Cryptography and Security 30
★ LLM Hypnosis: Exploiting User Feedback for Unauthorized Knowledge Injection to All Users
We describe a vulnerability in language models (LMs) trained with user
feedback, whereby a single user can persistently alter LM knowledge and
behavior given only the ability to provide prompts and upvote / downvote
feedback on LM outputs. To implement the attack, the attacker prompts the LM to
stochastically output either a "poisoned" or benign response, then upvotes the
poisoned response or downvotes the benign one. When feedback signals are used
in a subsequent preference tuning behavior, LMs exhibit increased probability
of producing poisoned responses even in contexts without malicious prompts. We
show that this attack can be used to (1) insert factual knowledge the model did
not previously possess, (2) modify code generation patterns in ways that
introduce exploitable security flaws, and (3) inject fake financial news. Our
finding both identifies a new qualitative feature of language model preference
tuning (showing that it even highly restricted forms of preference data can be
used to exert fine-grained control over behavior), and a new attack mechanism
for LMs trained with user feedback (extending work on pretraining-time data
poisoning and deployment-time prompt injection).
★ Visual Contextual Attack: Jailbreaking MLLMs with Image-Driven Context Injection
With the emergence of strong visual-language capabilities, multimodal large
language models (MLLMs) have demonstrated tremendous potential for real-world
applications. However, the security vulnerabilities exhibited by the visual
modality pose significant challenges to deploying such models in open-world
environments. Recent studies have successfully induced harmful responses from
target MLLMs by encoding harmful textual semantics directly into visual inputs.
However, in these approaches, the visual modality primarily serves as a trigger
for unsafe behavior, often exhibiting semantic ambiguity and lacking grounding
in realistic scenarios. In this work, we define a novel setting: visual-centric
jailbreak, where visual information serves as a necessary component in
constructing a complete and realistic jailbreak context. Building on this
setting, we propose the VisCo (Visual Contextual) Attack. VisCo fabricates
contextual dialogue using four distinct visual-focused strategies, dynamically
generating auxiliary images when necessary to construct a visual-centric
jailbreak scenario. To maximize attack effectiveness, it incorporates automatic
toxicity obfuscation and semantic refinement to produce a final attack prompt
that reliably triggers harmful responses from the target black-box MLLMs.
Specifically, VisCo achieves a toxicity score of 4.78 and an Attack Success
Rate (ASR) of 85% on MM-SafetyBench against GPT-4o, significantly outperforming
the baseline, which performs a toxicity score of 2.48 and an ASR of 22.2%. The
code is available at https://github.com/Dtc7w3PQ/Visco-Attack.
comment: 16 pages
★ NVIDIA GPU Confidential Computing Demystified
Zhongshu Gu, Enriquillo Valdez, Salman Ahmed, Julian James Stephen, Michael Le, Hani Jamjoom, Shixuan Zhao, Zhiqiang Lin
GPU Confidential Computing (GPU-CC) was introduced as part of the NVIDIA
Hopper Architecture, extending the trust boundary beyond traditional CPU-based
confidential computing. This innovation enables GPUs to securely process AI
workloads, providing a robust and efficient solution for handling sensitive
data. For end users, transitioning to GPU-CC mode is seamless, requiring no
modifications to existing AI applications. However, this ease of adoption
contrasts sharply with the complexity of the underlying proprietary systems.
The lack of transparency presents significant challenges for security
researchers seeking a deeper understanding of GPU-CC's architecture and
operational mechanisms.
The challenges of analyzing the NVIDIA GPU-CC system arise from a scarcity of
detailed specifications, the proprietary nature of the ecosystem, and the
complexity of product design. In this paper, we aim to demystify the
implementation of NVIDIA GPU-CC system by piecing together the fragmented and
incomplete information disclosed from various sources. Our investigation begins
with a high-level discussion of the threat model and security principles before
delving into the low-level details of each system component. We instrument the
GPU kernel module -- the only open-source component of the system -- and
conduct a series of experiments to identify the security weaknesses and
potential exploits. For certain components that are out of reach through
experiments, we propose well-reasoned speculations about their inner working
mechanisms. We have responsibly reported all security findings presented in
this paper to the NVIDIA PSIRT Team.
★ Early Signs of Steganographic Capabilities in Frontier LLMs
Monitoring Large Language Model (LLM) outputs is crucial for mitigating risks
from misuse and misalignment. However, LLMs could evade monitoring through
steganography: Encoding hidden information within seemingly benign generations.
