
    Preventing the Acquisition of Data from Virtual Machine based Secure Portable Execution Environments

    A Virtual Machine (VM) based secure Portable Execution Environment (PEE) provides a safe and secure environment that can be loaded into a host PC and an application executed with a degree of confidence that the application is separated, protected and little or no forensic evidence remains after the application has executed. A VM based secure PEE is characterised as a USB storage device containing a VM with a trusted guest operating system and application(s) which is stored in a protected partition, strong authentication to only allow an authorised user to load the VM into the host PC, and full storage device encryption to protect the confidentiality of the contents of the device. Secure PEEs provide an opportunity for organisations to issue a portable device to an individual (to perform a secure transaction on an available host PC) with the reduced risk to the organisation that neither malicious software (resident on the host PC) will infect the secure PEE device, nor sensitive data remnants (resulting from the transaction) will remain on the host PC hard disk drive after the secure PEE device has been removed. A VM based secure PEE significantly reduces the opportunity to use dead forensic analysis techniques to acquire evidence of the occurrence of a transaction. However, VM based secure PEEs are susceptible to the acquisition of data through monitoring software and live forensic techniques. This paper considers the mechanisms that can be used to prevent various monitoring and live forensic techniques from acquiring data from a VM based secure PEE. An attack scenario is presented to provide the context for the analysis of VM based secure PEE device vulnerabilities and why it is important that such a device would be required to counter hostile monitoring and forensic analysis. An overview is given of the security mechanisms provided by the type of VM based secure PEE under consideration and how those mechanisms combine to limit the opportunity for data acquisition through dead forensic techniques. The vulnerabilities of VM based secure PEEs with respect to malicious software and live forensic techniques are enumerated and discussed. A comprehensive set of countermeasures is proposed and analysed. The paper concludes by considering the most appropriate countermeasures to include in a VM based secure PEE to prevent the live acquisition of data.

    SMM rootkit: a new breed of OS independent malware

    The emergence of hardware virtualization technology has led to the development of OS independent malware such as the virtual machine-based rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: the System Management Mode based rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the operating system). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy rootkits used for high-profile targeted attacks. In this paper, we present our development of a proof of concept SMM rootkit. In it, we explore the potential of system management mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP and receive remote command packets stealthily. By modifying and reflashing the BIOS, the SMM rootkit can install itself on a computer even if the computer has originally locked its SMM. The rootkit hides its memory footprint and requires no changes to the existing operating system. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS independent malware.

    Improving everyday computing tasks with head-mounted displays

    The proliferation of consumer-affordable head-mounted displays (HMDs) has brought a rash of entertainment applications for this burgeoning technology, but relatively little research has been devoted to exploring its potential home and office productivity applications. Can the unique characteristics of HMDs be leveraged to improve users’ ability to perform everyday computing tasks? My work strives to explore this question. One significant obstacle to using HMDs for everyday tasks is the fact that the real world is occluded while wearing them. Physical keyboards remain the most performant devices for text input, yet using a physical keyboard is difficult when the user can’t see it. I developed a system for aiding users typing on physical keyboards while wearing HMDs and performed a user study demonstrating the efficacy of my system. Building on this foundation, I developed a window manager optimized for use with HMDs and conducted a user survey to gather feedback. This survey provided evidence that HMD-optimized window managers can provide advantages that are difficult or impossible to achieve with standard desktop monitors. Participants also provided suggestions for improvements and extensions to future versions of this window manager. I explored the issue of distance compression, wherein users tend to underestimate distances in virtual environments relative to the real world, which could be problematic for window managers or other productivity applications seeking to leverage the depth dimension through stereoscopy. I also investigated a mitigation technique for distance compression called minification. I conducted multiple user studies, providing evidence that minification makes users’ distance judgments in HMDs more accurate without causing detrimental perceptual side effects. This work also provided some valuable insight into the human perceptual system. Taken together, this work represents valuable steps toward leveraging HMDs for everyday home and office productivity applications. I developed functioning software for this purpose, demonstrated its efficacy through multiple user studies, and also gathered feedback for future directions by having participants use this software in simulated productivity tasks.

