AUGUST 15–17, 2018 BALTIMORE, MD, USA Wednesday, August 15 7:30 am–8:45 am Continental Breakfast 8:45 am–9:00 am Opening Remarks and Awards Program Co-Chairs: William Enck, North Carolina State University, and Adrienne Porter Felt, Google 9:00 am–10:00 am Keynote Address Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models James Mickens, Harvard University 10:00 am–10:30 am Break with Refreshments 10:30 am–12:10 pm Track 1 Track 2 Track 3 Security Impacting the Memory Defenses Censorship and Web Privacy Physical World ACES: Automatic Compartments for Fp-Scanner: The Privacy Implications of Fear the Reaper: Characterization and Fast Embedded Systems Browser Fingerprint Inconsistencies Detection of Card Skimmers Abraham A Clements, Purdue University and Antoine Vastel, Univ. Lille / Inria / Inria; Pierre Nolen Scaife, Christian Peeters, and Patrick Sandia National Labs; Naif Saleh Almakhdhub, Laperdrix, Stony Brook University; Walter Traynor, University of Florida Saurabh Bagchi, and Mathias Payer, Purdue Rudametkin, Univ. Lille / Inria / Inria; Romain BlackIoT: IoT Botnet of High Wattage University Rouvoy, Univ. Lille / Inria / IUF Devices Can Disrupt the Power Grid IMIX: In-Process Memory Isolation Who Left Open the Cookie Jar? A Saleh Soltan, Prateek Mittal, and H. Vincent EXtension Comprehensive Evaluation of Third-Party Poor, Princeton University Tommaso Frassetto, Patrick Jauernig, Cookie Policies Skill Squatting Attacks on Amazon Alexa Christopher Liebchen, and Ahmad-Reza Gertjan Franken, Tom Van Goethem, and Sadeghi, Technische Universität Darmstadt Wouter Joosen, imec-Distrinet, KU Leuven Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Adam HeapHopper: Bringing Bounded Model Effective Detection of Multimedia Protocol Bates, and Michael Bailey, University of Illinois, Checking to Heap Implementation Security Tunneling using Machine Learning Urbana-Champaign Moritz Eckert, Antonio Bianchi, and Ruoyu Diogo Barradas, Nuno Santos, and Luís CommanderSong: A Systematic Approach Wang, University of California, Santa Barbara; Rodrigues, INESC-ID, Instituto Superior Técnico, for Practical Adversarial Voice Recognition Yan Shoshitaishvili, Arizona State University; Universidade de Lisboa Christopher Kruegel and Giovanni Vigna, Xuejing Yuan, SKLOIS, Institute of Information Scalable Remote Measurement of University of California, Santa Barbara Engineering, Chinese Academy of Sciences. School Application-Layer Censorship of Cyber Security, University of Chinese Academy Guarder: An Efficient Heap Allocator with Benjamin VanderSloot, Allison McDonald, Will of Sciences.; Yuxuan Chen, Florida Institute Strongest and Tunable Security Scott, J. Alex Halderman, and Roya Ensafi, of Technology; Yue Zhao, SKLOIS, Institute of Sam Silvestro, Hongyu Liu, and Tianyi Liu, University of Michigan Information Engineering, Chinese Academy of University of Texas at San Antonio; Zhiqiang Lin, Sciences. School of Cyber Security, University Ohio State University; Tongping Liu, University of of Chinese Academy of Sciences.; Yunhui Long, Texas at San Antonio University of Illinois at Urbana-Champaign; Xiaokang Liu and Kai Chen, SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences. School of Cyber Security, University of Chinese Academy of Sciences.; Shengzhi Zhang, Florida Institute of Technology; Heqing Huang, IBM Thomas J. Watson Research Center; Xiaofeng Wang, Indiana University Bloomington; Carl A. Gunter, University of Illinois at Urbana-Champaign 12:10 pm–1:40 pm Lunch (on your own) The Career Luncheon for Students and Recent Grads will occur at this time. Wednesday, August 15 continues on next page ➜ Wednesday, August 15 (continued) 1:40 pm–3:20 pm Track 1 Track 2 Track 3 Understanding How Humans Vulnerability Discovery Invited Talks Authenticate ATtention Spanned: Comprehensive TBA Better managed than memorized? Studying Vulnerability Analysis of AT Commands the Impact of Managers on Password Within the Android Ecosystem Strength and Reuse Dave (Jing) Tian, Grant Hernandez, Joseph Sanam Ghorbani Lyastani, CISPA, Saarland Choi, Vanessa Frost, Christie Raules, Kevin University; Michael Schilling, Saarland University; Butler, and Patrick Traynor, University of Florida; Sascha Fahl, Leibniz University Hannover; Sven Hayawardh Vijayakumar, Lee Harrison, Amir Bugiel, CISPA, Saarland University; Michael Rahmati, and Mike Grace, Samsung Research Backes, CISPA Helmholtz Center i.G. America Forgetting of Passwords: Ecological Theory Charm: Facilitating Dynamic Analysis of and Data Device Drivers of Mobile Systems Xianyi Gao, Yulong Yang, Can Liu, Christos Seyed Mohammadjavad Seyed Talebi and Mitropoulos, and Janne Lindqvist, Rutgers