Visible to the public Biblio

Filters: Author is Lindemann, Jens  [Clear All Filters]
2019-01-31
Lindemann, Jens, Fischer, Mathias.  2018.  A Memory-Deduplication Side-Channel Attack to Detect Applications in Co-Resident Virtual Machines. Proceedings of the 33rd Annual ACM Symposium on Applied Computing. :183–192.

Virtualization offers the possibility of hosting services of multiple customers on shared hardware. When more than one Virtual Machine (VM) run on the same host, memory deduplication can save physical memory by merging identical pages of the VMs. However, this comes at the cost of leaking information between VMs. Based on that, we propose a novel timing-based side-channel attack that allows to identify software versions running in co-resident VMs or on the host. Our attack tests for the existence of memory pages in co-resident VMs that are unique among all versions of the respective software. Our evaluation results indicate that with few repetitions of our attack we can precisely identify software versions within reasonable time frames.

2017-06-05
Kirchler, Matthias, Herrmann, Dominik, Lindemann, Jens, Kloft, Marius.  2016.  Tracked Without a Trace: Linking Sessions of Users by Unsupervised Learning of Patterns in Their DNS Traffic. Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. :23–34.

Behavior-based tracking is an unobtrusive technique that allows observers to monitor user activities on the Internet over long periods of time – in spite of changing IP addresses. Previous work has employed supervised classifiers in order to link the sessions of individual users. However, classifiers need labeled training sessions, which are difficult to obtain for observers. In this paper we show how this limitation can be overcome with an unsupervised learning technique. We present a modified k-means algorithm and evaluate it on a realistic dataset that contains the Domain Name System (DNS) queries of 3,862 users. For this purpose, we simulate an observer that tries to track all users, and an Internet Service Provider that assigns a different IP address to every user on every day. The highest tracking accuracy is achieved within the subgroup of highly active users. Almost all sessions of 73% of the users in this subgroup can be linked over a period of 56 days. 19% of the highly active users can be traced completely, i.e., all their sessions are assigned to a single cluster. This fraction increases to 40% for shorter periods of seven days. As service providers may engage in behavior-based tracking to complement their existing profiling efforts, it constitutes a severe privacy threat for users of online services. Users can defend against behavior-based tracking by changing their IP address frequently, but this is cumbersome at the moment.