
    Detecting and surviving intrusions: exploring new approaches to intrusion detection, recovery, and response

    Computing platforms, such as embedded systems or laptops, are built with layers of preventive security mechanisms to reduce the likelihood of attackers successfully compromising them. Nevertheless, given time and despite decades of improvements in preventive security, intrusions still happen. Therefore, systems should expect intrusions to occur, and they should be built to detect and to survive them. Commodity Operating Systems (OSs) are deployed with intrusion detection solutions, but their ability to survive intrusions is limited. State-of-the-art approaches from industry or academia either involve manual procedures, loss of availability, coarse-grained responses, or non-negligible performance overhead. Moreover, low-level components, such as the BIOS, are increasingly targeted by sophisticated attackers to implant stealthy and resilient malware. State-of-the-art solutions, however, mainly focus on boot time integrity, leaving the runtime part of the BIOS—known as the System Management Mode (SMM)—a prime target. This dissertation shows that we can build platforms that detect intrusions at the BIOS level and survive intrusions at the OS level. First, we demonstrate that intrusion survivability is a viable approach for commodity OSs: we develop a new approach that addresses various limitations from the literature, and we evaluate its security and performance. Second, we develop a hardware-based approach that detects attacks at the BIOS level, and we demonstrate its feasibility with multiple detection methods.

    Computer systems, such as laptops or embedded systems, are built with layers of preventive security mechanisms to reduce the probability that an attacker compromises them. Nevertheless, despite decades of progress in this area, intrusions still occur. Consequently, we must assume that intrusions will take place, and we must build our systems so that they can detect and survive them. Commodity operating systems are deployed with intrusion detection mechanisms, but their ability to survive an intrusion is limited. State-of-the-art solutions require manual procedures, entail losses of availability, or impose a high performance cost. Moreover, low-level components such as the BIOS are increasingly the target of attackers seeking to implant stealthy and resilient malware. Although state-of-the-art solutions guarantee the integrity of these components at boot time, few address the security of the services provided by the BIOS that run within System Management Mode (SMM). This manuscript shows that we can build systems capable of detecting intrusions at the BIOS level and surviving them at the operating-system level. First, we demonstrate that an intrusion survivability approach is viable and practical for commodity operating systems. Then, we demonstrate that it is possible to detect intrusions at the BIOS level with a hardware-based solution.

    A study of Internet-scale mapping of SCADA systems

    SCADA systems have seen renewed interest in the computer security community, notably since the discovery of the Stuxnet malware. Since human lives depend on these systems, mechanisms must be put in place to secure them and to assess their exposure on the Internet. In this paper, we study the different approaches and methods available for mapping SCADA systems at Internet scale.

    Intrusion Survivability for Commodity Operating Systems and Services: A Work in Progress

    This paper presents a work-in-progress of our approach for intrusion survivability in commodity operating systems. Our approach relies on an orchestration of recovery and mitigation actions. We roll back infected services (i.e., their processes) and infected files to a previous known safe state, and we apply per-service mitigations (i.e., privilege removal) before unfreezing the restored processes. Such an approach effectively puts the previously compromised service into a degraded mode, allowing the system to withstand ongoing intrusions and ensuring the availability of core functions to the users. A prototype for Linux-based systems is currently in development.

    Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode

    Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDK II and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex-A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 µs threshold defined by Intel).

    Intrusion Survivability for Commodity Operating Systems

    Despite the deployment of preventive security mechanisms to protect the assets and computing platforms of users, intrusions eventually occur. We propose a novel intrusion survivability approach to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privilege removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers from reinfecting the system, or from achieving their goals if they manage to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that while the service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results show that our solution removes the effects of the intrusions, that it can select appropriate responses, and that it allows services to survive when reinfected. In terms of performance overhead, in most cases we observed a small overhead, except in the rare case of services that write many small files asynchronously in a burst, where we observed a higher but acceptable overhead.

    Internal femoral component malrotation in TKA significantly alters tibiofemoral kinematics

    Purpose: Femoral component malrotation in total knee arthroplasty (TKA) is clinically proven to cause dissatisfaction and impaired function. This study is an attempt to characterize the tibiofemoral kinematics following femoral malrotation in posterior stabilized (PS) TKA. It was hypothesized that internal malrotation would introduce the most pronounced changes. Methods: Six fresh-frozen cadaver specimens were mounted in a kinematic rig. Three motion patterns were applied with the native knee and following PS TKA (passive motion, open chain extension, and squatting) while infrared cameras recorded the trajectories of markers attached to femur and tibia. Three different femoral implants were tested: a conventional posterior stabilized component, and adapted components of the same implant with 5° of intrinsic external and internal rotation, respectively. Results: The implantation of the PS TKA resulted in less tibial internal rotation (squat 33–70°, p < 0.05), and the medial femoral condyle shifted posteriorly, especially in deep flexion (squat 84–111°, p < 0.05). Internal component malrotation caused internal rotation and abduction of the tibia in flexion (squat 33–111°, p < 0.05), an elevated (squat 43–111°, p < 0.05) and more anteriorly located (passive 61–126°, p < 0.05) medial femoral condyle, and a lateral femoral condyle located more posterior and inferior (squat 73–111°, p < 0.05) than in the neutrally aligned TKA. External component malrotation caused only small changes under passive motion. Under a squat there was less internal rotation and more adduction of the tibia (33–111°, p < 0.05). The medial femoral condyle was moved more posterior (squat 59–97°, p < 0.05) and the lateral femoral condyle more superior (squat 54–105°, p < 0.05) than in the neutrally aligned TKA. Conclusion: The greatest differences from the native tibiofemoral kinematics were introduced by internal rotation of the femoral component. Neutrally and externally rotated femoral components also introduce kinematic changes, but to a lesser extent. Given the alterations introduced to kinematics, internal malrotation should be avoided when performing PS TKA.

    Biomechanics of medial unicondylar in combination with patellofemoral knee arthroplasty

    Modular bicompartmental knee arthroplasty (BKA) for treatment of medio-patellofemoral osteoarthritis (OA) should allow for close to normal kinematics in comparison with unicondylar knee arthroplasty (UKA) and the native knee. There is so far no data to support this.

    UKA closely preserves natural knee kinematics in vitro.

    It is assumed that unicondylar knee arthroplasty (UKA) features kinematics close to the natural knee. Clinical studies have also shown functional benefits for UKA. There is to date only little biomechanical data to support or explain these findings. The purpose of this study was to investigate whether UKA is able to preserve natural knee kinematics or not.