Details
ISBN:
(print) 9798400714764
Biometric systems are widely used for authentication and identification. The False Match Rate (FMR) quantifies the probability of matching a biometric template to a non-corresponding template and serves as an indicator of the system's robustness against security threats. We analyze biometric systems through two main contributions. First, we study untargeted attacks, where an adversary aims to impersonate any user in the database. We compute the number of trials needed for a successful impersonation and derive the critical population size (i.e., the maximum database size) and critical FMR required to maintain security against untargeted attacks as the database grows. Second, we address the biometric birthday problem, which quantifies the probability that there exist two distinct users who collide (i.e., can impersonate each other). We compute approximate and exact probabilities of collision and derive the associated critical population size and critical FMR to bound the risk of biometric collisions, particularly in large-scale databases. These thresholds provide actionable insights for designing biometric systems that mitigate the risks of impersonation and biometric collisions, particularly in large-scale databases. Nevertheless, our findings show that current systems fail to meet the required security level against untargeted attacks, even in small databases, and face significant challenges with the biometric birthday problem as databases grow.
Details
ISBN:
(print) 9781450381437
Security measurement helps identify deployment gaps and presents extremely valuable research opportunities. However, such research is often deemed not novel by academia. I will first share my research journey designing and producing a high-precision tool, CryptoGuard, for scanning cryptographic vulnerabilities in large Java projects. That work led us to publish two benchmarks used for systematically assessing state-of-the-art academic and commercial solutions, as well as to help Oracle Labs integrate our detection into their routine scanning. Other specific measurement and deployment cases to discuss include the Payment Card Industry Data Security Standard, which was involved in high-profile data breach incidents, and fine-grained Address Space Layout Randomization (ASLR). The talk will also point out the need for measurement in AI development in the context of code repair. Broadening research styles by accepting and encouraging deployment-related work will help our field progress towards maturity.
Details
ISBN:
(print) 9798400714764
Smart contracts in Decentralized Finance (DeFi) platforms are attractive targets for attacks, as their vulnerabilities can lead to massive financial losses. Flash loan attacks, in particular, pose a major threat to DeFi protocols that hold a Total Value Locked (TVL) exceeding 106 billion. These attacks use the atomicity property of blockchains to drain funds from smart contracts in a single transaction. While existing research primarily focuses on price manipulation attacks, such as oracle manipulation, mitigating non-price flash loan attacks, which often exploit smart contracts' zero-day vulnerabilities, remains largely unaddressed. These attacks are challenging to detect because of their unique patterns, time sensitivity, and complexity. In this paper, we present FlashGuard, a runtime detection and mitigation method for non-price flash loan attacks. Our approach targets smart contract function signatures to identify attacks in real time and counterattacks by disrupting the attack transaction's atomicity, leveraging the short window when transactions are visible in the mempool but not yet confirmed. When FlashGuard detects an attack, it dispatches a stealthy dusting counterattack transaction to miners to change the victim contract's state, which disrupts the attack's atomicity and forces the attack transaction to revert. We evaluate our approach using 20 historical attacks and several unseen attacks. FlashGuard achieves an average real-time detection latency of 150.31 ms, a detection accuracy of over 99.93%, and an average disruption time of 410.92 ms. FlashGuard could have potentially rescued over $405.71 million in losses if it had been deployed prior to these attack instances. FlashGuard demonstrates significant potential as a DeFi security solution to mitigate and handle the rising threat of non-price flash loan attacks.