This is the personal website for Wu “Cousin” Ka Lok (also known as Cosine, usin, …). This website contains blogs and write-ups of CTF challenges that I find interesting. I would also like to share the mathematics behind cryptography, and how the designs may be exploited for attacks. I also made some visualizations of (sometimes seemingly abstract) mathematical concepts.

About Me

I am a second-year PhD student in CS at Stony Brook University, under the supervision of Prof. Omar Chowdhury. Previously, I was an MPhil student in the Department of Information Engineering at the Chinese University of Hong Kong (CUHK), under the supervision of Prof. Sze Yiu Chau. Before that, I was an undergraduate majoring in Mathematics (Pure Mathematics (Advanced)) and Computer Science at the Hong Kong University of Science and Technology (HKUST).

I am interested in cybersecurity, especially applications and implementations of cryptographic protocols and the intersection of formal methods and security. I also like to play capture the flag (CTF) games.

I previously played with and trained the academic team Firebird of HKUST and was one of the captains in 2020-2021. I was the coordinator of Open Innovation Lab (OIL) in CUHK in 2021-2023, where I was responsible for the management, holding events, and giving CTF training as well. I also play CTF with the Black Bauhinia (blackb6a) CTF team based in Hong Kong.

Publications

Conferences

  1. Tang, K.F., Wu, K.L. and Chau, S.Y. 2024. Investigating TLS Version Downgrade in Enterprise Software. Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy (New York, NY, USA, 2024), 31–42.
    abstract

    In this paper, we revisit the problem of TLS version downgrade, with a specific focus on enterprise software, which are applications that play direct roles in the daily operations of an organization, including remote desktop, email, and VPN clients. Although TLS version downgrade is a classic problem, previous studies have mostly focused on its manifestations in browser applications. However, as TLS continues to gain prominence in other application scenarios, it is crucial to also investigate the implementation and deployment of TLS in other mission-critical appliances that depend upon TLS for their corresponding security guarantees. To this end, we identified and tested 217 enterprise software on 4 mainstream operating systems (OSes) for how they implement and deploy TLS downgrade defenses. We carefully designed a series of experiments to determine whether a client-side enterprise software is vulnerable to downgrade attacks. Results of our experiments paint the enterprise software ecosystem in a positive light, as only 8 enterprise client applications exhibit some vulnerabilities to TLS version downgrade due to missing protection mechanisms. Given the availability and low costs of standardized downgrade defenses, we champion their adoption by software vendors to put an end to the threat of TLS version downgrade. Finally, as various industries are moving away from legacy versions of TLS, it is also time for enterprise software vendors to rethink the necessity and merits of supporting old TLS versions in their products.

    bibtex
    @inproceedings{tang2024investigating,
      author = {Tang, Ka Fun and Wu, Ka Lok and Chau, Sze Yiu},
      title = {Investigating TLS Version Downgrade in Enterprise Software},
      year = {2024},
      isbn = {9798400704215},
      publisher = {Association for Computing Machinery},
      address = {New York, NY, USA},
      url = {https://doi.org/10.1145/3626232.3653263},
      doi = {10.1145/3626232.3653263},
      booktitle = {Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy},
      pages = {31--42},
      numpages = {12},
      keywords = {email, enterprise vpn, remote desktop, tls version downgrade},
      location = {Porto, Portugal},
      series = {CODASPY '24}
    }
    
  2. Chen, Y., Liu, Y., Wu, K.L., Le, D.V. and Chau, S.Y. 2024. Towards Precise Reporting of Cryptographic Misuses. 31st Annual Network and Distributed System Security Symposium, NDSS 2024 (2024).
    bibtex
    @inproceedings{chen2024towards,
      title = {Towards Precise Reporting of Cryptographic Misuses},
      author = {Chen, Yikang and Liu, Yibo and Wu, Ka Lok and Le, Duc V and Chau, Sze Yiu},
      booktitle = {31st Annual Network and Distributed System Security Symposium, {NDSS} 2024},
      year = {2024},
      publisher = {The Internet Society},
      video = {https://www.youtube.com/watch?v=xwrrReZeUxc},
      url = {https://www.ndss-symposium.org/ndss-paper/towards-precise-reporting-of-cryptographic-misuses/}
    }
    
  3. Wu, K.L., Hue, M.H., Tang, K.F. and Chau, S.Y. 2023. The Devil is in the Details: Hidden Problems of Client-Side Enterprise Wi-Fi Configurators. Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec’23) (2023).
    (Best Paper Award from ACM WiSec ’23)
    abstract

