<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" version="XHTML+RDFa 1.0" dir="ltr" xmlns:og="http://ogp.me/ns#" xmlns:article="http://ogp.me/ns/article#" xmlns:book="http://ogp.me/ns/book#" xmlns:profile="http://ogp.me/ns/profile#" xmlns:video="http://ogp.me/ns/video#" xmlns:product="http://ogp.me/ns/product#"> <head profile="http://www.w3.org/1999/xhtml/vocab"> <script type="text/javascript" id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="694f6fb4-ca29-459f-a9b6-c1deccf2eaca" async="async"></script> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><script type="text/javascript">(window.NREUM||(NREUM={})).init={ajax:{deny_list:["bam.nr-data.net"]}};(window.NREUM||(NREUM={})).loader_config={licenseKey:"d823139095",applicationID:"509444"};;/*! For license information please see nr-loader-rum-1.281.0.min.js.LICENSE.txt */ (()=>{var e,t,r={122:(e,t,r)=>{"use strict";r.d(t,{a:()=>i});var n=r(944);function i(e,t){try{if(!e||"object"!=typeof e)return(0,n.R)(3);if(!t||"object"!=typeof t)return(0,n.R)(4);const r=Object.create(Object.getPrototypeOf(t),Object.getOwnPropertyDescriptors(t)),o=0===Object.keys(r).length?e:r;for(let a in o)if(void 0!==e[a])try{if(null===e[a]){r[a]=null;continue}Array.isArray(e[a])&&Array.isArray(t[a])?r[a]=Array.from(new Set([...e[a],...t[a]])):"object"==typeof e[a]&&"object"==typeof t[a]?r[a]=i(e[a],t[a]):r[a]=e[a]}catch(e){(0,n.R)(1,e)}return r}catch(e){(0,n.R)(2,e)}}},555:(e,t,r)=>{"use strict";r.d(t,{Vp:()=>c,fn:()=>s,x1:()=>u});var n=r(384),i=r(122);const o={beacon:n.NT.beacon,errorBeacon:n.NT.errorBeacon,licenseKey:void 0,applicationID:void 0,sa:void 0,queueTime:void 0,applicationTime:void 0,ttGuid:void 0,user:void 0,account:void 0,product:void 0,extra:void 0,jsAttributes:{},userAttributes:void 0,atts:void 0,transactionName:void 0,tNamePlain:void 0},a={};function s(e){try{const t=c(e);return!!t.licenseKey&&!!t.errorBeacon&&!!t.applicationID}catch(e){return!1}}function c(e){if(!e)throw new Error("All info objects require an agent identifier!");if(!a[e])throw new Error("Info for ".concat(e," was never set"));return a[e]}function u(e,t){if(!e)throw new Error("All info objects require an agent identifier!");a[e]=(0,i.a)(t,o);const r=(0,n.nY)(e);r&&(r.info=a[e])}},217:(e,t,r)=>{"use strict";r.d(t,{D0:()=>h,gD:()=>b,xN:()=>v});r(860).K7.genericEvents;const n="experimental.marks",i="experimental.measures",o="experimental.resources";var a=r(993);const s=e=>{if(!e||"string"!=typeof e)return!1;try{document.createDocumentFragment().querySelector(e)}catch{return!1}return!0};var c=r(614),u=r(944),l=r(384),d=r(122);const f="[data-nr-mask]",g=()=>{const e={feature_flags:[],experimental:{marks:!1,measures:!1,resources:!1},mask_selector:"*",block_selector:"[data-nr-block]",mask_input_options:{color:!1,date:!1,"datetime-local":!1,email:!1,month:!1,number:!1,range:!1,search:!1,tel:!1,text:!1,time:!1,url:!1,week:!1,textarea:!1,select:!1,password:!0}};return{ajax:{deny_list:void 0,block_internal:!0,enabled:!0,autoStart:!0},distributed_tracing:{enabled:void 0,exclude_newrelic_header:void 0,cors_use_newrelic_header:void 0,cors_use_tracecontext_headers:void 0,allowed_origins:void 0},get feature_flags(){return e.feature_flags},set feature_flags(t){e.feature_flags=t},generic_events:{enabled:!0,autoStart:!0},harvest:{interval:30},jserrors:{enabled:!0,autoStart:!0},logging:{enabled:!0,autoStart:!0,level:a.p_.INFO},metrics:{enabled:!0,autoStart:!0},obfuscate:void 0,page_action:{enabled:!0},page_view_event:{enabled:!0,autoStart:!0},page_view_timing:{enabled:!0,autoStart:!0},performance:{get capture_marks(){return e.feature_flags.includes(n)||e.experimental.marks},set capture_marks(t){e.experimental.marks=t},get capture_measures(){return e.feature_flags.includes(i)||e.experimental.measures},set capture_measures(t){e.experimental.measures=t},capture_detail:!0,resources:{get enabled(){return e.feature_flags.includes(o)||e.experimental.resources},set enabled(t){e.experimental.resources=t},asset_types:[],first_party_domains:[],ignore_newrelic:!0}},privacy:{cookies_enabled:!0},proxy:{assets:void 0,beacon:void 0},session:{expiresMs:c.wk,inactiveMs:c.BB},session_replay:{autoStart:!0,enabled:!1,preload:!1,sampling_rate:10,error_sampling_rate:100,collect_fonts:!1,inline_images:!1,fix_stylesheets:!0,mask_all_inputs:!0,get mask_text_selector(){return e.mask_selector},set mask_text_selector(t){s(t)?e.mask_selector="".concat(t,",").concat(f):""===t||null===t?e.mask_selector=f:(0,u.R)(5,t)},get block_class(){return"nr-block"},get ignore_class(){return"nr-ignore"},get mask_text_class(){return"nr-mask"},get block_selector(){return e.block_selector},set block_selector(t){s(t)?e.block_selector+=",".concat(t):""!==t&&(0,u.R)(6,t)},get mask_input_options(){return e.mask_input_options},set mask_input_options(t){t&&"object"==typeof t?e.mask_input_options={...t,password:!0}:(0,u.R)(7,t)}},session_trace:{enabled:!0,autoStart:!0},soft_navigations:{enabled:!0,autoStart:!0},spa:{enabled:!0,autoStart:!0},ssl:void 0,user_actions:{enabled:!0,elementAttributes:["id","className","tagName","type"]}}},p={},m="All configuration objects require an agent identifier!";function h(e){if(!e)throw new Error(m);if(!p[e])throw new Error("Configuration for ".concat(e," was never set"));return p[e]}function v(e,t){if(!e)throw new Error(m);p[e]=(0,d.a)(t,g());const r=(0,l.nY)(e);r&&(r.init=p[e])}function b(e,t){if(!e)throw new Error(m);var r=h(e);if(r){for(var n=t.split("."),i=0;i<n.length-1;i++)if("object"!=typeof(r=r[n[i]]))return;r=r[n[n.length-1]]}return r}},371:(e,t,r)=>{"use strict";r.d(t,{V:()=>f,f:()=>d});var n=r(122),i=r(384),o=r(154),a=r(324);let s=0;const c={buildEnv:a.F3,distMethod:a.Xs,version:a.xv,originTime:o.WN},u={customTransaction:void 0,disabled:!1,isolatedBacklog:!1,loaderType:void 0,maxBytes:3e4,onerror:void 0,ptid:void 0,releaseIds:{},appMetadata:{},session:void 0,denyList:void 0,timeKeeper:void 0,obfuscator:void 0,harvester:void 0},l={};function d(e){if(!e)throw new Error("All runtime objects require an agent identifier!");if(!l[e])throw new Error("Runtime for ".concat(e," was never set"));return l[e]}function f(e,t){if(!e)throw new Error("All runtime objects require an agent identifier!");l[e]={...(0,n.a)(t,u),...c},Object.hasOwnProperty.call(l[e],"harvestCount")||Object.defineProperty(l[e],"harvestCount",{get:()=>++s});const r=(0,i.nY)(e);r&&(r.runtime=l[e])}},324:(e,t,r)=>{"use strict";r.d(t,{F3:()=>i,Xs:()=>o,xv:()=>n});const n="1.281.0",i="PROD",o="CDN"},154:(e,t,r)=>{"use strict";r.d(t,{OF:()=>c,RI:()=>i,WN:()=>l,bv:()=>o,gm:()=>a,mw:()=>s,sb:()=>u});var n=r(863);const i="undefined"!=typeof window&&!!window.document,o="undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self.navigator instanceof WorkerNavigator||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis.navigator instanceof WorkerNavigator),a=i?window:"undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis),s=Boolean("hidden"===a?.document?.visibilityState),c=/iPad|iPhone|iPod/.test(a.navigator?.userAgent),u=c&&"undefined"==typeof SharedWorker,l=((()=>{const e=a.navigator?.userAgent?.match(/Firefox[/\s](\d+\.\d+)/);Array.isArray(e)&&e.length>=2&&e[1]})(),Date.now()-(0,n.t)())},687:(e,t,r)=>{"use strict";r.d(t,{Ak:()=>c,Ze:()=>d,x3:()=>u});var n=r(836),i=r(606),o=r(860),a=r(646);const s={};function c(e,t){const r={staged:!1,priority:o.P3[t]||0};l(e),s[e].get(t)||s[e].set(t,r)}function u(e,t){e&&s[e]&&(s[e].get(t)&&s[e].delete(t),g(e,t,!1),s[e].size&&f(e))}function l(e){if(!e)throw new Error("agentIdentifier required");s[e]||(s[e]=new Map)}function d(e="",t="feature",r=!1){if(l(e),!e||!s[e].get(t)||r)return g(e,t);s[e].get(t).staged=!0,f(e)}function f(e){const t=Array.from(s[e]);t.every((([e,t])=>t.staged))&&(t.sort(((e,t)=>e[1].priority-t[1].priority)),t.forEach((([t])=>{s[e].delete(t),g(e,t)})))}function g(e,t,r=!0){const o=e?n.ee.get(e):n.ee,s=i.i.handlers;if(!o.aborted&&o.backlog&&s){if(r){const e=o.backlog[t],r=s[t];if(r){for(let t=0;e&&t<e.length;++t)p(e[t],r);Object.entries(r).forEach((([e,t])=>{Object.values(t||{}).forEach((t=>{t[0]?.on&&t[0]?.context()instanceof a.y&&t[0].on(e,t[1])}))}))}}o.isolatedBacklog||delete s[t],o.backlog[t]=null,o.emit("drain-"+t,[])}}function p(e,t){var r=e[1];Object.values(t[r]||{}).forEach((t=>{var r=e[0];if(t[0]===r){var n=t[1],i=e[3],o=e[2];n.apply(i,o)}}))}},836:(e,t,r)=>{"use strict";r.d(t,{P:()=>c,ee:()=>u});var n=r(384),i=r(990),o=r(371),a=r(646),s=r(607);const c="nr@context:".concat(s.W),u=function e(t,r){var n={},s={},l={},d=!1;try{d=16===r.length&&(0,o.f)(r).isolatedBacklog}catch(e){}var f={on:p,addEventListener:p,removeEventListener:function(e,t){var r=n[e];if(!r)return;for(var i=0;i<r.length;i++)r[i]===t&&r.splice(i,1)},emit:function(e,r,n,i,o){!1!==o&&(o=!0);if(u.aborted&&!i)return;t&&o&&t.emit(e,r,n);for(var a=g(n),c=m(e),l=c.length,d=0;d<l;d++)c[d].apply(a,r);var p=v()[s[e]];p&&p.push([f,e,r,a]);return a},get:h,listeners:m,context:g,buffer:function(e,t){const r=v();if(t=t||"feature",f.aborted)return;Object.entries(e||{}).forEach((([e,n])=>{s[n]=t,t in r||(r[t]=[])}))},abort:function(){f._aborted=!0,Object.keys(f.backlog).forEach((e=>{delete f.backlog[e]}))},isBuffering:function(e){return!!v()[s[e]]},debugId:r,backlog:d?{}:t&&"object"==typeof t.backlog?t.backlog:{},isolatedBacklog:d};return Object.defineProperty(f,"aborted",{get:()=>{let e=f._aborted||!1;return e||(t&&(e=t.aborted),e)}}),f;function g(e){return e&&e instanceof a.y?e:e?(0,i.I)(e,c,(()=>new a.y(c))):new a.y(c)}function p(e,t){n[e]=m(e).concat(t)}function m(e){return n[e]||[]}function h(t){return l[t]=l[t]||e(f,t)}function v(){return f.backlog}}(void 0,"globalEE"),l=(0,n.Zm)();l.ee||(l.ee=u)},646:(e,t,r)=>{"use strict";r.d(t,{y:()=>n});class n{constructor(e){this.contextId=e}}},908:(e,t,r)=>{"use strict";r.d(t,{d:()=>n,p:()=>i});var n=r(836).ee.get("handle");function i(e,t,r,i,o){o?(o.buffer([e],i),o.emit(e,t,r)):(n.buffer([e],i),n.emit(e,t,r))}},606:(e,t,r)=>{"use strict";r.d(t,{i:()=>o});var n=r(908);o.on=a;var i=o.handlers={};function o(e,t,r,o){a(o||n.d,i,e,t,r)}function a(e,t,r,i,o){o||(o="feature"),e||(e=n.d);var a=t[o]=t[o]||{};(a[r]=a[r]||[]).push([e,i])}},878:(e,t,r)=>{"use strict";function n(e,t){return{capture:e,passive:!1,signal:t}}function i(e,t,r=!1,i){window.addEventListener(e,t,n(r,i))}function o(e,t,r=!1,i){document.addEventListener(e,t,n(r,i))}r.d(t,{DD:()=>o,jT:()=>n,sp:()=>i})},607:(e,t,r)=>{"use strict";r.d(t,{W:()=>n});const n=(0,r(566).bz)()},566:(e,t,r)=>{"use strict";r.d(t,{LA:()=>s,bz:()=>a});var n=r(154);const i="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx";function o(e,t){return e?15&e[t]:16*Math.random()|0}function a(){const e=n.gm?.crypto||n.gm?.msCrypto;let t,r=0;return e&&e.getRandomValues&&(t=e.getRandomValues(new Uint8Array(30))),i.split("").map((e=>"x"===e?o(t,r++).toString(16):"y"===e?