A Framework for the Systematic Evaluation of Malware Forensic Tools
Following a series of high-profile miscarriages of justice linked to questionable expert evidence, the post of the Forensic Science Regulator was created in 2008 with a remit to improve the standard of practitioner competences and forensic procedures. It has since moved to incorporate a greater level of scientific practice in these areas, as used in the production of expert evidence submitted to the UK Criminal Justice System. Accreditation to their codes of practice and conduct will become mandatory for all forensic practitioners by October 2017. A variety of challenges with expert evidence are explored and linked to a lack of a scientific methodology underpinning the processes followed. In particular, the research focuses upon investigations where malicious software ("malware") has been identified.
A framework, called the "Malware Analysis Tool Evaluation Framework" (MATEF), has been developed to address this lack of a methodology for evaluating software tools used during investigations involving malware. A prototype implementation of the framework was used to evaluate two tools against a population of over 350,000 samples of malware. Analysis of the findings indicated that the choice of tool could impact on the number of artefacts observed in malware forensic investigations, and also identified the optimal execution time for a given tool when observing malware artefacts.
Three different measures were used to evaluate the framework. The first of these evaluated the framework against the requirements and determined that these were largely met. Where the requirements were not met these are attributed to matters either outside scope or the fledgling nature of the research. Another measure used to evaluate the framework was to consider its performance in terms of speed and resource utilisation. This identified scope for improvement in terms of the time to complete a test and the need for more economical use of disk space. Finally, the framework provides a scientific means to evaluate malware analysis tools, hence addressing the Research Question subject to the level at which ground truth is established.
A number of contributions are produced as the output of this work. First, there is confirmation of the case for a lack of trusted practice in the field of malware forensics. Second, the MATEF itself, as it facilitates the production of empirical evidence of a tool's ability to detect malware artefacts. A third contribution is a set of requirements for establishing trusted practice in the use of malware artefact detection tools. Finally, there is empirical evidence supporting both the notion that the choice of tool can impact on the number of artefacts observed in malware forensic investigations and the identification of the optimal execution time for a given tool when observing malware artefacts.
Security and privacy protection in automotive embedded systems
Electronic equipment has become an integral part of a vehicle's network architecture, which consists of multiple buses and microcontrollers called Electronic Control Units (ECUs). These ECUs have recently also begun to connect to the outside world; navigation and entertainment systems, consumer devices, and Car2X functions are examples of this. Recent security analyses have shown severe vulnerabilities in exposed ECUs and protocols, which may make it possible for attackers to gain control over a vehicle. Given that safety-critical car systems can no longer be fully isolated from such third-party devices and infotainment services, we propose a new approach to securing vehicular on-board systems that combines mechanisms at different layers of the communication stack and of the execution platforms. We describe our secure communication protocols, which are designed to provide strong cryptographic assurances together with an efficient implementation fitting the prevalent vehicular communication paradigms. They rely on hardware security modules providing secure storage and acting as a root of trust. A distributed data-flow-tracking approach is employed to check code execution against a security policy describing authorized communication patterns. Binary instrumentation is used to track data flows throughout execution (taint engine) and also between control units (middleware), thus making the approach applicable to industrial applications. We evaluate the feasibility of our mechanisms to secure communication on the CAN bus, which is ubiquitously implemented in cars today. A proof-of-concept demonstrator also shows the feasibility of integrating security features into real vehicles.
A recompilation and instrumentation-free monitoring architecture for detecting heap memory errors and exploits
Software written in programming languages that permit manual memory management, such as C and C++, is often littered with exploitable memory errors. These memory bugs enable attackers to leak sensitive information, hijack program control flow, or otherwise compromise the system, and are a critical concern for computer security. Many runtime monitoring and protection approaches have been proposed to detect memory errors in C and C++ applications; however, they require source code recompilation or binary instrumentation, creating compatibility challenges for applications using proprietary or closed-source code, libraries, or plug-ins. This work introduces a new approach for detecting heap memory errors that does not require applications to be recompiled or instrumented. We show how to leverage the calling convention of a processor to track all dynamic memory allocations made by an application at runtime. We also present a transparent tracking and caching architecture to efficiently verify program heap memory accesses. Security analysis using a software prototype shows that our architecture detects 98% of heap memory errors from selected test cases in the Juliet Test Suite and real-world exploits. Performance simulations of our architecture using SPEC benchmarks and real-world application workloads show that it achieves hit rates over 95% for a 256-entry cache, resulting in only 2.9% runtime overhead.
