Aubrey Alston

CR
6 papers
10 citations
Novelty 18%
AI Score 13

6 Papers

CR · Jul 1, 2017
On the Cryptanalysis via Approximation of Cryptographic Primitives Relying on the Planted Clique Conjecture

Aubrey Alston, Yanrong Wo

While the reliable use of some NP-complete problem in tandem with the assumption that P is not equal to NP has eluded cryptographers due to lack of results showing average-case hardness, one alternative which has been explored is reliance on assumptions that solving certain NP-hard optimization problems within some degree of accuracy is computationally difficult in specific instance classes. In this work, we explore one such example of this effort which attempts to provide cryptographic primitives by relying on the planted clique conjecture. More specifically, we (1) present this construction in summary, (2) propose a simple cryptanalytic method using only approximation algorithms, and (3) consider the feasibility of such cryptanalysis in the context of existing approximation algorithms for the maximum clique problem. We ultimately find that recent advances in the area of combinatoric approximation algorithms fatally hinder the prospect of any serious application of existing candidate constructions based upon the planted clique conjecture.

CR · Jul 1, 2017
A Steganographic Design Paradigm for General Steganographic Objectives

Aubrey Alston

Steganography is the task of concealing a message within a medium such that the presence of the hidden message cannot be detected. Beyond the standard scope of private-key steganography, steganography is also potentially interesting from other perspectives; for example, the prospect of steganographic parallels to components in public-key cryptography is particularly interesting. In this project, I begin with an exploration of public-key steganography, and I continue by condensing existing work into a unifying design paradigm that (a) admits provably secret public- and private-key constructions and (b) provides for a conceptual decoupling of channel considerations and steganographic goals, ultimately implying both universal constructions and constructions with channel-specific optimizations. This work is by-and-large a survey of applications of this paradigm: specifically, I use the framework to achieve provably secure distributed steganography, obtain new public-key steganographic constructions using alternative assumptions, and give discussion of channel-specific optimizations allowed by cryptography as a channel and natural language channels and challenges facing practical deployment of steganographic systems at scale.

CR · Jul 1, 2017
Achieving Efficient and Provably Secure Steganography in Practice

Aubrey Alston

Steganography is the task of concealing a message within a medium such that the presence of the hidden message cannot be detected. Though the prospect of steganography is conceivably interesting in many contexts, and though work has been done both towards formalizing steganographic security and providing provably secure constructions, little work exists attempting to provide efficient and provably secure steganographic schemes in specific, useful domains. Beginning from the starting point of the initial definition of steganographic security, I have engaged in an exploration which has developed to include two primary tasks, both pointing towards the realization of efficient and secure steganographic systems in practice: (a) investigating the syntactic and semantic applicability of the current formalism of steganographic security to a broader range of potentially interesting domains and (b) constructing and implementing provably secure (symmetric-key) steganographic schemes in domains which are well-suited to the current formalism.

CR · May 17, 2017
Attribute-based Encryption for Attribute-based Authentication, Authorization, Storage, and Transmission in Distributed Storage Systems

Aubrey Alston

Attribute-based encryption is a form of encryption which offers the capacity to encrypt data such that it is only accessible to individuals holding a satisfactory configuration of attributes. As cloud and distributed computing become more pervasive in both private and public spheres, attribute-based encryption holds potential to address the issue of achieving secure authentication, authorization, and transmission in these environments where performance must scale with security while also supporting fine-grained access control among a massively large number of consumers. With this work, we offer an example generic configurable stateless protocol for secure attribute-based authentication, authorization, storage, and transmission in distributed storage systems based upon ciphertext-policy attribute-based encryption (CP-ABE), discuss the experience of implementing a distributed storage system around this protocol, and present future avenues of work enabled by such a protocol. The key contribution of this work is an illustration of a means by which any CP-ABE system may be utilized in a black-box manner for attribute-based authentication and cryptographically enforced attribute-based access control in distributed storage systems.

CR · May 16, 2017
Concolic Execution as a General Method of Determining Local Malware Signatures

Aubrey Alston

A commonly shared component of antivirus suites is a local database of malware signatures that is used during the static analysis process. Despite possible encryption, heuristic obfuscation, or attempts to hide this database from malicious end-users (or competitors), a currently avoidable eventuality for offline static analysis is a need to use the contents of the database in local computation to detect malicious files. This work serves as a preliminary exploration of the use of concolic execution as a general-case technique for reverse-engineering malware signature database contents: indeed, the existence of a practical technique to such an end would certainly require the use of true (in the sense of provable security) obfuscation in order for malware databases to remain private against capable attackers--a major obstacle given the scarcity of truly practical secure obfuscation constructions. Our work, however, only shows that existing tools (at the time of this report) for concolic execution have severe limitations which prevent the realization of this strategy.

CR · May 13, 2017
Extending the Metasploit Framework to Implement an Evasive Attack Infrastructure

Aubrey Alston

Given a desired goal of testing the capabilities of mainstream antivirus software against evasive malicious payloads delivered via drive-by download, this work aims to extend the functionality of Metasploit--the penetration testing suite of choice--in a three-fold manner: (1) to allow it to dynamically generate evasive forms of Metasploit-packaged malicious binaries, (2) to provide an evasive means of delivering said executables through a drive-by download-derived attack vector, and (3) to coordinate the previous two functionalities in a manner which can be used to produce reproducible tests within the SPICE framework