In this paper, we evaluate the steganography capabilities in frontier LLMs to
better understand the risk they pose. We focus on two types of steganography:
passing encoded messages and performing encoded reasoning. We find that current
models are unable to encode short messages in their outputs without a monitor
noticing under standard affordances. They can succeed, however, if given
additional affordances such as using an unmonitored scratchpad and coordinating
on what encoding scheme to use. We additionally find early signs that models
can perform basic encoded reasoning in a simple state-tracking problem. This
includes some ability to reason with their own and pre-defined schemes,
including encoding schemes such as Hexadecimal. Despite this, they can rarely
hide reasoning subtly within a cover task to fool a monitor. Overall, our
results indicate that current LLMs exhibit nascent steganographic capabilities.
While these capabilities are likely insufficient to bypass well-designed
monitors at present, this could change in the future.
★ Meta SecAlign: A Secure Foundation LLM Against Prompt Injection Attacks
Prompt injection attacks pose a significant security threat to LLM-integrated
applications. Model-level defenses have shown strong effectiveness, but are
currently deployed into commercial-grade models in a closed-source manner. We
believe open-source models are needed by the AI security community, where
co-development of attacks and defenses through open research drives scientific
progress in mitigation against prompt injection attacks. To this end, we
develop Meta SecAlign, the first open-source and open-weight LLM with built-in
model-level defense that achieves commercial-grade model performance. We
provide complete details of our training recipe, which utilizes an improved
version of the SOTA SecAlign defense. Evaluations on 9 utility benchmarks and 7
security benchmarks show that Meta SecAlign, despite being trained on a generic
instruction-tuning dataset, confers security in unseen downstream tasks,
including tool-calling and agentic web navigation, in addition general
instruction-following. Our best model -- Meta-SecAlign-70B -- achieves
state-of-the-art robustness against prompt injection attacks and comparable
utility to closed-source commercial LLM with model-level defense.
★ Quantifying Classifier Utility under Local Differential Privacy
Local differential privacy (LDP) provides a rigorous and quantifiable privacy
guarantee for personal data by introducing perturbation at the data source.
However, quantifying the impact of these perturbations on classifier utility
remains a theoretical challenge, particularly for complex or black-box
classifiers.
This paper presents a framework for theoretically quantifying classifier
utility under LDP mechanisms. The key insight is that LDP perturbation is
concentrated around the original data with a specific probability, transforming
utility analysis of the classifier into its robustness analysis in this
concentrated region. Our framework connects the concentration analysis of LDP
mechanisms with the robustness analysis of classifiers. It treats LDP
mechanisms as general distributional functions and classifiers as black-box
functions, thus applicable to any LDP mechanism and classifier. A direct
application of our utility quantification is guiding the selection of LDP
mechanisms and privacy parameters for a given classifier. Notably, our analysis
shows that a piecewise-based mechanism leads to better utility compared to
alternatives in common scenarios.
Using this framework alongside two novel refinement techniques, we conduct
case studies on utility quantification for typical mechanism-classifier
combinations. The results demonstrate that our theoretical utility
quantification aligns closely with empirical observations, particularly when
classifiers operate in lower-dimensional input spaces.
★ Control at Stake: Evaluating the Security Landscape of LLM-Driven Email Agents
The increasing capabilities of LLMs have led to the rapid proliferation of
LLM agent apps, where developers enhance LLMs with access to external resources
to support complex task execution. Among these, LLM email agent apps represent
one of the widely used categories, as email remains a critical communication
medium for users. LLM email agents are capable of managing and responding to
email using LLM-driven reasoning and autonomously executing user instructions
via external email APIs (e.g., send email). However, despite their growing
deployment and utility, the security mechanism of LLM email agent apps remains
underexplored. Currently, there is no comprehensive study into the potential
security risk within these agent apps and their broader implications.
In this paper, we conduct the first in-depth and systematic security study of
LLM email agents. We propose the Email Agent Hijacking (EAH) attack, which
overrides the original prompts of the email agent via external email resources,
allowing attackers to gain control of the email agent remotely and further
perform specific attack scenarios without user awareness.
To facilitate the large-scale evaluation, we propose EAHawk, a pipeline to
evaluate the EAH attack of LLM email agent apps. By EAHawk, we performed an
empirical study spanning 14 representative LLM agent frameworks, 63 agent apps,
12 LLMs, and 20 email services, which led to the generation of 1,404 real-world
email agent instances for evaluation. Experimental results indicate that all
1,404 instances were successfully hijacked; on average, only 2.03 attack
attempts are required to control an email agent instance. Even worse, for some
LLMs, the average number of attempts needed to achieve full agent control drops
to as few as 1.23.
