C-FLAT: Control-FLow ATtestation for Embedded Systems Software

Remote attestation is a crucial security service particularly relevant to increasingly popular IoT (and other embedded) devices. It allows a trusted party (verifier) to learn the state of a remote, and potentially malware-infected, device (prover). Most existing approaches are static in nature and only check whether benign software is initially loaded on the prover. However, they are vulnerable to run-time attacks that hijack the application's control or data flow, e.g., via return-oriented programming or data-oriented exploits. As a concrete step towards more comprehensive run-time remote attestation, we present the design and implementation of Control- FLow ATtestation (C-FLAT) that enables remote attestation of an application's control-flow path, without requiring the source code. We describe a full prototype implementation of C-FLAT on Raspberry Pi using its ARM TrustZone hardware security extensions. We evaluate C-FLAT's performance using a real-world embedded (cyber-physical) application, and demonstrate its efficacy against control-flow hijacking attacks.Comment: Extended version of article to appear in CCS '16 Proceedings of the 23rd ACM Conference on Computer and Communications Securit

Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response

Considerable delays often exist between the discovery of a vulnerability and the issue of a patch. One way to mitigate this window of vulnerability is to use a configuration workaround, which prevents the vulnerable code from being executed at the cost of some lost functionality -- but only if one is available. Since program configurations are not specifically designed to mitigate software vulnerabilities, we find that they only cover 25.2% of vulnerabilities. To minimize patch delay vulnerabilities and address the limitations of configuration workarounds, we propose Security Workarounds for Rapid Response (SWRRs), which are designed to neutralize security vulnerabilities in a timely, secure, and unobtrusive manner. Similar to configuration workarounds, SWRRs neutralize vulnerabilities by preventing vulnerable code from being executed at the cost of some lost functionality. However, the key difference is that SWRRs use existing error-handling code within programs, which enables them to be mechanically inserted with minimal knowledge of the program and minimal developer effort. This allows SWRRs to achieve high coverage while still being fast and easy to deploy. We have designed and implemented Talos, a system that mechanically instruments SWRRs into a given program, and evaluate it on five popular Linux server programs. We run exploits against 11 real-world software vulnerabilities and show that SWRRs neutralize the vulnerabilities in all cases. Quantitative measurements on 320 SWRRs indicate that SWRRs instrumented by Talos can neutralize 75.1% of all potential vulnerabilities and incur a loss of functionality similar to configuration workarounds in 71.3% of those cases. Our overall conclusion is that automatically generated SWRRs can safely mitigate 2.1x more vulnerabilities, while only incurring a loss of functionality comparable to that of traditional configuration workarounds.Comment: Published in Proceedings of the 37th IEEE Symposium on Security and Privacy (Oakland 2016

Cross-App Interference Threats in Smart Homes: Categorization, Detection and Handling

A number of Internet of Things (IoTs) platforms have emerged to enable various IoT apps developed by third-party developers to automate smart homes. Prior research mostly concerns the overprivilege problem in the permission model. Our work, however, reveals that even IoT apps that follow the principle of least privilege, when they interplay, can cause unique types of threats, named Cross-App Interference (CAI) threats. We describe and categorize the new threats, showing that unexpected automation, security and privacy issues may be caused by such threats, which cannot be handled by existing IoT security mechanisms. To address this problem, we present HOMEGUARD, a system for appified IoT platforms to detect and cope with CAI threats. A symbolic executor module is built to precisely extract the automation semantics from IoT apps. The semantics of different IoT apps are then considered collectively to evaluate their interplay and discover CAI threats systematically. A user interface is presented to users during IoT app installation, interpreting the discovered threats to help them make decisions. We evaluate HOMEGUARD via a proof-of-concept implementation on Samsung SmartThings and discover many threat instances among apps in the SmartThings public repository. The evaluation shows that it is precise, effective and efficient.Comment: An earlier version of this paper was submitted to ACM CCS'18 on May 9th, 2018. This version contains some minor modifications based on that submissio

Review of Considerations for Mobile Device based Secure Access to Financial Services and Risk Handling Strategy for CIOs, CISOs and CTOs

The information technology and security stakeholders like CIOs, CISOs and CTOs in financial services organization are often asked to identify the risks with mobile computing channel for financial services that they support. They are also asked to come up with approaches for handling risks, define risk acceptance level and mitigate them. This requires them to articulate strategy for supporting a huge variety of mobile devices from various vendors with different operating systems and hardware platforms and at the same time stay within the accepted risk level. These articulations should be captured in information security policy document or other suitable document of financial services organization like banks, payment service provider, etc. While risks and mitigation approaches are available from multiple sources, the senior stakeholders may find it challenging to articulate the issues in a comprehensive manner for sharing with business owners and other technology stakeholders. This paper reviews the current research that addresses the issues mentioned above and articulates a strategy that the senior stakeholders may use in their organization. It is assumed that this type of comprehensive strategy guide for senior stakeholders is not readily available and CIOs, CISOs and CTOs would find this paper to be very useful

