CyLab faculty, students to present at NDSS Symposium 2025
Michael Cunningham
Jan 28, 2025
Carnegie Mellon faculty and students will present on a wide range of topics at the 32nd Annual Network and Distributed System Security (NDSS) Symposium. Held at Wyndham San Diego Bayside from February 24th through the 28th, the event fosters information exchange among researchers and practitioners of network and distributed system security.
Bringing together hundreds of security educators, researchers and practitioners from all over the world, the NDSS Symposium encourages and enables the Internet community to apply, deploy, and advance the state of available security technologies.
Here, we've compiled a list of the papers co-authored by CyLab Security and Privacy Institute members that are being presented at the event.
Heimdall: Towards Risk-Aware Network Management Outsourcing
Yuejie Wang, Peking University; Qiutong Men, New York University; Yongting Chen, New York University Shanghai; Jiajin Liu, New York University Shanghai; Gengyu Chen, Carnegie Mellon University; Ying Zhang, Meta; Guyue Liu, Peking University; Vyas Sekar, Carnegie Mellon University
Abstract: Enterprises are increasingly outsourcing network management (e.g., troubleshooting routing issues) to reduce cost and improve efficiency, either by hiring third-party contractors or by outsourcing to third-party vendors. Unfortunately, recent events have shown that this outsourcing model has become a new source of network incidents in customer networks. In this work, we argue that a risk-aware outsourcing approach is needed that enables customers to measure and assess risk transparently and make informed decisions to minimize harm. We first concretely define the notion of risk in the context of outsourced network management and then present an end-to-end framework, called Heimdall, which enables enterprises to assess, monitor, and respond to risk. Heimdall automatically builds a dependency graph to accurately assess the risk of an outsourced task, and uses a fine-grained reference monitor to monitor and mitigate potential risks during operation. Our expert validation results show that Heimdall effectively controls risk for outsourced network operations, resolving 92% of practical issues at the minimal risk level while incurring only a marginal timing overhead of approximately 7%.
Transparency or Information Overload? Evaluating Users’ Comprehension and Perceptions of the iOS App Privacy Report
Xiaoyuan Wu, Lydia Hu, Eric Zeng, Hana Habib, Lujo Bauer, Carnegie Mellon University
Abstract: Apple’s App Privacy Report (“privacy report”), released in 2021, aims to inform iOS users about apps’ access to their data and sensors (e.g., contacts, camera) and, unlike other privacy dashboards, what domains are contacted by apps and websites. To evaluate the effectiveness of the privacy report, we conducted semi-structured interviews (n = 20) to examine users’ reactions to the information, their understanding of relevant privacy implications, and how they might change their behavior to address privacy concerns. Participants easily understood which apps accessed data and sensors at certain times on their phones, and knew how to remove an app’s permissions in case of unexpected access. In contrast, participants had difficulty understanding apps’ and websites’ network activities. They were confused about how and why network activities occurred, overwhelmed by the number of domains their apps contacted, and uncertain about what remedial actions they could take against potential privacy threats. While the privacy report and similar tools can increase transparency by presenting users with details about how their data is handled, we recommend providing more interpretation or aggregation of technical details, such as the purpose of contacting domains, to help users make informed decisions.
The Kids Are All Right: Investigating the Susceptibility of Teens and Adults to YouTube Giveaway Scams
Elijah Bouma-Sims, Lily Klucinec, Mandy Lanyon, Julie Downs, Lorrie Faith Cranor, Carnegie Mellon University
Abstract: Fraudsters often use the promise of free goods as a lure for victims who are convinced to complete online tasks but ultimately receive nothing. Despite much work characterizing these “giveaway scams,” no human subjects research has investigated how users interact with them or what factors impact victimization. We conducted a scenario-based experiment with a sample of American teenagers (n = 85) and adult crowd workers (n = 205) in order to investigate how users reason about and interact with giveaway scams advertised in YouTube videos and to determine whether teens are more susceptible than adults. We found that most participants recognized the fraudulent nature of the videos, with only 9.2% believing the scam videos offered legitimate deals. Teenagers did not fall victim to the scams more frequently than adults but reported more experience searching for terms that could lead to victimization. This study is among the first to compare the interactions of adult and teenage users with internet fraud and sheds light on an understudied area of social engineering.
NodeMedic-FINE: Automatic Detection and Exploit Synthesis for Node.js Vulnerabilities
Darion Cassel, Carnegie Mellon University; Nuno Sabino, IST and Carnegie Mellon University; Min-Chien Hsu, Ruben Martins, Limin Jia, Carnegie Mellon University
Abstract: The Node.js ecosystem comprises millions of packages written in JavaScript. Many packages suffer from vulnerabilities such as arbitrary code execution (ACE) and arbitrary command injection (ACI). Prior work has developed automated tools based on dynamic taint tracking to detect potential vulnerabilities, and to synthesize proof-of-concept exploits that confirm them, with limited success.
One challenge these tools face is that expected inputs to package APIs often have varied types and object structure. Failure to call these APIs with inputs of the correct type and with specific fields leads to unsuccessful exploit generation and missed vulnerabilities. Generating inputs that can successfully deliver the desired exploit payload despite manipulation performed by the package is also difficult.
To address these challenges, we use a type and object-structure aware fuzzer to generate inputs to explore more execution paths during dynamic taint analysis. We leverage information generated by the taint analysis to infer the types and structure of the inputs, which are then used by the exploit synthesis engine to guide exploit generation. We implement NodeMedic-FINE and evaluate it on 33,011 npm packages that contain calls to ACE and ACI sinks. Our tool finds 2257 potential flows and automatically synthesizes working exploits in 766 packages.