Hamid Tavakoli, UC Irvine; Hang Zhang and University; Antti Oulasvirta, Aalto University Zheng Zhang, UC Riverside; Ardalan Amiri Sani, The Rewards and Costs of Stronger UC Irvine; Zhiyun Qian, UC Riverside Passwords in a University: Linking Inception: System-wide Security Testing of Password Lifetime to Strength Real-World Embedded Systems Software Ingolf Becker, Simon Parkin, and M. Angela Nassim Corteggiani, EURECOM, Maxim Sasse, University College London Integrated; Giovanni Camurati and Aurélien Rethinking Authentication and Access Francillon, EURECOM Control for the Home Internet of Things Acquisitional Rule-based Engine for (IoT) Discovering Internet-of-Thing Devices Weijia He, University of Chicago; Maximilian Xuan Feng, Beijing Key Laboratory of IOT Golla, Ruhr-University Bochum; Roshni Padhi Information Security Technology, Institute of and Jordan Ofek, University of Chicago; Markus Information Engineering, CAS, China; Qiang Li, Dürmuth, Ruhr-University Bochum; Earlence School of Computer and Information Technology, Fernandes, University of Washington; Blase Ur, Beijing Jiaotong University, China; Haining University of Chicago Wang, Department of Electrical and Computer Engineering, University of Delaware, USA; Limin Sun, Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, China 3:20pm–3:50 pm Break with Refreshments 3:50 pm–5:30 pm Track 1 Track 2 Track 3 Web Applications Anonymity Invited Talks A Sense of Time for JavaScript and Node. How do Tor users interact with onion TBA js: First-Class Timeouts as a Cure for Event services? Handler Poisoning Philipp Winter, Anne Edmundson, Laura M. James C. Davis, Eric R. Williamson, and Roberts, Marshini Chetty, and Nick Feamster, Dongyoon Lee, Virginia Tech Princeton University Freezing the Web: A Study of ReDoS Towards Predicting Efficient and Vulnerabilities in JavaScript-based Web Anonymous Tor Circuits Servers Armon Barton, University of Texas at Arlington; Cristian-Alexandru Staicu and Michael Pradel, Matthew Wright, Rochester Institute of TU Darmstadt Technology; Jiang Ming and Mohsen Imani, NAVEX: Precise and Scalable Exploit University of Texas at Arlington Generation for Dynamic Web Applications BurnBox: Self-Revocable Encryption in a Abeer Alhuzali, Rigel Gjomemo, Birhanu World Of Compelled Access Eshete, and V.N. Venkatakrishnan, UIC Nirvan Tyagi, Cornell Tech; Muhammad Haris Rampart: Protecting Web Applications from Mughees, Cornell Tech and UIUC; Thomas CPU-Exhaustion Denial-of-Service Attacks Ristenpart and Ian Miers, Cornell Tech Wei Meng, Chinese University of Hong An Empirical Analysis of Anonymity in Kong; Chenxiong Qian, Georgia Institute of Zcash Technology; Shuang Hao, University of Texas George Kappos, Haaroon Yousaf, Mary Maller, at Dallas; Kevin Borgolte, Giovanni Vigna, and and Sarah Meiklejohn, University College Christopher Kruegel, University of California, London Santa Barbara; Wenke Lee, Georgia Institute of Technology Wednesday, August 15 continues on next page ➜ Wednesday, August 15 (continued) 6:00 pm–7:30 pm USENIX Security ’18 Symposium Reception Mingle with fellow attendees at the USENIX Security ‘18 Reception, featuring dinner, drinks, and the chance to connect with other attendees, speakers, and symposium organizers. 7:30 pm–8:30 pm USENIX Security ’18 Lightning Talks This is intended as an informal session for short and engaging presentations on recent unpublished results, work in progress, or other topics of interest to USENIX Security attendees. As in the past, talks do not always need to be serious and funny talks are encouraged! This year, USENIX will generously sponsor awards for the most engaging talks. Bragging rights and small cash prizes can be yours for a great talk! For full consideration, submit your lightning talk via the lighting talk submission form, which will be available here soon, through July 27, 2018. Only talks submitted by this deadline will be considered for the awards. You can continue submitting talks via the submission form or by emailing [email protected] until Wednesday, August 15, 2018, 12:00 pm EDT. Thursday, August 16 8:00 am–9:00 am Continental Breakfast 9:00 am–10:30 am Track 1 Track 2 Track 3 Privacy in a Digital World Attacks on Crypto & Crypto Invited Talks Unveiling and Quantifying Facebook Libraries TBA Exploitation of Sensitive Personal Data for Efail: Breaking S/MIME and OpenPGP Email Advertising Purposes Encryption using Exfiltration Channels José González Cabañas, Ángel Cuevas, and Damian Poddebniak, Münster University of Rubén Cuevas, Department of Telematic Applied Sciences; Jens Müller, Ruhr University Engineering, Universidad Carlos III de Madrid Bochum; Christian Dresen,