308 research outputs found

    Using HTML5 to Prevent Detection of Drive-by-Download Web Malware

    The web is experiencing an explosive growth in the last years. New technologies are introduced at a very fast pace with the aim of narrowing the gap between web-based applications and traditional desktop applications. The results are web applications that look and feel almost like desktop applications while retaining the advantages of being originated from the web. However, these advancements come at a price. The same technologies used to build responsive, pleasant and fully-featured web applications, can also be used to write web malware able to escape detection systems. In this article we present new obfuscation techniques, based on some of the features of the upcoming HTML5 standard, which can be used to deceive malware detection systems. The proposed techniques have been experimented on a reference set of obfuscated malware. Our results show that the malware rewritten using our obfuscation techniques go undetected while being analyzed by a large number of detection systems. The same detection systems were able to correctly identify the same malware in its original unobfuscated form. We also provide some hints about how the existing malware detection systems can be modified in order to cope with these new techniques.
    Comment: This is the pre-peer reviewed version of the article: Using HTML5 to Prevent Detection of Drive-by-Download Web Malware, which has been published in final form at http://dx.doi.org/10.1002/sec.1077. This article may be used for non-commercial purposes in accordance with Wiley Terms and Conditions for Self-Archivin

    Catastrophic Faults in Reconfigurable Linear Arrays of Processors

    In regular architectures of identical processing elements, a widely used technique to improve the reconfigurability of the system consists of providing redundant processing elements and mechanisms of reconfiguration. In this paper we consider linear arrays of processing elements, with unidirectional bypass links of length g. We count the number of particular sets of faulty processing elements. We show that the number of catastrophic faults of g elements is equal to the (g-1)-th Catalan number. We also provide algorithms to rank and unrank all catastrophic sets of g faults. Finally, we describe a linear time algorithm that generates all such sets of faults.

    Optimal Colored Threshold Visual Cryptography Schemes

    Visual cryptography schemes allow the encoding of a secret image into n shares which are distributed to the participants. The shares are such that only qualified subsets of participants can visually recover the secret image. Usually the secret image consists of black and white pixels. In colored threshold visual cryptography schemes the secret image is composed of pixels taken from a given set of c colors. The pixel expansion and the contrast of a scheme are two measures of the goodness of the scheme. In this paper, we study c-color (k,n)-threshold visual cryptography schemes and provide a characterization of contrast-optimal schemes. More specifically we prove that there exists a contrast-optimal scheme that is a member of a special set of schemes, which we call canonical schemes, and that satisfy strong symmetry properties. Then we use canonical schemes to provide a constructive proof of optimality, with respect to the pixel expansion, of c-color (n,n)-threshold visual cryptography schemes. Finally, we provide constructions of c-color (2,n)-threshold schemes whose pixel expansion improves on previously proposed schemes.

    The knowledge complexity of quadratic residuosity languages

    Noninteractive perfect zero-knowledge (ZK) proofs are very elusive objects. In fact, since the introduction of the noninteractive model of Blum et al. (1988), the only perfect zero-knowledge proof known was the one for quadratic nonresiduosity of Blum et al. (1991). The situation is no better in the interactive case where perfect zero-knowledge proofs are known only for a handful of particular languages. In this work, we show that a large class of languages related to quadratic residuosity admits noninteractive perfect zero-knowledge proofs. More precisely, we give a protocol for the language of thresholds of quadratic residuosity. Moreover, we develop a new technique for converting noninteractive zero-knowledge proofs into round-optimal zero-knowledge proofs for an even wider class of languages. The transformation preserves perfect zero knowledge in the sense that, if the noninteractive proof we started with is a perfect zero-knowledge proof, then we obtain a round-optimal perfect zero-knowledge proof. The noninteractive perfect zero-knowledge proofs presented in this work can be transformed into 4-round (which is optimal) interactive perfect zero-knowledge proofs. Until now, the only known 4-round perfect ZK proof systems were the ones for quadratic nonresiduosity (Goldwasser et al., 1989) and for graph nonisomorphism (Goldreich et al., 1986) and no 4-round perfect zero-knowledge proof system was known for the simple case of the language of quadratic residues.

