Privacy Set Intersection (PSI) computation is a specific scenario in secure multi-party computation (MPC) applications. It has both important theoretical significance and great practical use. As people focus more and more on the privacy protection of user data, research in this area is in line with the increasing desire to benefit from using personal information while maximizing its protection. This article first analyzes and compares 17 PSI protocol schemes based on secure MPC and fully homomorphic encryption, covering attack model, security model, performance tests, etc. The results show that EC-ROM/DE-ROM is currently the fastest cryptography-based publicly available secure PSI protocol. The article also makes a comparative analysis with the latest SGX-based PSI protocol. The results show that the SGX-based PSI protocol independently proposed by Baidu Security Lab is 60 times faster than the fastest PSI protocol (EC-ROM and DE-ROM). Moreover, SGX PSI has many other advantages over traditional PSI in terms of security, flexibility and versatility. …


OpenRASP is an open source and free adaptive security product released by Baidu Security, which has an in-depth cooperation with the internationally renowned non-profit security organization OWASP (Open Web Application Security Project). OpenRASP has now joined the OWASP global technology project, and is being promoted around the world. OpenRASP popularizes the emerging RASP (Runtime Application Self-Protection) technology, making it a critical weapon for enterprise web security protection, effectively enhancing the defense system’s depth and adaptability in vulnerability protection. Because OpenRASP directly targets the vulnerabilities in the web application servers, its protection capability is boosted drastically compared with the traditional WAF and others. OpenRASP has rapidly spread and matured through the open source community, and it solves the stability and compatibility issues that have baffled commercial RASP for a long time. …


Abstract

Memory safety is crucial to guaranteeing the security of software in Trusted Execution Environments (TEEs, e.g. TPM and Intel SGX). Although TEEs provide a powerful hardware foundation for trusted computing, they do not automatically guarantee the security of the software. Any memory safety issue, such as a buffer overflow, could provide an attack surface for attackers to invade the TEE. MesaTEE (“Memory Safe TEE”) introduces the concept of Hybrid Memory Safety (HMS) to guarantee the memory safety of the software. For the key components, it reconstructs its semantics with the memory-safe language Rust to guarantee its memory safety. …


After Rust SGX SDK, MesaLock Linux, MesaLink, MesaPy and other sub-projects have been open sourced, the highly anticipated secure computing platform MesaTEE is released at https://github.com/mesalock-linux/mesatee, and the open source license is Apache 2.0.

MesaTEE is the first universal secure computing (USC) platform. It provides the next generation USC capabilities for scenarios with high demand for security and privacy, enabling sensitive data to be circulated and processed under security control, even in off-site and offshore environments, without being compromised or misused. This is especially critical today with so much attention on privacy concerns, and it makes many big data business usages possible. …


0x01 Current Research of Deep Learning Robustness

Deep neural networks have achieved impressive results in many important visual tasks, such as image classification, with accuracy better than that of humans. However, compared to the human visual system, deep learning models perform surprisingly poorly on certain samples with only small perturbations. The existence of these samples, called “adversarial examples”, poses threats and uncertainties for deep learning applications in many security scenarios such as autonomous driving, face recognition, and malware detection.

As shown in Figure 1, we found that even adversarial inputs generated under the black-box setting can effectively deceive different deep-learning-based APIs of the Google Cloud Vision Platform, including image classification, object detection, image censorship, and optical character recognition (OCR). The cloud-based black-box model can be bypassed with just a few queries. This research result was presented at Black Hat Asia 2019. The emergence of adversarial examples and their almost 100% bypass rate creates a serious challenge for the use of deep learning models in safety-critical scenarios. …


GBDT (Gradient Boosting Decision Tree) is a widely used machine learning algorithm in the industry, and XGBoost is an open source GBDT toolkit initiated by the renowned Chinese scholar Tianqi Chen and becoming popular across industry. GBDT/XGBoost has helped to win numerous championships in various machine learning competitions, and is one of the most commonly used methods/tools in machine learning.

As data security and privacy protection have received more and more attention in many different areas, protecting data from leaks and abuse in public cloud and offshore data scenarios has become an urgent issue of common concern. Consequently, the industry is eager to have a GBDT solution with a strong data security mechanism. With the development of hardware Trusted Execution Environment (TEE) technology represented by Intel SGX, the integrity and confidentiality of data and code can be supported by chip-level security. At the software level, Baidu Security X-Lab’s original Hybrid Memory Safety (HMS) technology guarantees the memory safety of the system in the software architecture. The Baidu Security MesaTEE project combines hardware TEE and HMS technologies, protects machine learning data and code at both the hardware and software levels, and ensures that sensitive data and confidential models cannot be leaked. …


In late April, more than 300 Rust developers from China, USA, Canada, Germany, Russia, India, Australia and other countries around the world attended the four-day RustCon Asia in Beijing. At the conference, more than 20 top Rust developers/lecturers gave talks and conducted workshop tutorials, covering a wide range of cross-industry Rust application practices including distributed data storage, security, search engines, embedded IoT, and image processing. …


Since the first appearance of the Rowhammer vulnerability, researchers and defenders have staged an arms race, demonstrating the technical strength against the other side. Recently, Dr. Yueqiang Cheng, a senior researcher at Baidu Security X-Lab, and Dr. Zhi Zhang from the University of New South Wales, have discovered a new type of Rowhammer attack that can effectively break through various advanced defenses. As a result, the entire PC security mechanism is at risk of collapse.

This research was selected for this year’s Black Hat Asia, and with two other topics selected, Baidu Security becomes the “triple crown winner” of this conference. On March 26th, Dr. Yueqiang Cheng and Dr. …


Is there a security vulnerability that is widespread in electronic devices, extremely destructive, and difficult to fix? In January 2018, some independent researchers discovered the hardware chip-level vulnerabilities Spectre and Meltdown, which created a huge storm across the industry. The world was once again thrown into a panic over security vulnerabilities, and the chip makers were racing against time to find solutions. Up to now, the protection combination (i.e., KPTI+SMAP+user-kernel isolation) is widely recognized as the de facto defense method.

However, at BlackHat Asia 2019, held in Singapore from March 26th to 29th, Yueqiang Cheng, Zhaofeng Chen, Yulong Zhang, Yu Ding, and Tao Wei from Baidu Security X-Lab presented an original study on the new variant of Meltdown. The talk explained how the existing Meltdown and Spectre attacks were defeated by the combined defense of KPTI+SMAP+user-kernel isolation, and showed that a new Meltdown variant can completely break this defense. …


MesaLink is the next-gen Transport Layer Security (TLS) library developed by Baidu Security X-Lab. Since its first public version v0.6.0 came out in April 2018, MesaLink has released 7 versions and it has been massively deployed in production environments including Android-based set-top boxes, smart speakers and automobile systems. By the end of 2018, the number of monthly active users had surpassed 10 million. At the one-year anniversary of MesaLink, we are releasing v1.0.0. This marks the milestone that MesaLink has been through tough real-world tests and proven reliable in production environments. …

About

Baidu Security X-Lab

Security never sleeps
