Behavioral Analysis Of Malicious Code Through Network Traffic And System Call Monitoring

Malicious code (malware) that spreads through the Internet-such as viruses, worms and trojans-is a major threat to information security nowadays and a profitable business for criminals. There are several approaches to analyze malware by monitoring its actions while it is running in a controlled environment, which helps to identify malicious behaviors. In this article we propose a tool to analyze malware behavior in a non-intrusive and effective way, extending the analysis possibilities to cover malware samples that bypass current approaches and also fixes some issues with these approaches. © 2011 SPIE.8059The Society of Photo-Optical Instrumentation Engineers (SPIE)Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G., Efficient detection of split personalities in malware (2010) 17th Annual Network and Distributed System Security SymposiumBayer, U., Habibi, I., Balzarotti, D., Kirda, E., Kruegel, C., A view on current malware behaviors (2009) Usenix Workshop on Large-scale Exploits and Emergent Threats (LEET)Bayer, U., Kruegel, C., Kirda, E., TTanalyze: A tool for analyzing malware (2006) Proc. 15th Ann. Conf. European Inst. for Computer Antivirus Research (EICAR), pp. 180-192Bellard, F., QEMU, a fast and portable dynamic translator (2005) Proc. of the Annual Conference on USENIX Annual Technical Conference, pp. 41-41. , USENIX AssociationBinsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M., Wang, L., On the analysis of the zeus botnet crimeware toolkit (2010) Proc. of the Eighth Annual Conference on Privacy, Security and Trust, PST'2010Blunden, B., (2009) The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, , Jones and Bartlett Publishers, Inc, 1th editionChoi, Y., Kim, I., Oh, J., Ryou, J., PE file header analysis-based packed pe file detection technique (PHAD) (2008) Proc of the International Symposium on Computer Science and Its Applications, pp. 28-31Dinaburg, A., Royal, P., Sharif, M., Lee, W., Ether: Malware analysis via hardware virtualization extensions (2008) Proc. Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), , OctoberFather, H., Hooking windows API-technics of hooking API functions on windows (2004) CodeBreakers J., 1 (2)Franklin, J., Paxson, V., Perrig, A., Savage, S., An inquiry into the nature and causes of the wealth of internet miscreants (2007) Conference on Computer and Communications Security (CCS)Garfinkel, T., Rosenblum, M., A virtual machine introspection based architecture for intrusion detection (2003) Proc. Network and Distributed Systems Security Symposium, pp. 191-206Hoglund, G., Butler, J., (2005) Rootkits: Subverting the Windows Kernel, , Addison- Wesley Professional, 1th editionHolz, T., Engelberth, M., Freiling, F., Learning more about the underground economy: A case-study of keyloggers and dropzones (2008) Reihe Informatik TR-2008-006, , University of Mannheimhttp://www.joebox.org/Kang, M.G., Poosankam, P., Yin, H., Renovo: A hidden code extractor for packed exe-cutables (2007) Proc. of the 2007 ACM Workshop on Recurring Malcode (WORM 2007)Kong, J., (2007) Designing BSD Rootkits, , No Starch Press, 1th editionLeder, F., Werner, T., Know your enemy: Containing conficker (2009) The Honeynet Project & Research AllianceMartignoni, L., Christodorescu, M., Jha, S., Omniunpack: Fast, generic, and safe unpack-ing of malware (2007) Proc. of the Annual Computer Security Applications Conference (ACSAC)http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde- d599bac8184a/pecoff_v8.docxMoser, A., Kruegel, C., Kirda, E., Limits of static analysis for malware detection (2007) ACSAC, pp. 421-430. , IEEE Computer Societyhttp://www.securelist.com/en/descriptions/old145521http://www.softpanorama.org/Malware/Malware_defense_history/ Malware_gallery/Network_worms/allaple_rahack.shtmlSong, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Saxena, P., BitBlaze: A new approach to computer security via binary analysis (2008) Proc. of the 4th International Conference on Information Systems SecurityWillems, G., Holz, T., Freiling, F., Toward automated dynamic malware analysis using CWSandbox (2007) IEEE Security and Privacy, 5 (2), pp. 32-39. , DOI 10.1109/MSP.2007.45Yegneswaran, V., Saidi, H., Porras, P., Eureka: A framework for enabling static analysis on malware (2008) Technical Report SRI-CSL-08-01 Computer Science Laboratory and College of Computing, , Georgia Institute of Technolog