★ SAT-BO: Verification Rule Learning and Optimization for FraudTransaction Detection
Electronic payment platforms are estimated to process billions oftransactions
daily, with the cumulative value of these transactionspotentially reaching into
the trillions. Even a minor error within thishigh-volume environment could
precipitate substantial financiallosses. To mitigate this risk, manually
constructed verification rules,developed by domain experts, are typically
employed to identifyand scrutinize transactions in production environments.
However,due to the absence of a systematic approach to ensure the robust-ness
of these verification rules against vulnerabilities, they remainsusceptible to
exploitation.To mitigate this risk, manually constructed verification rules,
de-veloped by domain experts, are typically employed to identify andscrutinize
transactions in production environments. However, dueto the absence of a
systematic approach to ensure the robustness ofthese verification rules against
vulnerabilities, they remain suscep-tible to exploitation. To ensure data
security, database maintainersusually compose complex verification rules to
check whether aquery/update request is valid. However, the rules written by
ex-perts are usually imperfect, and malicious requests may bypassthese rules.
As a result, the demand for identifying the defects ofthe rules systematically
emerges.
★ Access Control Threatened by Quantum Entanglement
Access control is a cornerstone of computer security that prevents
unauthorised access to resources. In this paper, we study access control in
quantum computer systems. We present the first explicit scenario of a security
breach when a classically secure access control system is straightforwardly
adapted to the quantum setting. The breach is ultimately due to that quantum
mechanics allows the phenomenon of entanglement and violates Mermin inequality,
a multi-party variant of the celebrated Bell inequality. This reveals a threat
from quantum entanglement to access control if existing computer systems
integrate with quantum computing. To protect against such threat, we propose
several new models of quantum access control, and rigorously analyse their
security, flexibility and efficiency.
comment: 23 pages, 10 figures
★ Alleviating Attack Data Scarcity: SCANIA's Experience Towards Enhancing In-Vehicle Cyber Security Measures
The digital evolution of connected vehicles and the subsequent security risks
emphasize the critical need for implementing in-vehicle cyber security measures
such as intrusion detection and response systems. The continuous advancement of
attack scenarios further highlights the need for adaptive detection mechanisms
that can detect evolving, unknown, and complex threats. The effective use of
ML-driven techniques can help address this challenge. However, constraints on
implementing diverse attack scenarios on test vehicles due to safety, cost, and
ethical considerations result in a scarcity of data representing attack
scenarios. This limitation necessitates alternative efficient and effective
methods for generating high-quality attack-representing data. This paper
presents a context-aware attack data generator that generates attack inputs and
corresponding in-vehicle network log, i.e., controller area network (CAN) log,
representing various types of attack including denial of service (DoS), fuzzy,
spoofing, suspension, and replay attacks. It utilizes parameterized attack
models augmented with CAN message decoding and attack intensity adjustments to
configure the attack scenarios with high similarity to real-world scenarios and
promote variability. We evaluate the practicality of the generated
attack-representing data within an intrusion detection system (IDS) case study,
in which we develop and perform an empirical evaluation of two deep neural
network IDS models using the generated data. In addition to the efficiency and
scalability of the approach, the performance results of IDS models, high
detection and classification capabilities, validate the consistency and
effectiveness of the generated data as well. In this experience study, we also
elaborate on the aspects influencing the fidelity of the data to real-world
scenarios and provide insights into its application.
★ De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks ICML 2025
The rapid advancement of speech generation models has heightened privacy and
security concerns related to voice cloning (VC). Recent studies have
investigated disrupting unauthorized voice cloning by introducing adversarial
perturbations. However, determined attackers can mitigate these protective
perturbations and successfully execute VC. In this study, we conduct the first
systematic evaluation of these protective perturbations against VC under
realistic threat models that include perturbation purification. Our findings
reveal that while existing purification methods can neutralize a considerable
portion of the protective perturbations, they still lead to distortions in the
feature space of VC models, which degrades the performance of VC. From this
perspective, we propose a novel two-stage purification method: (1) Purify the
perturbed speech; (2) Refine it using phoneme guidance to align it with the
clean speech distribution. Experimental results demonstrate that our method
outperforms state-of-the-art purification methods in disrupting VC defenses.