(3&o()|8).toString(16):e)).join("")}function s(e){const t=n.gm?.crypto||n.gm?.msCrypto;let r,i=0;t&&t.getRandomValues&&(r=t.getRandomValues(new Uint8Array(e)));const a=[];for(var s=0;s<e;s++)a.push(o(r,i++).toString(16));return a.join("")}},614:(e,t,r)=>{"use strict";r.d(t,{BB:()=>a,H3:()=>n,g:()=>u,iL:()=>c,tS:()=>s,uh:()=>i,wk:()=>o});const n="NRBA",i="SESSION",o=144e5,a=18e5,s={STARTED:"session-started",PAUSE:"session-pause",RESET:"session-reset",RESUME:"session-resume",UPDATE:"session-update"},c={SAME_TAB:"same-tab",CROSS_TAB:"cross-tab"},u={OFF:0,FULL:1,ERROR:2}},863:(e,t,r)=>{"use strict";function n(){return Math.floor(performance.now())}r.d(t,{t:()=>n})},944:(e,t,r)=>{"use strict";function n(e,t){"function"==typeof console.debug&&console.debug("New Relic Warning: https://github.com/newrelic/newrelic-browser-agent/blob/main/docs/warning-codes.md#".concat(e),t)}r.d(t,{R:()=>n})},284:(e,t,r)=>{"use strict";r.d(t,{t:()=>c,B:()=>s});var n=r(836),i=r(154);const o="newrelic";const a=new Set,s={};function c(e,t){const r=n.ee.get(t);s[t]??={},e&&"object"==typeof e&&(a.has(t)||(r.emit("rumresp",[e]),s[t]=e,a.add(t),function(e={}){try{i.gm.dispatchEvent(new CustomEvent(o,{detail:e}))}catch(e){}}({loaded:!0})))}},990:(e,t,r)=>{"use strict";r.d(t,{I:()=>i});var n=Object.prototype.hasOwnProperty;function i(e,t,r){if(n.call(e,t))return e[t];var i=r();if(Object.defineProperty&&Object.keys)try{return Object.defineProperty(e,t,{value:i,writable:!0,enumerable:!1}),i}catch(e){}return e[t]=i,i}},389:(e,t,r)=>{"use strict";function n(e,t=500,r={}){const n=r?.leading||!1;let i;return(...r)=>{n&&void 0===i&&(e.apply(this,r),i=setTimeout((()=>{i=clearTimeout(i)}),t)),n||(clearTimeout(i),i=setTimeout((()=>{e.apply(this,r)}),t))}}function i(e){let t=!1;return(...r)=>{t||(t=!0,e.apply(this,r))}}r.d(t,{J:()=>i,s:()=>n})},289:(e,t,r)=>{"use strict";r.d(t,{GG:()=>o,sB:()=>a});var n=r(878);function i(){return"undefined"==typeof document||"complete"===document.readyState}function o(e,t){if(i())return e();(0,n.sp)("load",e,t)}function a(e){if(i())return e();(0,n.DD)("DOMContentLoaded",e)}},384:(e,t,r)=>{"use strict";r.d(t,{NT:()=>o,US:()=>l,Zm:()=>a,bQ:()=>c,dV:()=>s,nY:()=>u,pV:()=>d});var n=r(154),i=r(863);const o={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net"};function a(){return n.gm.NREUM||(n.gm.NREUM={}),void 0===n.gm.newrelic&&(n.gm.newrelic=n.gm.NREUM),n.gm.NREUM}function s(){let e=a();return e.o||(e.o={ST:n.gm.setTimeout,SI:n.gm.setImmediate,CT:n.gm.clearTimeout,XHR:n.gm.XMLHttpRequest,REQ:n.gm.Request,EV:n.gm.Event,PR:n.gm.Promise,MO:n.gm.MutationObserver,FETCH:n.gm.fetch,WS:n.gm.WebSocket}),e}function c(e,t){let r=a();r.initializedAgents??={},t.initializedAt={ms:(0,i.t)(),date:new Date},r.initializedAgents[e]=t}function u(e){let t=a();return t.initializedAgents?.[e]}function l(e,t){a()[e]=t}function d(){return function(){let e=a();const t=e.info||{};e.info={beacon:o.beacon,errorBeacon:o.errorBeacon,...t}}(),function(){let e=a();const t=e.init||{};e.init={...t}}(),s(),function(){let e=a();const t=e.loader_config||{};e.loader_config={...t}}(),a()}},843:(e,t,r)=>{"use strict";r.d(t,{u:()=>i});var n=r(878);function i(e,t=!1,r,i){(0,n.DD)("visibilitychange",(function(){if(t)return void("hidden"===document.visibilityState&&e());e(document.visibilityState)}),r,i)}},434:(e,t,r)=>{"use strict";r.d(t,{Jt:()=>o,YM:()=>c});var n=r(836),i=r(607);const o="nr@original:".concat(i.W);var a=Object.prototype.hasOwnProperty,s=!1;function c(e,t){return e||(e=n.ee),r.inPlace=function(e,t,n,i,o){n||(n="");const a="-"===n.charAt(0);for(let s=0;s<t.length;s++){const c=t[s],u=e[c];l(u)||(e[c]=r(u,a?c+n:n,i,c,o))}},r.flag=o,r;function r(t,r,n,s,c){return l(t)?t:(r||(r=""),nrWrapper[o]=t,function(e,t,r){if(Object.defineProperty&&Object.keys)try{return Object.keys(e).forEach((function(r){Object.defineProperty(t,r,{get:function(){return e[r]},set:function(t){return e[r]=t,t}})})),t}catch(e){u([e],r)}for(var n in e)a.call(e,n)&&(t[n]=e[n])}(t,nrWrapper,e),nrWrapper);function nrWrapper(){var o,a,l,d;try{a=this,o=[...arguments],l="function"==typeof n?n(o,a):n||{}}catch(t){u([t,"",[o,a,s],l],e)}i(r+"start",[o,a,s],l,c);try{return d=t.apply(a,o)}catch(e){throw i(r+"err",[o,a,e],l,c),e}finally{i(r+"end",[o,a,d],l,c)}}}function i(r,n,i,o){if(!s||t){var a=s;s=!0;try{e.emit(r,n,i,t,o)}catch(t){u([t,r,n,i],e)}s=a}}}function u(e,t){t||(t=n.ee);try{t.emit("internal-error",e)}catch(e){}}function l(e){return!(e&&"function"==typeof e&&e.apply&&!e[o])}},993:(e,t,r)=>{"use strict";r.d(t,{ET:()=>o,p_:()=>i});var n=r(860);const i={ERROR:"ERROR",WARN:"WARN",INFO:"INFO",DEBUG:"DEBUG",TRACE:"TRACE"},o="log";n.K7.logging},969:(e,t,r)=>{"use strict";r.d(t,{TZ:()=>n,XG:()=>s,rs:()=>i,xV:()=>a,z_:()=>o});const n=r(860).K7.metrics,i="sm",o="cm",a="storeSupportabilityMetrics",s="storeEventMetrics"},630:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewEvent},782:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewTiming},344:(e,t,r)=>{"use strict";r.d(t,{G4:()=>i});var n=r(614);r(860).K7.sessionReplay;const i={RECORD:"recordReplay",PAUSE:"pauseReplay",REPLAY_RUNNING:"replayRunning",ERROR_DURING_REPLAY:"errorDuringReplay"};n.g.ERROR,n.g.FULL,n.g.OFF},234:(e,t,r)=>{"use strict";r.d(t,{W:()=>o});var n=r(836),i=r(687);class o{constructor(e,t){this.agentIdentifier=e,this.ee=n.ee.get(e),this.featureName=t,this.blocked=!1}deregisterDrain(){(0,i.x3)(this.agentIdentifier,this.featureName)}}},603:(e,t,r)=>{"use strict";r.d(t,{j:()=>K});var n=r(860),i=r(555),o=r(371),a=r(908),s=r(836),c=r(687),u=r(289),l=r(154),d=r(944),f=r(969),g=r(384),p=r(344);const m=["setErrorHandler","finished","addToTrace","addRelease","recordCustomEvent","addPageAction","setCurrentRouteName","setPageViewName","setCustomAttribute","interaction","noticeError","setUserId","setApplicationVersion","start",p.G4.RECORD,p.G4.PAUSE,"log","wrapLogger"],h=["setErrorHandler","finished","addToTrace","addRelease"];var v=r(863),b=r(614),y=r(993);var w=r(646),A=r(434);const R=new Map;function _(e,t,r,n){if("object"!=typeof t||!t||"string"!=typeof r||!r||"function"!=typeof t[r])return(0,d.R)(29);const i=function(e){return(e||s.ee).get("logger")}(e),o=(0,A.YM)(i),a=new w.y(s.P);a.level=n.level,a.customAttributes=n.customAttributes;const c=t[r]?.[A.Jt]||t[r];return R.set(c,a),o.inPlace(t,[r],"wrap-logger-",(()=>R.get(c))),i}function E(){const e=(0,g.pV)();m.forEach((t=>{e[t]=(...r)=>function(t,...r){let n=[];return Object.values(e.initializedAgents).forEach((e=>{e&&e.api?e.exposed&&e.api[t]&&n.push(e.api[t](...r)):(0,d.R)(38,t)})),n.length>1?n:n[0]}(t,...r)}))}const x={};function N(e,t,g=!1){t||(0,c.Ak)(e,"api");const m={};var w=s.ee.get(e),A=w.get("tracer");x[e]=b.g.OFF,w.on(p.G4.REPLAY_RUNNING,(t=>{x[e]=t}));var R="api-",E=R+"ixn-";function N(t,r,n,o){const a=(0,i.Vp)(e);return null===r?delete a.jsAttributes[t]:(0,i.x1)(e,{...a,jsAttributes:{...a.jsAttributes,[t]:r}}),j(R,n,!0,o||null===r?"session":void 0)(t,r)}function k(){}m.log=function(e,{customAttributes:t={},level:r=y.p_.INFO}={}){(0,a.p)(f.xV,["API/log/called"],void 0,n.K7.metrics,w),function(e,t,r={},i=y.p_.INFO){(0,a.p)(f.xV,["API/logging/".concat(i.toLowerCase(),"/called")],void 0,n.K7.metrics,e),(0,a.p)(y.ET,[(0,v.t)(),t,r,i],void 0,n.K7.logging,e)}(w,e,t,r)},m.wrapLogger=(e,t,{customAttributes:r={},level:i=y.p_.INFO}={})=>{(0,a.p)(f.xV,["API/wrapLogger/called"],void 0,n.K7.metrics,w),_(w,e,t,{customAttributes:r,level:i})},h.forEach((e=>{m[e]=j(R,e,!0,"api")})),m.addPageAction=j(R,"addPageAction",!0,n.K7.genericEvents),m.recordCustomEvent=j(R,"recordCustomEvent",!0,n.K7.genericEvents),m.setPageViewName=function(t,r){if("string"==typeof t)return"/"!==t.charAt(0)&&(t="/"+t),(0,o.f)(e).customTransaction=(r||"http://custom.transaction")+t,j(R,"setPageViewName",!0)()},m.setCustomAttribute=function(e,t,r=!1){if("string"==typeof e){if(["string","number","boolean"].includes(typeof t)||null===t)return N(e,t,"setCustomAttribute",r);(0,d.R)(40,typeof t)}else(0,d.R)(39,typeof e)},m.setUserId=function(e){if("string"==typeof e||null===e)return N("enduser.id",e,"setUserId",!0);(0,d.R)(41,typeof e)},m.setApplicationVersion=function(e){if("string"==typeof e||null===e)return N("application.version",e,"setApplicationVersion",!1);(0,d.R)(42,typeof e)},m.start=()=>{try{(0,a.p)(f.xV,["API/start/called"],void 0,n.K7.metrics,w),w.emit("manual-start-all")}catch(e){(0,d.R)(23,e)}},m[p.G4.RECORD]=function(){(0,a.p)(f.xV,["API/recordReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.RECORD,[],void 0,n.K7.sessionReplay,w)},m[p.G4.PAUSE]=function(){(0,a.p)(f.xV,["API/pauseReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.PAUSE,[],void 0,n.K7.sessionReplay,w)},m.interaction=function(e){return(new k).get("object"==typeof e?e:{})};const T=k.prototype={createTracer:function(e,t){var r={},i=this,o="function"==typeof t;return(0,a.p)(f.xV,["API/createTracer/called"],void 0,n.K7.metrics,w),g||(0,a.p)(E+"tracer",[(0,v.t)(),e,r],i,n.K7.spa,w),function(){if(A.emit((o?"":"no-")+"fn-start",[(0,v.t)(),i,o],r),o)try{return t.apply(this,arguments)}catch(e){const t="string"==typeof e?new Error(e):e;throw A.emit("fn-err",[arguments,this,t],r),t}finally{A.emit("fn-end",[(0,v.t)()],r)}}}};function j(e,t,r,i){return function(){return(0,a.p)(f.xV,["API/"+t+"/called"],void 0,n.K7.metrics,w),i&&(0,a.p)(e+t,[r?(0,v.t)():performance.now(),...arguments],r?null:this,i,w),r?void 0:this}}function I(){r.e(296).then(r.bind(r,778)).then((({setAPI:t})=>{t(e),(0,c.Ze)(e,"api")})).catch((e=>{(0,d.R)(27,e),w.abort()}))}return["actionText","setName","setAttribute","save","ignore","onEnd","getContext","end","get"].forEach((e=>{T[e]=j(E,e,void 0,g?n.K7.softNav:n.K7.spa)})),m.setCurrentRouteName=g?j(E,"routeName",void 0,n.K7.softNav):j(R,"routeName",!0,n.K7.spa),m.noticeError=function(t,r){"string"==typeof t&&(t=new Error(t)),(0,a.p)(f.xV,["API/noticeError/called"],void 0,n.K7.metrics,w),(0,a.p)("err",[t,(0,v.t)(),!1,r,!!x[e]],void 0,n.K7.jserrors,w)},l.RI?(0,u.GG)((()=>I()),!0):I(),m}var k=r(217),T=r(122);const j={accountID:void 0,trustKey:void 0,agentID:void 0,licenseKey:void 0,applicationID:void 0,xpid:void 0},I={};var S=r(284);const O=e=>{const t=e.startsWith("http");e+="/",r.p=t?e:"https://"+e};let P=!1;function K(e,t={},r,n){let{init:a,info:c,loader_config:u,runtime:d={},exposed:f=!0}=t;d.loaderType=r;const p=(0,g.pV)();c||(a=p.init,c=p.info,u=p.loader_config),(0,k.xN)(e.agentIdentifier,a||{}),function(e,t){if(!e)throw new Error("All loader-config objects require an agent identifier!");I[e]=(0,T.a)(t,j);const r=(0,g.nY)(e);r&&(r.loader_config=I[e])}(e.agentIdentifier,u||{}),c.jsAttributes??