publications

2025

2025

1. USENIX Security

   URL Inspection Tasks: Helping Users Detect Phishing Links in Emails

   Daniele Lain, Yoshimichi Nakatsuka, Kari Kostiainen, Gene Tsudik, and Srdjan Capkun

   In 34th USENIX Security Symposium, USENIX Security 2025, August 13-15, 2025, 2025

   Abs PDF

   The most widespread type of phishing attack involves email messages with links pointing to malicious content. Despite user training and the use of detection techniques, these attacks are still highly effective. Recent studies show that it is user inattentiveness, rather than lack of education, that is one of the key factors in successful phishing attacks. To this end, we develop a novel phishing defense mechanism based on URL inspection tasks: small challenges (loosely inspired by CAPTCHAs) that, to be solved, require users to interact with, and understand, the basic URL structure. We implemented and evaluated three tasks that act as "barriers" to visiting the website: (1) correct click-selection from a list of URLs, (2) mouse-based highlighting of the domain-name URL component, and (3) re-typing the domain-name. These tasks follow best practices in security interfaces and warning design. We assessed the efficacy of these tasks through an extensive on-line user study with 2,673 participants from three different cultures, native languages, and alphabets. Results show that these tasks significantly decrease the rate of successful phishing attempts, compared to the baseline case. Results also showed the highest efficacy for difficult URLs, such as typo-squats, with which participants struggled the most. This highlights the importance of (1) slowing down users while focusing their attention and (2) helping them understand the URL structure (especially, the domain-name component thereof) and matching it to their intent.

2024

2024

1. NDSS

   Scrappy: SeCure Rate Assuring Protocol with PrivacY

   Kosei Akama, Yoshimichi Nakatsuka, Masaaki Sato, and Keisuke Uehara

   In 31st Annual Network and Distributed System Security Symposium, NDSS 2024, San Diego, California, USA, 26 February 2024 - 1 March 2024, 2024

   Abs PDF Code

   Users accessing online services at a rate exceeding that expected by websites has become an ever-increasing problem. Many websites nowadays employ “rate-limiting” systems to slow down such users. Two widely used rate-limiting systems are CAPTCHAs and SMS authentication, but they are becoming less effective and some are even considered privacy invasive. In light of this, many studies have proposed better rate-limiting systems that protect user privacy, but they have their own shortcomings: (1) assume trust in the underlying hardware and (2) are vulnerable to side-channel attacks. In this work, we propose Scrappy, a novel rate-limiting system that overcomes the aforementioned issues of prior work. Scrappy utilizes the popular DAA cryptographic primitive and widely available hardware security devices. We show that Scrappy can make use of different kinds of hardware security devices by implementing it on three different devices, one of which can be immediately deployable in the real world. Our baseline evaluation shows that the end-to-end latency of Scrappy is 0.32 seconds and only transferrs minimal amount of data (679 bytes) during the protocol. Most importantly, we show that the rate-limiting feature of Scrappy does not rely on the security of the hardware security device.

2023

2023

1. USENIX Security

   An Empirical Study & Evaluation of Modern CAPTCHAs

   Andrew Searles, Yoshimichi Nakatsuka, Ercan Ozturk, Andrew Paverd, Gene Tsudik, and Ai Enkoji

   In 32th USENIX Security Symposium, USENIX Security 2023, August 9-11, 2023, Anaheim, California, USA, 2023

   Abs PDF Code

   For nearly two decades, CAPTCHAs have been widely used as a means of protection against bots. Throughout the years, as their use grew, techniques to defeat or bypass CAPTCHAs have continued to improve. Meanwhile, CAPTCHAs have also evolved in terms of sophistication and diversity, becoming increasingly difficult to solve for both bots (machines) and humans. Given this long-standing and still-ongoing arms race, it is critical to investigate how long it takes legitimate users to solve modern CAPTCHAs, and how they are perceived by those users. In this work, we explore CAPTCHAs in the wild by evaluating users’ solving performance and perceptions of unmodified currently-deployed CAPTCHAs. We obtain this data through manual inspection of popular websites and user studies in which 1,400 participants collectively solved 14,000 CAPTCHAs. Results show significant differences between the most popular types of CAPTCHAs: surprisingly, solving time and user perception are not always correlated. We performed a comparative study to investigate the effect of experimental context – specifically the difference between solving CAPTCHAs directly versus solving them as part of a more natural task, such as account creation. Whilst there were several potential confounding factors, our results show that experimental context could have an impact on this task, and must be taken into account in future CAPTCHA studies. Finally, we investigate CAPTCHA-induced user task abandonment by analyzing participants who start and do not complete the task.