Our study reveals the limitations of adversarial perturbation-based VC defenses
and underscores the urgent need for more robust solutions to mitigate the
security and privacy risks posed by VC. The code and audio samples are
available at https://de-antifake.github.io.
comment: Accepted by ICML 2025
★ Real-Time Monitoring and Transparency in Pizza Production Using IoT and Blockchain
This paper presents a blockchain-based Internet of Things (IoT) system for
monitoring pizza production in restaurants. IoT devices track temperature and
humidity in real-time, while blockchain ensures secure and tamper-proof data. A
Raspberry Pi processes sensor data, captures images, triggers alerts, and
interacts with smart contracts. The system detects abnormal conditions,
enabling quick responses. Blockchain adds transparency and traceability,
supporting compliance and audits. Experiments show improved ingredient
management, reduced waste, and increased kitchen efficiency.
comment: 2 pages
★ A 10-bit S-box generated by Feistel construction from cellular automata
We propose a new 10-bit S-box generated from a Feistel construction. The
subpermutations are generated by a 5-cell cellular automaton based on a unique
well-chosen rule and bijective affine transformations. In particular, the
cellular automaton rule is chosen based on empirical tests of its ability to
generate good pseudorandom output on a ring cellular automaton. Similarly,
Feistel's network layout is based on empirical data regarding the quality of
the output S-box. We perform cryptanalysis of the generated 10-bit S-box, and
we find security properties comparable to or sometimes even better than those
of the standard AES S-box. We believe that our S-box could be used to replace
the 5-bit substitution of ciphers like ASCON.
★ Effectively Identifying Wi-Fi Devices through State Transitions
Wi-Fi management frames reveal structured communication patterns that persist
even under randomization of MAC addresses. Prior approaches to associating
randomized MAC addresses with devices primarily focus on probe requests,
overlooking the broader set of management frames and their transition dynamics.
This narrow focus limits their robustness in dense, real-world environments
with high device mobility, where probe activity alone fails to yield stable and
distinctive signatures. In this paper, we present a novel framework for
fingerprinting Wi-Fi devices based on behavioral dynamics extracted from
passively observed management frames. We model each device's behavior as a
finite state machine and introduce matrix-based representations that encode
both structural (state transition frequencies) and temporal (inter-state
delays) characteristics. These matrices are embedded into compact feature
vectors, enabling efficient similarity comparison. Through extensive evaluation
in diverse real-world settings, our method achieves over 86% identification
accuracy for non-randomized devices using only Wi-Fi management frames, with
further improvements observed through temporal burst aggregation. Our findings
are sufficient to uniquely and consistently characterize devices at scale,
outperforming the state-of-the-art.
★ CyberRAG: An agentic RAG cyber attack classification and reporting tool
Intrusion Detection and Prevention Systems (IDS/IPS) in large enterprises can
generate hundreds of thousands of alerts per hour, overwhelming security
analysts with logs that demand deep, rapidly evolving domain expertise.
Conventional machine-learning detectors trim the alert volume but still yield
high false-positive rates, while standard single-pass Retrieval-Augmented
Generation (RAG) pipelines often retrieve irrelevant context and fail to
justify their predictions. To overcome these shortcomings, we present CyberRAG,
a modular, agent-based RAG framework that delivers real-time classification,
explanation, and structured reporting for cyber-attacks. A central LLM agent
orchestrates (i) a pool of fine-tuned specialized classifiers, each tailored to
a distinct attack family; (ii) tool adapters for enrichment and alerting; and
(iii) an iterative retrieval-and-reason loop that continuously queries a
domain-specific knowledge base until the evidence is both relevant and
self-consistent. Unlike traditional RAG systems, CyberRAG embraces an agentic
design that enables dynamic control flow and adaptive reasoning. This
agent-centric architecture refines its threat labels and natural-language
justifications autonomously, reducing false positives and enhancing
interpretability. The framework is fully extensible: new attack types can be
supported by simply adding a classifier without retraining the core agent.
CyberRAG has been evaluated achieving over 94% accuracy per class and pushing
final classification accuracy to 94.92% through semantic orchestration.
Generated explanations score up to 0.94 in BERTScore and 4.9/5 in GPT-4-based
expert evaluation. These results show that agentic, specialist-oriented RAG can
pair high detection accuracy with trustworthy, SOC-ready prose, offering a
practical and scalable path toward semi-autonomous cyber-defence workflows.
