14 research outputs found

    Combatting Advanced Persistent Threat via Causality Inference and Program Analysis

    Cyber attackers are becoming more and more sophisticated. In particular, Advanced Persistent Threat (APT) is a new class of attack that targets a specific organization and compromises systems over a long time without being detected. Over the years, we have seen notorious examples of APTs including Stuxnet, which disrupted Iranian nuclear centrifuges, and data breaches affecting millions of users. Investigating APT is challenging as it occurs over an extended period of time and the attack process is highly sophisticated and stealthy. Also, preventing APTs is difficult due to ever-expanding attack vectors. In this dissertation, we present proposals for dealing with challenges in attack investigation. Specifically, we present LDX, which conducts precise counter-factual causality inference to determine dependencies between system calls (e.g., between input and output system calls) and allows investigators to determine the origin of an attack (e.g., receiving a spam email) and the propagation path of the attack, and to assess the consequences of the attack. LDX is four times more accurate and two orders of magnitude faster than state-of-the-art taint analysis techniques. Moreover, we then present a practical model-based causality inference system, MCI, which achieves precise and accurate causality inference without requiring any modification or instrumentation in end-user systems. Second, we show a general protection system against a wide spectrum of attack vectors and methods. Specifically, we present A2C, which prevents a wide range of attacks by randomizing inputs such that any malicious payloads contained in the inputs are corrupted. The protection provided by A2C is both general (e.g., against various attack vectors) and practical (7% runtime overhead).

    Cyber Threat Intelligence Platform

    The aim of the thesis is to create a web platform that provides simplified description, processing and exchange of security incidents using the available standards STIX, TAXII, CybOX and IDEA. The platform provides a REST API for collecting external events in the IDEA format, a tool for creating STIX-formatted event models, and a mechanism for exchanging the processed events using the services described by the TAXII standard.

    The main goal of this thesis is to create a web application platform which provides simplified characterization, adaptation and exchange of cyber threat incidents using the STIX, TAXII, CybOX and IDEA standards. The platform implements a REST API to collect external events in IDEA format, a tool for creating STIX-formatted models of events, and a model exchange mechanism based on TAXII-described services.

    Automatic translation of assembly shellcodes to printable byte codes

    The generation of printable shellcode is an important computer security research area. The original idea of printable shellcode generation was to write a binary, executable code in such a way that the generated byte code contains only bytes that are represented by English letters, numbers and punctuation characters. In this way, unfortunately, only a limited number of CPU instructions can be used. In the originally published paper, a small decoder is written with instructions represented by printable characters, and the shellcode is decoded on the stack to be executed later. This paper, however, describes a proof-of-concept project which converts the source code of a full assembly program or shellcode to a new source code whose compiled binary code contains only printable characters. The paper also presents new, printable-character implementations of some CPU instructions.

    Risk analysis of information-leakage through interest packets in NDN

    Information-leakage is one of the most important security issues in the current Internet. In Named-Data Networking (NDN), Interest names introduce novel vulnerabilities that can be exploited. By setting up a malware, Interest names can be used to encode critical information (steganography embedded) and to leak information out of the network by generating anomalous Interest traffic. This security threat based on Interest names does not exist in IP networks, and it is essential to solve this issue to secure the NDN architecture. This paper performs risk analysis of information-leakage in NDN. We first describe vulnerabilities with Interest names and, as countermeasures, we propose a name-based filter using search engine information, and another filter using one-class Support Vector Machine (SVM). We collected URLs from the data repository provided by Common Crawl and we evaluate the performances of our per-packet filters. We show that our filters can drastically choke the throughput of information-leakage, which makes it easier to detect anomalous Interest traffic. It is therefore possible to mitigate information leakage in NDN networks, and it is a strong incentive for future deployment of this architecture at the Internet scale.

