InversOS: Efficient Control-Flow Protection for AArch64 Applications with Privilege Inversion
With the increasing popularity of AArch64 processors in general-purpose
computing, securing software running on AArch64 systems against control-flow
hijacking attacks has become critical. Shadow stacks keep shadow copies of
function return addresses and, when protected from illegal modification and
coupled with forward-edge control-flow integrity, form an effective and proven
defense against such attacks. However, AArch64 lacks native support for
write-protected shadow stacks, while software alternatives either incur
prohibitive performance overhead or provide weak security guarantees.
We present InversOS, the first hardware-assisted write-protected shadow stack
for AArch64 user-space applications. It uses commonly available AArch64
features to achieve the efficient intra-address-space isolation (called
Privilege Inversion) required to protect shadow stacks. Privilege Inversion
adopts unconventional design choices: protected applications run in kernel
mode, and operating system (OS) kernel memory is marked as user-accessible.
InversOS therefore uses a novel combination of OS kernel modifications,
compiler transformations, and another AArch64 feature to make this safe and to
support legacy applications. We show that InversOS is secure by design,
effective against various control-flow hijacking attacks, and performant on
selected benchmarks and applications (incurring overhead of 7.0% on LMBench,
7.1% on SPEC CPU 2017, and 3.0% on the Nginx web server).
Comment: 18 pages, 9 figures, 4 tables
Immigrant community integration in world cities
As a consequence of accelerated globalization, major cities all over the world
are today characterized by increasing multiculturalism. The integration of
immigrant communities may be affected by social polarization and spatial
segregation. How are these dynamics evolving over time? To what extent are the
different policies launched to tackle these problems working? These are
critical questions traditionally addressed by studies based on surveys and
census data. Such sources avoid spurious biases, but data collection is
intensive and rather expensive work. Here, we conduct a comprehensive study on
immigrant integration in 53 world cities by introducing an innovative
approach: an analysis of the spatio-temporal communication patterns of
immigrant and local communities based on language detection in Twitter and on
novel metrics of spatial integration. We quantify the "Power of Integration"
of cities, their capacity to spatially integrate diverse cultures, and
characterize the relations between different cultures when acting as hosts or
immigrants.
Comment: 13 pages, 5 figures + Appendix
PhishReplicant: A Language Model-based Approach to Detect Generated Squatting Domain Names
Domain squatting is a technique used by attackers to create domain names for
phishing sites. In recent phishing attempts, we have observed many domain names
that use multiple techniques to evade existing methods for domain squatting.
These domain names, which we call generated squatting domains (GSDs), are quite
different in appearance from legitimate domain names and do not contain brand
names, making them difficult to associate with phishing. In this paper, we
propose a system called PhishReplicant that detects GSDs by focusing on the
linguistic similarity of domain names. We analyzed newly registered and
observed domain names extracted from certificate transparency logs, passive
DNS, and DNS zone files. We detected 3,498 domain names acquired by attackers
in a four-week experiment, of which 2,821 were used for phishing sites within a
month of detection. We also confirmed that our proposed system outperformed
existing systems in both detection accuracy and number of domain names
detected. As an in-depth analysis, we examined 205k GSDs collected over 150
days and found that phishing using GSDs was distributed globally. However,
attackers intensively targeted brands in specific regions and industries. By
analyzing GSDs in real time, we can block phishing sites before or immediately
after they appear.
Comment: Accepted at ACSAC 202
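As an added example (not PhishReplicant's own code, which the abstract describes as language-model based), the following Python flags newly observed domain names by character-trigram similarity to a seed set of already-confirmed GSDs, routes brand-bearing names to the brand-based squatting detectors that already handle them, and folds newly detected GSDs back into the seed set so later variants from the same generator are matched. Every domain, brand token and suffix below is constructed for the demo, and the 0.4 threshold is an assumption.

```python
"""Added example: n-gram similarity screen for generated squatting domains.
All domains, brand tokens and suffixes are constructed; not PhishReplicant's code."""
from __future__ import annotations

# Constructed seed set: GSDs already confirmed as phishing infrastructure.
SEED_GSDS = [
    "secure-idcheck-mailbox.top",
    "idcheck-mailbox-secure.xyz",
    "mailbox-secure-idcheck.club",
    "secure-mailbox-idcheck-login.top",
]

# Constructed feed, as it might be assembled from CT logs, passive DNS and zone files.
NEW_DOMAINS = [
    "secure-idcheck-login.top",
    "mailbox-idcheck-secure.xyz",
    "example-bakery.com",
    "paypa1-login.com",
    "weather-service.co.uk",
]

BRAND_TOKENS = {"paypal", "paypa1", "microsoft", "apple"}  # constructed; brand names go to brand-based detectors
MULTI_PART_SUFFIXES = {"co.uk", "com.au"}                   # constructed stand-in for the Public Suffix List


def registrable_label(domain: str) -> str:
    """Label directly under the public suffix, e.g. 'weather-service' for weather-service.co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def char_ngrams(label: str, n: int = 3) -> frozenset[str]:
    """Character n-grams over the label with boundary markers, so prefixes/suffixes stay distinct."""
    padded = f"^{label}$"
    return frozenset(padded[i:i + n] for i in range(len(padded) - n + 1))


def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def best_seed_match(label: str, seed_profiles: dict[str, frozenset[str]]) -> tuple[float, str]:
    grams = char_ngrams(label)
    return max(((jaccard(grams, g), s) for s, g in seed_profiles.items()), default=(0.0, ""))


def scan(domains, seeds=SEED_GSDS, threshold: float = 0.4, grow_seeds: bool = True):
    """Return {domain: (verdict, score, closest_seed)} for verdict in gsd / unmatched / brand-squat."""
    seed_profiles = {s: char_ngrams(registrable_label(s)) for s in seeds}
    verdicts = {}
    for d in domains:
        label = registrable_label(d)
        if any(b in label for b in BRAND_TOKENS):
            verdicts[d] = ("brand-squat", 0.0, "")     # not a GSD by the abstract's definition
            continue
        score, seed = best_seed_match(label, seed_profiles)
        if score >= threshold:
            verdicts[d] = ("gsd", round(score, 2), seed)
            if grow_seeds:                              # detected GSDs sharpen matching of later ones
                seed_profiles[d] = char_ngrams(label)
        else:
            verdicts[d] = ("unmatched", round(score, 2), seed)
    return verdicts


if __name__ == "__main__":
    for dom, (verdict, score, seed) in scan(NEW_DOMAINS).items():
        print(f"{dom:32} {verdict:12} {score:.2f}  closest seed: {seed}")
```

Trigram Jaccard is a deliberately simple stand-in for the paper's language model: it catches names built from the same generator vocabulary but is blind to a generator that re-samples its vocabulary, which is why seed growth (and, in production, a periodic re-seed from confirmed phishing pages) matters.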
Fine-Grained Static Detection of Obfuscation Transforms Using Ensemble-Learning and Semantic Reasoning
The ability to efficiently detect which software protections are in use is of prime importance for selecting and applying adequate deobfuscation techniques. We present a novel approach that combines semantic reasoning techniques with ensemble-learning classification to provide a static detection framework for obfuscation transformations. In contrast to existing work, our methodology can detect multiple layers of obfuscation without depending on knowledge of the underlying functionality of the training set used. We also extend our work to detect the constructions of obfuscation transformations, thus providing a fine-grained methodology. To that end, we provide several studies on best practices for using machine learning techniques to obtain a scalable and efficient model. According to our experimental results and evaluations on obfuscators such as Tigress and OLLVM, our models achieve up to 91% accuracy on state-of-the-art obfuscation transformations, and up to 100% accuracy on their constructions.
On the Effectiveness of Function-Level Vulnerability Detectors for Inter-Procedural Vulnerabilities
Software vulnerabilities are a major cyber threat, and it is important to
detect them. One important approach to detecting vulnerabilities is to use
deep learning while treating a program function as a whole, known as
function-level vulnerability detectors. However, the limitations of this
approach are not well understood. In this paper, we investigate its limitation
in detecting one class of vulnerabilities known as inter-procedural
vulnerabilities, where the to-be-patched statements and the
vulnerability-triggering statements belong to different functions. For this
purpose, we create the first Inter-Procedural Vulnerability Dataset (InterPVD)
based on C/C++ open-source software, and we propose a tool dubbed VulTrigger
for identifying vulnerability-triggering statements across functions.
Experimental results show that VulTrigger can effectively identify
vulnerability-triggering statements and inter-procedural vulnerabilities. Our
findings include: (i) inter-procedural vulnerabilities are prevalent, with an
average of 2.8 inter-procedural layers; and (ii) function-level vulnerability
detectors are much less effective at detecting the to-be-patched functions of
inter-procedural vulnerabilities than at detecting their counterparts in
intra-procedural vulnerabilities.
Comment: 12 pages, 7 figures. To appear in the Proceedings of the 46th
International Conference on Software Engineering (ICSE'24
Assessing the Effectiveness of Binary-Level CFI Techniques
Memory corruption is an important class of vulnerability that can be
leveraged to craft control flow hijacking attacks. Control Flow Integrity (CFI)
provides protection against such attacks. Application of type-based CFI
policies requires information regarding the number and type of function
arguments. Binary-level type recovery is inherently speculative, which
motivates the need for an evaluation framework to assess the effectiveness of
binary-level CFI techniques compared with their source-level counterparts,
where such type information is fully and accurately accessible. In this work,
we develop a novel, generalized and extensible framework to assess how the
program analysis information we get from state-of-the-art binary analysis tools
affects the efficacy of type-based CFI techniques. We introduce new and
insightful metrics to quantitatively compare source-independent CFI policies
with their ground-truth, source-aware counterparts. We leverage our framework
to evaluate binary-level CFI policies implemented using program analysis
information extracted from the IDA Pro binary analyzer, compare them with the
ground-truth information obtained from the LLVM compiler, and present our
observations.
Comment: 14 pages, 9 figures, 9 tables. Part of this work is to be published
in the 16th International Symposium on Foundations & Practice of Security (FPS -
2023
Preventing Ransomware Attacks Through File System Filter Drivers
Over the last few years, ransomware attacks have spread widely over the Internet, indiscriminately targeting home users as well as corporations and public agencies. Several approaches have been proposed in the literature to analyze and detect ransomware intrusions, ranging from combined heuristics, behavior analysis, sandbox-based solutions and machine learning techniques to function-call monitoring. Our approach differs from the above by shifting the focus from removing the problem to mitigating damage, to ensure data availability despite malware attacks. The aim is not to detect new ransomware samples, but simply to protect the integrity and availability of private data. In other words, we interfere with ransomware's usual behavior by intercepting I/O request packets and denying operations on the user's valuable data.
An iterative technique to identify browser fingerprinting scripts
Browser fingerprinting is a stateless identification technique based on
browser properties. Together, these properties form an identifier that can be
collected without users' notice and has been shown to be unique and stable. As
the technique relies on browser properties that serve legitimate purposes,
detecting it is challenging. While several studies propose classification
techniques, none of these are publicly available, making them difficult to
reproduce. This paper proposes a new browser fingerprinting detection
technique. Based on an incremental process, it relies on both automatic and
manual decisions to be both reliable and fast. The automatic step matches
similarities in API calls between scripts, while the manual step is required
to classify a script whose calls differ. We publicly share our algorithm and
implementation to improve the general knowledge on the subject
- …
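The incremental automatic/manual loop described in this abstract, as an added example that is not the paper's implementation: each script's set of browser API calls is extracted with a few regular expressions and compared (Jaccard similarity) against a reference set of known fingerprinting scripts; a close match is labelled automatically, anything else is queued for an analyst, and a script the analyst confirms as fingerprinting joins the reference set so that its later variants are matched without manual work. The JavaScript snippets, the analyst verdicts and the 0.4 threshold are all constructed assumptions for the demo.

```python
"""Added example: incremental fingerprinting-script classifier.
Scripts, analyst verdicts and threshold are constructed; not the paper's code."""
from __future__ import annotations
import re

# Constructed reference script: canvas plus navigator/screen fingerprinting.
KNOWN_FINGERPRINTER = """
var ua = navigator.userAgent;
var c = document.createElement('canvas');
var ctx = c.getContext('2d');
ctx.fillText('fp', 2, 2);
var hash = c.toDataURL();
var w = screen.width, h = screen.height;
var tz = new Date().getTimezoneOffset();
"""

# Constructed feed of scripts to classify, in the order they are observed.
SCRIPT_FEED = [
    ("s1", """var o = {ua: navigator.userAgent, lang: navigator.language, w: screen.width, d: screen.colorDepth};
var cv = document.createElement('canvas');
cv.getContext('2d').fillText('abc', 1, 1);
o.canvas = cv.toDataURL();
send(JSON.stringify(o));"""),
    ("s2", """var img = new Image();
img.src = '/pixel.gif?ref=' + encodeURIComponent(document.referrer) + '&ua=' + navigator.userAgent;
document.body.appendChild(img);"""),
    ("s3", """var ac = new AudioContext();
var osc = ac.createOscillator();
var an = ac.createAnalyser();
osc.connect(an);
osc.start(0);
var data = new Float32Array(an.frequencyBinCount);
an.getFloatFrequencyData(data);"""),
    ("s4", """var ctx = new AudioContext();
var o = ctx.createOscillator();
var a = ctx.createAnalyser();
o.connect(a);
o.start(0);
var buf = new Float32Array(a.frequencyBinCount);
a.getFloatFrequencyData(buf);
report(buf);"""),
]

# Constructed analyst decisions for scripts the automatic step cannot settle.
MANUAL_VERDICTS = {"s2": "benign", "s3": "fingerprinting"}

PROPERTY_RE = re.compile(r"\b(?:navigator|screen)\.\w+")  # data properties commonly read for fingerprints
METHOD_RE = re.compile(r"\.(\w+)\(")                       # method calls, by name only
CTOR_RE = re.compile(r"\bnew\s+(\w+)")                     # constructed objects (AudioContext, Image, ...)


def extract_api_calls(src: str) -> frozenset[str]:
    """Crude API profile of a script: property reads, method names and constructors."""
    return frozenset(PROPERTY_RE.findall(src) + METHOD_RE.findall(src) + CTOR_RE.findall(src))


def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


class FingerprintDetector:
    def __init__(self, threshold: float = 0.4):
        self.threshold = threshold                                   # assumed cut-off
        self.reference = {"known": extract_api_calls(KNOWN_FINGERPRINTER)}
        self.manual_queue: list[str] = []                            # scripts handed to an analyst

    def best_match(self, calls: frozenset[str]) -> tuple[float, str]:
        return max(((jaccard(calls, r), n) for n, r in self.reference.items()), default=(0.0, ""))

    def classify(self, name: str, src: str, manual_verdicts: dict[str, str]) -> tuple[str, float, str]:
        """Return (label, similarity, closest reference); label is auto:... or manual:..."""
        calls = extract_api_calls(src)
        score, ref = self.best_match(calls)
        if score >= self.threshold:                                  # automatic step
            return "auto:fingerprinting", round(score, 2), ref
        self.manual_queue.append(name)                               # manual step
        verdict = manual_verdicts.get(name, "pending")
        if verdict == "fingerprinting":
            self.reference[name] = calls                             # confirmed script extends the reference set
        return f"manual:{verdict}", round(score, 2), ref

    def run(self, feed, manual_verdicts):
        return {name: self.classify(name, src, manual_verdicts) for name, src in feed}


if __name__ == "__main__":
    det = FingerprintDetector()
    for name, (label, score, ref) in det.run(SCRIPT_FEED, MANUAL_VERDICTS).items():
        print(f"{name}: {label:22} sim={score:.2f} vs {ref}")
```

In the constructed feed, s1 is matched automatically against the canvas script, s2 (an analytics pixel that also reads `navigator.userAgent`) and the audio-fingerprinting script s3 both fall below the threshold and go to the analyst, and once s3 is confirmed the near-identical s4 is matched automatically, which is the point of the incremental design. The regex profile is intentionally simple; a production version would work from the browser's actual API-call trace rather than script text, since minified or dynamically built property names defeat the pattern matching.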