An OS-agnostic approach to memory forensics
The analysis of memory dumps presents unique challenges, as operating systems use a variety of (often undocumented) ways to represent data in memory. To solve this problem, forensics tools maintain collections of models that precisely describe the kernel data structures used by a handful of operating systems. However, these models cannot be generalized, and developing new models may require a very long and tedious reverse engineering effort for closed-source systems. In recent years, the tremendous increase in the number of IoT devices, smart-home appliances and cloud-hosted VMs has resulted in a growing number of OSs that are not supported by current forensics tools. The way we have been doing memory forensics until today, based on handwritten models and rules, simply cannot keep pace with this variety of systems. To overcome this problem, in this paper we introduce the new concept of OS-agnostic memory forensics, which is based on techniques that can recover certain forensics information without any knowledge of the internals of the underlying OS. Our approach automatically identifies different types of data structures by using only their topological constraints and then supports two modes of investigation. In the first, it allows the analyst to traverse the recovered structures starting from predetermined seeds, i.e., pieces of forensics-relevant information (such as a process name or an IP address) that an analyst knows a priori or that can be easily identified in the dump. Our experiments show that even a single seed can be sufficient to recover the entire list of processes and other important forensics data structures in dumps obtained from 14 different OSs, without any knowledge of the underlying kernels. In the second mode of operation, our system requires no seed but instead uses a set of heuristics to rank all memory data structures and present to the analyst only the most ‘promising’ ones. Even in this case, our experiments show that an analyst can use our approach to easily identify forensics-relevant structured information in a truly OS-agnostic scenario.
Toward Black-Box Detection of Logic Flaws in Web Applications
Web applications play a very important role in many critical areas, including online banking, health care, and personal communication. This, combined with the limited security training of many web developers, makes web applications one of the most common targets for attackers. In the past, researchers have proposed a large number of white- and black-box techniques to test web applications for the presence of several classes of vulnerabilities. However, traditional approaches focus mostly on the detection of input validation flaws, such as SQL injection and cross-site scripting. Unfortunately, logic vulnerabilities specific to particular applications remain outside the scope of most existing tools and still need to be discovered by manual inspection. In this paper we propose a novel black-box technique to detect logic vulnerabilities in web applications. Our approach is based on the automatic identification of a number of behavioral patterns starting from a few network traces in which users interact with a certain application. Based on the extracted model, we then generate targeted test cases following a number of common attack scenarios. We applied our prototype to seven real-world e-commerce web applications, discovering ten very severe and previously unknown logic vulnerabilities.
Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule in the CRS is manually assigned a weight, based on the severity of the corresponding attack, and a request is detected as malicious if the sum of the weights of the firing rules exceeds a given threshold. In this work, we show that this simple strategy is largely ineffective for detecting SQL injection (SQLi) attacks, as it tends to block many legitimate requests, while also being vulnerable to adversarial SQLi attacks, i.e., attacks intentionally manipulated to evade detection. To overcome these issues, we design a robust machine learning model, named AdvModSec, which uses the CRS rules as input features and is trained to detect adversarial SQLi attacks. Our experiments show that AdvModSec, being trained on the traffic directed towards the protected web services, achieves a better trade-off between detection and false positive rates, improving the detection rate of the vanilla version of ModSecurity with CRS by 21%. Moreover, our approach is able to improve its adversarial robustness against adversarial SQLi attacks by 42%, thereby taking a step forward towards building more robust and trustworthy WAFs.
Uses and Abuses of Server-Side Requests
More and more web applications rely on server-side requests (SSRs) to fetch resources (such as images or even entire webpages) from user-provided URLs. As for many other web-related technologies, developers were very quick to adopt SSRs, even before their consequences for security were fully understood. In fact, while SSRs are simple to add from an engineering point of view, in this paper we show that—if not properly implemented—this technology can have several subtle consequences for security, posing severe threats to service providers, their users, and the Internet community as a whole. To shed some light on the risks of this communication pattern, we present the first extensive study of the security implications of SSRs. We propose a classification and four new attack scenarios that describe different ways in which SSRs can be abused to perform malicious activities. We then present an automated scanner we developed to probe web applications and identify possible SSR misuses. Using our tool, we tested 68 popular web applications and found that the majority can be abused to perform malicious activities, ranging from server-side code execution to amplification DoS attacks. Finally, we distill our findings into eight pitfalls and mitigations to help developers implement SSRs in a more secure way.
Case Study: Analysis and Mitigation of a Novel Sandbox-Evasion Technique
Malware is one of the most popular cyber-attack methods in the digital world. According to the independent test company AV-TEST, 350,000 new malware samples are created every day. Analyzing all samples by hand to discover whether they are malware does not scale, so antivirus companies automate the process, e.g., using sandboxes where samples can be run, observed, and classified. Malware authors are aware of this fact and try to evade detection. In this paper we describe one such evasion technique, previously unseen, which we discovered while analyzing a ransomware sample. Analyzed in a Cuckoo Sandbox, the sample was able to avoid triggering malware indicators, thus scoring significantly below the minimum severity level. Here, we discuss what strategy the sample follows to evade the analysis and propose practical defense methods to nullify, in turn, the sample’s furtive strategy.