={},l.bv&&(c.jsAttributes.isWorker=!0),(0,i.x1)(e.agentIdentifier,c);const m=(0,k.D0)(e.agentIdentifier),h=[c.beacon,c.errorBeacon];P||(m.proxy.assets&&(O(m.proxy.assets),h.push(m.proxy.assets)),m.proxy.beacon&&h.push(m.proxy.beacon),E(),(0,g.US)("activatedFeatures",S.B),e.runSoftNavOverSpa&&=!0===m.soft_navigations.enabled&&m.feature_flags.includes("soft_nav")),d.denyList=[...m.ajax.deny_list||[],...m.ajax.block_internal?h:[]],d.ptid=e.agentIdentifier,(0,o.V)(e.agentIdentifier,d),e.ee=s.ee.get(e.agentIdentifier),void 0===e.api&&(e.api=N(e.agentIdentifier,n,e.runSoftNavOverSpa)),void 0===e.exposed&&(e.exposed=f),P=!0}},374:(e,t,r)=>{r.nc=(()=>{try{return document?.currentScript?.nonce}catch(e){}return""})()},860:(e,t,r)=>{"use strict";r.d(t,{$J:()=>u,K7:()=>s,P3:()=>c,XX:()=>i,qY:()=>n,v4:()=>a});const n="events",i="jserrors",o="browser/blobs",a="rum",s={ajax:"ajax",genericEvents:"generic_events",jserrors:i,logging:"logging",metrics:"metrics",pageAction:"page_action",pageViewEvent:"page_view_event",pageViewTiming:"page_view_timing",sessionReplay:"session_replay",sessionTrace:"session_trace",softNav:"soft_navigations",spa:"spa"},c={[s.pageViewEvent]:1,[s.pageViewTiming]:2,[s.metrics]:3,[s.jserrors]:4,[s.spa]:5,[s.ajax]:6,[s.sessionTrace]:7,[s.softNav]:8,[s.sessionReplay]:9,[s.logging]:10,[s.genericEvents]:11},u={[s.pageViewEvent]:a,[s.pageViewTiming]:n,[s.ajax]:n,[s.spa]:n,[s.softNav]:n,[s.metrics]:i,[s.jserrors]:i,[s.sessionTrace]:o,[s.sessionReplay]:o,[s.logging]:"browser/logs",[s.genericEvents]:"ins"}}},n={};function i(e){var t=n[e];if(void 0!==t)return t.exports;var o=n[e]={exports:{}};return r[e](o,o.exports,i),o.exports}i.m=r,i.d=(e,t)=>{for(var r in t)i.o(t,r)&&!i.o(e,r)&&Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},i.f={},i.e=e=>Promise.all(Object.keys(i.f).reduce(((t,r)=>(i.f[r](e,t),t)),[])),i.u=e=>"nr-rum-1.281.0.min.js",i.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),e={},t="NRBA-1.281.0.PROD:",i.l=(r,n,o,a)=>{if(e[r])e[r].push(n);else{var s,c;if(void 0!==o)for(var u=document.getElementsByTagName("script"),l=0;l<u.length;l++){var d=u[l];if(d.getAttribute("src")==r||d.getAttribute("data-webpack")==t+o){s=d;break}}if(!s){c=!0;var f={296:"sha512-zqOtfbjYsGTkQScey1O8Hh9fA1+m2RFxLpfv7BWqqTivgQ6iM13v6QJ4d5xykyDwx1GoMFmngC4SKpFn6VciYg=="};(s=document.createElement("script")).charset="utf-8",s.timeout=120,i.nc&&s.setAttribute("nonce",i.nc),s.setAttribute("data-webpack",t+o),s.src=r,0!==s.src.indexOf(window.location.origin+"/")&&(s.crossOrigin="anonymous"),f[a]&&(s.integrity=f[a])}e[r]=[n];var g=(t,n)=>{s.onerror=s.onload=null,clearTimeout(p);var i=e[r];if(delete e[r],s.parentNode&&s.parentNode.removeChild(s),i&&i.forEach((e=>e(n))),t)return t(n)},p=setTimeout(g.bind(null,void 0,{type:"timeout",target:s}),12e4);s.onerror=g.bind(null,s.onerror),s.onload=g.bind(null,s.onload),c&&document.head.appendChild(s)}},i.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},i.p="https://js-agent.newrelic.com/",(()=>{var e={374:0,840:0};i.f.j=(t,r)=>{var n=i.o(e,t)?e[t]:void 0;if(0!==n)if(n)r.push(n[2]);else{var o=new Promise(((r,i)=>n=e[t]=[r,i]));r.push(n[2]=o);var a=i.p+i.u(t),s=new Error;i.l(a,(r=>{if(i.o(e,t)&&(0!==(n=e[t])&&(e[t]=void 0),n)){var o=r&&("load"===r.type?"missing":r.type),a=r&&r.target&&r.target.src;s.message="Loading chunk "+t+" failed.\n("+o+": "+a+")",s.name="ChunkLoadError",s.type=o,s.request=a,n[1](s)}}),"chunk-"+t,t)}};var t=(t,r)=>{var n,o,[a,s,c]=r,u=0;if(a.some((t=>0!==e[t]))){for(n in s)i.o(s,n)&&(i.m[n]=s[n]);if(c)c(i)}for(t&&t(r);u<a.length;u++)o=a[u],i.o(e,o)&&e[o]&&e[o][0](),e[o]=0},r=self["webpackChunk:NRBA-1.281.0.PROD"]=self["webpackChunk:NRBA-1.281.0.PROD"]||[];r.forEach(t.bind(null,0)),r.push=t.bind(null,r.push.bind(r))})(),(()=>{"use strict";i(374);var e=i(944),t=i(344),r=i(566);class n{agentIdentifier;constructor(){this.agentIdentifier=(0,r.LA)(16)}#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}addPageAction(e,t){return this.#e("addPageAction",e,t)}recordCustomEvent(e,t){return this.#e("recordCustomEvent",e,t)}setPageViewName(e,t){return this.#e("setPageViewName",e,t)}setCustomAttribute(e,t,r){return this.#e("setCustomAttribute",e,t,r)}noticeError(e,t){return this.#e("noticeError",e,t)}setUserId(e){return this.#e("setUserId",e)}setApplicationVersion(e){return this.#e("setApplicationVersion",e)}setErrorHandler(e){return this.#e("setErrorHandler",e)}addRelease(e,t){return this.#e("addRelease",e,t)}log(e,t){return this.#e("log",e,t)}}class o extends n{#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}start(){return this.#e("start")}finished(e){return this.#e("finished",e)}recordReplay(){return this.#e(t.G4.RECORD)}pauseReplay(){return this.#e(t.G4.PAUSE)}addToTrace(e){return this.#e("addToTrace",e)}setCurrentRouteName(e){return this.#e("setCurrentRouteName",e)}interaction(){return this.#e("interaction")}wrapLogger(e,t,r){return this.#e("wrapLogger",e,t,r)}}var a=i(860),s=i(217);const c=Object.values(a.K7);function u(e){const t={};return c.forEach((r=>{t[r]=function(e,t){return!0===(0,s.gD)(t,"".concat(e,".enabled"))}(r,e)})),t}var l=i(603);var d=i(687),f=i(234),g=i(289),p=i(154),m=i(384);const h=e=>p.RI&&!0===(0,s.gD)(e,"privacy.cookies_enabled");function v(e){return!!(0,m.dV)().o.MO&&h(e)&&!0===(0,s.gD)(e,"session_trace.enabled")}var b=i(389);class y extends f.W{constructor(e,t,r=!0){super(e.agentIdentifier,t),this.auto=r,this.abortHandler=void 0,this.featAggregate=void 0,this.onAggregateImported=void 0,!1===e.init[this.featureName].autoStart&&(this.auto=!1),this.auto?(0,d.Ak)(e.agentIdentifier,t):this.ee.on("manual-start-all",(0,b.J)((()=>{(0,d.Ak)(e.agentIdentifier,this.featureName),this.auto=!0,this.importAggregator(e)})))}importAggregator(t,r={}){if(this.featAggregate||!this.auto)return;let n;this.onAggregateImported=new Promise((e=>{n=e}));const o=async()=>{let o;try{if(h(this.agentIdentifier)){const{setupAgentSession:e}=await i.e(296).then(i.bind(i,861));o=e(t)}}catch(t){(0,e.R)(20,t),this.ee.emit("internal-error",[t]),this.featureName===a.K7.sessionReplay&&this.abortHandler?.()}try{if(!this.#t(this.featureName,o))return(0,d.Ze)(this.agentIdentifier,this.featureName),void n(!1);const{lazyFeatureLoader:e}=await i.e(296).then(i.bind(i,103)),{Aggregate:a}=await e(this.featureName,"aggregate");this.featAggregate=new a(t,r),t.runtime.harvester.initializedAggregates.push(this.featAggregate),n(!0)}catch(t){(0,e.R)(34,t),this.abortHandler?.(),(0,d.Ze)(this.agentIdentifier,this.featureName,!0),n(!1),this.ee&&this.ee.abort()}};p.RI?(0,g.GG)((()=>o()),!0):o()}#t(e,t){switch(e){case a.K7.sessionReplay:return v(this.agentIdentifier)&&!!t;case a.K7.sessionTrace:return!!t;default:return!0}}}var w=i(630);class A extends y{static featureName=w.T;constructor(e,t=!0){super(e,w.T,t),this.importAggregator(e)}}var R=i(908),_=i(843),E=i(878),x=i(782),N=i(863);class k extends y{static featureName=x.T;constructor(e,t=!0){super(e,x.T,t),p.RI&&((0,_.u)((()=>(0,R.p)("docHidden",[(0,N.t)()],void 0,x.T,this.ee)),!0),(0,E.sp)("pagehide",(()=>(0,R.p)("winPagehide",[(0,N.t)()],void 0,x.T,this.ee))),this.importAggregator(e))}}var T=i(969);class j extends y{static featureName=T.TZ;constructor(e,t=!0){super(e,T.TZ,t),this.importAggregator(e)}}new class extends o{constructor(t){super(),p.gm?(this.features={},(0,m.bQ)(this.agentIdentifier,this),this.desiredFeatures=new Set(t.features||[]),this.desiredFeatures.add(A),this.runSoftNavOverSpa=[...this.desiredFeatures].some((e=>e.featureName===a.K7.softNav)),(0,l.j)(this,t,t.loaderType||"agent"),this.run()):(0,e.R)(21)}get config(){return{info:this.info,init:this.init,loader_config:this.loader_config,runtime:this.runtime}}run(){try{const t=u(this.agentIdentifier),r=[...this.desiredFeatures];r.sort(((e,t)=>a.P3[e.featureName]-a.P3[t.featureName])),r.forEach((r=>{if(!t[r.featureName]&&r.featureName!==a.K7.pageViewEvent)return;if(this.runSoftNavOverSpa&&r.featureName===a.K7.spa)return;if(!this.runSoftNavOverSpa&&r.featureName===a.K7.softNav)return;const n=function(e){switch(e){case a.K7.ajax:return[a.K7.jserrors];case a.K7.sessionTrace:return[a.K7.ajax,a.K7.pageViewEvent];case a.K7.sessionReplay:return[a.K7.sessionTrace];case a.K7.pageViewTiming:return[a.K7.pageViewEvent];default:return[]}}(r.featureName).filter((e=>!(e in this.features)));n.length>0&&(0,e.R)(36,{targetFeature:r.featureName,missingDependencies:n}),this.features[r.featureName]=new r(this)}))}catch(t){(0,e.R)(22,t);for(const e in this.features)this.features[e].abortHandler?.();const r=(0,m.Zm)();delete r.initializedAgents[this.agentIdentifier]?.api,delete r.initializedAgents[this.agentIdentifier]?.features,delete this.sharedAggregator;return r.ee.get(this.agentIdentifier).abort(),!1}}}({features:[A,k,j],loaderType:"lite"})})()})();</script> <link rel="shortcut icon" href="https://www.usenix.org/sites/default/files/waves_favicon.ico" type="image/vnd.microsoft.icon" /> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" /> <meta name="rating" content="general" /> <meta name="generator" content="Drupal 7 (http://drupal.org)" /> <link rel="canonical" href="https://www.usenix.org/publications/loginonline/data-only-attacks-are-easier-you-think" /> <link rel="shortlink" href="https://www.usenix.org/node/299919" /> <meta property="og:type" content="website" /> <meta property="og:site_name" content="USENIX" /> <meta property="og:title" content="Data-Only Attacks Are Easier than You Think" /> <meta property="og:url" content="https://www.usenix.org/publications/loginonline/data-only-attacks-are-easier-you-think" /> <meta property="og:updated_time" content="2024-07-01T10:11:28-07:00" /> <meta property="og:image" content="https://www.usenix.org/sites/default/files/usenix_og_1200x630_2.png" /> <meta property="og:image:url" content="https://www.usenix.org/sites/default/files/usenix_og_1200x630_2.png" /> <meta property="og:image:type" content="image/png" /> <meta name="twitter:image:width" content="1200" /> <meta name="twitter:image:height" content="630" /> <meta property="article:published_time" content="2024-06-28T14:52:23-07:00" /> <meta property="article:modified_time" content="2024-07-01T10:11:28-07:00" /> <title>Data-Only Attacks Are Easier than You Think | USENIX</title> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_xE-rWrJf-fncB6ztZfd2huxqgxu4WO-qwma6Xer30m4.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_6Lm0rnfxqNW_dZrK-jiErWln-cm6IgixIkNMwxv7Ar4.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_nUFTrBzuSS1e6iNFoYIyAptja28IikBBh8IfX_l3-Jw.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_NhfuCP0ROKqhpwldXoTM4JcPh5nWD9lhOAJb1G88pjY.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://www.usenix.org/sites/default/files/css/css_mRbT5IPFSFuKfzZdgdvZZ85p2out8lpep9KzGqViarQ.css" media="all" /> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_fyV0VVkC6Q3xduxGurKMTFIU2dMmArUrbAdZORL-9WQ.js"></script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_s7yA-hwRxnKty__ED6DuqmTMKG39xvpRyrtyCrbWH4M.js"></script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_DjF-Bb20xeeKeAY25OYUCrKu9mAURkrZnvUmdejl3_I.js"></script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_gHk2gWJ_Qw_jU2qRiUmSl7d8oly1Cx7lQFrqcp3RXcI.js"></script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_RTrWEAPrEyH6RHoUPa_GRU_NbHR0-rQewtCeJl7Faa4.js"></script> <script type="text/javascript"> <!