EPFL at 2023 IEEE Symposium on Security and Privacy

The IEEE Symposium on Security and Privacy is the premier forum for developments in computer security and electronic privacy. This year, EPFL provides close to 5% of all presented papers, focusing on software security, privacy analysis, and data security.
Since 1980, the IEEE Symposium on Security and Privacy has brought together researchers and practitioners as the premier forum for presenting developments in the field. At this year’s edition, EPFL teams are presenting 7 papers spanning key research topics across our security and privacy groups. These include software security defense, understanding attacks, privacy-preserving learning, and decentralized machine learning.
Software and systems security
Researchers with EPFL’s HexHive Laboratory are presenting four papers. The first, WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches, focuses on code-reuse attacks, dangerous threats that have attracted the attention of the security community for years. The paper proposes WarpAttack, a new attack vector built on a pattern of compiler-introduced double-fetch optimizations that would allow an attacker to mount TOCTTOU attacks and bypass code-reuse mitigations.
While Trusted Execution Environments (TEEs) in modern smartphones are intended to provide a safe haven for sensitive data and computations, they also pose a major security risk, as privileged code running within the TEE has complete access to every aspect of the smartphone (e.g., cryptographic keys, hardware peripherals, and sensitive user data). The second paper, TEEzz: Fuzzing Trusted Applications on COTS Android Devices, outlines TEEzz, the first TEE-aware fuzzing framework capable of effectively fuzzing trusted applications (TAs) in situ on production smartphones.
Another fuzzing framework being presented is VIDEZZO, which targets virtual devices. It overcomes the limitations of existing virtual device fuzzers and boosts bug discovery in virtual devices. This research discovered several severe vulnerabilities in hypervisors that have now been fixed by the respective vendors.
In collaboration with PARSA, the fourth paper presents SecureCells, a novel virtual memory architecture for secure, efficient and flexible compartmentalization. Modern programs are monolithic, combining code of varied provenance without isolation, all the while running on network-connected devices. A vulnerability in any component may compromise code and data of all other components. SecureCells addresses the need of the hour as a secure, performant, and flexible mechanism on which developers can reliably implement an arsenal of compartmentalized software.
Privacy analysis and privacy preserving systems
The Security and Privacy Engineering Laboratory (SPRING) is presenting two papers. On the (In)security of Peer-to-Peer Decentralized Machine Learning outlines the first in-depth privacy analysis of decentralized learning and demonstrates that, contrary to what is claimed by those who propose the method, it does not offer any security advantage over federated learning. Rather, it increases the attack surface, enabling any user in the system to perform privacy attacks such as gradient inversion, and even gain full control over honest users' local models.
The second paper, Not Yet Another Digital ID: Privacy-preserving Humanitarian Aid Distribution, presents work undertaken in collaboration with the International Committee of the Red Cross to develop a safe aid-distribution system that protects the privacy of refugees and other people in need receiving humanitarian aid. The solution overcomes the weaknesses of traditional paper-based solutions, which do not scale to large populations and are hard to secure, as well as those of existing digital solutions, which are scalable but collect large amounts of personal information, putting aid recipients at risk. This paper is the result of a Science and Technology for Humanitarian Action Challenges project managed by the EssentialTech Centre.
Data security
Finally, researchers working with EPFL’s former Laboratory for Data Security are presenting their work on SF-PCA, a new end-to-end secure system for principal component analysis (PCA), an essential algorithm for dimensionality reduction in many data science domains. The work demonstrates the practical applicability of secure and federated PCA on private distributed datasets.
The 2023 IEEE Symposium is being held in San Francisco from May 22nd to the 25th, marking the 44th annual meeting of this flagship security conference.