Understanding the impact of prison design on prisoners and prison staff through virtual reality: a multi-method approach
Purpose: The prison population is considered to be vulnerable to stress caused by the physical environment. The aim of this study was to evaluate the psychological effects of the prison’s environment on both inmates and staff.
Design: We compared the psychophysiological arousal and self-report measurements of 73 participants (40 prisoners and 33 prison staff) to the prison environment through the exploration of three immersive virtual environments (the dormitory, the prison entrance, and the prison yard).
Findings: There were few physiological activation differences between inmates and prison staff during the task, but significant discrepancies did arise, particularly from self-reported assessments. Compared to prison staff, prisoners demonstrated a greater decrease in finger pulse, indicating a stronger orienting response to virtual environments. While prison staff emphasized the importance of good lighting throughout the environments, prisoners focused their hatred on the furniture of the cells and on the layout and function of the prison yard. Both groups had conflicting emotions towards the virtual environments.
Originality: Our study offers a realistic portrayal of the prison population's perceptions about the setting in which they are engaged in everyday life and activities.
Practical implications: Hence, there are implications for both prison rehabilitation and designing prison renovations that are in line with the psychological needs of inmates and prison staff.
Structural Learning of Attack Vectors for Generating Mutated XSS Attacks
Web applications suffer from cross-site scripting (XSS) attacks resulting from incomplete or incorrect input sanitization. Learning the structure of attack vectors could enrich the variety of manifestations in generated XSS attacks. In this study, we focus on generating more threatening XSS attacks for the state-of-the-art detection approaches that can find potential XSS vulnerabilities in Web applications, and propose a mechanism for structural learning of attack vectors with the aim of generating mutated XSS attacks in a fully automatic way. Mutated XSS attack generation depends on the analysis of attack vectors and the structural learning mechanism. For the kernel of the learning mechanism, we use a Hidden Markov model (HMM) as the structure of the attack vector model to capture the implicit manner of the attack vector; this manner benefits from the syntactic meanings labeled by the proposed tokenizing mechanism. Bayes' theorem is used to determine the number of hidden states in the model in order to generalize the structure model. The contributions of this paper are as follows: (1) automatically learn the structure of attack vectors from practical data analysis to build a structure model of attack vectors, (2) mimic the manners and the elements of attack vectors to extend the ability of testing tools to identify XSS vulnerabilities, and (3) help verify the flaws of blacklist sanitization procedures of Web applications. We evaluated the proposed mechanism with Burp Intruder on a dataset collected from public XSS archives. The results show that mutated XSS attack generation can identify potential vulnerabilities.
Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330
Colorectal Cancer Stage at Diagnosis Before vs During the COVID-19 Pandemic in Italy
IMPORTANCE Delays in screening programs and the reluctance of patients to seek medical attention because of the outbreak of SARS-CoV-2 could be associated with the risk of more advanced colorectal cancers at diagnosis.
OBJECTIVE To evaluate whether the SARS-CoV-2 pandemic was associated with more advanced oncologic stage and change in clinical presentation for patients with colorectal cancer.
DESIGN, SETTING, AND PARTICIPANTS This retrospective, multicenter cohort study included all 17 938 adult patients who underwent surgery for colorectal cancer from March 1, 2020, to December 31, 2021 (pandemic period), and from January 1, 2018, to February 29, 2020 (prepandemic period), in 81 participating centers in Italy, including tertiary centers and community hospitals. Follow-up was 30 days from surgery.
EXPOSURES Any type of surgical procedure for colorectal cancer, including explorative surgery, palliative procedures, and atypical or segmental resections.
MAIN OUTCOMES AND MEASURES The primary outcome was advanced stage of colorectal cancer at diagnosis. Secondary outcomes were distant metastasis, T4 stage, aggressive biology (defined as cancer with at least 1 of the following characteristics: signet ring cells, mucinous tumor, budding, lymphovascular invasion, perineural invasion, and lymphangitis), stenotic lesion, emergency surgery, and palliative surgery. The independent association between the pandemic period and the outcomes was assessed using multivariate random-effects logistic regression, with hospital as the cluster variable.
RESULTS A total of 17 938 patients (10 007 men [55.8%]; mean [SD] age, 70.6 [12.2] years) underwent surgery for colorectal cancer: 7796 (43.5%) during the pandemic period and 10 142 (56.5%) during the prepandemic period. Logistic regression indicated that the pandemic period was significantly associated with an increased rate of advanced-stage colorectal cancer (odds ratio [OR], 1.07; 95% CI, 1.01-1.13; P = .03), aggressive biology (OR, 1.32; 95% CI, 1.15-1.53; P < .001), and stenotic lesions (OR, 1.15; 95% CI, 1.01-1.31; P = .03).
CONCLUSIONS AND RELEVANCE This cohort study suggests a significant association between the SARS-CoV-2 pandemic and the risk of a more advanced oncologic stage at diagnosis among patients undergoing surgery for colorectal cancer and might indicate a potential reduction of survival for these patients.