--//--><![CDATA[//><!-- var _paq = _paq || [];(function(){var u=(("https:" == document.location.protocol) ? "https://usenix.matomo.cloud/" : "http://usenix.matomo.cloud/");_paq.push(["setSiteId", "2"]);_paq.push(["setTrackerUrl", u+"matomo.php"]);_paq.push(["setDocumentTitle", "Data-Only%20Attacks%20Are%20Easier%20than%20You%20Think"]);_paq.push(["setDownloadExtensions", "pdf|epub|mobi|zip|7z|tar|tgz|gz|gzip"]);_paq.push(["setDoNotTrack", 1]);_paq.push(["trackPageView"]);_paq.push(["setIgnoreClasses", ["no-tracking","colorbox"]]);_paq.push(["enableLinkTracking"]);var d=document,g=d.createElement("script"),s=d.getElementsByTagName("script")[0];g.type="text/javascript";g.defer=true;g.async=true;g.src=u+"matomo.js";s.parentNode.insertBefore(g,s);})(); //--><!]]> </script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_4uimch3jbwkBM_rQkLGsREMhoXGquBbBD04tk1HbzYc.js"></script> <script type="text/javascript" src="https://js.stripe.com/v3"></script> <script type="text/javascript"> <!--//--><![CDATA[//><!-- window.a2a_config=window.a2a_config||{};window.da2a={done:false,html_done:false,script_ready:false,script_load:function(){var a=document.createElement('script'),s=document.getElementsByTagName('script')[0];a.type='text/javascript';a.async=true;a.src='https://static.addtoany.com/menu/page.js';s.parentNode.insertBefore(a,s);da2a.script_load=function(){};},script_onready:function(){da2a.script_ready=true;if(da2a.html_done)da2a.init();},init:function(){for(var i=0,el,target,targets=da2a.targets,length=targets.length;i<length;i++){el=document.getElementById('da2a_'+(i+1));target=targets[i];a2a_config.linkname=target.title;a2a_config.linkurl=target.url;if(el){a2a.init('page',{target:el});el.id='';}da2a.done=true;}da2a.targets=[];}};(function ($){Drupal.behaviors.addToAny = {attach: function (context, settings) {if (context !== document && window.da2a) {if(da2a.script_ready)a2a.init_all();da2a.script_load();}}}})(jQuery);a2a_config.callbacks=a2a_config.callbacks||[];a2a_config.callbacks.push({ready:da2a.script_onready});a2a_config.overlays=a2a_config.overlays||[];a2a_config.templates=a2a_config.templates||{}; //--><!]]> </script> <script type="text/javascript" src="https://www.usenix.org/sites/default/files/js/js_ZO6lBzNCyArV9XKBSrkUh7Vi0Hl4xwt03mPiMaTMGPA.js"></script> <script type="text/javascript"> <!--//--><![CDATA[//><!-- jQuery.extend(Drupal.settings, {"basePath":"\/","pathPrefix":"","setHasJsCookie":0,"ajaxPageState":{"theme":"cotija","theme_token":"-Ip8Su1e9qQxf49xXGBJjXkXcYamIFMv-_STF7-AbU8","js":{"0":1,"https:\/\/www.usenix.org\/sites\/default\/files\/google_tag\/usenix\/google_tag.script.js":1,"sites\/all\/modules\/jquery_update\/replace\/jquery\/1.8\/jquery.min.js":1,"misc\/jquery-extend-3.4.0.js":1,"misc\/jquery-html-prefilter-3.5.0-backport.js":1,"misc\/jquery.once.js":1,"misc\/drupal.js":1,"sites\/all\/modules\/beautytips\/js\/jquery.bt.min.js":1,"sites\/all\/modules\/beautytips\/js\/beautytips.min.js":1,"sites\/all\/modules\/jquery_update\/replace\/ui\/external\/jquery.cookie.js":1,"sites\/all\/libraries\/mmenu\/dist\/mmenu.js":1,"sites\/all\/modules\/entityreference\/js\/entityreference.js":1,"sites\/all\/modules\/behavior_weights\/behavior_weights.js":1,"sites\/all\/modules\/cookiebot\/js\/cookiebot.js":1,"sites\/all\/modules\/matomo\/matomo.js":1,"1":1,"sites\/all\/modules\/usenix\/usenix_blocks\/js\/mobile-menu.js":1,"sites\/all\/modules\/field_group\/field_group.js":1,"https:\/\/js.stripe.com\/v3":1,"2":1,"sites\/all\/themes\/custom\/cotija\/cotija.js":1},"css":{"modules\/system\/system.base.css":1,"modules\/system\/system.menus.css":1,"modules\/system\/system.messages.css":1,"modules\/system\/system.theme.css":1,"sites\/all\/libraries\/mmenu\/dist\/mmenu.css":1,"modules\/comment\/comment.css":1,"modules\/field\/theme\/field.css":1,"modules\/node\/node.css":1,"modules\/poll\/poll.css":1,"modules\/search\/search.css":1,"sites\/all\/modules\/usenix\/usenix_conference\/css\/timezone-picker.css":1,"modules\/user\/user.css":1,"sites\/all\/modules\/workflow\/workflow_admin_ui\/workflow_admin_ui.css":1,"sites\/all\/modules\/views\/css\/views.css":1,"sites\/all\/modules\/cookiebot\/css\/cookiebot.css":1,"sites\/all\/modules\/media\/modules\/media_wysiwyg\/css\/media_wysiwyg.base.css":1,"sites\/all\/modules\/ctools\/css\/ctools.css":1,"sites\/all\/modules\/geshifilter\/geshifilter.css":1,"sites\/all\/modules\/biblio\/biblio.css":1,"sites\/all\/modules\/usenix\/usenix_blocks\/css\/mobile-menu.css":1,"sites\/all\/modules\/date\/date_api\/date.css":1,"sites\/all\/modules\/field_collection\/field_collection.theme.css":1,"sites\/all\/modules\/addtoany\/addtoany.css":1,"sites\/all\/themes\/custom\/cotija\/css\/normalize.css":1,"sites\/all\/themes\/custom\/cotija\/css\/style.css":1,"sites\/all\/themes\/custom\/cotija\/fonts\/fontawesome\/css\/all.min.css":1}},"beautytipStyles":{"default":{"fill":"#F4F4F4","strokeStyle":"#666666","spikeLength":20,"spikeGirth":10,"width":350,"overlap":0,"centerPointY":1,"cornerRadius":0,"cssStyles":{"fontFamily":"\u0026quot;Lucida Grande\u0026quot;,Helvetica,Arial,Verdana,sans-serif","fontSize":"12px","padding":"10px 14px"},"shadow":1,"shadowColor":"rgba(0,0,0,.5)","shadowBlur":8,"shadowOffsetX":4,"shadowOffsetY":4},"plain":[],"netflix":{"positions":["right","left"],"fill":"#FFF","padding":5,"shadow":true,"shadowBlur":12,"strokeStyle":"#B9090B","spikeLength":50,"spikeGirth":60,"cornerRadius":10,"centerPointY":0.1,"overlap":-8,"cssStyles":{"fontSize":"12px","fontFamily":"arial,helvetica,sans-serif"}},"facebook":{"fill":"#F7F7F7","padding":8,"strokeStyle":"#B7B7B7","cornerRadius":0,"cssStyles":{"fontFamily":"\u0022lucida grande\u0022,tahoma,verdana,arial,sans-serif","fontSize":"11px"}},"transparent":{"fill":"rgba(0, 0, 0, .8)","padding":20,"strokeStyle":"#CC0","strokeWidth":3,"spikeLength":40,"spikeGirth":40,"cornerRadius":40,"cssStyles":{"color":"#FFF","fontWeight":"bold"}},"big-green":{"fill":"#00FF4E","padding":20,"strokeWidth":0,"spikeLength":40,"spikeGirth":40,"cornerRadius":15,"cssStyles":{"fontFamily":"\u0022lucida grande\u0022,tahoma,verdana,arial,sans-serif","fontSize":"14px"}},"google-maps":{"positions":["top","bottom"],"fill":"#FFF","padding":15,"strokeStyle":"#ABABAB","strokeWidth":1,"spikeLength":65,"spikeGirth":40,"cornerRadius":25,"centerPointX":0.9,"cssStyles":[]},"hulu":{"fill":"#F4F4F4","strokeStyle":"#666666","spikeLength":20,"spikeGirth":10,"width":350,"overlap":0,"centerPointY":1,"cornerRadius":0,"cssStyles":{"fontFamily":"\u0022Lucida Grande\u0022,Helvetica,Arial,Verdana,sans-serif","fontSize":"12px","padding":"10px 14px"},"shadow":true,"shadowColor":"rgba(0,0,0,.5)","shadowBlur":8,"shadowOffsetX":4,"shadowOffsetY":4}},"beautytips":{".beautytips":{"cssSelect":".beautytips","style":"default"}},"jcarousel":{"ajaxPath":"\/jcarousel\/ajax\/views"},"cookiebot":{"message_placeholder_cookieconsent_optout_marketing_show":false,"message_placeholder_cookieconsent_optout_marketing":"\u003Cdiv class=\u0022cookiebot cookieconsent-optout-marketing\u0022\u003E\r\n\t\u003Cdiv class=\u0022cookieconsent-optout-marketing__inner\u0022\u003E\r\n\t\tPlease \u003Ca href=\u0022!cookiebot_renew\u0022 class=\u0022cookieconsent-optout-marketing__cookiebot-renew\u0022\u003Eaccept marketing-cookies\u003C\/a\u003E to view this embedded content from \u003Ca href=\u0022!cookiebot_from_src_url\u0022 target=\u0022_blank\u0022 class=\u0022cookieconsent-optout-marketing__from-src-url\u0022\u003E!cookiebot_from_src_url\u003C\/a\u003E\t\u003C\/div\u003E\r\n\u003C\/div\u003E\r\n"},"matomo":{"trackMailto":0},"field_group":{"fieldset":"full","div":"full"}}); //--><!]]> </script> </head> <body class="html not-front not-logged-in no-sidebars page-node page-node- page-node-299919 node-type-login-online user-is-non-member" > <div id="skip-link"> <a href="#main-content" class="element-invisible element-focusable">Skip to main content</a> </div> <noscript aria-hidden="true"><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WQSPGJT" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <div id="page-wrapper"><div id="page"> <div id="header"> <div class="section clearfix"> <div class="region region-header"> <div id="block-usenix-blocks-usenix-logo-1" class="block block-usenix-blocks usenix-logo-1"> <div class="content"> <a href="/" title="Home" rel="home"><img src="https://www.usenix.org/sites/all/themes/custom/cotija/images/logo.svg" alt="Home" /></a> </div> </div> <div id="block-system-main-menu" class="block block-system block-menu main-menu"> <div class="content"> <ul class="menu"><li class="first collapsed"><a href="/about">About</a></li> <li class="collapsed"><a href="/conferences">Conferences</a></li> <li class="collapsed"><a href="/publications" title="Publications from USENIX">Publications</a></li> <li class="leaf"><a href="/membership">Membership</a></li> <li class="collapsed"><a href="/students" title="Student Programs">Students</a></li> <li class="leaf hidden-medium-up"><a href="/search/site" class="search-link">Search</a></li> <li class="last leaf"><a href="https://www.usenix.org/donate" class="btn">Donate Today</a></li> </ul> </div> </div> <div id="block-system-user-menu" class="block block-system block-menu user-menu"> <div class="content"> <ul class="menu"><li class="first leaf"><a href="/user/login" class="login-link">Sign In</a></li> <li class="last leaf hidden-medium-down"><a href="/search/site" class="search-link">Search</a></li> </ul> </div> </div> <div id="block-usenix-blocks-usenix-mobile-menu" class="block block-usenix-blocks usenix-mobile-menu"> <div class="content"> <a href="#mobile-menu" id="mobile-menu-toggle"><i class="fas fa-bars"></i><i class="fas fa-times"></i></a><div id="mobile-menu"><ul class="menu"><li class="first expanded"><a href="/about">About</a><ul class="menu"><li class="first leaf"><a href="/board" title="USENIX Board of Directors">USENIX Board</a></li> <li class="leaf"><a href="/staff" title="Usenix Staff">Staff</a></li> <li class="leaf"><a href="/newsroom">Newsroom</a></li> <li class="leaf"><a href="/good-works-program" title="Good Works Program">Good Works</a></li> <li class="leaf"><a href="/blog">Blog</a></li> <li class="leaf"><a href="/about/governance-financials">Governance and Financials</a></li> <li class="leaf"><a href="/about/awards">USENIX Awards</a></li> <li class="leaf"><a href="/supporters">USENIX Supporters</a></li> <li class="leaf"><a href="/board/elections24">2024 Board Election</a></li> <li class="collapsed"><a href="/board-meeting-minutes">Board Meeting Minutes</a></li> <li class="last leaf"><a href="https://www.usenix.org/donate" title="USENIX Annual Fund">Donate</a></li> </ul></li> <li class="expanded"><a href="/conferences">Conferences</a><ul class="menu"><li class="first collapsed"><a