
Welcome Message

On behalf of the Organizing Committee, we would like to welcome you to the 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016).

Organizing a meeting of this size would not be possible without the dedicated efforts of many individuals and organizations. To name them all in this short message is not possible. However, we would like to thank everyone who has given her or his time, energy and ideas to this event. This includes all the authors for providing the content of the program; the PC members and external reviewers, who worked in reviewing papers and providing feedback for authors; all the external and local volunteers who selflessly assisted the Organizing Committee; Télécom SudParis, for hosting the event; and our distinguished keynote speaker, Prof. Ahmad-Reza Sadeghi, who has agreed to address the symposium attendees.

We are indebted to Hervé Debar and Manos Antonakakis for their tireless efforts in securing sponsorship for RAID 2016; to Gregory Blanc and Françoise Abad for handling the local arrangements; to Christophe Kiennert for the job with the website; to Yazan Boshmaf for widely publicizing the call for participation and related notices; and to Murray Anderegg, for taking care of the submission server.

We hope you find this symposium to be a rewarding learning and partnership experience!

Joaquin Garcia-Alfaro, General Chair

Fabian Monrose, Program Chair

Marc Dacier, Program Co-Chair

Program Committee

- Magnus Almgren, Chalmers University, Sweden
- Johanna Amann, International Computer Science Institute, US
- Manos Antonakakis, Georgia Institute of Technology, US
- Michael Bailey, University of Illinois at Urbana-Champaign, US
- Lucas Ballard, Google, US
- Leyla Bilge, Symantec, US
- Lucas Davi, Technische Universität Darmstadt, Germany
- Hervé Debar, Télécom SudParis, France
- Petros Efstathopoulos, Symantec, US
- Manuel Egele, Boston University, US
- William Enck, North Carolina State University, US
- Vasileios Kemerlis, Brown University, US
- Andrea Lanzi, University of Milan, Italy
- Pavel Laskov, Huawei European Research Center, Germany
- Zhiqiang Lin, University of Texas at Dallas, US
- Daniela Oliveira, University of Florida, US
- Roberto Perdisci, University of Georgia, US
- Michalis Polychronakis, Stony Brook University, US
- Konrad Rieck, TU Braunschweig, Germany
- Christian Rossow, Saarland University, Germany
- Stelios Sidiroglou-Douskos, Massachusetts Institute of Technology, US
- Kapil Singh, IBM T.J. Watson, US
- Kevin Snow, Zeropoint, US
- Cynthia Sturton, University of North Carolina at Chapel Hill, US
- Dongyan Xu, Purdue University, US

Steering Committee

- Chair: Marc Dacier, Qatar Computing Research Institute / HBKU, Qatar
- Davide Balzarotti, Eurécom, France
- Hervé Debar, Télécom SudParis, France
- Deborah Frincke, DoD Research, US
- Ming-Yuh Huang, Northwest Security Institute, US
- Somesh Jha, University of Wisconsin, US
- Erland Jonsson, Chalmers, Sweden
- Engin Kirda, Northeastern University, US
- Christopher Kruegel, UC Santa Barbara, US
- Wenke Lee, Georgia Tech, US
- Richard Lippmann, MIT Lincoln Laboratory, US
- Ludovic Mé, CentraleSupélec, France
- Robin Sommer, ICSI/LBNL, US
- Angelos Stavrou, George Mason University, US
- Alfonso Valdes, SRI International, US
- Giovanni Vigna, UC Santa Barbara, US
- Andreas Wespi, IBM Research, Switzerland
- S. Felix Wu, UC Davis, US
- Diego Zamboni, CFEngine AS, Mexico

External Reviewers

- Matteo Dell’Amico, Symantec, US
- Anderson Nascimento, University of Washington, US

Organizing Committee

- General Chair: Joaquin Garcia-Alfaro, Télécom SudParis, France
- PC Chair: Fabian Monrose, University of North Carolina at Chapel Hill, US
- PC Co-Chair: Marc Dacier, Qatar Computing Research Institute / HBKU, Qatar
- Publicity Chair: Yazan Boshmaf, Qatar Computing Research Institute / HBKU, Qatar
- Sponsor Chair: Hervé Debar, Télécom SudParis, France
- Local Arrangement Chair: Grégory Blanc, Télécom SudParis, France
- Local Arrangement Co-Chair: Françoise Abad, Télécom SudParis, France
- Webmaster: Christophe Kiennert, Télécom SudParis, France

