Crime Analysis using Open Source Information
In this paper, we present a method of crime analysis from open source
information. We employed unsupervised data-mining methods to explore the
facts regarding the crimes of an area of interest. The analysis is based on
well-known clustering and association techniques. The results show that the
proposed method of crime analysis is efficient and gives the analyst a broad
picture of the crimes of an area without much effort. The analysis is evaluated
against a manual approach, which reveals that the results produced by the
proposed approach are comparable to the manual analysis, while a great amount
of time is saved.
ARMageddon: Cache Attacks on Mobile Devices
In the last 10 years, cache attacks on Intel x86 CPUs have gained increasing
attention among the scientific community and powerful techniques to exploit
cache side channels have been developed. However, modern smartphones use one or
more multi-core ARM CPUs that have a different cache organization and
instruction set than Intel x86 CPUs. So far, no cross-core cache attacks have
been demonstrated on non-rooted Android smartphones. In this work, we
demonstrate how to solve key challenges to perform the most powerful cross-core
cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on
non-rooted ARM-based devices without any privileges. Based on our techniques,
we demonstrate covert channels that outperform state-of-the-art covert channels
on Android by several orders of magnitude. Moreover, we present attacks to
monitor tap and swipe events as well as keystrokes, and even derive the lengths
of words entered on the touchscreen. Eventually, we are the first to attack
cryptographic primitives implemented in Java. Our attacks work across CPUs and
can even monitor cache activity in the ARM TrustZone from the normal world. The
techniques we present can be used to attack hundreds of millions of Android
devices.
Comment: Original publication in the Proceedings of the 25th Annual USENIX
Security Symposium (USENIX Security 2016).
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lip
Fallout: Reading Kernel Writes From User Space
Recently, out-of-order execution, an important performance optimization in
modern high-end processors, has been revealed to pose a significant security
threat, allowing information leaks across security domains. In particular, the
Meltdown attack leaks information from the operating system kernel to user
space, completely eroding the security of the system. To address this and
similar attacks, without incurring the performance costs of software
countermeasures, Intel includes hardware-based defenses in its recent Coffee
Lake R processors.
In this work, we show that the recent hardware defenses are not sufficient.
Specifically, we present Fallout, a new transient execution attack that leaks
information from a previously unexplored microarchitectural component called
the store buffer. We show how unprivileged user processes can exploit Fallout
to reconstruct privileged information recently written by the kernel. We
further show how Fallout can be used to bypass kernel address space
randomization. Finally, we identify and explore microcode assists as a hitherto
ignored cause of transient execution.
Fallout affects all processor generations we have tested. However, we notice
a worrying regression, where the newer Coffee Lake R processors are more
vulnerable to Fallout than older generations.
ConTExT: Leakage-Free Transient Execution
Out-of-order execution and speculative execution are among the biggest
contributors to performance and efficiency of modern processors. However, they
are inconsiderate, leaking secret data during the transient execution of
instructions. Many solutions have been proposed against transient execution
attacks. However, they do not eliminate the leakage entirely or introduce
unacceptable performance penalties.
In this paper, we propose ConTExT, a Considerate Transient Execution
Technique. The basic idea of ConTExT is that secrets can enter registers, but
not transiently leave them. ConTExT transforms Spectre from a problem that
cannot be solved purely in software [53], to a problem that is not easy to
solve, but solvable in software. For this, ConTExT requires minimal
modifications of applications, compilers, operating systems, and the hardware.
ConTExT offers full protection for secrets in memory and secrets in registers.
We evaluate the security and performance of ConTExT. With its principled
approach it inherently mitigates the recently found microarchitectural data
sampling attacks on small processor buffers. Even when over-approximating, we
observe no performance overhead for unprotected code and data, and an overhead
of 71.14% for security-critical applications, which is below the overhead of
currently recommended state-of-the-art mitigation strategies. The actual
overhead of ConTExT is below 1% for real-world workloads.
Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs (Updated and Extended Version)
Meltdown and Spectre exploit microarchitectural changes the CPU makes during
transient out-of-order execution. Using side-channel techniques, these attacks
enable leaking arbitrary data from memory. As state-of-the-art software
mitigations for Meltdown may incur significant performance overheads, they are
only seen as a temporary solution. Thus, software mitigations are disabled on
more recent processors, which are not susceptible to Meltdown anymore.
In this paper, we show that Meltdown-like attacks are still possible on
recent CPUs which are not vulnerable to the original Meltdown attack. We show
that the store buffer - a microarchitectural optimization to reduce the latency
for data stores - in combination with the TLB enables powerful attacks. We
present several ASLR-related attacks, including a KASLR break from unprivileged
applications, and breaking ASLR from JavaScript. We can also mount side-channel
attacks, breaking the atomicity of TSX, and monitoring control flow of the
kernel. Furthermore, when combined with a simple Spectre gadget, we can leak
arbitrary data from memory. Our paper shows that Meltdown-like attacks are
still possible, and software fixes are still necessary to ensure proper
isolation between the kernel and user space.
This updated extended version of the original paper includes new results and
explanations on the root cause of the vulnerability and shows how it is
different from MDS attacks like Fallout.
ZombieLoad: Cross-Privilege-Boundary Data Sampling
In early 2018, Meltdown first showed how to read arbitrary kernel memory from
user space by exploiting side-effects from transient instructions. While this
attack has been mitigated through stronger isolation boundaries between user
and kernel space, Meltdown inspired an entirely new class of fault-driven
transient execution attacks. Particularly, over the past year, Meltdown-type
attacks have been extended to not only leak data from the L1 cache but also
from various other microarchitectural structures, including the FPU register
file and store buffer.
In this paper, we present the ZombieLoad attack which uncovers a novel
Meltdown-type effect in the processor's previously unexplored fill-buffer
logic. Our analysis shows that faulting load instructions (i.e., loads that
have to be re-issued for either architectural or microarchitectural reasons)
may transiently dereference unauthorized destinations previously brought into
the fill buffer by the current or a sibling logical CPU. Hence, we report data
leakage of recently loaded stale values across logical cores. We demonstrate
ZombieLoad's effectiveness in a multitude of practical attack scenarios across
CPU privilege rings, OS processes, virtual machines, and SGX enclaves. We
discuss both short and long-term mitigation approaches and arrive at the
conclusion that disabling hyperthreading is the only possible workaround to
prevent this extremely powerful attack on current processors.
Hydras and IPFS: A Decentralised Playground for Malware
Modern malware can take various forms, and has reached a very high level of
sophistication in terms of its penetration, persistence, communication and
hiding capabilities. The use of cryptography, and of covert communication
channels over public and widely used protocols and services, is becoming a
norm. In this work, we start by introducing Resource Identifier Generation
Algorithms. These are an extension of a well-known mechanism called Domain
Generation Algorithms (DGA), which are frequently employed by cybercriminals
for bot management and communication. Our extension allows, beyond DNS, the use
of other protocols. More concretely, we showcase the exploitation of the
InterPlanetary file system (IPFS). This is a solution for the "permanent web",
which enjoys a steadily growing community interest and adoption. The IPFS is,
in addition, one of the most prominent solutions for blockchain storage. We go
beyond the straightforward case of using the IPFS for hosting malicious
content, and explore ways in which a botmaster could employ it, to manage her
bots, validating our findings experimentally. Finally, we discuss the
advantages of our approach for malware authors, its efficacy and highlight its
extensibility for other distributed storage services.
Comment: Published in International Journal of Information Security
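The abstract above builds on domain generation algorithms as the "well-known mechanism" it extends. The following added example (written for this page, not code from the paper, and not its Resource Identifier Generation Algorithm design) shows the underlying rendezvous idea in its classic DNS form: bot and botmaster share only a seed and a clock, and each independently derives the same short list of candidate names per day, so no address needs to be hardcoded. The seed, hash construction, label length and TLD list are constructed choices for illustration. The defender-side function shows why recovering the seed matters: once it is known, the same algorithm pre-computes the names to sinkhole or block.

```python
"""Minimal time-seeded domain generation algorithm (DGA).

Added illustration of the mechanism the abstract extends; not the paper's
RIGA construction, which additionally targets non-DNS identifiers such as
IPFS resources. All constants below are constructed for the example.
"""
import datetime
import hashlib

SHARED_SEED = b"example-seed-not-a-real-botnet"  # constructed, hypothetical
TLDS = ("com", "net", "org")                       # hypothetical choice
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LABEL_LEN = 12


def daily_domains(day: datetime.date, count: int = 5, seed: bytes = SHARED_SEED):
    """Derive `count` candidate domains for `day` from the shared seed.

    Bot and botmaster both run this with the same seed and calendar date;
    the botmaster registers one of the outputs, the bot resolves them in
    order until one answers. Domains depend only on (seed, day, index).
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map hash bytes to letters (modulo bias is irrelevant for rendezvous).
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def defender_blocklist(start: datetime.date, days: int, count: int = 5,
                       seed: bytes = SHARED_SEED):
    """Reproduce the bot's future lookups once the seed has been recovered.

    This is the defender's side of the same algorithm: with the seed from
    a reversed sample, the names for the next `days` days can be sinkholed
    or blocked before the bots ever query them.
    """
    names = []
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        names.extend(daily_domains(day, count, seed))
    return names


if __name__ == "__main__":
    today = datetime.date(2020, 1, 1)
    for d in daily_domains(today):
        print(d)
    print(len(defender_blocklist(today, 7)), "names pre-computed for a week")
```

The essential property is determinism from shared state: the same (seed, date) pair always yields the same list, while a different date or seed yields an unrelated one. Replacing the `f"{label}.{tld}"` step with a lookup key for another naming or storage system is the generalization the paper makes; the derivation step stays the same.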
A Study of Newly Observed Hostnames and DNS Tunneling in the Wild
The domain name system (DNS) is a crucial backbone of the Internet and
millions of new domains are created on a daily basis. While the vast majority
of these domains are legitimate, adversaries also register new hostnames to
carry out nefarious purposes, such as scams, phishing, or other types of
attacks. In this paper, we present insights on the global utilization of DNS
through a measurement study examining exclusively newly observed hostnames via
passive DNS data analysis. We analyzed more than two billion such hostnames
collected over a period of two months. Surprisingly, we find that only three
second-level domains are responsible for more than half of all newly observed
hostnames every day. More specifically, we found that Google's Accelerated
Mobile Pages (AMP) project, the music streaming service Spotify, and a DNS
tunnel provider generate the majority of new domains on the Internet. DNS
tunneling is a covert channel technique to transfer arbitrary information over
DNS via DNS queries and answers. This technique is often (ab)used by attackers
to transfer data in a stealthy way, bypassing traditional network security
systems. We find that potential DNS tunnels cause a significant fraction of the
global DNS requests for new hostnames: our analysis reveals that nearly all
resource record type NULL requests and more than a third of all TXT requests
can be attributed to DNS tunnels.
Motivated by these empirical measurement results, we propose and implement a
method to identify DNS tunnels via a step-wise filtering approach that relies
on general characteristics of such tunnels (e.g., number of subdomains or
resource record type). Using our approach on empirical data, we successfully
identified 273 suspicious domains related to DNS tunnels, including two known
APT campaigns (Wekby and APT32).
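The abstract describes a step-wise filter over passive-DNS data keyed on general tunnel characteristics such as resource record type and number of subdomains, and reports that nearly all NULL and over a third of TXT requests for new hostnames are tunnel traffic. The following added example (written for this page, not the paper's implementation or thresholds) shows what such a pipeline looks like in practice: a record-type stage, a name-shape stage (subdomain count, label length, and a label-entropy check that is my own addition), and an aggregation stage that only reports a registered domain once several distinct tunnel-shaped hostnames have been seen under it. The passive-DNS records, thresholds and domain names are constructed for the example; `registered_domain` uses a naive last-two-labels rule where a real deployment would consult the public suffix list.

```python
"""Step-wise filtering of passive-DNS records for DNS-tunnel candidates.

Added illustration, not the paper's code. Stages mirror the kinds of
characteristics the abstract names (record type, number of subdomains);
the length/entropy test and all thresholds are constructed for this example.
"""
import math
from collections import defaultdict

# Constructed passive-DNS observations: (qname, rrtype). Not real data.
SAMPLE_RECORDS = [
    ("www.example.com", "A"),
    ("mail.example.com", "MX"),
    ("amp.example.org", "A"),
    ("spf.example.com", "TXT"),
    # Tunnel-shaped: many labels, long high-entropy chunks, NULL/TXT types.
    ("a1f9c2e7d8b3.4c5e6f7a8b9c.0d1e2f3a4b5c.t.exfil-demo.net", "NULL"),
    ("zq3x8k1m5v7w.9n2b4c6d8e0f.t.exfil-demo.net", "NULL"),
    ("0000aaaa1111bbbb2222cccc3333.t.exfil-demo.net", "TXT"),  # low entropy
    ("9f8e7d6c5b4a.t.exfil-demo.net", "TXT"),
    ("data.chunk01.update.example-cdn.net", "A"),
]

TUNNEL_RRTYPES = {"NULL", "TXT"}   # types the abstract associates with tunnels
MIN_SUBDOMAIN_LABELS = 2           # labels in front of the registered domain
MIN_LABEL_LEN = 12                 # hypothetical threshold
MIN_ENTROPY = 3.0                  # bits per character, hypothetical threshold
MIN_DISTINCT_QNAMES = 2            # per registered domain before reporting


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits; 0.0 for empty or uniform input."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registered domain = last two labels (real code: public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_labels(qname: str):
    """Labels left of the registered domain, i.e. the part a tunnel encodes into."""
    return qname.rstrip(".").split(".")[:-2]


def stage_rrtype(records):
    """Stage 1: keep only record types commonly used as tunnel carriers."""
    return [r for r in records if r[1] in TUNNEL_RRTYPES]


def stage_shape(records):
    """Stage 2: keep names whose subdomain part looks like encoded payload."""
    kept = []
    for qname, rrtype in records:
        subs = subdomain_labels(qname)
        if len(subs) < MIN_SUBDOMAIN_LABELS:
            continue
        longest = max(subs, key=len)
        if len(longest) < MIN_LABEL_LEN:
            continue
        if shannon_entropy(longest) < MIN_ENTROPY:
            continue
        kept.append((qname, rrtype))
    return kept


def stage_aggregate(records):
    """Stage 3: report a registered domain only with repeated distinct qnames."""
    by_domain = defaultdict(set)
    for qname, _ in records:
        by_domain[registered_domain(qname)].add(qname)
    return sorted(d for d, names in by_domain.items()
                  if len(names) >= MIN_DISTINCT_QNAMES)


def find_tunnel_candidates(records):
    """Run the three stages in order and return suspicious registered domains."""
    return stage_aggregate(stage_shape(stage_rrtype(records)))


if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_RECORDS))  # -> ['exfil-demo.net']
```

Note what each stage buys: the record-type stage alone would keep the benign `spf.example.com` TXT record, the shape stage drops it for having a single short label, and the entropy test drops the repetitive `0000aaaa...` name even though it is long. The aggregation stage is what keeps a single odd lookup from producing an alert; tuning `MIN_DISTINCT_QNAMES` is the main lever between false positives and latency of detection.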
SoK: Tools for Game Theoretic Models of Security for Cryptocurrencies
Cryptocurrencies have garnered much attention in recent years, both from the
academic community and industry. One interesting aspect of cryptocurrencies is
their explicit consideration of incentives at the protocol level. Understanding
how to incorporate this into the models used to design cryptocurrencies has
motivated a large body of work, yet many open problems still exist and current
systems rarely deal with incentive related problems well. This issue arises due
to the gap between Cryptography and Distributed Systems security, which deals
with traditional security problems that ignore the explicit consideration of
incentives, and Game Theory, which deals best with situations involving
incentives. With this work, we aim to offer a systematization of the work that
relates to this problem, considering papers that blend Game Theory with
Cryptography or Distributed systems and discussing how they can be related.
This gives an overview of the available tools, and we look at their (potential)
use in practice, in the context of existing blockchain based systems that have
been proposed or implemented.