href="/conferences/upcoming">Upcoming</a></li> <li class="leaf"><a href="/conferences/byname" title="">By Name</a></li> <li class="leaf"><a href="/conferences/calls-for-papers">Calls for Papers</a></li> <li class="leaf"><a href="/conferences/grants">Grants</a></li> <li class="leaf"><a href="/conferences/sponsorship" title="Sponsorship Opportunities">Sponsorship</a></li> <li class="leaf"><a href="/conferences/best-papers">Best Papers</a></li> <li class="leaf"><a href="/conferences/test-of-time-awards">Test of Time Awards</a></li> <li class="leaf"><a href="/conferences/multimedia">Multimedia</a></li> <li class="leaf"><a href="/conferences/faq">Conference FAQ</a></li> <li class="leaf"><a href="/conferences/policies-resources">Conference Policies</a></li> <li class="last leaf"><a href="/conferences/coc">Code of Conduct</a></li> </ul></li> <li class="expanded"><a href="/publications" title="Publications from USENIX">Publications</a><ul class="menu"><li class="first leaf"><a href="/publications/proceedings">Proceedings</a></li> <li class="collapsed"><a href="/conferences/author-resources">Author Resources</a></li> <li class="leaf"><a href="/publications/loginonline">;login: Online</a></li> <li class="leaf"><a href="/publications/loginonline/writing">Writing for ;login: Online</a></li> <li class="last leaf"><a href="/publications/login">;login: Archive</a></li> </ul></li> <li class="leaf"><a href="/membership">Membership</a></li> <li class="expanded"><a href="/students" title="Student Programs">Students</a><ul class="menu"><li class="first leaf"><a href="/students/fees">Conference Fees</a></li> <li class="last leaf"><a href="/students/grants">Student Grant Program</a></li> </ul></li> <li class="leaf hidden-medium-up"><a href="/search/site" class="search-link">Search</a></li> <li class="last leaf"><a href="https://www.usenix.org/donate" class="btn">Donate Today</a></li> </ul></div> </div> </div> </div> </div> </div> <!-- /.section, /#header --> <div id="sub-menu-wrapper"></div> <div id="postheader"> <div class="region region-postheader"> <div id="block-block-162" class="block block-block login-v2-article-header-block 162"> <div class="content"> <div class="login-v2-article-header"> <div class="login-v2-discussion"> <div class="login-v2-discussion-text"> <a href="#comments"><span class="login-icon-chat"></span>Join the conversation</a><br /> <a href="/publications/loginonline">Back to ;login: Online</a> </div> </div> </div> </div> </div> <div id="block-addtoany-addtoany-button" class="block block-addtoany addtoany-button"> <div class="content"> <span class="a2a_kit a2a_kit_size_32 a2a_target addtoany_list" id="da2a_1"> <a class="a2a_button_print"></a> <a class="a2a_button_facebook"></a> <a class="a2a_button_twitter"></a> <a class="a2a_button_linkedin"></a> </span> <script type="text/javascript"> <!--//--><![CDATA[//><!-- if(window.da2a)da2a.script_load(); //--><!]]> </script> </div> </div> </div> </div> <!-- /#postheader --> <div id="main-wrapper"><div id="main" class="clearfix"> <div id="content-header" class="column"><div class="section"> <div class="tabs"></div> <h1 class="title" id="page-title">Data-Only Attacks Are Easier than You Think</h1> </div></div> <!-- /.section, /#content-header --> <div id="content" class="column"><div class="section"> <div class="region region-content"> <div id="block-block-156" class="block block-block block-usenix-donate 156"> <div class="content"> <!--<a class="btn" href="https://connect.clickandpledge.com/w/Form/a9f96acc-aa05-4c52-a9b4-e12ab505abdf" target="_blank">Donate Today</a>--> <a class="btn" href="https://www.usenix.org/ways-to-give" target="_blank">Donate Today</a> </div> </div> <div id="block-system-main" class="block block-system main"> <div class="content"> <div id="node-299919" class="node node-login-online view-mode-full view-mode-full--node view-mode-full--node--login_online clearfix"> <div class="content"> <div class="group-article-body-wrapper field-group-div"><div class="field field-name-field-lv2-publication-date field-type-datetime field-label-hidden"><div class="field-items"><div class="field-item odd"><span class="date-display-single">July 1, 2024</span></div></div></div><div class="field field-name-field-lv2-article-type field-type-taxonomy-term-reference field-label-hidden"><div class="field-items"><div class="field-item odd">Research</div></div></div><div class="field field-label-inline clearfix field-type-text-long field-pseudo-field field-pseudo-field--author-list"><div class="field-label">Authors:&nbsp;</div><div class="field-items"><a href="#Brian Johannesmeyer" title="Brian Johannesmeyer">Brian Johannesmeyer</a>, <a href="#Herbert Bos" title="Herbert Bos">Herbert Bos</a>, <a href="#Cristiano Giuffrida" title="Cristiano Giuffrida">Cristiano Giuffrida</a>, <a href="#Asia Slowinska" title="Asia Slowinska">Asia Slowinska</a></div> </div><div class="field field-name-field-lv2-shepherds field-type-user-reference field-label-inline clearfix"><div class="field-label">Article shepherded by:&nbsp;</div><div class="field-items"><div class="field-item odd"><span class="usenix-user-reference-names">Rik Farrow</span></div></div></div> <div class="paragraphs-items paragraphs-items-field-lv2-body paragraphs-items-field-lv2-body-full paragraphs-items-full"> <div class="field field-name-field-lv2-body field-type-paragraphs field-label-hidden"><div class="field-items"><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text paragraphs-first-text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><strong>Data-only attacks, those that do not affect a program’s control flow, have long been considered too sophisticated and niche to pose a practical threat. With our research, however, we have built a tool that automatically generates them with surprising ease. We explain how such attacks work, and why our tool, Einstein, calls upon both researchers and vendors alike to rethink their mitigation strategies.</strong></p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><div></div><div><p>Suppose you are a hacker and you just found a bug that allows you to overwrite data in a victim program. Such a scenario is not uncommon: Microsoft, Google, and Mozilla report that about 70% of their security bugs are indeed such <em>memory safety</em> bugs [<a href="#reference-1" rel="nofollow">1</a>, <a href="#reference-2" rel="nofollow">2</a>, <a href="#reference-3" rel="nofollow">3</a>]. The question then becomes, as a hacker, how do you weaponize this bug into a real exploit?</p><p>In the past, it would have been relatively straightforward: you could, for example, use the bug to conduct a <em>control-flow hijacking attack</em>, overwriting code pointers in the program [<a href="#reference-4" rel="nofollow">4</a>], forcing it to execute your own <em>malicious code</em>. However, due to decades of research (resulting in defenses such as DEP, CFI, CPI, etc.), it is now very difficult to divert a program’s control flow away from the code that it intends to execute. Hence, weaponizing the bug in such a way is now often infeasible in practice.</p><p>In our recently published paper at USENIX Security 2024 [<a href="#reference-5" rel="nofollow">5</a>], we present a practical approach to an entirely different method of exploitation: letting the program execute all of its intended code (e.g., any benign functions, system calls, etc.), but with <em>malicious data</em>. These so-called <em>data-only attacks</em> have been known for quite some time [<a href="#reference-6" rel="nofollow">6</a>], but were assumed to be too application-specific or complex to pose any practical threat [<a href="#reference-7" rel="nofollow">7</a>]. In our work, we show that such assumptions are not justified. In particular, we implemented a scalable and automated solution, Einstein, that demonstrates that building data-only attacks is easy — well within reach of low-effort attackers. In this article, we will discuss the insights that allow Einstein to automatically generate such exploits with surprising ease, and the implications of our findings on software vendors.</p></div></div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">An example data-only attack</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Let us first walk through one of the classic data-only attacks described in the literature, which exploits a victim web server </span>[<a href="#reference-6" rel="nofollow">6</a>] (simplified for clarity). At start up, the server reads its configuration file to initialize its data. One such configuration option is the CGI-BIN path, which is the directory it uses to execute external programs. In our example, the server sets its <strong>cgi_bin_path</strong> variable to "<strong>/usr/local/server/cgi-bin</strong>". We assume that the server has a program in its CGI-BIN directory, <strong>sort_script</strong>, that a client can use to sort numbers. Moreover, the server has a memory safety bug that allows a malicious client to overflow some buffer and overwrite, for instance, the contents of the <strong>cgi_bin_path</strong> variable to "<strong>/bin</strong>":</p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-article-image view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--article_image"> <div class="content"> <div class="field field-name-field-article-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/article_embedded/public/bug.jpg?itok=YJG7Zluu" width="1440" height="359" alt="" /></div></div></div><div class="field field-name-field-article-image-caption field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Figure 1: An example memory safety bug that allows the attacker to modify the CGI-BIN path.</div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>Of course, the low-level details of the memory safety bug could differ from this (e.g., it could be a use-after-free rather than a buffer overflow), but nonetheless, the question arises: how could an attacker weaponize such a bug? To answer this question, we will show first how the server interacts with a benign client, then how it interacts with a malicious client:</p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-article-image view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--article_image"> <div class="content"> <div class="field field-name-field-article-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/article_embedded/public/example.jpg?itok=k2Wg4kOt" width="1440" height="493" alt="" /></div></div></div><div class="field field-name-field-article-image-caption field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Figure 2: An example data-only attack that corrupts a server’s CGI-BIN path to execute arbitrary code.