Program

Monday, September 19, 2016

- 13:15 – 14:00 Registration & Welcome Coffee
- 14:00 – 14:30 Opening Remarks
- 14:30 – 15:30 Keynote by Ahmad-Reza Sadeghi
- 15:30 – 16:00 Coffee Break
- 16:00 – 18:00 Session 1: Systems Security
- 18:00 – 20:00 Cocktail and Poster Session

Tuesday, September 20, 2016

- 9:30 – 10:30 Session 2: Low-level Attacks and Defenses
- 10:30 – 11:00 Coffee Break
- 11:00 – 12:30 Session 3: Measurement Studies
- 12:30 – 14:00 Lunch Break
- 14:00 – 15:30 Session 4: Malware Analysis
- 15:30 – 16:30 Coffee Break
- 16:30 Social Event (shuttle from Evry to Vaux-le-Vicomte)

Wednesday, September 21, 2016

- 9:30 – 10:30 Session 5: Network Security
- 10:30 – 11:00 Coffee Break
- 11:00 – 12:30 Session 6: Systemization of Knowledge and Experience Reports
- 12:30 – 13:30 Lunch Break
- 13:30 – 15:30 Session 7: Web & Mobile Security
- 15:30 Closing Remarks & Farewell Coffee

Monday, September 19, 2016

REGISTRATION

13:15 – 14:00 Registration & Welcome Coffee

OPENING

14:00 – 14:30 Opening Remarks

KEYNOTE

14:30 – 15:30 Everything You Code Can and Will be Re-used Against You: On the Challenges of Mitigating Code-Reuse Exploits
Ahmad-Reza Sadeghi (Technische Universität Darmstadt)

Bio: Ahmad-Reza Sadeghi is a full professor of Computer Science at the TU Darmstadt, Germany. He is the head of the Systems Security Lab at the Cybersecurity Research Center of TU Darmstadt. Since January 2012 he is also the director of the Intel Collaborative Research Institute for Secure Computing (ICRI-SC) at TU Darmstadt. He holds a Ph.D. in Computer Science from the University of Saarland, Germany. Prior to academia, he worked in R&D of Telecommunications enterprises, amongst others Ericsson Telecommunications. He has been continuously contributing to security and privacy research. For his influential research on Trusted and Trustworthy Computing he received the renowned German “Karl Heinz Beckurts” award. This award honors excellent scientific achievements with high impact on industrial innovations in Germany.

He is Editor-In-Chief of IEEE Security and Privacy Magazine, and on the editorial board of ACM Books. He served 5 years on the editorial board of the ACM Transactions on Information and System Security (TISSEC), and was guest editor of the IEEE Transactions on Computer-Aided Design (Special Issue on Hardware Security and Trust).

Abstract: Memory corruption and memory disclosure vulnerabilities are still a persistent source of threats against software systems, although known for over two decades. The main problem is that modern software still contains vast amount of unsafe, legacy code. Moreover, exploitation techniques are rapidly evolving and often incorporate increasingly sophisticated techniques, which can be used to bypass all widely deployed countermeasures such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR). This has recently motivated many researchers in academia and industry to make considerable efforts on improving defenses against modern code-reuse exploits. It seems that there is a strong desire in our community to build secure systems from unsafe code! Hence, many software-hardening solutions have been proposed, some of which are based on hardware support. Recently Intel has released new specification on Control-Flow Enforcement Technology (CET) for x86/x64 to mitigate code-reuse techniques.

However, even though these solutions significantly raise the bar for exploitation, new attacks are continually discovered, and no ultimate solution seems to be in sight.

This talk gives an overview of the continuing arms race between code-reuse attacks and mitigation techniques and their nuances, particularly the hardware-based defenses. We then highlight and discuss the effectiveness and usefulness of recent approaches. The game is not over yet.