    Packed, Printable, and Polymorphic Return-Oriented Programming

    Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W ⊕ X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

    Keywords: Return-oriented programming, packer, printable shellcode, polymorphic malware

    EVIL: Exploiting Software via Natural Language

    Writing exploits for security assessment is a challenging task. The writer needs to master programming and obfuscation techniques to develop a successful exploit. To make the task easier, we propose an approach (EVIL) to automatically generate exploits in assembly/Python language from descriptions in natural language. The approach leverages Neural Machine Translation (NMT) techniques and a dataset that we developed for this work. We present an extensive experimental study to evaluate the feasibility of EVIL, using both automatic and manual analysis, both at generating individual statements and entire exploits. The generated code achieved high accuracy in terms of syntactic and semantic correctness.

    Name Filter: A Countermeasure against Information Leakage Attacks in Named Data Networking

    Named Data Networking (NDN) has emerged as a future networking architecture having the potential to replace the Internet. In order to do so, NDN needs to cope with inherent problems of the Internet such as attacks that cause information leakage from an enterprise. Since NDN has not yet been deployed on a large scale, it is currently unknown how such attacks can occur, let alone what countermeasures can be taken against them. In this study, we first show that information leakage in NDN can be caused by malware inside an enterprise, which uses steganography to produce malicious Interest names encoding confidential information. We investigate such attacks by utilizing a content name dataset based on uniform resource locators (URLs) collected by a web crawler. Our main contribution is a name filter based on anomaly detection that takes the dataset as input and classifies a name in the Interest as legitimate or not. Our evaluation shows that malware can exploit the path part in the URL-based NDN name to create malicious names; thus, information leakage in NDN cannot be prevented completely. However, we illustrate for the first time that our filter can dramatically choke the leakage throughput, causing the malware to be 137 times less efficient at leaking information. This finding opens up an interesting avenue of research that could result in a safer future networking architecture.

    Ensuring system integrity and security on limited environment systems

    Cyber security threats have rapidly developed in recent years and should also be considered when building or implementing systems that traditionally have not been connected to networks. More and more, these systems are getting networked and controlled remotely, which widens their attack surface and lays them open to cyber threats. This means the systems should be able to detect and block malware threats without letting the controls affect daily operations. File integrity monitoring and protection could be one way to protect systems from emerging threats. The use case for this study is a computer system that controls a medical device. This kind of system does not necessarily have an internet connection and is not connected to a LAN by default. Ensuring integrity on the system is critical, as if the system were infected by malware, it could affect the test results. This thesis studies what the feasible ways are to ensure system integrity on limited environment systems. Firstly, these methods and tools are listed through a literature review. All of the tools are studied for how they protect system integrity. The literature review aims to select methods for further testing through deductive reasoning. After selecting methods for testing, their implementations are installed in the testing environment. The methods are first tested for performance, and then their detection and blocking capability is tested against real-life threats. Finally, this thesis proposes a method which could be implemented for the presented use case. The proposal at the end is based on the conducted tests.

    Protecting Software through Obfuscation: Can It Keep Pace with Progress in Code Analysis?

    Software obfuscation has always been a controversially discussed research area. While theoretical results indicate that provably secure obfuscation in general is impossible, its widespread application in malware and commercial software shows that it is nevertheless popular in practice. Still, it remains largely unexplored to what extent today’s software obfuscations keep up with state-of-the-art code analysis and where we stand in the arms race between software developers and code analysts. The main goal of this survey is to analyze the effectiveness of different classes of software obfuscation against the continuously improving deobfuscation techniques and off-the-shelf code analysis tools. The answer very much depends on the goals of the analyst and the available resources. On the one hand, many forms of lightweight static analysis have difficulties with even basic obfuscation schemes, which explains the unbroken popularity of obfuscation among malware writers. On the other hand, more expensive analysis techniques, in particular when used interactively by a human analyst, can easily defeat many obfuscations. As a result, software obfuscation for the purpose of intellectual property protection remains highly challenging.