Practical Enclave Malware with Intel SGX

Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. For instance, Intel's threat model for SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether this threat model is realistic. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion, but also act on the user's behalf, e.g., sending phishing emails or mounting denial-of-service attacks. Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defense against enclave malware

Hello rootKitty: A lightweight invariance-enforcing framework

In monolithic operating systems, the kernel is the piece of code that executes with the highest privileges and has control over all the software running on a host. A successful attack against an operating system's kernel means a total and complete compromise of the running system. These attacks usually end with the installation of a rootkit, a stealthy piece of software running with kernel privileges. When a rootkit is present, no guarantees can be made about the correctness, privacy or isolation of the operating system. In this paper we present \emph{Hello rootKitty}, an invariance-enforcing framework which takes advantage of current virtualization technology to protect a guest operating system against rootkits. \emph{Hello rootKitty} uses the idea of invariance to detect maliciously modified kernel data structures and restore them to their original legitimate values. Our prototype has negligible performance and memory overhead while effectively protecting commodity operating systems from modern rootkits.Comment: 16 pages, ISC Information Security Conference, Xi'an China, 2011, Springe

Software Defined Security Service Provisioning Framework for Internet of Things

Programmable management framework have paved the way for managing devices in the network. Lately, emerging paradigm of Software Defined Networking (SDN) have revolutionized programmable networks. Designers of networking applications i.e. Internet of things (IoT) have started investigating potentials of SDN paradigm in improving network management. IoT envision interconnecting various embedded devices surrounding our environment with IP to enable internet connectivity. Unlike traditional network architectures, IoT are characterized by constraint in resources and heterogeneous inter connectivity of wireless and wired medium. Therefore, unique challenges for managing IoT are raised which are discussed in this paper. Ubiquity of IoT have raised unique security challenges in IoT which is one of the aspect of management framework for IoT. In this paper, security threats and requirements are summarized in IoT extracted from the state of the art efforts in investigating security challenges of IoT. Also, SDN based security service provisioning framework for IoT is proposed.Comment: 15 pages, 18 figure

Software Vulnerabilities, Banking Threats, Botnets and Malware Self-Protection Technologies

Information security is the protection of information from a wide range of threats in order to ensure success business continuity by minimizing risks and maximizing the return of investments and business opportunities. In this paper, we study and discuss the software vulnerabilities, banking threats, botnets and propose the malware self-protection technologies.Comment: 5 page

Aware: Controlling App Access to I/O Devices on Mobile Platforms

Smartphones' cameras, microphones, and device displays enable users to capture and view memorable moments of their lives. However, adversaries can trick users into authorizing malicious apps that exploit weaknesses in current mobile platforms to misuse such on-board I/O devices to stealthily capture photos, videos, and screen content without the users' consent. Contemporary mobile operating systems fail to prevent such misuse of I/O devices by authorized apps due to lack of binding between users' interactions and accesses to I/O devices performed by these apps. In this paper, we propose Aware, a security framework for authorizing app requests to perform operations using I/O devices, which binds app requests with user intentions to make all uses of certain I/O devices explicit. We evaluate our defense mechanisms through laboratory-based experimentation and a user study, involving 74 human subjects, whose ability to identify undesired operations targeting I/O devices increased significantly. Without Aware, only 18% of the participants were able to identify attacks from tested RAT apps. Aware systematically blocks all the attacks in absence of user consent and supports users in identifying 82% of social-engineering attacks tested to hijack approved requests, including some more sophisticated forms of social engineering not yet present in available RATs. Aware introduces only 4.79% maximum performance overhead over operations targeting I/O devices. Aware shows that a combination of system defenses and user interface can significantly strengthen defenses for controlling the use of on-board I/O devices

EPA-RIMM: A Framework for Dynamic SMM-based Runtime Integrity Measurement

Runtime integrity measurements identify unexpected changes in operating systems and hypervisors during operation, enabling early detection of persistent threats. System Management Mode, a privileged x86 CPU mode, has the potential to effectively perform such rootkit detection. Previously proposed SMM-based approaches demonstrated effective detection capabilities, but at a cost of performance degradation and software side effects. In this paper we introduce our solution to these problems, an SMM-based Extensible, Performance Aware Runtime Integrity Measurement Mechanism called EPA-RIMM. The EPA-RIMM architecture features a performance-sensitive design that decomposes large integrity measurements and schedules them to control perturbation and side effects. EPA-RIMM's decomposition of long-running measurements into shorter tasks, extensibility, and use of SMM complicates the efforts of malicious code to detect or avoid the integrity measurements. Using a Minnowboard-based prototype, we demonstrate its detection capabilities and performance impacts. Early results are promising, and suggest that EPA-RIMM will meet production-level performance constraints while continuously monitoring key OS and hypervisor data structures for signs of attack.Comment: 13 page