</div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>After the server initializes (Fig. 2a), it begins processing requests. A benign client interacts with it as follows (Fig. 2b):</p><ul><li>➊ The client sends a “<strong>POST sort-script</strong>” request with the unsorted numbers “<strong>2 1 3</strong>” in the request body.</li><li>➋ The server concatenates the CGI-BIN path and the request’s path to determine the program to be executed, “<strong>/usr/local/server/cgi-bin/sort-script</strong>”.</li><li>➌ The server executes the program, i.e., the sort script, and passes in  “<strong>2 1 3</strong>” as its input. It does so by invoking the <strong>execve</strong> system call, which instructs the operating system to run the script on behalf of the server.</li><li>➍ The script sorts the numbers and outputs “<strong>1 2 3</strong>”, which the server forwards to the client in its HTTP response.</li></ul><p>Let us now sketch how a malicious client could exploit this (Fig. 2c):</p><ul><li>➎ The client exploits the bug to set the <strong>cgi_bin_path</strong> to the string “<strong>/bin</strong>” (Fig. 1).</li><li>➏ The client sends a “<strong>POST /sh</strong>” request with “<strong>touch /tmp/attacker-was-here</strong>” in the request body.</li><li>➐ The server concatenates the CGI-BIN path and the request’s path to determine the program to be executed,  “<strong>/bin/sh</strong>”.</li><li>➑ The server executes the program, i.e., the system shell, and passes in “<strong>touch /tmp/attacker-was-here</strong>” as its input. It does so by invoking the <strong>execve</strong> system call, which instructs the operating system to run the shell on behalf of the server.</li><li>➒ The shell creates the file <strong>/tmp/attacker-was-here</strong>.</li></ul></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-callout view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--callout"> <div class="content"> <div class="field field-name-field-callout-subtitle field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">There are two important takeaways here.</div></div></div><div class="field field-name-field-callout-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>First, the victim server does not execute any <em>malicious code</em> provided by the client; all harmful actions are triggered by <em>malicious data</em>. The attack effectively modifies <em>only</em> the arguments of the <strong>execve</strong> syscall. Other than that, the benign and malicious <em>executions</em> are equivalent — when handling a request, the victim server performs the same steps, and executes the same functions, albeit with different arguments.</p><p>Second, this attack is very powerful, as it allows the attacker to execute arbitrary programs on the victim machine. In our example, the client only creates the file <strong>/tmp/attacker-was-here</strong>, but any shell command is possible, e.g., to install a malicious program or to exfiltrate data.</p></div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Why data-only attacks are considered difficult</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Despite the discovery of data-only attacks almost two decades ago, conventional wisdom says they rarely pose a practical threat, either because they are too application-specific or too complex.</span></p><p><span><strong>Application-specific</strong>. As pointed out by the authors of the example attack, building such an attack “require[s] sophisticated knowledge about program semantics”. In other words, an attacker has to become so familiar with the server’s inner-workings — either through reverse-engineering its code, or studying its protocols, etc. — that they know that out of all the program’s data, the <strong>cgi_bin_path</strong> variable specifically is security-critical, and that a <strong>POST</strong> request that is malformed in a very specific way can exploit it. In all likelihood, this kind of labor-intensive, application-specific analysis is prohibitively expensive, and hence, according to conventional wisdom, such data-only attacks are too niche to pose a practical threat.</span></p><p><span><strong>Complex</strong>. Recent approaches to building data-only attacks foray into complex territory, under the assumption that simpler attacks — such as the example attack — are not generally at reach. In particular, they assume the need either to solve complex data-flow constraints using heavyweight analyses, or to deviate the victim program away from the code it intends to execute to circumvent a variety of defenses. Several approaches even go so far as to construct highly complicated, Turing-complete machines — something real-world attackers rarely need.</span></p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-callout view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--callout"> <div class="content"> <div class="field field-name-field-callout-subtitle field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">In our work, we show that these assumptions are all false:</div></div></div><div class="field field-name-field-callout-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Exploitation requires neither extensive knowledge of the program semantics, nor the solving of complex data-flow constraints, nor the diversion of the control flow in a complicated (or even any) way.</span></p></div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Einstein: “As simple as possible, but not simpler”</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Inspired by the quote attributed to Albert Einstein, we present a simple (but not too simple) data-only attack exploitation pipeline, named Einstein, that builds attacks with surprising ease. It generates data-only attacks using an application-agnostic technique, proving that such attacks are well within reach of low-effort attackers.</span></p><p><span><strong>Application-agnostic</strong>. Rather than attempting to understand application-specific semantics (e.g., the corner cases of the HTTP protocol), Einstein targets a universal interface used by any program to communicate with the operating system kernel: its syscalls. In particular, we track the data that ends up in syscall arguments, determining whether an attacker can corrupt them to e.g., execute arbitrary code via <strong>execve</strong> or modify files in the filesystem via <strong>write</strong>.</span></p><p><span><strong>Simple</strong>. Moreover, Einstein abstracts away unnecessary complexities and, instead, targets the exploits that are not only the simplest to identify, but also the most promising for an attacker. In particular, Einstein automatically generates exploits for the security-sensitive syscalls along a program’s (already valid) runtime path, and whose arguments are (simply) copied verbatim from attacker-controllable data. As detailed later, this simple approach can automatically generate a surprisingly large number of practical data-only exploits in popular real-world programs.</span></p><h3><span>How Einstein builds the example attack</span></h3><p><span>To explain how Einstein works, we walk through each step of how it builds the example attack and how it crafts the arguments of a security sensitive system call. We assume that the attacker has access to a program that is equivalent to the one deployed by their prospective victim, so they can run the server locally for analysis. Einstein takes the victim program as input, and operates in two stages: first, it generates <em>candidate exploits</em>; and second, it confirms whether each candidate exploit is indeed a <em>working exploit</em>. For an explanation of the finer points of the design beyond the scope of this example — e.g., how Einstein tracks unbounded data, chains together multiple syscalls, etc. — please refer to our paper </span>[<a href="#reference-5" rel="nofollow">5</a>].</p><p><strong>Candidate exploit generation</strong>. To generate candidate exploits, Einstein tracks all attacker-corruptible data at runtime, determining which can influence the arguments of security-sensitive syscalls. To facilitate this, we first start the server with Einstein’s binary-level instrumentation (Fig. 3a, ➊). The instrumentation adds support for dynamic taint analysis, which allows us to track any “tainted” program data at runtime [<a href="#reference-8" rel="nofollow">8</a>]. The server starts up, initializes its <strong>cgi_bin_path</strong>, and starts waiting for requests. Einstein models an attacker exploiting the memory safety bug by uniquely tainting any data that it could potentially corrupt, e.g., the string “<strong>/usr/local/server/cgi-bin</strong>”, but also all other data within reach of it. Additionally, we record the tainted data in a memory snapshot (➋).</p><p><span>Next, Einstein continues executing the program and tracks how the tainted data propagates throughout the program’s execution as the server handles a workload consisting of benign requests (➌). For instance, it sends the “<strong>POST /sort-script</strong>” request from Fig. 2b. Then, while handling the request, the server passes the tainted string as an argument to the <strong>execve</strong> syscall. Einstein identifies this flow of attacker-controllable data into a security-sensitive syscall, and records information about it, such as the arguments and their taintedness (➍).</span></p><p><span>Then, Einstein determines that <strong>execve</strong>’s <strong>pathname</strong> and <strong>argv</strong> parameters are not only tainted with an identifier that corresponds to <strong>cgi_bin_path</strong>, but they are in fact identical to <strong>cgi_bin_path</strong>. We refer to this kind of (very) straightforward data flow as an <em>identity data flow</em>. Einstein builds a candidate exploit for the identity data flow by generating <em>(address, value)</em> pairs that specify that the memory write bug could exploit the <strong>execve</strong> by overwriting the <strong>cgi_bin_path</strong> from "<strong>/usr/local/server/cgi-bin</strong>" to "<strong>/bin</strong>" (➎).</span></p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-article-image view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--article_image"> <div class="content"> <div class="field field-name-field-article-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/article_embedded/public/identification1.jpg?itok=L-j-_Pik" width="1440" height="664" alt="" /></div></div></div><div class="field field-name-field-article-image-caption field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Figure 3a: First, Einstein generates a candidate exploit.</div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span><strong>Exploit confirmation</strong>. Even though we have identified an identity data flow from attacker data into a syscall argument, we are not guaranteed that it is necessarily exploitable. For example, before executing the file, the server may double-check that it is within some preset, hard-coded directory, thereby mitigating the vulnerability. Hence, we confirm whether each candidate exploit is indeed a working exploit.