EvoSec 2025W Lecture 18

Readings

• Dabbour, "Towards In-Band Non-Cryptographic Authentication." (NSPW 2020)
• Foster, "Object-Level Recombination of Commodity Applications." (GECCO 2010)

Notes

Lecture 18
----------
G1
 - can be more complex to detect imposters in practice because to do so because 1) you won't consider it a possibility, and 2) you'd have to act weird
 - AI chatbots can immitate people given chat history, that could defeat detection attempts
 - shared history may be the strongest authenticator but isn't practical (like narrative auth)

G2
 - What's the connection between these two? Seemed obscure
   - create new and identifiable contexts for security
     - security context from code diversity vs shared knowledge/observations
 - computer-to-computer is not like people-to-people communication, is it even feasible to distinguish them?
 - similar to encryption, shared secret, but secret is shared context
 - how complex of models would be required for authentication between computers?

G4
 - doesn't computer behavior boil down to protocols, so not so much opportunity for unknown shared context?
   - if one host is compromised, it can be immitated using stolen data
   - compromised communication allows models to be built up over time
 - how does the link resolver work?!
 - is genetic recombination practical?
   - can you really get more complexity over many generations?
 - what is the similarity between the papers?

G3
 - knowing the attacker could be there biases the conversation
   - if you did a more "real world" experiment, would people detect impersonation if not primed? suspect they won't
   - in the real world users, if someone knows they've been hacked they have other ways of communicating this fact
 - if defender can train model, attacker can also, and your behavior is harder to change than a password
 - no mutation of object files, so is this evolution?
   - how can we do mutation here that would generate novelty?
   - don't we still need people? How can this be fully automated?


I don't see these papers as practical, but evocative
 - how do people recognize each other when limited to text?
 - can we have programs sexually reproduce like biological organisms, without
   being designed for this?


don't mistake the abstraction for the implementation
 - computer-to-computer "conversational" auth would have models of implementation & context-specific details
   - precise program versions
   - communication details