
1 Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems
USENIX 2009
Kehuan Zhang, Indiana University, Bloomington
XiaoFeng Wang, Indiana University, Bloomington

2 Agenda
- Overview
- Assumption
- Implementation
- Experiment
- Conclusion

3 Overview
- Commands such as ps or top need some information about processes
- The virtual file system procfs, which discloses such information, is located at /proc/ /stat
- Our attack takes advantage of the stack information of a process to infer keystrokes, specifically ESP and EIP

4 Overview (cont.)
- Commands such as ps or top need some information about processes
- The virtual file system procfs, which discloses such information, is located at /proc/ /stat
- Our attack takes advantage of the stack information of a process to infer keystrokes, specifically ESP and EIP
Fig. 1: The sketch of keystroke extraction and recognition
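An administrator can check whether a host still discloses these two values to unprivileged users. The following audit sketch is an added example, not code from the presentation or its authors. It assumes the field numbering documented in proc(5) (29 = kstkesp, 30 = kstkeip, shown as 0 when the kernel masks them); the function names and the sample lines are constructed for illustration.

```python
import os

# Field numbers from proc(5): 29 = kstkesp (ESP), 30 = kstkeip (EIP).
# A kernel that restricts them reports 0 to callers without ptrace-read access.
KSTKESP_FIELD, KSTKEIP_FIELD = 29, 30


def parse_stat(line):
    """Split one stat line into pid, comm and the fields after comm."""
    # comm may contain spaces or ')', so split on the LAST ')'.
    open_paren, close_paren = line.index("("), line.rindex(")")
    rest = line[close_paren + 1:].split()  # rest[0] is field 3 (state)
    return int(line[:open_paren]), line[open_paren + 1:close_paren], rest


def audit(lines):
    """Return [(pid, comm)] for each line whose ESP or EIP is non-zero."""
    findings = []
    for line in lines:
        pid, comm, rest = parse_stat(line)
        if len(rest) < KSTKEIP_FIELD - 2:
            raise ValueError("stat line too short for kstkesp/kstkeip")
        esp, eip = int(rest[KSTKESP_FIELD - 3]), int(rest[KSTKEIP_FIELD - 3])
        if esp or eip:
            findings.append((pid, comm))
    return findings


def audit_live(proc_root="/proc"):
    """Audit processes owned by other users, as seen by the current user."""
    lines = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        path = os.path.join(proc_root, entry)
        try:
            if os.stat(path).st_uid != os.getuid():
                with open(os.path.join(path, "stat")) as fh:
                    lines.append(fh.read())
        except OSError:
            continue  # process exited, or hidden from this user
    return audit(lines)


def make_line(pid, comm, esp, eip):
    """Build a constructed stat line: fields 3-28 are filler, then 29 and 30."""
    return f"{pid} ({comm}) S " + "0 " * 25 + f"{esp} {eip}"


# Constructed sample input (not captured from a real system).
SAMPLE = [make_line(4021, "vim", 3213891234, 3086741232),
          make_line(4100, "my (odd) app", 0, 0)]
```

Running audit_live() as an unprivileged account should return an empty list on a host where the kernel masks both fields for other users' processes.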

5 Assumption
- Capability to execute programs
- Multi-core system
- Access to the victim's information
- The attacker can obtain some of the victim's typing samples as training data

6 Implementation
- Pattern extraction
- Trace logging
- Get inter-timing
- Keystroke analysis
Fig. 1: The sketch of keystroke extraction and recognition

7 Implementation
- Pattern extraction
- Trace logging
- Get inter-timing
- Keystroke analysis
Fig. 2: Steps about keystroke pattern extraction

8 Implementation (cont.)
- Pattern extraction
- Trace logging
- Get inter-timing
- Keystroke analysis
Fig. 3: Steps about trace logging and getting inter-timing

9 Implementation (cont.)
- Pattern extraction
- Trace logging
- Get inter-timing
- Keystroke analysis
Fig. 4: Steps about keystroke analysis

10 Pattern extraction
- Deterministic program
  - The same input causes the same output, such as vim
  - Use strace to get all system call sequences, then extract the difference
  - False positive check
- Non-deterministic program
  - The same input could cause different outputs; almost all GUI programs are non-deterministic
  - Apply an instruction-level analysis tool to the function gtk_main_do_event(event) to get its event

11 Trace logging
- The attacker's shadow program keeps monitoring /proc/ /stat
  - That's why we need a multi-core system
  - However, the log won't be complete
- Avoid detection
  - Decrease the sample rate
  - Hide CPU usage
Fig. 3: Steps about trace logging and getting inter-timing

12 Get inter-timing
- Use the Longest Common Subsequence (LCS) algorithm to compare the log with the pattern
  - Ignore ASLR by normalizing the ESP pattern
- Use a time duration to get only consecutive keystroke patterns
Fig. 5: Pattern matching
Fig. 6: Using time duration

13 Keystroke analysis
- Now we have the inter-timing sequences
- We use a Hidden Markov Model (HMM) to guess what the victim typed and list 4500 candidates
  - N-Viterbi algorithm: use conditional probability
  - Average all probabilities
  - M-N-Viterbi algorithm: use conditional probability
Fig. 4: Steps about keystroke analysis

14 Experiment
- Environment
  - Intel Core 2 Duo E6700, 3GB RAM
  - Red Hat Linux Enterprise 4.0, Debian 4.0, and Ubuntu 8.04
- Evaluation on three public servers
  - A Linux workstation in a public machine room (Server 1)
  - A web server of Indiana University that allows SSH connections from its users (Server 2)
  - A server for students' course projects (Server 3)
  - 72-hour monitoring of these servers, with the number of users ranging from 1 to 24

15 Experiment (cont.)
Fig. 11: CPU usage of three real-world servers during 72 hours
Fig. 10: Percentage of keystrokes detected versus CPU usage

16 Experiment (cont.)
- Speculating passwords
  - Training: 15 training keys, each has 13 letters and 2 digits, 225 key pairs in total. We detect 45 inter-timings for each of these pairs from a user
  - Evaluation: select 3 passwords from the space of all possible 8-byte sequences formed by 15 characters. Our HMM outputs 4500 candidates

17 Experiment (cont.)
- Speculating passwords
  - Training: 15 training keys, each has 13 letters and 2 digits, 225 key pairs in total. We detect 45 inter-timings for each of these pairs from a user
  - Evaluation: select 3 passwords from the space of all possible 8-byte sequences formed by 15 characters. Our HMM outputs 4500 candidates
Fig. 7: Percentage of space to search before finding the right password

18 Experiment (cont.)
- Guess English words
  - Training: use the word frequency of the British National Corpus to compute transition probabilities
  - Evaluation: randomly draw a word from 2103 known words with length 3 to 5, then type it
Fig. 8: Time distribution of letter pairs

19 Experiment (cont.)
- Guess English words
  - Training: use the word frequency of the British National Corpus to compute transition probabilities
  - Evaluation: randomly draw a word from 2103 known words with length 3 to 5, then type it
Fig. 8: Time distribution of letter pairs
Fig. 9: Success rate on English words

20 Conclusion
- Information leak: one can get others' keystrokes without any special permission
- Trade-off between convenience and security
- Contributes a keystroke detection and extraction method for almost all distributions of Linux

21 Future work
- More precise detection method for non-deterministic programs
- A way to detect keystrokes when system calls are not immediately triggered by keystrokes
- Better algorithm to identify English words
- Utilize more information to infer other events, such as mouse movement

22 The End