    Optimizing Human Performance in Mobile Text Entry

    Although text entry on mobile phones is abundant, research strives to achieve desktop typing performance "on the go". But how can researchers evaluate new and existing mobile text entry techniques? How can they ensure that evaluations are conducted in a consistent manner that facilitates comparison? What forms of input are possible on a mobile device? Do the audio and haptic feedback options with most touchscreen keyboards affect performance? What influences users' preference for one feedback or another? Can rearranging the characters and keys of a keyboard improve performance? This dissertation answers these questions and more. The developed TEMA software allows researchers to evaluate mobile text entry methods in an easy, detailed, and consistent manner. Many in academia and industry have adopted it. TEMA was used to evaluate a typical QWERTY keyboard with multiple options for audio and haptic feedback. Though feedback did not have a significant effect on performance, a survey revealed that users' choice of feedback is influenced by social and technical factors. Another study using TEMA showed that novice users entered text faster using a tapping technique than with a gesture or handwriting technique. This motivated rearranging the keys and characters to create a new keyboard, MIME, that would provide better performance for expert users. Data on character frequency and key selection times were gathered and used to design MIME. A longitudinal user study using TEMA revealed an entry speed of 17 wpm and a total error rate of 1.7% for MIME, compared to 23 wpm and 5.2% for QWERTY. Although MIME's entry speed did not surpass QWERTY's during the study, it is projected to do so after twelve hours of practice. MIME's error rate was consistently low and significantly lower than QWERTY's. In addition, participants found MIME more comfortable to use, with some reporting hand soreness after using QWERTY for extended periods.

    Towards understanding and mitigating attacks leveraging zero-day exploits

    Zero-day vulnerabilities are unknown and therefore not addressed, with the result that they can be exploited by attackers to gain unauthorised system access. In order to understand and mitigate attacks leveraging zero-days or unknown techniques, it is necessary to study the vulnerabilities, exploits and attacks that make use of them. In recent years there have been a number of leaks publishing such attacks using various methods to exploit vulnerabilities. This research seeks to understand what types of vulnerabilities exist, why and how these are exploited, and how to defend against such attacks by mitigating either the vulnerabilities or the method / process of exploiting them. By moving beyond merely remedying the vulnerabilities to defences that are able to prevent or detect the actions taken by attackers, the security of the information system will be better positioned to deal with future unknown threats. An interesting finding is how attackers move beyond the observable bounds to circumvent security defences, for example, compromising syslog servers, or going down to lower system rings to gain access. However, defenders can counter this by employing defences that are external to the system, preventing attackers from disabling them or removing collected evidence after gaining system access. Attackers are able to defeat air-gaps via the leakage of electromagnetic radiation as well as misdirect attribution by planting false artefacts for forensic analysis and attacking from third party information systems. They analyse the methods of other attackers to learn new techniques. An example of this is the Umbrage project whereby malware is analysed to decide whether it should be implemented as a proof of concept. Another important finding is that attackers respect defence mechanisms such as: remote syslog (e.g. firewall), core dump files, database auditing, and Tripwire (e.g. SlyHeretic). These defences all have the potential to result in the attacker being discovered. Attackers must either negate the defence mechanism or find unprotected targets. Defenders can use technologies such as encryption to defend against interception and man-in-the-middle attacks. They can also employ honeytokens and honeypots to alarm, misdirect, slow down and learn from attackers. By employing various tactics defenders are able to increase their chance of detecting, and their time to react to, attacks, even those exploiting hitherto unknown vulnerabilities. To summarize the information presented in this thesis and to show the practical importance thereof, an examination is presented of the NSA's network intrusion of the SWIFT organisation. It shows that the firewalls were exploited with remote code execution zero-days. This attack has a striking parallel in the approach used in the recent VPNFilter malware. If nothing else, the leaks provide information to other actors on how to attack and what to avoid. However, by studying state actors, we can gain insight into what other actors with fewer resources can do in the future.

    A methodology and trial implementation for digitising information on a factory floor

    In recent years manufacturing industries have moved towards Smart Manufacturing, to achieve improved efficiency and production targets. Part of this innovation of current processes includes digitisation and improving access to machine information, usually through the introduction of new technology to assist with this transition. In order to maintain smooth processes and uninterrupted production, various information sources must be available on the factory floor. This project aims to provide a proof of concept for digitisation and access to necessary information during Pulse Walks. The methodology used to develop this tool is discussed. Observations during Pulse Walks were used to highlight the areas that this could be applied to, and a survey was used to determine the most useful information sources to include. Another aspect of this project is to introduce a method of digitally storing issues discussed during the Pulse Walk, to highlight recurring issues and problematic areas. This was developed to be used as part of the tool during Pulse Walks. This research will present a proof of concept for an app that will act as a digital information hub for accessing information and logging issues from the Pulse Walks. The use cases for this tool have been deliberated and the benefits clearly identified. This tool can assist with tracking recurring issues, using previously logged issues to create a historical database. The issue logging dashboard can be used for investigating reasons for machine downtime. This tool aims to improve production efficiency for a manufacturing line in a factory through issue tracking.