    Overcoming the Obfuscation of Java Programs by Identifier Renaming

    Decompilation is the process of translating object code to source code and is usually the first step towards the reverse-engineering of an application. Many obfuscation techniques and tools have been developed, with the aim of modifying a program, such that its functionalities are preserved, while its understandability is compromised for a human reader or the decompilation is made unsuccessful. Some approaches rely on malicious identifier renaming, i.e., on the modification of the program identifiers in order to introduce confusion and possibly prevent the decompilation of the code. In this work we introduce a new technique to overcome the obfuscation of Java programs by identifier renaming. Such a technique relies on the intelligent modification of identifiers in Java bytecode. We present a new software tool which implements our technique and allows the processing of an obfuscated program in order to rename the identifiers as required by our technique. Moreover, we show how to use the existing tools to provide a partial implementation of the technique we propose. Finally, we discuss the feasibility of our approach by showing how to contrast the obfuscation techniques based on malicious identifier renaming recently presented in the literature.

    Design of Self-Healing Key Distribution Schemes

    A self-healing key distribution scheme enables dynamic groups of users of an unreliable network to establish group keys for secure communication. In such a scheme, a group manager, at the beginning of each session, in order to provide a key to each member of the group, sends packets over a broadcast channel. Every user, belonging to the group, computes the group key by using the packets and some private information. The group manager can start multiple sessions during a certain time-interval, by adding/removing users to/from the initial group. The main property of the scheme is that, if during a certain session some broadcasted packet gets lost, then users are still capable of recovering the group key for that session simply by using the packets they have received during a previous session and the packets they will receive at the beginning of a subsequent one, without requesting additional transmission from the group manager. Indeed, the only requirement that must be satisfied, in order for the user to recover the lost keys, is membership in the group both before and after the sessions in which the broadcast messages containing the keys are sent. This novel and appealing approach to key distribution is quite suitable in certain military applications and in several Internet-related settings, where high security requirements need to be satisfied. In this paper we continue the study of self-healing key distribution schemes, introduced by Staddon et al. [37]. We analyze some existing constructions: we show an attack that can be applied to one of these constructions, in order to recover session keys, and two problems in another construction. Then, we present a new mechanism for implementing the self-healing approach, and we present an efficient construction which is optimal in terms of user memory storage. Finally, we extend the self-healing approach to key distribution, and we present a scheme which enables a user to recover from a single broadcast message all keys associated with sessions in which he is a member of the communication group.

    Metaproofs (and their Cryptographic Applications)

    We develop a non-interactive proof-system which we call Metaproof (mu-NIZK proof system); it provides a proof of the existence of a proof to a statement. This meta-mathematical notion indeed seems redundant when we deal with proving NP statements, but in the context of zero-knowledge theory and cryptography it has a large variety of applications. Combined with another tool we develop which we call on-line simulatable NIZK proof system, it is the key tool used to solve the open problem of the existence of a many prover non-interactive zero-knowledge system (MP-NIZK proof system). This problem was presented by Micali when the important notion of non-interactive zero-knowledge proofs (NIZK) was first suggested and implemented for a sole prover. The solution immensely enlarges the domain of applications of the NIZK model. The work also provides a new connection between bounded (single-theorem) non-interactive zero-knowledge proofs and the unbounded (multi-theorem) one. This may help in reducing the complexity assumption upon which to base NIZK systems. Remark: This is a full version (with more details, more material, and with new proofs) of the Crypto 1990 paper on Metaproof. Over the years, the concept has been used and reinvented for specific settings beyond the original ones, by others (which has made it more useful). Recently, we were asked about this paper and about details, so here they are! For historical reasons, except for this remark, this version is presented as it was in the above mentioned date under the above affiliations, though we did not pursue publication before.