The InMAS Approach

The Internet Malware Analysis System (InMAS) is a modular platform for distributed, large-scale monitoring of malware on the Internet. InMAS integrates diverse tools for malware collection (using honeypots) and malware analysis (mainly using dynamic analysis). All collected information is aggregated and accessible through an intuitive and easy-to-use web interface. In this paper, we provide an overview of the structure of InMAS and the various tools it integrates. We also introduce the web frontend that displays all information on different levels of abstraction, from a coarse-grained overview down to highly detailed information on demand

Don't Trust Satellite Phones: A Security Analysis of Two Satphone Standards

Abstract-There is a rich body of work related to the security aspects of cellular mobile phones, in particular with respect to the GSM and UMTS systems. To the best of our knowledge, however, there has been no investigation of the security of satellite phones (abbr. satphones). Even though a niche market compared to the G2 and G3 mobile systems, there are several 100,000 satphone subscribers worldwide. Given the sensitive nature of some of their application domains (e.g., natural disaster areas or military campaigns), security plays a particularly important role for satphones. In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the two algorithms from freely available DSP-firmware updates for satphones, which included the development of a custom disassembler and tools to analyze the code, and extending prior work on binary analysis to efficiently identify cryptographic code. We note that these steps had to be repeated for both systems, because the available binaries were from two entirely different DSP processors. Perhaps somewhat surprisingly, we found that the GMR-1 cipher can be considered a proprietary variant of the GSM A5/2 algorithm, whereas the GMR-2 cipher is an entirely new design. The second main contribution lies in the cryptanalysis of the two proprietary stream ciphers. We were able to adopt known A5/2 ciphertext-only attacks to the GMR-1 algorithm with an average case complexity of 2 32 steps. With respect to the GMR-2 cipher, we developed a new attack which is powerful in a known-plaintext setting. In this situation, the encryption key for one session, i.e., one phone call, can be recovered with approximately 50-65 bytes of key stream and a moderate computational complexity. A major finding of our work is that the stream ciphers of the two existing satellite phone systems are considerably weaker than what is state-ofthe-art in symmetric cryptography

PSiOS: Bring Your Own Privacy & Security to iOS Devices (Distinguished Paper Award)

Apple iOS is one of the most popular mobile operating systems. As its core security technology, iOS provides application sandboxing but assigns a generic sandboxing profile to every third-party application. However, recent attacks and incidents with benign applications demonstrate that this design decision is vulnerable to crucial privacy and security breaches, allowing applications (either benign or malicious) to access contacts, photos, and device IDs. Moreover, the dynamic character of iOS apps written in Objective-C renders the currently proposed static analysis tools less useful. In this paper, we aim to address the open problem of preventing (not only detecting) privacy leaks and simultaneously strengthening security against runtime attacks on iOS. Compared to similar research work on the open Android, realizing such a system for the closed-source iOS is highly involved. We present the design and implementation of PSiOS, a tool that features a novel policy enforcement framework for iOS. It provides fine-grained, application-specific, and user/administrator defined sandboxing for each third-party application without requiring access to the application source code. Our reference implementation deploys control-flow integrity based on the recently proposed MoCFI (Mobile CFI) framework that only protects applications against runtime attacks. We evaluated several popular iOS applications (e.g., Facebook, WhatsApp) to demonstrate the efficiency and effectiveness of PSiOS