★ Privacy-preserving Preselection for Face Identification Based on Packing
Face identification systems operating in the ciphertext domain have garnered
significant attention due to increasing privacy concerns and the potential
recovery of original facial data. However, as the size of ciphertext template
libraries grows, the face retrieval process becomes progressively more
time-intensive. To address this challenge, we propose a novel and efficient
scheme for face retrieval in the ciphertext domain, termed Privacy-Preserving
Preselection for Face Identification Based on Packing (PFIP). PFIP incorporates
an innovative preselection mechanism to reduce computational overhead and a
packing module to enhance the flexibility of biometric systems during the
enrollment stage. Extensive experiments conducted on the LFW and CASIA datasets
demonstrate that PFIP preserves the accuracy of the original face recognition
model, achieving a 100% hit rate while retrieving 1,000 ciphertext face
templates within 300 milliseconds. Compared to existing approaches, PFIP
achieves a nearly 50x improvement in retrieval efficiency.
comment: This paper has been accepted for publication in SecureComm 2025
★ Evaluating Language Models For Threat Detection in IoT Security Logs
Log analysis is a relevant research field in cybersecurity as they can
provide a source of information for the detection of threats to networks and
systems. This paper presents a pipeline to use fine-tuned Large Language Models
(LLMs) for anomaly detection and mitigation recommendation using IoT security
logs. Utilizing classical machine learning classifiers as a baseline, three
open-source LLMs are compared for binary and multiclass anomaly detection, with
three strategies: zero-shot, few-shot prompting and fine-tuning using an IoT
dataset. LLMs give better results on multi-class attack classification than the
corresponding baseline models. By mapping detected threats to MITRE CAPEC,
defining a set of IoT-specific mitigation actions, and fine-tuning the models
with those actions, the models are able to provide a combined detection and
recommendation guidance.
★ PII Jailbreaking in LLMs via Activation Steering Reveals Personal Information Leakage
This paper investigates privacy jailbreaking in LLMs via steering, focusing
on whether manipulating activations can bypass LLM alignment and alter response
behaviors to privacy related queries (e.g., a certain public figure's sexual
orientation). We begin by identifying attention heads predictive of refusal
behavior for private attributes (e.g., sexual orientation) using lightweight
linear probes trained with privacy evaluator labels. Next, we steer the
activations of a small subset of these attention heads guided by the trained
probes to induce the model to generate non-refusal responses. Our experiments
show that these steered responses often disclose sensitive attribute details,
along with other private information about data subjects such as life events,
relationships, and personal histories that the models would typically refuse to
produce. Evaluations across four LLMs reveal jailbreaking disclosure rates of
at least 95%, with more than 50% on average of these responses revealing true
personal information. Our controlled study demonstrates that private
information memorized in LLMs can be extracted through targeted manipulation of
internal activations.
comment: Preprint
★ Rethinking Broken Object Level Authorization Attacks Under Zero Trust Principle
RESTful APIs facilitate data exchange between applications, but they also
expose sensitive resources to potential exploitation. Broken Object Level
Authorization (BOLA) is the top vulnerability in the OWASP API Security Top 10,
exemplifies a critical access control flaw where attackers manipulate API
parameters to gain unauthorized access. To address this, we propose BOLAZ, a
defense framework grounded in zero trust principles. BOLAZ analyzes the data
flow of resource IDs, pinpointing BOLA attack injection points and determining
the associated authorization intervals to prevent horizontal privilege
escalation. Our approach leverages static taint tracking to categorize APIs
into producers and consumers based on how they handle resource IDs. By mapping
the propagation paths of resource IDs, BOLAZ captures the context in which
these IDs are produced and consumed, allowing for precise identification of
authorization boundaries. Unlike defense methods based on common authorization
models, BOLAZ is the first authorization-guided method that adapts defense
rules based on the system's best-practice authorization logic. We validate
BOLAZ through empirical research on 10 GitHub projects. The results demonstrate
BOLAZ's effectiveness in defending against vulnerabilities collected from CVE
and discovering 35 new BOLA vulnerabilities in the wild, demonstrating its
practicality in real-world deployments.
★ Linearly Homomorphic Ring Signature Scheme over Lattices
Homomorphic ring signature schemes combine the strong anonymity of ring
signatures with the computability of homomorphic signatures, demonstrating
significant potential in scenarios requiring both anonymous data provenance and
verifiable homomorphic computation (e.g., confidential blockchain transactions
and secure multi-party computation). However, no feasible homomorphic ring
signature scheme currently exists.
In this work, we propose the first lattice-based linearly homomorphic ring
signature scheme. Proven secure in the standard model under the small integer
solution (SIS) assumption, our scheme achieves strong anonymity under full key
exposure and unforgeability against insider corruption attacks. As the first
unified framework for ring signatures and linear homomorphic signatures, this
construction provides a post-quantum-secure solution for the aforementioned
applications, advancing the development of privacy-enhanced homomorphic
computation.
