. We examined why users choose (or choose not) to employ l...
Article
In Apple's iOS 6, when an app requires access to a protected resource (e.g., location or photos), the user is prompted with a permission request that she can allow or deny. These permission request dialogs include space for developers to optionally include strings of text to explain to the user why access to the resource is needed. We examine how a...
Conference Paper
WebViews allow Android developers to embed a webpage within an application, seamlessly integrating native application code with HTML and JavaScript web content. While this rich interaction simplifies developer support for multiple platforms, it exposes applications to attack. In this paper, we explore two WebView vulnerabilities: excess authorizati...
Article
Under certain circumstances, consumers are willing to pay a premium for privacy. We explore how choice architecture affects smartphone users' stated willingness to install applications that request varying permissions. We performed two experiments to gauge smartphone users' stated willingness to pay premiums to limit their personal information expo...
Conference Paper
We perform an empirical study to better understand two well-known vulnerability rewards programs, or VRPs, which software vendors use to encourage community participation in finding and responsibly disclosing software vulnerabilities. The Chrome VRP has cost approximately $580,000 over 3 years and has resulted in 501 bounties paid for the identific...
Article
Smartphone applications pose interesting security problems because the same resources they use to enhance the user experience may also be used in ways that users might find objectionable. We performed a set of experiments to study whether attribution mechanisms could help users understand how smartphone applications access device resources. First,...
Conference Paper
With the rise of the web as a dominant application platform, web security vulnerabilities are of increasing concern. Ideally, the web application development process would detect and correct these vulnerabilities before they are released to the public. This research aims to quantify the effectiveness of software developers at security code review a...
Conference Paper
The complexity of Android's message-passing system has led to numerous vulnerabilities in third-party applications. Many of these vulnerabilities are a result of developers confusing inter-application and intra-application communication mechanisms. Consequently, we propose modifications to the Android platform to detect and protect inter-applicatio...
Conference Paper
Smartphone operating systems warn users when third-party applications try to access sensitive functions or data. However, all of the major smartphone platforms warn users about different application actions. To our knowledge, their selection of warnings was not grounded in user research; past research on mobile privacy has focused exclusively on th...
Conference Paper
Current smartphone platforms provide ways for users to control access to information about their location. For instance, on the iPhone, when an application requests access to location information, the operating system asks the user whether to grant location access to this application. In this paper, we study how users are using these controls. Do i...
Conference Paper
Application platforms provide applications with access to hardware (e.g., GPS and cameras) and personal data. Modern platforms use permission systems to protect access to these resources. The nature of these permission systems varies widely across platforms. Some platforms obtain user consent as part of installation, while others display runtime cons...
Conference Paper
We present OpenCount: a system that tabulates scanned ballots from an election by combining computer vision algorithms with focused operator assistance. OpenCount is designed to support risk-limiting audits and to be scalable to large elections, robust to conditions encountered using typical scanner hardware, and general to a wide class of ballot t...
Conference Paper
The voting audit logs produced by electronic voting systems contain data that could be useful for uncovering procedural errors and election anomalies, but they are currently unwieldy and difficult for election officials to use in post-election audits. In this work, we develop new methods to analyze these audit logs for the detection of both procedu...
Article
Android's permission system is intended to inform users about the risks of installing applications. When a user installs an application, he or she has the opportunity to review the application's permission requests and cancel the installation if the permissions are excessive or objectionable. We examine whether the Android permission system is effe...
Article
In order to direct and build an effective, secure mobile ecosystem, we must first understand user attitudes toward security and privacy for smartphones and how they may differ from attitudes toward more traditional computing systems. What are users' comfort levels in performing different tasks? How do users select applications? What are their overa...
Article
Advertising is a critical part of the Android ecosystem—many applications use one or more advertising services as a source of revenue. To use these services, developers must bundle third-party, binary-only libraries into their applications. In this model, applications and their advertising libraries share permissions. Advertising-supported applic...