The Third Annual NASA Science Internet User Working Group Conference

The NASA Science Internet (NSI) User Support Office (USO) sponsored the Third Annual NSI User Working Group (NSIUWG) Conference March 30 through April 3, 1992, in Greenbelt, MD. Approximately 130 NSI users attended to learn more about the NSI, hear from projects which use NSI, and receive updates about new networking technologies and services. This report contains material relevant to the conference; copies of the agenda, meeting summaries, presentations, and descriptions of exhibitors. Plenary sessions featured a variety of speakers, including NSI project management, scientists, and NSI user project managers whose projects and applications effectively use NSI, and notable citizens of the larger Internet community. The conference also included exhibits of advanced networking applications; tutorials on internetworking, computer security, and networking technologies; and user subgroup meetings on the future direction of the conference, networking, and user services and applications

Towards Baselines for Shoulder Surfing on Mobile Authentication

Given the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder surfing, a form of an observation attack. While the research community has investigated solutions to minimize or prevent the threat of shoulder surfing, our understanding of how the attack performs on current systems is less well studied. In this paper, we describe a large online experiment (n=1173) that works towards establishing a baseline of shoulder surfing vulnerability for current unlock authentication systems. Using controlled video recordings of a victim entering in a set of 4- and 6-length PINs and Android unlock patterns on different phones from different angles, we asked participants to act as attackers, trying to determine the authentication input based on the observation. We find that 6-digit PINs are the most elusive attacking surface where a single observation leads to just 10.8% successful attacks, improving to 26.5\% with multiple observations. As a comparison, 6-length Android patterns, with one observation, suffered 64.2% attack rate and 79.9% with multiple observations. Removing feedback lines for patterns improves security from 35.3\% and 52.1\% for single and multiple observations, respectively. This evidence, as well as other results related to hand position, phone size, and observation angle, suggests the best and worst case scenarios related to shoulder surfing vulnerability which can both help inform users to improve their security choices, as well as establish baselines for researchers.Comment: Will appear in Annual Computer Security Applications Conference (ACSAC

Feature Engineering Using File Layout for Malware Detection

Malware detection on binary executables provides a high availability to even binaries which are not disassembled or decompiled. However, a binary-level approach could cause ambiguity problems. In this paper, we propose a new feature engineering technique that use minimal knowledge about the internal layout on a binary. The proposed feature avoids the ambiguity problems by integrating the information about the layout with structural entropy. The experimental results show that our feature improves accuracy and F1-score by 3.3% and 0.07, respectively, on a CNN based malware detector with realistic benign and malicious samples.Comment: 2pages, no figures, This manuscript was presented in the poster session of The Annual Computer Security Applications Conference (ACSAC) 202