★ EIM-TRNG: Obfuscating Deep Neural Network Weights with Encoding-in-Memory True Random Number Generator via RowHammer
Ranyang Zhou, Abeer Matar A. Almalky, Gamana Aragonda, Sabbir Ahmed, Filip Roth Trønnes-Christensen, Adnan Siraj Rakin, Shaahin Angizi
True Random Number Generators (TRNGs) play a fundamental role in hardware
security, cryptographic systems, and data protection. In the context of Deep
NeuralNetworks (DNNs), safeguarding model parameters, particularly weights, is
critical to ensure the integrity, privacy, and intel-lectual property of AI
systems. While software-based pseudo-random number generators are widely used,
they lack the unpredictability and resilience offered by hardware-based TRNGs.
In this work, we propose a novel and robust Encoding-in-Memory TRNG called
EIM-TRNG that leverages the inherent physical randomness in DRAM cell behavior,
particularly under RowHammer-induced disturbances, for the first time. We
demonstrate how the unpredictable bit-flips generated through carefully
controlled RowHammer operations can be harnessed as a reliable entropy source.
Furthermore, we apply this TRNG framework to secure DNN weight data by encoding
via a combination of fixed and unpredictable bit-flips. The encrypted data is
later decrypted using a key derived from the probabilistic flip behavior,
ensuring both data confidentiality and model authenticity. Our results validate
the effectiveness of DRAM-based entropy extraction for robust, low-cost
hardware security and offer a promising direction for protecting machine
learning models at the hardware level.
♻ ★ Anamorphic Cryptography using Baby-Step Giant-Step Recovery
In 2022, Persianom, Phan and Yung outlined the creation of Anamorphic
Cryptography. With this, we can create a public key to encrypt data, and then
have two secret keys. These secret keys are used to decrypt the cipher into
different messages. So, one secret key is given to the Dictator (who must be
able to decrypt all the messages), and the other is given to Alice. Alice can
then decrypt the ciphertext to a secret message that the Dictator cannot see.
This paper outlines the implementation of Anamorphic Cryptography using ECC
(Elliptic Curve Cryptography), such as with the secp256k1 curve. This gives
considerable performance improvements over discrete logarithm-based methods
with regard to security for a particular bit length. Overall, it outlines how
the secret message sent to Alice is hidden within the random nonce value, which
is used within the encryption process, and which is cancelled out when the
Dictator decrypts the ciphertext. It also shows that the BSGS (Baby-step
Giant-step) variant significantly outperforms unoptimised elliptic curve
methods.
♻ ★ Nebula: Efficient, Private and Accurate Histogram Estimation
We present \textit{Nebula}, a system for differentially private histogram
estimation on data distributed among clients. \textit{Nebula} allows clients to
independently decide whether to participate in the system, and locally encode
their data so that an untrusted server only learns data values whose
multiplicity exceeds a predefined aggregation threshold, with
$(\varepsilon,\delta)$ differential privacy guarantees. Compared to existing
systems, \textit{Nebula} uniquely achieves: \textit{i)} a strict upper bound on
client privacy leakage; \textit{ii)} significantly higher utility than standard
local differential privacy systems; and \textit{iii)} no requirement for
trusted third-parties, multi-party computation, or trusted hardware. We provide
a formal evaluation of \textit{Nebula}'s privacy, utility and efficiency
guarantees, along with an empirical assessment on three real-world datasets. On
the United States Census dataset, clients can submit their data in just 0.0036
seconds and 0.0016 MB (\textbf{efficient}), under strong
$(\varepsilon=1,\delta=10^{-8})$ differential privacy guarantees
(\textbf{private}), enabling \textit{Nebula}'s untrusted aggregation server to
estimate histograms with over 88\% better utility than existing local
differential privacy deployments (\textbf{accurate}). Additionally, we describe
a variant that allows clients to submit multi-dimensional data, with similar
privacy, utility, and performance. Finally, we provide an implementation of
\textit{Nebula}.
♻ ★ Stealtooth: Breaking Bluetooth Security Abusing Silent Automatic Pairing
Bluetooth is a pervasive wireless communication technology used by billions
of devices for short-range connectivity. The security of Bluetooth relies on
the pairing process, where devices establish shared long-term keys for secure
communications. However, many commercial Bluetooth devices implement automatic
pairing functions to improve user convenience, creating a previously unexplored
attack surface.
We present Stealtooth, a novel attack that abuses unknown vulnerabilities in
the automatic pairing functions in commercial Bluetooth devices to achieve
completely silent device link key overwriting. The Stealtooth attack leverages
the fact that Bluetooth audio devices automatically transition to pairing mode
under specific conditions, enabling attackers to hijack pairing processes
without user awareness or specialized tools. We also extend the attack into the
MitM Stealtooth attack, combining automatic pairing abuse with power-saving
mode techniques to enable man-in-the-middle attacks.
