Experience Report on the Challenges and Opportunities in Securing Smartphones Against Zero-Click Attacks
Zero-click attacks require no user interaction and typically exploit zero-day
(i.e., unpatched) vulnerabilities in instant chat applications (such as
WhatsApp and iMessage) to gain root access to the victim's smartphone and
exfiltrate sensitive data. In this paper, we report our experiences in
attempting to secure smartphones against zero-click attacks. We approached the
problem by first enumerating several properties we believed were necessary to
prevent zero-click attacks against smartphones. Then, we created a security
design that satisfies all the identified properties, and attempted to build it
using off-the-shelf components. Our key idea was to shift the attack surface
from the user's smartphone to a sandboxed virtual smartphone ecosystem where
each chat application runs in isolation. Our performance and usability
evaluations of the system we built highlighted several shortcomings and the
fundamental challenges in securing modern smartphones against zero-click
attacks. In this experience report, we discuss the lessons we learned, and
share insights on the missing components necessary to achieve foolproof
security against zero-click attacks for modern mobile devices.
Prospex: Protocol Specification Extraction
Protocol reverse engineering is the process of extracting application-level specifications for network protocols. Such specifications are very useful in a number of security-related contexts, for example, to perform deep packet inspection and black-box fuzzing, or to quickly understand custom botnet command and control (C&C) channels. Since manual reverse engineering is a time-consuming and tedious process, a number of systems have been proposed that aim to automate this task. These systems either analyze network traffic directly or monitor the execution of the application that receives the protocol messages. While previous systems show that precise message formats can be extracted automatically, they do not provide a protocol specification. The reason is that they do not reverse engineer the protocol state machine. In this paper, we focus on closing this gap by presenting a system that is capable of automatically inferring state machines. This greatly enhances the results of automatic protocol reverse engineering, while further reducing the need for human interaction. We extend previous work that focuses on behavior-based message format extraction, and introduce techniques for identifying and clustering different types of messages not only based on their structure, but also according to the impact of each message on server behavior. Moreover, we present an algorithm for extracting the state machine. We have applied our techniques to a number of real-world protocols, including the command and control protocol used by a malicious bot. Our results demonstrate that we are able to extract format specifications for different types of messages and meaningful protocol state machines. We use these protocol specifications to automatically generate input for a stateful fuzzer, allowing us to discover security vulnerabilities in real-world applications.
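The state-machine extraction step described in the abstract, as an added example that is not Prospex's own code. Prospex first clusters messages by format and by their effect on server behavior; here that clustering is assumed to be done, so each recorded session is already a sequence of message-type labels (the sessions below are constructed, for a hypothetical C&C-style protocol). The merging rule is a deliberate simplification standing in for Prospex's algorithm: prefix-tree states whose sets of possible next message types are identical are unified, and the result is folded until it is deterministic. The last function turns the inferred machine into message sequences a stateful fuzzer can replay, including sequences that never appeared in the traces.

```python
"""Protocol state-machine inference from recorded sessions.

Added example, not Prospex's code. Each session is the sequence of
message types observed in one conversation, after message clustering
has already assigned a type to every message (assumed done here).
"""
from collections import defaultdict

# Constructed traces for a hypothetical C&C-style protocol.
SESSIONS = [
    ["HELO", "AUTH", "CMD", "CMD", "QUIT"],
    ["HELO", "AUTH", "CMD", "QUIT"],
    ["HELO", "AUTH", "QUIT"],
    ["HELO", "QUIT"],
]


def build_prefix_tree(sessions):
    """Prefix-tree acceptor: one state per distinct message prefix."""
    trans = {0: {}}
    for session in sessions:
        state = 0
        for msg in session:
            if msg not in trans[state]:
                new = len(trans)
                trans[state][msg] = new
                trans[new] = {}
            state = trans[state][msg]
    return trans


def infer_state_machine(sessions):
    """Merge prefix-tree states that behave alike: states with the same
    set of next message types are unified (a k-tails rule with k=1, a
    simplification of Prospex's clustering), then merged states are
    folded so the machine stays deterministic."""
    tree = build_prefix_tree(sessions)
    parent = list(range(len(tree)))

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    def union(a, b):
        a, b = find(a), find(b)
        if a == b:
            return False
        parent[max(a, b)] = min(a, b)
        return True

    # Step 1: same set of outgoing message types -> same protocol state.
    by_signature = defaultdict(list)
    for state, out in tree.items():
        by_signature[frozenset(out)].append(state)
    for group in by_signature.values():
        for state in group[1:]:
            union(group[0], state)

    # Step 2: if a merged state leaves on one message type towards two
    # different targets, those targets must be the same state too.
    changed = True
    while changed:
        changed = False
        targets = defaultdict(list)
        for state, out in tree.items():
            for msg, nxt in out.items():
                targets[(find(state), msg)].append(nxt)
        for group in targets.values():
            for nxt in group[1:]:
                changed |= union(group[0], nxt)

    machine = {find(s): {} for s in tree}
    for state, out in tree.items():
        for msg, nxt in out.items():
            machine[find(state)][msg] = find(nxt)
    return machine, find(0)


def fuzz_sequences(machine, start, max_len):
    """Enumerate message-type sequences up to max_len that end in a state
    with no outgoing transitions; a stateful fuzzer mutates the body of
    each message along such a path while keeping the order intact."""
    found = []

    def walk(state, path):
        if not machine[state]:
            found.append(path)
        if len(path) == max_len:
            return
        for msg, nxt in machine[state].items():
            walk(nxt, path + [msg])

    walk(start, [])
    return found


if __name__ == "__main__":
    machine, start = infer_state_machine(SESSIONS)
    print(machine)
    for seq in fuzz_sequences(machine, start, 6):
        print(" -> ".join(seq))
```

On the constructed traces the four-session prefix tree collapses to four states, with a CMD self-loop on the authenticated state, and the enumeration yields a HELO, AUTH, CMD, CMD, CMD, QUIT path that no trace contained; that generalization is exactly what lets a stateful fuzzer reach server code paths plain replay would miss.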
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
Contemporary fuzz testing techniques focus on identifying memory corruption
vulnerabilities that allow adversaries to achieve either remote code execution
or information disclosure. Meanwhile, Algorithmic Complexity
(AC) vulnerabilities, which are a common attack vector for denial-of-service
attacks, remain an understudied threat. In this paper, we present HotFuzz, a
framework for automatically discovering AC vulnerabilities in Java libraries.
HotFuzz uses micro-fuzzing, a genetic algorithm that evolves arbitrary Java
objects in order to trigger the worst-case performance for a method under test.
We define Small Recursive Instantiation (SRI) as a technique to derive seed
inputs represented as Java objects to micro-fuzzing. After micro-fuzzing,
HotFuzz synthesizes test cases that triggered AC vulnerabilities into Java
programs and monitors their execution in order to reproduce vulnerabilities
outside the fuzzing framework. HotFuzz outputs those programs that exhibit high
CPU utilization as witnesses for AC vulnerabilities in a Java library. We
evaluate HotFuzz over the Java Runtime Environment (JRE), the 100 most popular
Java libraries on Maven, and challenges contained in the DARPA Space and Time
Analysis for Cybersecurity (STAC) program. We evaluate SRI's effectiveness by
comparing the performance of micro-fuzzing with SRI, measured by the number of
AC vulnerabilities detected, to simply using empty values as seed inputs. In
this evaluation, we verified known AC vulnerabilities, discovered previously
unknown AC vulnerabilities that we responsibly reported to vendors, and
received confirmation from both IBM and Oracle. Our results demonstrate that
micro-fuzzing finds AC vulnerabilities in real-world software, and that
micro-fuzzing with SRI-derived seed inputs outperforms using empty values.
Comment: Network and Distributed Systems Security (NDSS) Symposium, San Diego,
CA, USA, February 202
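Micro-fuzzing as described in the abstract, reduced to a runnable sketch. This is an added example, not HotFuzz's code: HotFuzz targets Java methods and measures resource use, whereas this Python version evolves the argument of one constructed method under test and scores candidates with a deterministic comparison counter, so results reproduce exactly. The method under test (a chained hash map with a weak, order-independent hash) and the fixed input bounds (NUM_KEYS, MAX_KEY_LEN) are assumptions of this example; the seed function only mirrors the idea of Small Recursive Instantiation (build the argument from its type using small concrete values), and the empty-value seed is included so both strategies can be compared as the paper's evaluation does.

```python
"""Micro-fuzzing for algorithmic-complexity (AC) bugs, in miniature.

Added example, not HotFuzz's code. A genetic algorithm evolves the
argument of one method under test; fitness is a deterministic cost
counter rather than wall-clock time. Input size is held fixed so fitness
reflects the structure of the input, not its length (an assumption of
this example, not a HotFuzz requirement).
"""
import random
import string

NUM_KEYS = 24
MAX_KEY_LEN = 4
BUCKETS = 16


def weak_hash(key):
    # Constructed weak hash: order-independent and tiny range, so
    # colliding keys are easy to find.
    return sum(ord(c) for c in key) % BUCKETS


def insert_all(keys):
    """Method under test: insert keys into a chained map and return the
    number of key comparisons performed. Worst case is quadratic when
    every key lands in one bucket."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        bucket = table[weak_hash(key)]
        for i, existing in enumerate(bucket):
            comparisons += 1
            if existing == key:
                bucket[i] = key      # overwrite existing entry
                break
        else:
            bucket.append(key)
    return comparisons


def sri_seed(rng):
    """SRI in spirit: instantiate the argument type (list of str) with
    small concrete values instead of leaving it empty."""
    return [''.join(rng.choice(string.ascii_lowercase)
                    for _ in range(rng.randint(1, MAX_KEY_LEN)))
            for _ in range(NUM_KEYS)]


def empty_seed():
    return [''] * NUM_KEYS


def mutate(keys, rng):
    """Change one key: replace, append or delete a character, within bounds."""
    keys = list(keys)
    i = rng.randrange(NUM_KEYS)
    key = keys[i]
    op = rng.choice(('replace', 'append', 'delete'))
    if op == 'replace' and key:
        pos = rng.randrange(len(key))
        key = key[:pos] + rng.choice(string.ascii_lowercase) + key[pos + 1:]
    elif op == 'append' and len(key) < MAX_KEY_LEN:
        key += rng.choice(string.ascii_lowercase)
    elif op == 'delete' and key:
        pos = rng.randrange(len(key))
        key = key[:pos] + key[pos + 1:]
    keys[i] = key
    return keys


def micro_fuzz(seed_input, generations=60, population=20, survivors=5, seed=1):
    """Elitist genetic algorithm: keep the costliest inputs, mutate them
    to refill the population. Returns the best witness and its cost."""
    rng = random.Random(seed)
    pop = [seed_input]
    for _ in range(generations):
        pop.sort(key=insert_all, reverse=True)
        elite = pop[:survivors]
        pop = elite + [mutate(rng.choice(elite), rng)
                       for _ in range(population - len(elite))]
    best = max(pop, key=insert_all)
    return best, insert_all(best)


def compare_seed_strategies(seed=7):
    """Run micro-fuzzing from an SRI-style seed and from empty values.
    Each witness is re-run through the method under test on its own,
    which is the reproduction step a fuzzing harness should never skip."""
    sri = sri_seed(random.Random(seed))
    sri_best, sri_cost = micro_fuzz(sri, seed=seed)
    empty_best, empty_cost = micro_fuzz(empty_seed(), seed=seed)
    return {
        'sri_seed_cost': insert_all(sri),
        'sri_best_cost': sri_cost,
        'sri_witness': sri_best,
        'empty_seed_cost': insert_all(empty_seed()),
        'empty_best_cost': empty_cost,
        'empty_witness': empty_best,
    }


if __name__ == "__main__":
    for name, value in compare_seed_strategies().items():
        print(name, value)
```

The empty-value seed is a trap for this method under test: identical empty keys cost one comparison each, and almost every single mutation is cost-neutral or worse, so the search has little gradient to follow. The SRI-style seed spreads keys over several buckets, and any mutation that moves a key into a bucket at least as large as its current one raises the cost, so the population climbs towards the quadratic worst case (at most NUM_KEYS*(NUM_KEYS-1)/2 comparisons).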