2. NDSS

   VICEROY: GDPR-/CCPA-compliant Enforcement of Verifiable Accountless Consumer Requests

   Scott Jordan, Yoshimichi Nakatsuka, Ercan Ozturk, Andrew Paverd, and Gene Tsudik

   In 30th Annual Network and Distributed System Security Symposium, NDSS 2023, San Diego, California, USA, 27 February 2023 - 3 March 2023, 2023

   Abs DOI PDF Code

   Data regulation laws such as GDPR and CCPA provide consumers (or data subjects) with rights to request data operations such as access, modification, or deletion of their collected data. Authenticating consumers is crucial when conducting this operation, as such data can be privacy-sensitive. This is straight forward for consumers with accounts, as they simply provide authenticate by logging into their account. Such data regulation laws also require the same right to be provided to accountless consumers. However, authenticating such consumers have been adhoc, insecure, and privacy-invasive. In this work, we present VICEROY, a first-of-its-kind protocol that allows accountless consumers to authenticate themselves securely, privately, and in scale. We prove the security of VICEROY via Tamarin prover and its scalability through extensive evaluation.

2022

2022

1. ACM MobiSys

   Vronicle: verifiable provenance for videos from mobile devices

   Yuxin (Myles) Liu, Yoshimichi Nakatsuka, Ardalan Amiri Sani, Sharad Agarwal, and Gene Tsudik

   In MobiSys ’22: The 20th Annual International Conference on Mobile Systems, Applications and Services, Portland, Oregon, 27 June 2022 - 1 July 2022, 2022

   Abs DOI PDF Code Poster

   Videos have always been used in security-critical applications where videos are used as evidence or the videos themselves are sensitive. This was due to the fact that faking them was generally believed to be nearly impossible. However, there is a increasingly concerning trend of fraudulent videos, the so-called deepfakes. In this work we propose a novel system that generates a fine-grained, cryptographically verifiable provenance information of the videos without compromising performance. We utilize TEEs on both the device that takes the videos and the servers that processes the video. Our extensive measurements show that our proof-of-concept implementation outperforms the state-of-the-art system and is comparable with modern video hosting websites that do not provide such provenance info.

2021

2021

1. USENIX Security

   CACTI: Captcha Avoidance via Client-side TEE Integration

   Yoshimichi Nakatsuka, Ercan Ozturk, Andrew Paverd, and Gene Tsudik

   In 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, 2021

   Abs PDF Slides

   Preventing abuse of web services is becoming increasingly important, as bot activities are becoming wide spread. CAPTCHAs are commonly used to thwart bot abuse, by distinguishing bots from real human users. However, CAPTCHAs are well known to be frustrating for humans, as it takes time to solve. Moreover, the rise of machine learning based image recognition technology as well as CAPTCHA farms decrease the effectiveness of CAPTCHAs. In addition, privacy concerns related to more modern CAPTCHAs (e.g., behavior-based CAPTCHAs) is starting to attract public attention. In this work, we propose a novel system that utilizes client-side TEEs to solve the aforementioned issues. Our system, CACTI, allows users (bot or human) to cryptographically prove how many times they have conducted an action in a given timeframe (“rate”). Based on this “rate-proof”, the server can allow the user to skip solving CAPTCHAs entirely. Our measurements show that the end-to-end latency of CACTI is about 0.25 seconds and the overall bandwidth used is 98% smaller compared to conventional CAPTCHAs. Additionally, the use of group signature schemes prevents servers to track users based on the proofs.

2. ACM DTRAP

   PDoT: Private DNS-over-TLS with TEE Support

   Yoshimichi Nakatsuka, Andrew Paverd, and Gene Tsudik

   Digital Threats, Feb 2021

   DOI PDF

2019

2019

1. ACM ACSAC

   PDoT: Private DNS-over-TLS with TEE support

   Yoshimichi Nakatsuka, Andrew Paverd, and Gene Tsudik

   In Proceedings of the 35th Annual Computer Security Applications Conference, ACSAC 2019, San Juan, PR, USA, December 09-13, 2019, Feb 2019

   Abs DOI PDF Code Slides

   DNS-over-TLS was introduced to improve user privacy, as DNS packets are currently sent over the Internet in plaintext. However, DNS-over-TLS still suffers from privacy issues from malicious recursive resolvers and also usability issues. PDoT is a novel recursive resolver architecture that aims to overcome both of these issues using Trusted Execution Environments (TEEs).

2018

2018

1. IEEE ISCC

   FROG: A Packet Hop Count based DDoS Countermeasure in NDN

   Yoshimichi Nakatsuka, Janaka L. Wijekoon, and Hiroaki Nishi

   In 2018 IEEE Symposium on Computers and Communications, ISCC 2018, Natal, Brazil, June 25-28, 2018, Feb 2018

   Abs DOI PDF

   Named Data Networking (NDN) is one of the emerging future Internet architecture that aims to put content in the center of the communication. Similar to the current Internet, NDN also suffers from DDoS attacks. FROG aims to detect and mitigate DDoS attacks in NDN using a novel method that utilizes packet hop counts.