We evaluate the attacks against 10 commercial Bluetooth devices from major
manufacturers, demonstrating widespread vulnerabilities across diverse device
types and manufacturers. Our practical implementation requires only commodity
hardware and open-source software, highlighting the low barrier to entry for
attackers.
We propose defenses both device and protocol levels, including enhanced user
notifications and standardized automatic pairing guidelines. Our findings
reveal a critical tension between security and usability, showing that current
automatic pairing implementations create systematic vulnerabilities. We
responsibly disclosed our findings to affected vendors, with several already
releasing patches.
comment: 13 pages, 6 figures. We plan to extend our evaluation to additional
device categories. Responsible disclosure completed
♻ ★ H$_2$O$_2$RAM: A High-Performance Hierarchical Doubly Oblivious RAM
The combination of Oblivious RAM (ORAM) with Trusted Execution Environments
(TEE) has found numerous real-world applications due to their complementary
nature. TEEs alleviate the performance bottlenecks of ORAM, such as network
bandwidth and roundtrip latency, and ORAM provides general-purpose protection
for TEE applications against attacks exploiting memory access patterns. The
defining property of this combination, which sets it apart from traditional
ORAM designs, is its ability to ensure that memory accesses, both inside and
outside of TEEs, are made oblivious, thus termed doubly oblivious RAM
(O$_2$RAM). Efforts to develop O$_2$RAM with enhanced performance are ongoing.
In this work, we propose H$_2$O$_2$RAM, a high-performance doubly oblivious
RAM construction. The distinguishing feature of our approach, compared to the
existing tree-based doubly oblivious designs, is its first adoption of the
hierarchical framework that enjoys inherently better data locality and
parallelization. While the latest hierarchical solution, FutORAMa, achieves
concrete efficiency in the classic client-server model by leveraging a relaxed
assumption of sublinear-sized client-side private memory, adapting it to our
scenario poses challenges due to the conflict between this relaxed assumption
and our doubly oblivious requirement. To this end, we introduce several new
efficient oblivious components to build a high-performance hierarchical
O$_2$RAM (H$_2$O$_2$RAM). We implement our design and evaluate it on various
scenarios. The results indicate that H$_2$O$_2$RAM reduces execution time by up
to $\sim 10^3$ times and saves memory usage by $5\sim44$ times compared to
state-of-the-art solutions.
♻ ★ An average case efficient algorithm for solving two-variable linear Diophantine equations
Solving two-variable linear Diophantine equations has applications in many
cryptographic protocols such as RSA and Elliptic curve cryptography. The
Extended Euclid's algorithm is the most widely used algorithm to solve these
equations. We revisit two algorithms to solve two-variable linear Diophantine
equations. We write the iterative version of one of the revisited algorithms.
For another, we do a fine-grained analysis of the number of recursive calls and
arrive at a periodic function that represents the number of recursive calls. We
find the period and use it to derive an accurate closed-form expression for the
average number of recursive calls incurred by that algorithm. We find multiple
loose upper bounds on the average number of recursive calls in different cases
based on whether a solution exists or not. We find that for a fixed value of
$a,b$ and a varying $c$, such that the equation $ax+by=c$ (where $a > b$) is
solvable, we can find the solution in $O\left(\frac{\log b}{gcd(a,b)}\right)$
average number of recursions or steps. We computationally evaluate this bound
as well as one more upper bound and compare them with the average number of
recursive calls in Extended Euclid's algorithm on a number of random $512$-bit
inputs. We observe that the average number of iterations in the analyzed
algorithm decreases with an increase in $gcd(a,b)$. We propose an iterative
version of the algorithm. We implement this algorithm and find that the average
number of iterations by our algorithm is less than that of two existing
algorithms.
♻ ★ UniNet: A Unified Multi-granular Traffic Modeling Framework for Network Security
As modern networks grow increasingly complex--driven by diverse devices,
encrypted protocols, and evolving threats--network traffic analysis has become
critically important. Existing machine learning models often rely only on a
single representation of packets or flows, limiting their ability to capture
the contextual relationships essential for robust analysis. Furthermore,
task-specific architectures for supervised, semi-supervised, and unsupervised
learning lead to inefficiencies in adapting to varying data formats and
security tasks. To address these gaps, we propose UniNet, a unified framework
that introduces a novel multi-granular traffic representation (T-Matrix),
integrating session, flow, and packet-level features to provide comprehensive
contextual information. Combined with T-Attent, a lightweight attention-based
model, UniNet efficiently learns latent embeddings for diverse security tasks.