</span></p><p><span>To confirm the exploit, we first restart the server (Fig. 3b, ➏). Then, at the point where an attacker may exploit the memory write bug, Einstein overwrites the data that is specified by the candidate exploit, changing <strong>cgi_bin_path</strong> to "<strong>/bin</strong>" (➐). Next, we send a workload to exploit the gadget — in this case, a “<strong>POST /sh</strong>” request with a shell command to create a file (➑). Finally, Einstein confirms that the file is indeed created, thereby confirming that the candidate exploit is indeed a working exploit (➒).</span></p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-article-image view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--article_image"> <div class="content"> <div class="field field-name-field-article-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/article_embedded/public/identification2.jpg?itok=SYlorhbD" width="1440" height="446" alt="" /></div></div></div><div class="field field-name-field-article-image-caption field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Figure 3b: Second, Einstein confirms the candidate exploit to be a working exploit.</div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><h3>Evaluation</h3><p><span>We have seen how Einstein can automatically build the example attack from almost two decades ago. Now, let us see how it performs against popular servers today. Although we follow previous work by targeting server applications, we note that other types of applications (e.g., those with more limited user-input interaction and few obviously dangerous syscalls) may well be at risk.</span></p><p><span>We target the web servers <strong>httpd</strong>, <strong>lighttpd</strong>, and <strong>nginx</strong>; and the database servers <strong>postgres</strong> and <strong>redis</strong> —  all of which have been shown to be at risk of weaponizable memory write bugs. To generate workloads for the target servers, we use their test suites. Moreover, because <strong>nginx</strong> is a common target for exploitation case studies, we confirm the candidate exploits that Einstein generates for <strong>nginx</strong>.</span></p><p><span>We first refer to Table 1, which presents the number of attacker-tainted syscalls per target program, and the percentage of those that have an identity data flow from attacker data. We observe that an attacker may corrupt many security-sensitive syscall arguments, and (with the exception of <strong>postgres</strong>) the high rate of identity flows (84–98%) allows us to generate candidate exploits for the vast majority of them. We refer to our paper [<a href="#reference-5" rel="nofollow">5</a>] for a full breakdown per syscall argument. Despite the test suites generating relatively low code coverage (27–49%), Einstein still uncovers many security-sensitive issues. Further work into increasing coverage would undoubtedly yield even more dire results.</span></p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-html-table view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--html_table"> <div class="content"> <div class="field field-name-field-table-contents field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><table> <tr> <th>Target program</th> <th>Security-sensitive syscalls with tainted arguments (% with an identity data flow from attacker data)</th> <th>Code coverage</th> </tr> <tr> <td>httpd</td> <td>1834 (97%)</td> <td>27.3%</td> </tr> <tr> <td>lighttpd</td> <td>92 (98%)</td> <td>27.8%</td> </tr> <tr> <td>nginx</td> <td>1623 (82%)</td> <td>49.1%</td> </tr> <tr> <td>postgres</td> <td>2105 (27%)</td> <td>46.5%</td> </tr> <tr> <td>redis</td> <td>218 (84%)</td> <td>33.6%</td> </tr> </table></div></div></div><div class="field field-name-field-table-caption field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Table 1: Number of attacker-tainted syscalls per target program.</div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Next, we refer to Table 2, which presents the number of confirmed exploits for <strong>nginx</strong>. We observe that the exploits offer many primitives to attacker: a vulnerable <strong>execve</strong> gives us a Code-Execution primitive, vulnerable file-configuring syscalls (e.g., <strong>openat</strong>) combined with vulnerable file-write syscalls (e.g., <strong>write</strong>) give us 17 Write-What-Where primitives, vulnerable socket-configuring syscalls (e.g., <strong>connect</strong>) combined with vulnerable socket-write syscalls (e.g., <strong>sendmsg</strong>) give us 41 Send-What-Where primitives, etc. We refer to our paper for a description of two such exploits that bypass state-of-the-art mitigations </span>[<a href="#reference-5" rel="nofollow">5</a>]<span>. Despite conventional wisdom dictating that data-only attacks are too complex or too niche to be practical, we can conclude that an attacker indeed has a diverse set of primitives at their disposal against popular server programs, even today.</span></p></div></div></div> </div> </div> </div><div class="field-item even"> <div class="entity entity-paragraphs-item paragraphs-item-html-table view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--html_table"> <div class="content"> <div class="field field-name-field-table-contents field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><table border="1"> <tr> <th>Attack Primitive</th> <th>Count</th> </tr> <tr> <td>Code-Execution</td> <td>1</td> </tr> <tr> <td>Write-What-Where</td> <td>17</td> </tr> <tr> <td>Write-What</td> <td>375</td> </tr> <tr> <td>Write-Where</td> <td>79</td> </tr> <tr> <td>Send-What-Where</td> <td>41</td> </tr> <tr> <td>Send-What</td> <td>372</td> </tr> <tr> <td>Send-Where</td> <td>59</td> </tr> <tr> <td>Total</td> <td>944</td> </tr> </table></div></div></div><div class="field field-name-field-table-caption field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Table 2: Confirmed exploits for nginx.</div></div></div> </div> </div> </div><div class="field-item odd"> <div class="entity entity-paragraphs-item paragraphs-item-single-column-text view-mode-full view-mode-full--paragraphs_item view-mode-full--paragraphs_item--single_column_text"> <div class="content"> <div class="field field-name-field-single-column-sub field-type-text field-label-hidden"><div class="field-items"><div class="field-item odd">Conclusion</div></div></div><div class="field field-name-field-single-column-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>We presented Einstein, a data-only attack exploitation pipeline, which automatically builds exploits against popular servers and bypasses state-of-the-art mitigations. The question, then, is how do we properly mitigate such attacks? To answer this, let us consider two features that a proper mitigation would provide: (1) <em>comprehensiveness</em>, i.e., mitigating an attack surface entirely; and (2) <em>practicality</em>, i.e., requiring little effort to deploy, and, therefore, being more amenable to practical adoption.</span></p><p><span>For control-flow hijacking attacks in the old days, the parameters were relatively well-defined: they would typically overwrite a code pointer, which would then corrupt an indirect branch (e.g., a return instruction). Hence, the mitigations for such attacks (e.g., DEP, CFI, CPI) can generally afford to be both <em>comprehensive</em> and <em>practical</em>.</span></p><p><span>On the other hand, data-only attacks present a unique challenge: they may overwrite any data (not just code pointers), which may then corrupt any operation (not just indirect branches, or even syscalls, for that matter). Hence, the mitigations for such attacks can generally afford only to be either </span><em>comprehensive</em><span> or </span><em>practical</em><span>. That is, </span><em>comprehensive</em><span> defenses (e.g., memory safety, DFI) are <em>impractical</em>, because they either incur poor performance or require onerous changes in the software or hardware. Meanwhile, </span><em>practical</em><span> defenses (e.g., memory error scanning, selective DFI, syscall filtering) are <em>noncomprehensive</em>, because, as Einstein demonstrates, they leave part of the attack surface vulnerable.</span></p><p><span>Generating exploits that trivially bypass the </span><em>practical</em><span> defenses, Einstein highlights that vendors should strongly consider deploying one or more of the </span><em>comprehensive</em><span> defenses. Vendors may also use Einstein to mitigate vulnerabilities on a case-by-case basis, however, a general solution — e.g., by making the </span><em>comprehensive</em><span> defenses more </span><em>practical</em><span> — poses a pressing direction for future research.</span></p></div></div></div> </div> </div> </div></div></div></div> <fieldset class="group-appendix field-group-fieldset form-wrapper"><legend><span class="fieldset-legend">Appendix</span></legend><div class="fieldset-wrapper"><div class="field field-name-field-lvl2-appendix-refs field-type-text field-label-above"><div class="field-label">References:&nbsp;</div><div class="field-items"><div class="field-item odd"><a class="anchor" name="reference-1"></a><p>[1] M. Miller, "Trends, challenges, and strategic shifts in the software vulnerability mitigation landscape," in <em>BlueHat</em>, 2019.</p> </div><div class="field-item even"><a class="anchor" name="reference-2"></a><p>[2] Chromium, "Memory safety," <a href="https://www.chromium.org/Home/chromium-security/memory-safety/" rel="nofollow">https://www.chromium.org/Home/chromium-security/memory-safety/</a>.</p> </div><div class="field-item odd"><a class="anchor" name="reference-3"></a><p>[3]&nbsp;D. Hosfelt, “Implications of Rewriting a Browser Component in Rust,” <a href="https://hacks.mozilla.org/2019/02/rewriting-a-browser-component-in-rust/" rel="nofollow">https://hacks.mozilla.org/2019/02/rewriting-a-browser-component-in-rust/</a>, 2019.</p> </div><div class="field-item even"><a class="anchor" name="reference-4"></a><p>[4]&nbsp;E. H. Spafford, “The Internet Worm Program: An Analysis,” <em>SIGCOMM CCR</em>, vol. 19, no. 1, 1989.</p> </div><div class="field-item odd"><a class="anchor" name="reference-5"></a><p>[5]&nbsp;B. Johannesmeyer, A. Slowinska, H. Bos, and C. Giuffrida, "Practical Data-Only Attack Generation," in <em>USENIX Security</em>, 2024.</p> </div><div class="field-item even"><a class="anchor" name="reference-6"></a><p>[6]&nbsp;S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer, “Non-Control-Data Attacks Are Realistic Threats,” in <em>USENIX Security</em>, 2005.</p> </div><div class="field-item odd"><a class="anchor" name="reference-7"></a><p>[7]&nbsp;R. Rogowski, M. Morton, F. Li, F. Monrose, K.Z. Snow, and M. Polychronakis, "Revisiting Browser Security in the Modern Era: New Data-only Attacks and Defenses," in <em>EuroS&amp;P</em>, 2017.