    In the context of connecting to enterprise Wi-Fi, previous works show that relying on human users to manually configure or enforce server authentication often leads to insecure outcomes. Consequently, many user credentials can potentially be stolen by the so-called “Evil-Twin” (ET) attack. To ease the burden of human users, various easy-to-use Wi-Fi configurators have been released and deployed. In this work, we investigate whether such configurators can indeed protect users from variants of the ET attack. To our surprise, the results of our investigation show that all configurators considered in the study suffer from certain weaknesses due to their design, implementation, or deployment practices. Notable findings include a series of design flaws in the new trust-on-first-use (TOFU) configurator on Android (available since version 12), which can be exploited in tandem to achieve a stealthy ET attack. Moreover, we found that 2 open-source Android Wi-Fi configurators fail to properly enforce server authentication under specific situations. The cause of these could be partly attributed to the complexity stemmed from certificate name matching as well as the limitations of the Android API. Last but not least, we found that a commercial configurator not only allows insecure Wi-Fi configurations to be deployed, but also the covert injection of certificates on the user device to facilitate interception of other TLS traffic, posing yet another hidden security and privacy threat to its users. All in all, this study shows that despite years of research on the topic, developing a user-friendly yet reliable Wi-Fi configurator remains an elusive goal, and thus the threat of ET attacks continues to be relevant. As such, it is time to rethink whether the complexity of the standard certificate chain validation is actually good for enterprise Wi-Fi.

    bibtex
    @inproceedings{wu2023the,
      title = {The Devil is in the Details: Hidden Problems of Client-Side Enterprise Wi-Fi Configurators},
      author = {Wu, Ka Lok and Hue, Man Hong and Tang, Ka Fun and Chau, Sze Yiu},
      booktitle = {Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec'23)},
      year = {2023},
      publisher = {ACM},
      doi = {10.1145/3558482.3590199},
      note = {(Best Paper Award from ACM WiSec '23)},
      slides = {wu2023the-slides.pdf},
      video = {https://www.youtube.com/watch?v=HgOIOUFVBo4}
    }
    
  4. Wu, K.L., Hue, M.H., Poon, N.M., Leung, K.M., Po, W.Y., Wong, K.T., Hui, S.H. and Chau, S.Y. 2023. Back to School: On the (In)Security of Academic VPNs. 32nd USENIX Security Symposium (USENIX Security 23) (Anaheim, CA, Aug. 2023), 5737–5754.
    abstract

    In this paper, we investigate the security of academic VPNs around the globe, covering various protocols that are used to realize VPN services. Our study considers 3 aspects that can go wrong in a VPN setup, which include (i) the design and implementation of VPN front-ends, (ii) the client-side configurations, and (iii) the back-end configurations. For (i), we tested more than 140 front-ends, and discovered numerous design and implementation issues that enable stealthy but severe attacks, including credential theft and remote code execution. For (ii), we collected and evaluated 2097 VPN setup guides from universities, and discovered many instances of secret key leakage and lack of consideration to potential attacks, leaving many client-side setups vulnerable. Finally, for (iii), we probed more than 2000 VPN back-ends to evaluate their overall health, and uncovered some concerning configuration and maintenance issues on many of them. Our findings suggest that severe cracks exist in the VPN setups of many organizations, making them profitable targets for criminals.

    bibtex
    @inproceedings{wu2023back,
      author = {Wu, Ka Lok and Hue, Man Hong and Poon, Ngai Man and Leung, Kin Man and Po, Wai Yin and Wong, Kin Ting and Hui, Sze Ho and Chau, Sze Yiu},
      title = {Back to School: On the ({In}){Security} of Academic {VPNs}},
      booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
      year = {2023},
      isbn = {978-1-939133-37-3},
      address = {Anaheim, CA},
      pages = {5737--5754},
      url = {https://www.usenix.org/conference/usenixsecurity23/presentation/wu-ka-lok},
      video = {https://www.youtube.com/watch?v=Lkth4goqO6Y},
      publisher = {USENIX Association},
      month = aug
    }
    

Theses

  1. Wu, K.L. 2023. Understanding the security challenges of enterprise network access. Chinese University of Hong Kong.
    abstract

    The purpose of this thesis is to study the security challenges of enterprise network access, for example, Virtual Private Networks (VPNs) and Enterprise Wi-Fi. We analyze four aspects related to the security of these systems, including (1) the underlying security protocols used, (2) designs and implementations of front-end applications that are used, (3) how users are instructed to use these systems, and (4) the back-end deployments. With this practice, we found many security issues and vulnerabilities in different aspects of the systems we studied. In VPNs, we found numerous applications that did not perform any server authentication, or use ad-hoc protocols that are not secure. In Enterprise Wi-Fi, we found problems in both policy definition and policy enforcement in different Wi-Fi configurators. These problems can lead to credential theft and thus compromise the security of organizations that use the technologies. These problems suggest that we may want to rethink the current method of server authentication.

    bibtex
    @mastersthesis{wu2023understanding,
      author = {Wu, Ka Lok},
      booktitle = {Understanding the security challenges of enterprise network access},
      keywords = {Academic theses},
      language = {eng},
      school = {Chinese University of Hong Kong},
      title = {Understanding the security challenges of enterprise network access},
      year = {2023}
    }