Crime Analysis using Open Source Information

In this paper, we present a method of crime analysis from open source information. We employed un-supervised methods of data mining to explore the facts regarding the crimes of an area of interest. The analysis is based on well known clustering and association techniques. The results show that the proposed method of crime analysis is efficient and gives a broad picture of the crimes of an area to analyst without much effort. The analysis is evaluated using manual approach, which reveals that the results produced by the proposed approach are comparable to the manual analysis, while a great amount of time is saved

ARMageddon: Cache Attacks on Mobile Devices

In the last 10 years, cache attacks on Intel x86 CPUs have gained increasing attention among the scientific community and powerful techniques to exploit cache side channels have been developed. However, modern smartphones use one or more multi-core ARM CPUs that have a different cache organization and instruction set than Intel x86 CPUs. So far, no cross-core cache attacks have been demonstrated on non-rooted Android smartphones. In this work, we demonstrate how to solve key challenges to perform the most powerful cross-core cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on non-rooted ARM-based devices without any privileges. Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen. Eventually, we are the first to attack cryptographic primitives implemented in Java. Our attacks work across CPUs and can even monitor cache activity in the ARM TrustZone from the normal world. The techniques we present can be used to attack hundreds of millions of Android devices.Comment: Original publication in the Proceedings of the 25th Annual USENIX Security Symposium (USENIX Security 2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lip

Fallout: Reading Kernel Writes From User Space

Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors. In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution. Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations

ConTExT: Leakage-Free Transient Execution

Out-of-order execution and speculative execution are among the biggest contributors to performance and efficiency of modern processors. However, they are inconsiderate, leaking secret data during the transient execution of instructions. Many solutions have been proposed against transient execution attacks. However, they do not eliminate the leakage entirely or introduce unacceptable performance penalties. In this paper, we propose ConTExT, a Considerate Transient Execution Technique. The basic idea of ConTExT is that secrets can enter registers, but not transiently leave them. ConTExT transforms Spectre from a problem that cannot be solved purely in software [53], to a problem that is not easy to solve, but solvable in software. For this, ConTExT requires minimal modifications of applications, compilers, operating systems, and the hardware. ConTExT offers full protection for secrets in memory and secrets in registers. We evaluate the security and performance of ConTExT. With its principled approach it inherently mitigates the recently found microarchitectural data sampling attacks on small processor buffers. Even when over-approximating, we observe no performance overhead for unprotected code and data, and an overhead of 71.14% for security-critical applications, which is below the overhead of currently recommended state-of-the-art mitigation strategies. The actual overhead of ConTExT is below 1% for real-world workloads

Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs (Updated and Extended Version)

Meltdown and Spectre exploit microarchitectural changes the CPU makes during transient out-of-order execution. Using side-channel techniques, these attacks enable leaking arbitrary data from memory. As state-of-the-art software mitigations for Meltdown may incur significant performance overheads, they are only seen as a temporary solution. Thus, software mitigations are disabled on more recent processors, which are not susceptible to Meltdown anymore. In this paper, we show that Meltdown-like attacks are still possible on recent CPUs which are not vulnerable to the original Meltdown attack. We show that the store buffer - a microarchitectural optimization to reduce the latency for data stores - in combination with the TLB enables powerful attacks. We present several ASLRrelated attacks, including a KASLR break from unprivileged applications, and breaking ASLR from JavaScript. We can also mount side-channel attacks, breaking the atomicity of TSX, and monitoring control flow of the kernel. Furthermore, when combined with a simple Spectre gadget, we can leak arbitrary data from memory. Our paper shows that Meltdown-like attacks are still possible, and software fixes are still necessary to ensure proper isolation between the kernel and user space. This updated extended version of the original paper includes new results and explanations on the root cause of the vulnerability and shows how it is different to MDS attacks like Fallout

ZombieLoad: Cross-Privilege-Boundary Data Sampling

In early 2018, Meltdown first showed how to read arbitrary kernel memory from user space by exploiting side-effects from transient instructions. While this attack has been mitigated through stronger isolation boundaries between user and kernel space, Meltdown inspired an entirely new class of fault-driven transient execution attacks. Particularly, over the past year, Meltdown-type attacks have been extended to not only leak data from the L1 cache but also from various other microarchitectural structures, including the FPU register file and store buffer. In this paper, we present the ZombieLoad attack which uncovers a novel Meltdown-type effect in the processor's previously unexplored fill-buffer logic. Our analysis shows that faulting load instructions (i.e., loads that have to be re-issued for either architectural or microarchitectural reasons) may transiently dereference unauthorized destinations previously brought into the fill buffer by the current or a sibling logical CPU. Hence, we report data leakage of recently loaded stale values across logical cores. We demonstrate ZombieLoad's effectiveness in a multitude of practical attack scenarios across CPU privilege rings, OS processes, virtual machines, and SGX enclaves. We discuss both short and long-term mitigation approaches and arrive at the conclusion that disabling hyperthreading is the only possible workaround to prevent this extremely powerful attack on current processors