</p> </div><div class="field-item even"><a class="anchor" name="reference-8"></a><p>[8]&nbsp;J. Newsome, and D. Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software," in <em>NDSS</em>, 2005.</p> </div></div></div></div></fieldset> </div><div class="field field-name-field-lv2-tags field-type-taxonomy-term-reference field-label-above"><div class="field-label">Article Categories:&nbsp;</div><div class="field-items"><div class="field-item odd">Security</div></div></div><div class="psuedo-last-updated">Last updated July 1, 2024</div> <div class="field-collection-container clearfix"><div class="field field-name-field-authors field-type-field-collection field-label-above"><div class="field-label">Authors:&nbsp;</div><div class="field-items"><div class="field-item odd"><div class="field-collection-view clearfix view-mode-full"><div class="entity entity-field-collection-item field-collection-item-field-authors view-mode-full view-mode-full--field_collection_item view-mode-full--field_collection_item--field_authors clearfix"> <div class="content"> <a class="anchor" name="Brian Johannesmeyer"></a><div class="field field-name-field-collection-author-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/author_bio/public/brian.jpg?itok=TWC0haqP" width="138" height="138" alt="" /></div></div></div><div class="field field-name-field-collection-author-bio field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>Brian Johannesmeyer is a PhD candidate with VUSec. His research focuses on using program analysis techniques to uncover security vulnerabilities. When he’s not revolutionizing the world of computer security, you can either find him perfecting his taco recipe or camping in the mountains of southern Arizona (or sometimes both, at the same time) [<a href="https://bjohannesmeyer.github.io/" rel="nofollow">webpage</a>].</p></div></div></div><div class="field field-name-field-collection-author-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item odd"><a href="mailto:b.g.johannesmeyer@vu.nl">b.g.johannesmeyer@vu.nl</a></div></div></div> </div> </div> </div></div><div class="field-item even"><div class="field-collection-view clearfix view-mode-full"><div class="entity entity-field-collection-item field-collection-item-field-authors view-mode-full view-mode-full--field_collection_item view-mode-full--field_collection_item--field_authors clearfix"> <div class="content"> <a class="anchor" name="Herbert Bos"></a><div class="field field-name-field-collection-author-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/author_bio/public/herbert_1.jpg?itok=cXYfe5YU" width="138" height="138" alt="" /></div></div></div><div class="field field-name-field-collection-author-bio field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Herbert Bos is Full Professor at Vrije Universiteit Amsterdam where he co-leads the VUSec Systems Security group. He is very proud of his current and former students who are all much cleverer than he is. Also, he loves the Beatles.</span></p></div></div></div><div class="field field-name-field-collection-author-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item odd"><a href="mailto:herbertb@cs.vu.nl">herbertb@cs.vu.nl</a></div></div></div> </div> </div> </div></div><div class="field-item odd"><div class="field-collection-view clearfix view-mode-full"><div class="entity entity-field-collection-item field-collection-item-field-authors view-mode-full view-mode-full--field_collection_item view-mode-full--field_collection_item--field_authors clearfix"> <div class="content"> <a class="anchor" name="Cristiano Giuffrida"></a><div class="field field-name-field-collection-author-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/author_bio/public/cristiano.jpg?itok=03PY__Qk" width="138" height="138" alt="" /></div></div></div><div class="field field-name-field-collection-author-bio field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p><span>Cristiano Giuffrida is an Associate Professor at Vrije Universiteit Amsterdam where he co-leads the VUSec Systems Security group. His research interests span across several aspects of computer systems, with a focus on systems security.</span></p></div></div></div><div class="field field-name-field-collection-author-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item odd"><a href="mailto:giuffrida@cs.vu.nl">giuffrida@cs.vu.nl</a></div></div></div> </div> </div> </div></div><div class="field-item even"><div class="field-collection-view clearfix view-mode-full field-collection-view-final"><div class="entity entity-field-collection-item field-collection-item-field-authors view-mode-full view-mode-full--field_collection_item view-mode-full--field_collection_item--field_authors clearfix"> <div class="content"> <a class="anchor" name="Asia Slowinska"></a><div class="field field-name-field-collection-author-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item odd"><img src="https://www.usenix.org/sites/default/files/styles/author_bio/public/asia.jpg?itok=KOH0yYzE" width="138" height="138" alt="" /></div></div></div><div class="field field-name-field-collection-author-bio field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item odd"><p>Asia Slowinska is a researcher with one foot in industry, and the other in academia. As an Assistant Professor at Vrije Universiteit Amsterdam, she conducts research into systems security. Owing to her unique combination of both industrial and academic experience, she hopes to foster further communication and collaboration, and eventually make the world a safer place.</p></div></div></div><div class="field field-name-field-collection-author-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item odd"><a href="mailto:asia@vusec.net">asia@vusec.net</a></div></div></div> </div> </div> </div></div></div></div></div> </div> <ul class="links inline"><li class="comment_forbidden first last"><span><span class="comment-1"><a id="comments" href="/user/login?destination=node/299919%23comment-form">Log in</a>&nbsp;or&nbsp;<a href="/user/register?destination=node/299919%23comment-form">Register</a> to post comments</span></span></li> </ul> </div> </div> </div> </div> </div></div> <!-- /.section, /#content --> </div></div> <!-- /#main, /#main-wrapper --> <div id="footer"><div class="section"> <div id="footer-col-1" class="footer-col"> <div class="region region-footer-col-1"> <div id="block-usenix-blocks-usenix-logo-2" class="block block-usenix-blocks usenix-logo-2"> <div class="content"> <a href="/" title="Home" rel="home"><img src="https://www.usenix.org/sites/all/themes/custom/cotija/images/logo.svg" alt="Home" /></a> </div> </div> <div id="block-block-141" class="block block-block 141"> <div class="content"> <p class="subtitle-small">&copy; USENIX <script>new Date().getFullYear()>document.write(new Date().getFullYear());</script><br>Website designed and built<br>by <a href="https://giantrabbit.com"target="_blank" style="color: black;">Giant Rabbit LLC</a></p> </div> </div> <div id="block-usenix-blocks-usenix-social-media-2" class="block block-usenix-blocks usenix-social-media-small usenix-social-media-2"> <div class="content"> <ul class="usenix-social-media"><li class="0 first"><a href="https://www.linkedin.com/company/usenix-association/" class="usenix-social-media-icon" alt="LinkedIn" title="LinkedIn"><i class="fab fa-linkedin"></i></a></li> <li class="1"><a href="https://www.facebook.com/pages/USENIX-Association/124487434386" class="usenix-social-media-icon" alt="Facebook" title="Facebook"><i class="fab fa-facebook-square"></i></a></li> <li class="2"><a href="https://www.youtube.com/user/USENIXAssociation" class="usenix-social-media-icon" alt="YouTube" title="YouTube"><i class="fab fa-youtube"></i></a></li> <li class="3 last"><a href="https://twitter.com/usenix" class="usenix-social-media-icon" alt="Twitter" title="Twitter"><i class="fab fa-square-x-twitter"></i></a></li> </ul> </div> </div> </div> </div> <div id="footer-col-2" class="footer-col"> <div class="region region-footer-col-2"> <div id="block-menu-menu-footer" class="block block-menu menu-footer"> <div class="content"> <ul class="menu"><li class="first leaf"><a href="/privacy-policy">Privacy Policy</a></li> <li class="last leaf"><a href="/contact">Contact Us</a></li> </ul> </div> </div> </div> </div> <div id="footer-col-3" class="footer-col"> <div class="region region-footer-col-3"> <div id="block-block-140" class="block block-block 140"> <div class="content"> <a class="anchor" name="signup"></a> <script src="https://www.google.com/recaptcha/api.js"></script> <script> function timestamp() { var response = document.getElementById("g-recaptcha-response"); if (response == null || response.value.trim() == "") {var elems = JSON.parse(document.getElementsByName("captcha_settings")[0].value);elems["ts"] = JSON.stringify(new Date().getTime());document.getElementsByName("captcha_settings")[0].value = JSON.stringify(elems); } } setInterval(timestamp, 500); </script> <div class="subtitle">Sign up for Our Newsletter:</div> <form action="https://webto.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST" class="inline-form-extra-large"> <input type=hidden name='captcha_settings' value='{"keyname":"web_to_lead_google_v2_recaptcha","fallback":"true","orgId":"00DA0000000Ihkj","ts":""}'> <input type=hidden name="oid" value="00DA0000000Ihkj"> <input type=hidden name="retURL" value="https://usenix.org?newsletter_submit=1"> <input type=hidden name="lead_source" value="Newsletter"> <div class="row"> <input name="first_name" type="text" placeholder="First Name" required style="border: none;"> <input name="last_name" type="text" placeholder="Last Name" required style="border: none;"> <input name="email" type="email" placeholder="Email" required style="border: none;"> </div> <div class="row"><div class="g-recaptcha" data-sitekey="6Ldbd8gUAAAAAKvBvNAlRsQWTH1ZqzM5f07hB7lO"></div></div> <div class="row"><input type="submit" name="submit" value="Submit" class="btn-small"></div> </form> </div> </div> </div> </div> </div></div> <!-- /.section, /#footer --> </div></div> <!-- /#page, /#page-wrapper --> <script type="text/javascript"> <!--//--><![CDATA[//><!-- da2a.targets=[ {title:"Data-Only Attacks Are Easier than You Think",url:"https:\/\/www.usenix.org\/publications\/loginonline\/data-only-attacks-are-easier-you-think"}]; da2a.html_done=true;if(da2a.script_ready&&!da2a.done)da2a.init();da2a.script_load(); //--><!]]> </script> <script type="text/javascript">window.NREUM||(NREUM={});NREUM.info={"beacon":"bam.nr-data.net","licenseKey":"d823139095","applicationID":"509444","transactionName":"YVJVZksCXkEEVhIMWFgYYkBQTBodDFsCAE8YR19C","queueTime":0,"applicationTime":20,"atts":"TRVWEAMYTU8=","errorBeacon":"bam.nr-data.net","agent":""}</script></body> </html>