Extensive evaluations across four key network security and privacy
problems--anomaly detection, attack classification, IoT device identification,
and encrypted website fingerprinting--demonstrate UniNet's significant
performance gain over state-of-the-art methods, achieving higher accuracy,
lower false positive rates, and improved scalability. By addressing the
limitations of single-level models and unifying traffic analysis paradigms,
UniNet sets a new benchmark for modern network security.
comment: 16 pages,6 figures, 12 tables; accepted for publication in IEEE
Transactions on Cognitive Communications and Networking, 2025
♻ ★ SecAlign: Defending Against Prompt Injection with Preference Optimization CCS 2025
Large language models (LLMs) are becoming increasingly prevalent in modern
software systems, interfacing between the user and the Internet to assist with
tasks that require advanced language understanding. To accomplish these tasks,
the LLM often uses external data sources such as user documents, web retrieval,
results from API calls, etc. This opens up new avenues for attackers to
manipulate the LLM via prompt injection. Adversarial prompts can be injected
into external data sources to override the system's intended instruction and
instead execute a malicious instruction. To mitigate this vulnerability, we
propose a new defense called SecAlign based on the technique of preference
optimization. Our defense first constructs a preference dataset with
prompt-injected inputs, secure outputs (ones that respond to the legitimate
instruction), and insecure outputs (ones that respond to the injection). We
then perform preference optimization on this dataset to teach the LLM to prefer
the secure output over the insecure one. This provides the first known method
that reduces the success rates of various prompt injections to <10%, even
against attacks much more sophisticated than ones seen during training. This
indicates our defense generalizes well against unknown and yet-to-come attacks.
Also, SecAlign models are still practical with similar utility to the one
before defensive training in our evaluations. Our code is at
https://github.com/facebookresearch/SecAlign
comment: ACM CCS 2025. Key words: prompt injection defense, LLM security,
LLM-integrated applications
♻ ★ USBIPS Framework: Protecting Hosts from Malicious USB Peripherals
Universal Serial Bus (USB)-based attacks have increased in complexity in
recent years. Modern attacks incorporate a wide range of attack vectors, from
social engineering to signal injection. The security community is addressing
these challenges using a growing set of fragmented defenses. Regardless of the
vector of a USB-based attack, the most important risks concerning most people
and enterprises are service crashes and data loss. The host OS manages USB
peripherals, and malicious USB peripherals, such as those infected with BadUSB,
can crash a service or steal data from the OS. Although USB firewalls have been
proposed to thwart malicious USB peripherals, such as USBFilter and USBGuard,
their effect is limited for preventing real-world intrusions. This paper
focuses on building a security framework called USBIPS within Windows OSs to
defend against malicious USB peripherals. This includes major efforts to
explore the nature of malicious behavior and achieve persistent protection from
USB-based intrusions. Herein, we first introduce an allowlisting-based method
for USB access control. We then present a behavior-based detection mechanism
focusing on attacks integrated into USB peripherals. Finally, we propose a
novel approach that combines cross-layer methods to build the first generic
security framework that thwarts USB-based intrusions. Within a centralized
threat analysis framework, the approach provides persistent protection and may
detect unknown malicious behavior. By addressing key security and performance
challenges, these efforts help modern OSs against attacks from untrusted USB
peripherals.
comment: Accepted 23 June 2025 by Computer Standards & Interfaces/Elsevier B.V
♻ ★ On Compression Functions over Groups with Applications to Homomorphic Encryption
Fully homomorphic encryption (FHE) enables an entity to perform arbitrary
computation on encrypted data without decrypting the ciphertexts. An ongoing
group-theoretical approach to construct an FHE scheme uses a certain
"compression" function $F(x)$ implemented by group operations on a given finite
group $G$, which satisfies that $F(1) = 1$ and $F(\sigma) = F(\sigma^2) =
\sigma$ where $\sigma \in G$ is some element of order $3$. The previous work
gave an example of such a function over the symmetric group $G = S_5$ by just a
heuristic approach. In this paper, we systematically study the possibilities of
such a function over various groups. We show that such a function does not
exist over any solvable group $G$ (such as an Abelian group and a smaller
symmetric group $S_n$ with $n \leq 4$). We also construct such a function over
the alternating group $G = A_5$ that has a shortest possible expression.
Moreover, by using this new function, we give a reduction of a construction of
an FHE scheme to a construction of a homomorphic encryption scheme over the
group $A_5$, which is more efficient than the previously known reductions.
comment: 14 pages