Hydras and IPFS: A Decentralised Playground for Malware

Modern malware can take various forms, and has reached a very high level of sophistication in terms of its penetration, persistence, communication and hiding capabilities. The use of cryptography, and of covert communication channels over public and widely used protocols and services, is becoming a norm. In this work, we start by introducing Resource Identifier Generation Algorithms. These are an extension of a well-known mechanism called Domain Generation Algorithms (DGA), which are frequently employed by cybercriminals for bot management and communication. Our extension allows, beyond DNS, the use of other protocols. More concretely, we showcase the exploitation of the InterPlanetary file system (IPFS). This is a solution for the "permanent web", which enjoys a steadily growing community interest and adoption. The IPFS is, in addition, one of the most prominent solutions for blockchain storage. We go beyond the straightforward case of using the IPFS for hosting malicious content, and explore ways in which a botmaster could employ it, to manage her bots, validating our findings experimentally. Finally, we discuss the advantages of our approach for malware authors, its efficacy and highlight its extensibility for other distributed storage services.Comment: Published in International Journal of Information Securit

Reduced visual attention in heterogeneous textures is reflected in occipital alpha and theta band activity.

Increasing context heterogeneity has been found to reduce attention deployment towards an embedded target item. Heterogeneity in visual search tasks is typically induced by segmenting the background into several perceptual groups. In the present study, however, context heterogeneity was induced by varying whole-field heterogeneity, i.e., the degree of distractor variability within the entire context. This allowed us to (i) more gradually vary context heterogeneity, and (ii) investigate attention deployment on a whole-field scale. Results showed that both search performance and amplitude of the N2pc (lateralized ERP; posterior contralateral negativity in the N2 range) monotonically decreased with increasing context heterogeneity, which confirmed that there was less efficient attention deployment for more heterogeneous contexts. The amplitude of the bilateral N2 exhibited a U-shaped function, suggesting global perception for the lowest and highest levels of heterogeneity, but local processing for intermediate heterogeneity levels. Independent component analyses revealed an occipital ERP-contributing effective source cluster that may reflect stimulus representations on a saliency map. With increasing heterogeneity, these sources exhibited more theta band activity for distractors and less theta band activity for targets. Alpha band activity of a second component cluster varied with heterogeneity level, and low-theta/delta activity of a third source cluster distinguished target presence versus absence. In sum, our results suggest that independent brain sources contributed to the differential processing of heterogeneous versus homogeneous contexts

A Study of Newly Observed Hostnames and DNS Tunneling in the Wild

The domain name system (DNS) is a crucial backbone of the Internet and millions of new domains are created on a daily basis. While the vast majority of these domains are legitimate, adversaries also register new hostnames to carry out nefarious purposes, such as scams, phishing, or other types of attacks. In this paper, we present insights on the global utilization of DNS through a measurement study examining exclusively newly observed hostnames via passive DNS data analysis. We analyzed more than two billion such hostnames collected over a period of two months. Surprisingly, we find that only three second-level domains are responsible for more than half of all newly observed hostnames every day. More specifically, we found that Google's Accelerated Mobile Pages (AMP) project, the music streaming service Spotify, and a DNS tunnel provider generate the majority of new domains on the Internet. DNS tunneling is a covert channel technique to transfer arbitrary information over DNS via DNS queries and answers. This technique is often (ab)used by attackers to transfer data in a stealthy way, bypassing traditional network security systems. We find that potential DNS tunnels cause a significant fraction of the global DNS requests for new hostnames: our analysis reveals that nearly all resource record type NULL requests and more than a third of all TXT requests can be attributed to DNS tunnels. Motivated by these empirical measurement results, we propose and implement a method to identify DNS tunnels via a step-wise filtering approach that relies on general characteristics of such tunnels (e.g., number of subdomains or resource record type). Using our approach on empirical data, we successfully identified 273 suspicious domains related to DNS tunnels, including two known APT campaigns (Wekby and APT32)

SoK: Tools for Game Theoretic Models of Security for Cryptocurrencies

Cryptocurrencies have garnered much attention in recent years, both from the academic community and industry. One interesting aspect of cryptocurrencies is their explicit consideration of incentives at the protocol level. Understanding how to incorporate this into the models used to design cryptocurrencies has motivated a large body of work, yet many open problems still exist and current systems rarely deal with incentive related problems well. This issue arises due to the gap between Cryptography and Distributed Systems security, which deals with traditional security problems that ignore the explicit consideration of incentives, and Game Theory, which deals best with situations involving incentives. With this work, we aim to offer a systematization of the work that relates to this problem, considering papers that blend Game Theory with Cryptography or Distributed systems and discussing how they can be related. This gives an overview of the available tools, and we look at their (potential) use in practice, in the context of existing blockchain based systems that have been proposed or implemented