Article
We assess the risk of phishing on mobile platforms. Mobile operating systems and browsers lack secure application identity indicators, so the user cannot always identify whether a link has taken her to the expected application. We conduct a systematic analysis of ways in which mobile applications and web sites link to each other. To evaluate the r...
Article
Vulnerabilities in browser extensions put users at risk by providing a way for website and network attackers to gain access to users' private data and credentials. Extensions can also introduce vulnerabilities into the websites that they modify. In 2009, Google Chrome introduced a new extension platform with several features intended to prevent...
Conference Paper
Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. We study Android applications to determine whether Android developers follow least privilege with...
Article
Mobile malware is rapidly becoming a serious threat. In this paper, we survey the current state of mobile malware in the wild. We analyze the incentives behind 46 pieces of iOS, Android, and Symbian malware that spread in the wild from 2009 to 2011. We also use this data set to evaluate the effectiveness of techniques for preventing and identifying...
Conference Paper
Optical scan ballot systems are widely used in elections today. However, deployed optical scan systems may not always interpret write-in votes correctly. For instance, if a voter writes in a name but forgets to shade in the corresponding voting target, an optical scanner may not detect the write-in, which could lead to a lost vote. In this paper, w...
Conference Paper
How should software engineers choose which tools to use to develop secure web applications? Different developers have different opinions regarding which language, framework, or vulnerability-finding tool tends to yield more secure software than another; some believe that there is no difference at all between such tools. This paper adds quantitative...
Conference Paper
Traditional user-based permission systems assign the user's full privileges to all applications. Modern platforms are transitioning to a new model, in which each application has a different set of permissions based on its requirements. Application permissions offer several advantages over traditional user-based permissions, but these benefits rely...
Conference Paper
In previous work Hicks et al. proposed a method called Unused Circuit Identification (UCI) for detecting malicious backdoors hidden in circuits at design time. The UCI algorithm essentially looks for portions of the circuit that go unused during design-time testing and flags them as potentially malicious. In this paper we construct circuits that ha...
Conference Paper
Modern smartphone operating systems support the development of third-party applications with open system APIs. In addition to an open API, the Android operating system also provides a rich inter-application message passing system. This encourages inter-application collaboration and reduces developer burden by facilitating component reuse. Unfortuna...
Conference Paper
Database-backed applications typically grant complete database access to every part of the application. In this scenario, a flaw in one module can expose data that the module never uses for legitimate purposes. Drawing parallels to traditional privilege separation, we argue that database data should be subject to limitations such that each section...
Article
Optical scan voting systems are ubiquitous. Unfortunately, optical scan technology is vulnerable to failures that can result in miscounted votes and lost confidence. While manual counts may be able to detect these failures, counting all the ballots by hand is in many situations impractical and prohibitively expensive. In this paper, we present a...
Conference Paper
We present a programming model for building web applications with security properties that can be confidently verified during a security review. In our model, applications are divided into isolated, privilege-separated components, enabling rich security policies to be enforced in a way that can be checked by reviewers. In our model, the web framewo...
Conference Paper
We present Joe-E, a language designed to support the development of secure software systems. Joe-E is a subset of Java that makes it easier to architect and implement programs with strong security properties that can be checked during a security review. It enables programmers to apply the principle of least privilege to their programs; implem...
Article
Joe-E is a subset of the Java language, with additional restrictions enforced by a static source-code verifier. We explore several semantic properties of classes relating to immutability and object identity that can be declared by the programmer and are checked by the Joe-E verifier. We present the simple, modular analyses we use to verify these p...
Article
Ballot-based auditing offers a much higher level of statistical confidence for any given number of ballots counted than does precinct-based auditing. Unfortunately, it also comes with the problem of efficiently finding any particular ballot so that it can be audited. Previous work on ballot-based auditing has required modifying the ballots to add...
Conference Paper
Recently, integer bugs, including integer overflow, width conversion, and signed/unsigned conversion errors, have risen to become a common root cause for serious security vulnerabilities. We introduce new methods for discovering integer bugs using dynamic test generation on x86 binaries, and we describe key design choices in efficient symbolic ex...
