Awards 2024
Dutch Cyber Security Best Research Paper (DCSRP) Award 2024

DCSRP Award 2024
In 2024 the DCSRP contest was organized by ACCSS in cooperation with the Special Interest Group Cyber Security (SIG CS). Luca Allodi (TU/e), Abhishta Abhishta (UT), Riccardo Ferrari (TU Delft), and Cristiano Giuffrida (VU Amsterdam) are leading the organization committee on behalf of SIG CS. The ceremony was held at the ONE Conference in The Hague on October 1, 2024.
TECHNICAL TRACK
The judges were impressed with the quality of all the submissions and extensively discussed each in a 1-hr remote meeting session.
Winner:
“Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks”
The judges were impressed with the significant impact of this paper for the academic and industrial community. The paper led to several CVEs and advisories by Intel and Arm, new guidelines/mitigations from those CPU vendors, and also won an Intel Bounty Reward and a Pwnie Award Nomination for Epic Achievement. The paper in particular shows that current hardware countermeasures against Spectre v2 (the most critical variant of Spectre attacks) are insufficient to block cross-privilege attacks. As a result, they conclude that while software defenses are less efficient, they remain the only practical mitigation in the foreseeable future.
Runners-up:
“Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel”
The paper presents Kasper, a new speculative execution gadget scanner that strikes a balance between pattern-matching and more principled and “semantic” program approaches. Kasper outperforms existing tools, which have a large false positive rate and would lead to substantial and unnecessary overhead when defending against such attacks. Kasper has already had significant impact in practice by discovering more than one thousand previously unknown gadgets in the Linux kernel.
“DeepCASE: Semi-Supervised Contextual Analysis of Security Events”
The judges appreciated the paper’s massive undertaking, thanks to a good mix of international and industry collaborators. The core intuition presented in the paper is simple and elegant and helps SOC analysts by placing security events into context with preceding security events. This approach can potentially reduce the workload of SOC analysts by 90%, by reducing the deluge of false positives generated by traditional approaches.
MULTIDISCIPLINARY TRACK
The judges were impressed with the quality of all the submissions and extensively discussed each in a 1-hr remote meeting session.
Winner:
“I Still Know What You Watched Last Sunday: Privacy of the HbbTV Protocol in the European Smart TV Landscape”
The judges were impressed with the measurement methodology and its scale, spanning five EU countries. The additional survey on user perceptions that the paper presents offers a complete, full-stack view of the problem that was especially appreciated by the committee. The analysis is very thorough and well executed, providing clear, actionable results with a high potential for impact for end users. A consequential study revealing important issues to address at the policy and product levels.
Runners-up:
“Know Your Cybercriminal: Evaluating Attacker Preferences by Measuring Profile Sales on an Active, Leading Criminal Market for User Impersonation at Scale”
Very detailed study providing new insights on the threat landscape and attacker preferences, with a strong reliance on multidisciplinary aspects including computer science, economics, and criminology. The committee especially appreciated the insights the paper offers on the economic drivers behind the cybercrime economy, and the actionable insights on defences and exposure emerging from a robust analysis of very-hard-to-collect data.
“Measuring Up to (Reasonable) Consumer Expectations: Providing an Empirical Basis for Holding IoT Manufacturers Legally Responsible”
The judges were impressed with the scale of the analysis and the framing of the problem from a user perspective, evaluating both what users think happens and what users think should happen. Relevant problem tackled rigorously and leading to practical recommendations for manufacturers and policymakers. The committee appreciated the well-formulated statement of limitations, which speaks favourably to the rigorousness of the study.