Cyber-Physical Threat Intelligence for Critical Infrastructures Security
Modern critical infrastructures can be considered as large-scale Cyber-Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence, i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data-driven approaches including Big Data analytics and Artificial Intelligence (AI). Some of the presented approaches are sector-agnostic, i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book also presents the particular challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for security, cybersecurity, and critical infrastructure protection, as laid out by the European Commission (EC) to support its Member States in protecting and ensuring the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. The latter includes, for example, the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector-specific solutions described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well.
Best Practices and Recommendations for Cybersecurity Service Providers
This chapter outlines some concrete best practices and recommendations for cybersecurity service providers, with a focus on data sharing, data protection and penetration testing. Based on a brief outline of dilemmas that cybersecurity service providers may experience in their daily operations, it discusses the data handling policies and practices of cybersecurity vendors along the following five topics: customer data handling; information about breaches; threat intelligence; vulnerability-related information; and data involved when collaborating with peers, CERTs, cybersecurity research groups, etc. There is, furthermore, a discussion of specific issues of penetration testing, such as customer recruitment and execution as well as the supervision and governance of penetration testing. The chapter closes with some general recommendations for improving the ethical decision-making procedures of private cybersecurity service providers.
Ethical and Unethical Hacking
The goal of this chapter is to provide a conceptual analysis of ethical hacking, comprising its history, common usage and the attempt to provide a systematic classification that is both compatible with common usage and normatively adequate. Subsequently, the article identifies a tension between common usage and a normatively adequate nomenclature. "Ethical hackers" are often identified with hackers that abide by a code of ethics privileging business-friendly values. However, there is no guarantee that respecting such values is always compatible with the all-things-considered morally best act. It is recognised, however, that in terms of assessment, it may be quite difficult to determine who is an ethical hacker in the "all things considered" sense, while society may agree more easily on the determination of who is one in the "business-friendly" limited sense. The article concludes by suggesting a pragmatic best-practice approach for characterising ethical hacking, which reaches beyond business-friendly values and helps in taking decisions that are respectful of the hackers' individual ethics in morally debatable grey zones.
Virtual Machine Flow Analysis Using Host Kernel Tracing
Cloud computing has gained popularity as it offers services at lower cost with a pay-per-use model, unlimited storage through distributed storage systems, and flexible computational power through direct hardware access. Virtualization technology allows a physical server to be shared between several isolated virtualized environments by deploying a hypervisor layer on top of the hardware. As a result, each isolated environment can run its own OS and applications without mutual interference. With the growth of cloud usage and the use of virtualization, performance understanding and debugging are becoming a serious challenge for cloud providers. Offering a better QoS and high availability are expected to be salient features of cloud computing. Nonetheless, the possible reasons behind performance degradation in VMs are numerous: a) heavy load of an application inside the VM; b) contention with other applications inside the VM; c) contention with other co-located VMs; d) cloud platform failures. The first two cases can be managed by the VM owner, while the other cases need to be solved by the infrastructure provider. One key requirement for such a complex environment, with different virtualization layers, is a precise, low-overhead analysis tool. In this thesis, we present a host-based, precise method to recover the execution flow of virtualized environments, regardless of the level of nested virtualization. To avoid security issues, ease deployment and reduce execution overhead, our method limits its data collection to the hypervisor level. In order to analyse the behavior of each VM, we use a lightweight tracing tool called the Linux Trace Toolkit Next Generation (LTTng) [1]. LTTng is optimised for high-throughput tracing with low overhead, thanks to the lock-free synchronization mechanisms used to update the trace buffer content.
The Ethics of Cybersecurity
This open access book provides the first comprehensive collection of papers that offer an integrative view on cybersecurity. It discusses theories, problems and solutions for the relevant ethical issues involved. This work is sorely needed in a world where cybersecurity has become indispensable to protect trust and confidence in the digital infrastructure whilst respecting fundamental values like equality, fairness, freedom, or privacy. The book has a strong practical focus, as it includes case studies outlining ethical issues in cybersecurity and presenting guidelines and other measures to tackle those issues. It is thus relevant not only for academics but also for practitioners in cybersecurity, such as providers of security software, governmental CERTs or Chief Security Officers in companies.