Conference Paper
Over 80% of web services are vulnerable to attack (4), and much of the danger arises from command injection vulnerabilities. We present an efficient character-level taint tracking system for Java web applications and argue that it can be used to defend against command injection vulnerabilities. Our approach involves modification only to Java lib...
Conference Paper
We present an approach for the design and analysis of an electronic voting machine based on a novel combination of formal verification and systematic testing. The system was designed specifically to enable verification and testing. In our architecture, the voting machine is a finite-state transducer that implements the bare essentials required...
Conference Paper
We introduce the notion of a conditioned-safe ceremony. A "ceremony" is similar to the conventional notion of a protocol, except that a ceremony explicitly includes human participants. Our formulation of a conditioned-safe ceremony draws on several ideas and lessons learned from the human factors and human reliability community: forcing functions, de...
Conference Paper
Proving that particular methods within a code base are functionally pure—deterministic and side-effect free—would aid verification of security properties including function invertibility, reproducibility of computation, and safety of untrusted code execution. Until now it has not been possible to automatically prove a method is functionally pure...
Article
Disclaimer: This is a draft version of the Joe-E specification, and is subject to change. Sections 5-7 mention some (but not all) of the aspects of the Joe-E language that are future work or current works in progress.
Conference Paper
We present the design of a user study for comparing the security of two registration mechanisms for initializing credentials in machine authentication protocols, such as SiteKey. We discuss ethical and ecological validity challenges we faced in designing our study.
Conference Paper
In light of the systemic vulnerabilities uncovered by recent reviews of deployed e-voting systems, the surest way to secure the voting process would be to scrap the existing systems and design new ones. Unfortunately, engineering new systems will take years, and many jurisdictions are unlikely to be able to afford new equipment in the near fu...
Conference Paper
Audit logs are an important tool for post-election investigations, in the event of an election dispute or problem. We propose a new approach to logging that is designed to provide a record of all interactions between each voter and the voting machine. Our audit logs provide a comprehensive, trustworthy, replayable record of essentially everythi...
Article
The Secretary of State, California, has initiated a top-to-bottom review of the e-voting systems in order to provide an independent assessment of the voting systems. The results showed that the systems appeared not to be designed or implemented with security in mind. The design and implementation ignored basic vulnerabilities in all three vendor sy...
Article
We propose an approach that combines symbolic execution and run-time type inference from a sample program run to generate test cases, and we apply our approach to signed/unsigned conversion errors in programs. A signed/unsigned conversion error occurs when a program makes control flow decisions about a value based on treating it as a signed integer,...
Conference Paper
The informal goal of a watermarking scheme is to "mark" a digital object, such as a picture or video, in such a way that it is difficult for an adversary to remove the mark without destroying the content of the object. Although there has been considerable work proposing and breaking watermarking schemes, there has been little attention given to the fo...
Conference Paper
We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious Javascript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. As a result,...
Conference Paper
TriStrata appears to have implemented a variation of Maurer’s randomised cipher. We define a variation of Maurer’s cipher that appears to be similar to the TriStrata version, and show several cryptanalytical attacks against our variant.
Article
Random audits are a powerful technique for statistically verifying that an election was tabulated correctly. Audits are especially useful for checking the correctness of electronic voting machines when used in conjunction with a voter-verified paper audit trail (VVPAT). While laws in many states already require election audits, they generally do n...
Conference Paper
We introduce new methods for detecting control-flow side channel attacks, transforming C source code to eliminate such attacks, and checking that the transformed code is free of control-flow side channels. We model control-flow side channels with a program counter transcript, in which the value of the program counter at each step is leaked to an ad...
Conference Paper
If trusted processes' secrets or privileged system objects such as file handles are leaked to an untrusted process, the result could be the loss of secrecy and integrity of the data produced by the program. The advent of privilege-separated programs has led to an additional risk: sensitive data or system objects may be leaked when the trusted proce...