15:30 – 16:00 Coffee Break

SESSION 1: SYSTEMS SECURITY

SESSION CHAIR: PETROS EFSTATHOPOULOS

16:00 – 16:30 GRIM: Leveraging GPUs for Kernel Integrity Monitoring
Lazaros Koromilas, Giorgos Vasiliadis (Qatar Computing Research Institute, HBKU), Elias Athanasopoulos (VU University Amsterdam), Sotiris Ioannidis (FORTH)

16:30 – 17:00 Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory
Marius Muench (Eurecom), Fabio Pagani (Eurecom), Yan Shoshitaishvili (University of California, Santa Barbara), Christopher Kruegel (University of California, Santa Barbara), Giovanni Vigna (University of California, Santa Barbara), Davide Balzarotti (Eurecom)

17:00 – 17:30 Automatic Uncovering of Tap Points From Kernel Executions
Junyuan Zeng (University of Texas at Dallas), Yangchun Fu (University of Texas at Dallas), Zhiqiang Lin (University of Texas at Dallas)

17:30 – 18:00 Detecting Stack Layout Corruptions with Robust Stack Unwinding
Yangchun Fu (University of Texas at Dallas), Junghwan Rhee (NEC Laboratories America), Zhiqiang Lin (University of Texas at Dallas), Zhichun Li (NEC Laboratories America), Hui Zhang (NEC Laboratories America), Guofei Jiang (NEC Laboratories America)

COCKTAIL & POSTER SESSION

18:00 – 20:00 Cocktail & Poster Session

Tuesday, September 20, 2016

SESSION 2: LOW-LEVEL ATTACKS AND DEFENSES

SESSION CHAIR: HERVÉ DEBAR

09:30 – 10:00 APDU-level attacks in PKCS#11 devices
Claudio Bozzato (Ca’ Foscari University, Venice), Riccardo Focardi (Ca’ Foscari University, Venice and Cryptosense, Paris), Francesco Palmarini (Ca’ Foscari University, Venice), Graham Steel (Cryptosense, Paris)

10:00 – 10:30 CloudRadar: A Real-Time Side-Channel Attack Detection System in Clouds
Tianwei Zhang (Princeton University), Yinqian Zhang (Ohio State University), Ruby B. Lee (Princeton University)

10:30 – 11:00 Coffee Break

SESSION 3: MEASUREMENT STUDIES

SESSION CHAIR: ROBERTO PERDISCI

11:00 – 11:30 The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges
Kurt Thomas (Google), Rony Amira (Google), Adi Ben-Yoash (Google), Ari Berger (Google), Ori Folger (Google), Amir Hardon (Google), Elie Bursztein (Google), Michael Bailey (University of Illinois at Urbana-Champaign)

11:30 – 12:00 SANDPRINT: Fingerprinting Malware Sandboxes to Provide Intelligence for Sandbox Evasion
Akira Yokoyama (Yokohama National University), Kou Ishii (Yokohama National University), Rui Tanabe (Yokohama National University), Yinmin Papa (Yokohama National University), Katsunari Yoshioka (Yokohama National University), Tsutomu Matsumoto (Yokohama National University), Takahiro Kasama (National Institute of Information and Communications Technology), Daisuke Inoue (National Institute of Information and Communications Technology), Michael Brengel (CISPA, Saarland University), Michael Backes (CISPA, Saarland University & MPI-SWS), Christian Rossow (CISPA, Saarland University)

12:00 – 12:30 Enabling Network Security Through Active DNS Datasets
Athanasios Kountouras (Georgia Institute of Technology), Panagiotis Kintis (Georgia Institute of Technology), Chaz Lever (Georgia Institute of Technology), Yizheng Chen (Georgia Institute of Technology), Yacin Nadji (Netrisk), David Dagon (Georgia Institute of Technology), Manos Antonakakis (Georgia Institute of Technology), Rodney Joffe (Neustar)

12:30 – 14:00 Lunch Break

SESSION 4: MALWARE ANALYSIS

SESSION CHAIR: ZHIQIANG LIN

14:00 – 14:30 A Formal Framework for Environmentally Sensitive Malware
Jeremy Blackthorne (Rensselaer Polytechnic Institute), Benjamin Kaiser (Rensselaer Polytechnic Institute), Bülent Yener (Rensselaer Polytechnic Institute)