SSPFA: Effective Stack Smashing Protection for Android OS

[EN] In this paper, we detail why the stack smashing protector (SSP), one of the most effective techniques to mitigate stack bufferoverflow attacks, fails to protect the Android operating system and thus causes a false sense of security that affects all Androiddevices. We detail weaknesses of existing SSP implementations, revealing that current SSP is not secure. We propose SSPFA,the first effective and practical SSP for Android devices. SSPFA provides security against stack buffer overflows withoutchanging the underlying architecture. SSPFA has been implemented and tested on several real devices showing that it is notintrusive, and it is binary-compatible with Android applications. Extensive empirical validation has been carried out over theproposed solution.This work was partially funded by Universitat Politecnica de Valencia (Grant No. 20160251-ASLR-NG).Marco Gisbert, H.; Ripoll Ripoll, JI. (2019). SSPFA: Effective Stack Smashing Protection for Android OS. International Journal of Information Security. 18(4):519-532. https://doi.org/10.1007/s10207-018-00425-8S519532184Buchanan, W.J., Chiale, S., Macfarlane, R.: A methodology for the security evaluation within third-party android marketplaces. Digit. Investig. 23(Supplement C), 88–98 (2017). https://doi.org/10.1016/j.diin.2017.10.002Tian, D., Jia, X., Chen, J., Hu, C., Xue, J.: A practical online approach to protecting kernel heap buffers in kernel modules. China Commun. 1, 143–152 (2016)One, A.: Smashing the stack for fun and profit. Phrack, 7(49) (1996)Younan, Y., Pozza, D., Piessens, F., Joosen, W.: Extended protection against stack smashing attacks without performance loss. In: In Proceedings of ACSAC (2006)Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow Integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, Series CCS ’05, pp. 340–353. ACM, New York (2005). https://doi.org/10.1145/1102120.1102165Wartell, R., Mohan, V., Hamlen, K.W., Lin, Z.: Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, Series CCS ’12, pp. 157–168. ACM, New York (2012). https://doi.org/10.1145/2382196.2382216Roglia, G.F., Martignoni, L., Paleari, R., Bruschi, D.: Surgically returning to randomized lib(c). In: Proceedings of the 2009 Annual Computer Security Applications Conference, Series ACSAC ’09, pp. 60–69. IEEE Computer Society, Washington (2009). https://doi.org/10.1109/ACSAC.2009.16Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1), 2:1–2:34 (2012). https://doi.org/10.1145/2133375.2133377Pappas, V., Polychronakis, M., Keromytis, A.: Smashing the gadgets: hindering return-oriented programming using in-place code randomization. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 601–615 (2012)S. R. to Thwart Return Oriented Programming in Embedded Systems, Stack Redundancy to Thwart Return Oriented Programming in Embedded Systems, IEEE Embedded Systems Letters, vol. (first on-line), pp. 1–1 (2018)Moula, V., Niksefat, S.: ROPK++: an enhanced ROP attack detection framework for Linux operating system. In: International Conference on Cyber Security And Protection Of Digital Services (Cyber Security). IEEE (2017)Das, S., Zhang, W., Liu, Y.: A fine-grained control flow integrity approach against runtime memory attacks for embedded systems. IEEE Trans. Very Large Scale Integr. VLSI Syst. 25, 3193–3207 (2016)Alam, M., Roy, D.B., Bhattacharya, S., Govindan, V., Chakraborty, R.S., Mukhopadhyay, D.: SmashClean: a hardware level mitigation to stack smashing attacks in OpenRISC. In: ACM/IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE), pp. 1–4. IEEE (2016)Kananizadeh, S., Kononenko, K.: Development of dynamic protection against timing channels. Int. J. Inf. Secur. 16, 641–651 (2017)Bhatkar, S., DuVarney, D.C., Sekar, R.: Address obfuscation: an efficient approach to combat a board range of memory error exploits. In: Proceedings of the 12th Conference on USENIX Security Symposium—volume 12, Series SSYM’03, p. 8. USENIX Association, Berkeley (2003). http://dl.acm.org/citation.cfm?id=1251353.1251361 . Accessed 18 Jan 2019Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.-R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 574–588. IEEE (2013)Kumar, K.S., Kisore, N.R.: Protection against buffer overflow attacks through runtime memory layout randomization. In: International Conference on Information Technology (ICIT). IEEE (2014)Oberheide, J.: A look at ASLR in Android ice cream sandwich 4.0 (2012). https://www.duosecurity.com/blog/a-look-at-aslr-in-android-ice-cream-sandwich-4-0 . Accessed 18 Jan 2019Zabrocki, A.P.: Scraps of notes on remote stack overflow exploitation (2010). http://www.phrack.org/issues.html?issue=67&id=13#article . Accessed 18 Jan 2019Saito, T., Watanabe, R., Kondo, S., Sugawara, S., Yokoyama, M.: A survey of prevention/mitigation against memory corruption attacks. In: 19th International Conference on Network-Based Information Systems (NBiS). IEEE (2016)Meike, G.B.: Inside the Android OS: Building, Customizing, Managing and Operating Android System Services, illustrated ed., P. Education, Ed. Pearson Education, vol. 1 (2018). https://www.amazon.com/Inside-Android-OS-Customizing-Operating/dp/0134096347?SubscriptionId=0JYN1NVW651KCA56C102&tag=techkie-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=0134096347 . Accessed 18 Jan 2019Cowan, C., Pu, C., Maier, D., Hintongif, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th USENIX Security Symposium, pp. 63–78 (1998)’xorl’: Linux GLibC stack canary values (2010). http://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/ . Accessed 18 Jan 2019Lee, B., Lu, L., Wang, T., Kim, T., Lee, W.: From zygote to morula: fortifying weakened ASLR on Android. