Multi-aspect, robust, and memory exclusive guest os fingerprinting

Precise fingerprinting of an operating system (OS) is critical to many security and forensics applications in the cloud, such as virtual machine (VM) introspection, penetration testing, guest OS administration, kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM always exists in all these applications, in this article, we present OS-Sommelier+, a multi-aspect, memory exclusive approach for precise and robust guest OS fingerprinting in the cloud. It works as follows: given a physical memory dump of a guest OS, OS-Sommelier+ first uses a code hash based approach from kernel code aspect to determine the guest OS version. If code hash approach fails, OS-Sommelier+ then uses a kernel data signature based approach from kernel data aspect to determine the version. We have implemented a prototype system, and tested it with a number of Linux kernels. Our evaluation results show that the code hash approach is faster but can only fingerprint the known kernels, and data signature approach complements the code signature approach and can fingerprint even unknown kernels

Computational and Energy Costs of Cryptographic Algorithms on Handheld Devices

Networks are evolving toward a ubiquitous model in which heterogeneous devices are interconnected. Cryptographic algorithms are required for developing security solutions that protect network activity. However, the computational and energy limitations of network devices jeopardize the actual implementation of such mechanisms. In this paper, we perform a wide analysis on the expenses of launching symmetric and asymmetric cryptographic algorithms, hash chain functions, elliptic curves cryptography and pairing based cryptography on personal agendas, and compare them with the costs of basic operating system functions. Results show that although cryptographic power costs are high and such operations shall be restricted in time, they are not the main limiting factor of the autonomy of a device

A Study of the Relationship Between Antivirus Regressions and Label Changes

AntiVirus (AV) products use multiple components to detect malware. A component which is found in virtually all AVs is the signature-based detection engine: this component assigns a particular signature label to a malware that the AV detects. In previous analysis [1-3], we observed cases of regressions in several different AVs: i.e. cases where on a particular date a given AV detects a given malware but on a later date the same AV fails to detect the same malware. We studied this aspect further by analyzing the only externally observable behaviors from these AVs, namely whether AV engines detect a malware and what labels they assign to the detected malware. In this paper we present the results of the analysis about the relationship between the changing of the labels with which AV vendors recognize malware and the AV regressions

Visual identification by signature tracking

We propose a new camera-based biometric: visual signature identification. We discuss the importance of the parameterization of the signatures in order to achieve good classification results, independently of variations in the position of the camera with respect to the writing surface. We show that affine arc-length parameterization performs better than conventional time and Euclidean arc-length ones. We find that the system verification performance is better than 4 percent error on skilled forgeries and 1 percent error on random forgeries, and that its recognition performance is better than 1 percent error rate, comparable to the best camera-based biometrics

Selective AP-sequence Based Indoor Localization without Site Survey

In this paper, we propose an indoor localization system employing ordered sequence of access points (APs) based on received signal strength (RSS). Unlike existing indoor localization systems, our approach does not require any time-consuming and laborious site survey phase to characterize the radio signals in the environment. To be precise, we construct the fingerprint map by cutting the layouts of the interested area into regions with only the knowledge of positions of APs. This can be done offline within a second and has a potential for practical use. The localization is then achieved by matching the ordered AP-sequence to the ones in the fingerprint map. Different from traditional fingerprinting that employing all APs information, we use only selected APs to perform localization, due to the fact that, without site survey, the possibility in obtaining the correct AP sequence is lower if it involves more APs. Experimental results show that, the proposed system achieves localization accuracy < 5m with an accumulative density function (CDF) of 50% to 60% depending on the density of APs. Furthermore, we observe that, using all APs for localization might not achieve the best localization accuracy, e.g. in our case, 4 APs out of total 7 APs achieves the best performance. In practice, the number of APs used to perform localization should be a design parameter based on the placement of APs.Comment: VTC2016-Spring, 15-18 May 2016, Nanjing, Chin