14:30 – 15:00 AVClass: A Tool for Massive Malware Labeling
Marcos Sebastián (IMDEA Software Institute), Richard Rivera (IMDEA Software Institute & Universidad Politécnica de Madrid), Platon Kotzias (IMDEA Software Institute & Universidad Politécnica de Madrid), Juan Caballero (IMDEA Software Institute)

15:00 – 15:30 Semantics-Preserving Dissection of JavaScript Exploits via Dynamic JS-Binary Analysis
Xunchao Hu (Syracuse University), Aravind Prakash (Binghamton University), Jinghan Wang (Syracuse University), Rundong Zhou (Syracuse University), Yao Cheng (Syracuse University), Heng Yin (Syracuse University)

15:30 – 16:30 Coffee Break

SOCIAL EVENT

16:30 Departure to Vaux-le-Vicomte (shuttle from Evry to Vaux-le-Vicomte, visit of the castle and conference dinner)

Wednesday, September 21, 2016

SESSION 5: NETWORK SECURITY

SESSION CHAIR: MARC DACIER

9:30 – 10:00 The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection
Adrian Dabrowski (SBA Research), Georg Petzl (T-Mobile Austria), Edgar R. Weippl (SBA Research)

10:00 – 10:30 On the Feasibility of TTL-based Filtering for DRDoS Mitigation
Michael Backes (CISPA, Saarland University & MPI-SWS), Thorsten Holz (Horst Görtz Institute for IT-Security, Ruhr University Bochum), Christian Rossow (CISPA, Saarland University), Teemu Rytilahti (Horst Görtz Institute for IT-Security, Ruhr University Bochum), Milivoj Simeonovski (CISPA, Saarland University), Ben Stock (CISPA, Saarland University)

10:30 – 11:00 Coffee Break

SESSION 6: SYSTEMATIZATION OF KNOWLEDGE AND EXPERIENCE REPORTS

SESSION CHAIR: CHRISTIAN ROSSOW

11:00 – 11:30 A Look into 30 Years of Malware Development from a Software Metrics Perspective
Alejandro Calleja (Universidad Carlos III de Madrid), Juan Tapiador (Universidad Carlos III de Madrid), Juan Caballero (IMDEA Software Institute)

11:30 – 12:00 Small Changes, Big Changes: An Updated View on the Android Permission System
Yury Zhauniarovich (Qatar Computing Research Institute, HBKU), Olga Gadyatskaya (SnT, University of Luxembourg)

12:00 – 12:30 Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service
Arman Noroozian (Delft University of Technology, The Netherlands), Maciej Korczyński (Delft University of Technology, The Netherlands), Carlos Hernandez Gañan (Delft University of Technology, The Netherlands), Daisuke Makita (Yokohama National University, National Institute of Information and Communications Technology, Japan), Katsunari Yoshioka (Yokohama National University, Japan), Michel van Eeten (Delft University of Technology, The Netherlands)

12:30 – 13:30 Lunch Break

SESSION 7: WEB & MOBILE SECURITY

13:30 – 14:00 Uses and Abuses of Server-Side Requests
Giancarlo Pellegrino (Saarland University), Onur Catakoglu (Eurecom), Davide Balzarotti (Eurecom), Christian Rossow (Saarland University)

14:00 – 14:30 Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Sajjad Arshad (Northeastern University), Amin Kharraz (Northeastern University), William Robertson (Northeastern University)

14:30 – 15:00 Trellis: Privilege Separation for Multi-User Applications Made Easy
Andrea Mambretti (Northeastern University), Kaan Onarlioglu (Northeastern University), Collin Mulliner (Northeastern University), William Robertson (Northeastern University), Engin Kirda (Northeastern University), Federico Maggi (Politecnico di Milano), Stefano Zanero (Politecnico di Milano)

15:00 – 15:30 Blender: Self-randomizing Address Space Layout for Android Apps
Mingshen Sun (The Chinese University of Hong Kong), John C.S. Lui (The Chinese University of Hong Kong), Yajin Zhou (Qihoo 360 Technology Co. Ltd.)

15:30 Closing Remarks & Farewell Coffee

Télécom SudParis

9 rue Charles Fourier
91011 Evry Cedex
France

Tel.: +33(0)1 60 76 40 40
www.telecom-sudparis.eu