Automated Analysis of Freeware Installers Promoted by Download Portals
Abstract. We present an analysis system for studying Windows application installers. The analysis system is fully automated from installer download to execution and data collection. The system emulates the behavior of a lazy user who wants to finish the installation dialogs with the default options and with as few clicks as possible. The UI automation makes use of image recognition techniques and heuristics. During the installation, the system collects data about system modifications and network access. The analysis system is scalable and can run on bare-metal hosts as well as in a data center. We use the system to analyze 792 freeware application installers obtained from popular download portals. In particular, we measure how many of them drop potentially unwanted programs (PUP) such as browser plugins or make other unwanted system modifications. We discover that most installers that download executable files over the network are vulnerable to man-in-the-middle attacks. We also find that, while popular download portals are not used for blatant malware distribution, nearly 10% of the analyzed installers come with a third-party browser or a browser extension. Peer reviewed
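The man-in-the-middle finding above reduces to a check a sandbox can run over its network capture: did the installer fetch anything executable over plaintext HTTP? The following is an added illustration, not the paper's analysis system. The log format, the installer identifiers and the URLs are constructed for this example; the paper does not describe its capture format, and the executable heuristics (extension, MIME type, PE/MSI magic bytes) are assumptions of a kind a practitioner would choose.

```python
from collections import defaultdict

# Constructed sample capture: one line per HTTP(S) fetch observed during an
# installer run, giving installer id, URL, Content-Type and the first bytes
# of the response body as hex.  Hypothetical data for this example only.
CAPTURE = """\
inst-001 http://cdn.example.net/setup/helper.exe application/octet-stream 4d5a9000
inst-001 https://cdn.example.net/setup/lang.dat application/octet-stream 504b0304
inst-002 http://dl.example.org/offer/toolbar.dll application/x-msdownload 4d5a9000
inst-002 http://dl.example.org/offer/banner.png image/png 89504e47
inst-003 https://updates.example.com/agent.msi application/x-msi d0cf11e0
inst-004 http://mirror.example.net/stage2 text/plain 4d5a9000
"""

EXEC_EXT = (".exe", ".dll", ".msi", ".scr", ".cab")
EXEC_TYPES = ("application/x-msdownload", "application/x-msi")
# Magic numbers: "MZ" (PE executables) and the OLE compound-file header used by MSI.
EXEC_MAGIC = ("4d5a", "d0cf11e0")

def is_executable(url, ctype, head_hex):
    """Treat a fetch as executable if its path, MIME type or leading bytes say so.
    The magic-byte check catches payloads served under a misleading name/type."""
    path = url.split("?", 1)[0].lower()
    return (path.endswith(EXEC_EXT)
            or ctype.lower() in EXEC_TYPES
            or head_hex.lower().startswith(EXEC_MAGIC))

def classify(capture):
    """Return {installer: [(url, reason), ...]} for executable fetches that an
    on-path attacker could replace, i.e. those made over plaintext HTTP."""
    findings = defaultdict(list)
    for line in capture.splitlines():
        inst, url, ctype, head = line.split()
        if not is_executable(url, ctype, head):
            continue
        if url.lower().startswith("http://"):
            findings[inst].append((url, "executable fetched over plaintext HTTP"))
    return dict(findings)

def summary(capture):
    """(installers exposed to MITM, installers that download executables at all)."""
    downloading, exposed = set(), set()
    for line in capture.splitlines():
        inst, url, ctype, head = line.split()
        if is_executable(url, ctype, head):
            downloading.add(inst)
            if url.lower().startswith("http://"):
                exposed.add(inst)
    return len(exposed), len(downloading)

if __name__ == "__main__":
    for inst, hits in classify(CAPTURE).items():
        for url, reason in hits:
            print(f"{inst}: {reason}: {url}")
    print("exposed/downloading:", summary(CAPTURE))
```

Note that inst-004 is flagged only by the MZ magic bytes; the URL and Content-Type alone would have hidden it. The converse caveat also matters: an HTTPS fetch (inst-003) is not evidence of safety, since the installer may skip certificate validation or run the payload without checking its signature, and a URL-level capture cannot see either.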
Malware distributions and graph structure of the Web
Knowledge about the graph structure of the Web is important for understanding this complex socio-technical system and for devising proper policies supporting its future development. Knowledge about the differences between clean and malicious parts of the Web is important for understanding potential threats to its users and for devising protection mechanisms. In this study, we apply data-science methods to a large crawl of surface and deep Web pages with the aim of increasing such knowledge. To accomplish this, we answer the following questions. Which theoretical distributions explain important local characteristics and network properties of websites? How do these characteristics and properties differ between clean and malicious (malware-affected) websites? What is the predictive power of local characteristics and network properties for classifying malware websites? To the best of our knowledge, this is the first large-scale study describing the differences in global properties between malicious and clean parts of the Web. Our work thus builds on and bridges the gap between Web science, which tackles large-scale graph representations, and Web cyber security, which is concerned with malicious activities on the Web. The results presented herein can also help antivirus vendors devise approaches to improve their detection algorithms.
Security Analysis of the Consumer Remote SIM Provisioning Protocol
Remote SIM provisioning (RSP) for consumer devices is the protocol specified by the GSM Association for downloading SIM profiles into a secure element in a mobile device. The process is commonly known as eSIM, and it is expected to replace removable SIM cards. The security of the protocol is critical because the profile includes the credentials with which the mobile device will authenticate to the mobile network. In this paper, we present a formal security analysis of the consumer RSP protocol. We model the multi-party protocol in applied pi calculus, define formal security goals, and verify them in ProVerif. The analysis shows that the consumer RSP protocol protects against a network adversary when all the intended participants are honest. However, we also model the protocol in realistic partial compromise scenarios where the adversary controls a legitimate participant or communication channel. The security failures in the partial compromise scenarios reveal weaknesses in the protocol design. The most important observation is that the security of RSP depends unnecessarily on it being encapsulated in a TLS tunnel. Also, the lack of pre-established identifiers means that a compromised download server anywhere in the world or a compromised secure element can be used for attacks against RSP between honest participants. Additionally, the lack of reliable methods for verifying user intent can lead to serious security failures. Based on the findings, we recommend practical improvements to RSP implementations, to future versions of the specification, and to mobile operator processes to increase the robustness of eSIM security.
Comment: 33 pages, 8 figures. Associated ProVerif model files located at https://github.com/peltona/rsp_mode
Transparency of SIM profiles for the consumer remote SIM provisioning protocol
In mobile communication, User Equipment (UE) authenticates a subscriber to a Mobile Network Operator (MNO) using credentials from the MNO-specified SIM profile that is securely stored inside the SIM card. Traditionally, a change in a subscriber's SIM profile, such as a change in a subscription, requires replacement of the physical SIM card. To address this shortcoming, the GSM Association (GSMA) has specified the consumer Remote SIM Provisioning (RSP) protocol. The protocol enables remote provisioning of SIM profiles from a server to SIM cards, also known as embedded Universal Integrated Circuit Cards (eUICCs). In RSP, any GSMA-certified server is trusted by all eUICCs, so any such server can provision SIM profiles to any eUICC, even one that does not originate from the MNO associated with that server. An attacker who compromises a server can therefore clone a genuine SIM profile and provision it to other eUICCs. To address this security problem, we present the SIM Profile Transparency Protocol (SPTP) to detect malicious provisioning of SIM profiles. SPTP assures the eUICC and the MNO that all SIM provisioning actions, both approved and unapproved, leave a permanent, non-repudiable trail. We evaluate the security guarantees provided by SPTP using a formal model, implement a prototype of SPTP, and evaluate the prototype against a set of practical requirements. Peer reviewed
Forwarding anomalies in Bloom filter-based multicast
Abstract. Several recently proposed multicast protocols use in-packet Bloom filters to encode multicast trees. These mechanisms are in principle highly scalable because no per-flow state is required in the routers and because routing decisions can be made efficiently by simply checking for the presence of outbound links in the filter. Yet, the viability of previous approaches is limited by the possibility of forwarding anomalies caused by false positives inherent in Bloom filters. This paper explores such anomalies, namely (1) packet storms, (2) forwarding loops and (3) flow duplication. We propose stateless solutions that increase the robustness and the scalability of Bloom filter-based multicast protocols. In particular, we show that the parameters of the filter need to be varied to guarantee the stability of the packet forwarding, and we present a bit permutation technique that effectively prevents both accidental and maliciously created anomalies. We evaluate our solutions in the context of BloomCast, a source-specific inter-domain multicast protocol, using analytical methods and simulations.
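The forwarding model in this abstract, and the way a single false positive turns into a loop with flow duplication, is easy to see in a toy simulation. The following is an added illustration and not the paper's code or BloomCast itself: the 8-bit filter width, the four-node topology, the hand-picked link masks (chosen so that the off-tree link C->A is a false positive of the intended tree), the hop limit and the concrete permutation (a bit rotation whose amount is derived from the link) are all assumptions made for the example. The paper's other remedy, varying the filter parameters, is not modelled here.

```python
M = 8  # in-packet Bloom filter width in bits (toy size; real filters are far wider)

def bits(*positions):
    """Build an M-bit mask with the given bit positions set."""
    return sum(1 << p for p in positions)

# Constructed topology: directed links and their k=2 link masks.  The link
# C->A is not part of the delivery tree, but its bits are a subset of the
# tree's filter, i.e. a Bloom-filter false positive.
LINKS = {
    ("A", "B"): bits(0, 1),
    ("B", "C"): bits(2, 3),
    ("C", "D"): bits(4, 5),
    ("C", "A"): bits(3, 4),   # off-tree link that will match by accident
}
TREE = {"A": ["B"], "B": ["C"], "C": ["D"]}   # intended source-specific tree

# Per-link permutation (assumption): rotate the filter by a link-specific
# amount when the packet leaves over that link.  Any bijection on bit
# positions would serve; rotation keeps the example readable.
ROTATION = {link: i + 1 for i, link in enumerate(LINKS)}

def rotl(f, r):
    r %= M
    return ((f << r) | (f >> (M - r))) & ((1 << M) - 1)

def rotr(f, r):
    return rotl(f, M - (r % M))

def permute(link, f):      # applied by a router when forwarding over `link`
    return rotl(f, ROTATION[link])

def unpermute(link, f):    # used by the source to pre-compensate for that hop
    return rotr(f, ROTATION[link])

def build_filter(node, use_permutation):
    """Encode the subtree under `node` into one filter, working up from the leaves.
    With permutation, a child's requirements are mapped back into the parent's
    bit order so that they hold after the router rotates the filter."""
    f = 0
    for child in TREE.get(node, []):
        link = (node, child)
        sub = build_filter(child, use_permutation)
        if use_permutation:
            sub = unpermute(link, sub)
        f |= LINKS[link] | sub
    return f

def forward(f, src, use_permutation, hop_limit=32):
    """Stateless forwarding: a router sends on every outbound link whose mask is
    contained in the filter.  Returns (visited nodes, forwards, looped)."""
    visits, forwards, looped = [], 0, False
    stack = [(src, f, 0)]
    while stack:
        node, cur, hops = stack.pop()
        visits.append(node)
        if hops >= hop_limit:          # safety valve so a loop terminates the simulation
            looped = True
            continue
        for link, mask in LINKS.items():
            if link[0] == node and cur & mask == mask:
                forwards += 1
                nxt = permute(link, cur) if use_permutation else cur
                stack.append((link[1], nxt, hops + 1))
    return visits, forwards, looped

if __name__ == "__main__":
    for use_perm in (False, True):
        f = build_filter("A", use_perm)
        visits, fw, looped = forward(f, "A", use_perm)
        print(f"permutation={use_perm} filter={f:08b} forwards={fw} "
              f"looped={looped} deliveries_to_D={visits.count('D')}")
```

Without permutation the tree filter is 0b00111111 and the off-tree link C->A (bits 3 and 4) matches at C, so every trip round A->B->C->A also re-delivers to D: a forwarding loop and flow duplication from one false positive, stopped only by the hop limit. With permutation the false positive still fires once at C, but the packet arrives back at A with a rotated filter, survives one more hop and then fails the check at B, because a looping packet never presents the same filter to the same link twice.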