Half-Moon Cookie: Private, Similarity-Based Blocklisting with TOCTOU-Attack Resilience

TL;DR

Half-Moon Cookie is a privacy-preserving, similarity-based blocklisting framework that prevents TOCTOU attacks and enables efficient malware detection without revealing client data or disclosing the blocklist.

Contribution

It introduces a novel privacy-preserving blocklisting method that separates embedding and checking, supporting efficient pre-checks and resilience against TOCTOU attacks.

Findings

Supports similarity-based malware detection without revealing client inputs.

Separates embedding from blocklist check to optimize performance.

Provides a fast pre-check to prevent TOCTOU attacks.

Abstract

Blocklisting is a common technique for preventing the use of known malicious content. However, conventional blocklisting infrastructures require either the blocklist to be public or clients to reveal their queries to the blocklist server. In this work, we introduce a private blocklisting framework, Half-Moon Cookie, by which a client can check an item against a proprietary blocklist held by a server, to determine whether the item is close to any blocklist element in a metric space. Critically, our design separates the embedding step from the blocklist check, so that performance degrades with their sum and not their product. Still, this check might be too costly to perform on the critical path of using the item, and so our design also supports a very efficient check that an item previously passed the blocklist check. In doing so, we support applications where one client can perform the blocklist check on the item before sending it, and recipients can more efficiently confirm the previous result before using the item, thereby avoiding TOCTOU attacks. We demonstrate how Half-Moon Cookie can be instantiated for similarity-based malware detection, enabling effective identification of malicious executables without revealing client inputs or disclosing the underlying blocklist.