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, Series SP ’14, pp. 424–439. IEEE Computer Society, Washington (2014). https://doi.org/10.1109/SP.2014.34Miller, D.: Security measures in OpenSSH (2007). http://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf . Accessed 18 Jan 2019Molnar, I.: Exec shield, new Linux security feature (2003). https://lwn.net/Articles/31032/ . Accessed 18 Jan 2019Wagle, P., Cowan, C.: StackGuard: simple stack smash protection for GCC. In: Proceedings of the GCC Developers Summit, pp. 243–256 (2003)Etoh, H.: GCC extension for protecting applications from stack-smashing attacks (ProPolice) (2003). http://www.trl.ibm.com/projects/security/ssp/ . Accessed 18 Jan 2019Erb, C., Collins, M., Greathouse, J. L.: Dynamic buffer overflow detection for GPGPUs. In: IEEE/ACM International Symposium on Code Generation and Optimization (CGO), pp. 61–73 IEEE (2017)Molnar, I.: Stackprotector updates for v3.14 (2014). https://lwn.net/Articles/584278/Shen, H.: Add a new option “-fstack-protector-strong” (2012). http://gcc.gnu.org/ml/gcc-patches/2012-06/msg00974.html . Accessed 18 Jan 2019Guan, X., Ji, J., Jiang, J., Zhang, S.: Stack overflow protection device, method, and related compiler and computing device, August 22 2013, uS Patent App. 13/772,858. https://www.google.com/patents/US20130219373 . Accessed 18 Jan 2019Backes, M., Bugiel, S., Derr, E.: Reliable third-party library detection in Android and its security applications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Series. CCS ’16, pp. 356–367. ACM, New York (2016)Greenberg, A.: SC magazine: trojanized Android apps steal authentication tokens, put accounts at risk (2014). www.scmagazine.com/trojanized-android-apps-steal-authentication-tokens-put-accounts-at-risk/article/342208/Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proceedings of the 20th USENIX Conference on Security, Series SEC’11, pp. 21–21. USENIX Association, Berkeley (2011) http://dl.acm.org/citation.cfm?id=2028067.2028088 . Accessed 18 Jan 2019Poll: How often do you reboot? (2014). http://www.androidcentral.com/poll-how-often-do-you-reboot . Accessed 18 Jan 2019Wang, H., Li, H., Li, L., Guo, Y., Xu, G.: Why are android apps removed from Google play? A large-scale empirical study. In Proceedings of the 15th International Conference on Mining Software Repositories, Series MSR ’18, pp. 231–242. ACM, New York (2018). http://doi.acm.org/10.1145/3196398.3196412Marco-Gisbert, H., Ripoll, I.: Preventing brute force attacks against stack canary protection on networking servers. In: 12th International Symposium on Network Computing and Applications, pp. 243–250 (2013)Petsios, T., Kemerlis, V.P., Polychronakis, M., Keromytis, A.D.: DynaGuard: armoring canary-based protections against brute-force attacks. In: Proceedings of the 31st Annual Computer Security Applications Conference, Series ACSAC 2015, pp. 351–360. ACM, New York (2015). http://doi.acm.org/10.1145/2818000.281803

Game Theory Meets Network Security: A Tutorial at ACM CCS

The increasingly pervasive connectivity of today's information systems brings up new challenges to security. Traditional security has accomplished a long way toward protecting well-defined goals such as confidentiality, integrity, availability, and authenticity. However, with the growing sophistication of the attacks and the complexity of the system, the protection using traditional methods could be cost-prohibitive. A new perspective and a new theoretical foundation are needed to understand security from a strategic and decision-making perspective. Game theory provides a natural framework to capture the adversarial and defensive interactions between an attacker and a defender. It provides a quantitative assessment of security, prediction of security outcomes, and a mechanism design tool that can enable security-by-design and reverse the attacker's advantage. This tutorial provides an overview of diverse methodologies from game theory that includes games of incomplete information, dynamic games, mechanism design theory to offer a modern theoretic underpinning of a science of cybersecurity. The tutorial will also discuss open problems and research challenges that the CCS community can address and contribute with an objective to build a multidisciplinary bridge between cybersecurity, economics, game and decision theory