20 research outputs found

    Study of Blacklisted Malicious Domains from a Microsoft Windows End-user Perspective: Is It Safe Behind the Wall?

    The Internet is a dangerous place, filled with different cyber threats, including malware. To withstand this, blacklists have long been used to block known infection and delivery sources. However, by blacklisting domain names and then forgetting about them, we leave part of the threat landscape unknown. In this paper we first investigate the current state of the art in cyber threats present on such blacklists. We then study the corresponding malicious actors and show that they have persistently appeared since 2006. By shedding light on this part of the cyber threat landscape, we aim to improve the information security perception of the average end-user. Moreover, it is clear that blacklisting a domain should not be a one-way operation: blacklists need to be regularly re-evaluated. Blacklisting may also not be enforced by client applications, which, combined with outdated system software, leaves real danger. For practical evaluation we created a multi-focused experimental setup employing different MS Windows OS and browser versions. This allowed us to perform a thorough analysis of blacklisted domains from the perspective of the published information, the content retrieved and possible malware distribution campaigns. We believe this paper serves as a stepping stone toward a re-evaluation of once-found and then blacklisted domains, from the perspective of the minimal security protection available to a general user who might not be equipped with a blacklisting mechanism.

    Forensics Acquisition — Analysis and Circumvention of Samsung Secure Boot enforced Common Criteria Mode


    Disk Cluster Allocation Behavior in Windows and NTFS


    Smart Grid challenges - Device Trustworthiness

    The development of the Power Grid brings about technological design changes, resulting in increased connectivity and dependency on IoT devices. These changes offer opportunities to manipulate the IoT hardware that serves as the root of trust. Although alarming, hardware attacks are considered resource-demanding and rare. Nonetheless, Power Grids are attractive targets for resourceful attackers, and the attacks in Ukraine have sharpened the focus on Power Grid cybersecurity. Physical assurance and hardware device trustworthiness, however, have received less attention. Overhead Line Sensors are used in Dynamic Line Rating schemes for Power Grids and may become essential in the future for optimizing conductor ampacity. Conductor optimization is crucial for Power Grids because future throughput volatility demands a high level of grid flexibility. There may, however, be challenges to the integrity and availability of the data collected by Overhead Line Sensors. We believe that in securing the future Smart Grid, stakeholders need to pay more attention to device trustworthiness, including the hardware layer. Integrated into cloud-enhanced digital ecosystems, Overhead Line Sensors can also be manipulated through the network, software and supply chain to undermine their trustworthiness.

    Reverse Engineering Microprocessor Content Using Electromagnetic Radiation

    Moore's law has, for almost half a century, described a trend in which the number of transistors in integrated circuits doubles roughly every two years. Properties such as processing speed, memory capacity and the physical size of circuits are strongly linked to Moore's prediction. Integrated circuits, such as microprocessors, therefore get smaller yet ever more powerful. The combination of smaller size and larger capacity allows more and more functionality to be included in small microprocessor devices such as smart phones and smart cards. This includes security-related functions such as confidentiality, integrity, availability and non-repudiation. The use of microprocessor devices is said to make fraud more difficult; however, research has found them susceptible to side-channel attacks. Sensitive information can escape via side-channels such as power consumption or electromagnetic radiation (EMR). When a microprocessor executes its program, its power consumption (or the resulting EMR) can be used to reveal the content of the program and/or data memory of the microprocessor. The correlation between power consumption and microprocessor activity has found many uses: to recover cryptographic keys, to reveal hidden hardware faults, to create a covert channel or to reverse engineer the code executed. This is concerning, considering the increasing demand for and dependence upon microprocessors in secure applications. This thesis contributes by building a more realistic model of the arsenal available to an adversary engaged in reverse engineering microprocessor content through the electromagnetic side-channel. This includes: (i) presenting a new attack, resembling wireless skimming; (ii) a method for in-depth analysis of EMR and a better understanding of what and how much EMR is necessary to launch an attack; (iii) a new power model that better explains the underlying phenomena; and (iv) a non-invasive method for reverse engineering physical properties based on EMR.
    The Wireless Covert Channel Attack (WCCA) contributes towards exploiting the electromagnetic side-channel in a new attack and attack scenario for microprocessor smart cards. The attack brings together knowledge from different fields: electromagnetic side-channels, covert channels and subversion. The scenario assumes that a highly skilled insider is able to hide a small program (subversive code) on a microprocessor smart card at an early stage of the product's life cycle. During normal use of the smart card, the subversive code intentionally manipulates the electromagnetic side-channel, creating a covert channel that can potentially broadcast the card's internal secrets to a nearby receiver. The attack is launched without possession of the card and is therefore unlikely to be detected by the user. The feasibility of the attack has been demonstrated on modern, high-security cards with all available security features activated, which shows that attacks resembling wireless skimming are feasible. This contribution highlights the importance of a life-cycle security focus for products used in secure applications. Challenges faced by WCCA and other side-channel attacks are: what and how much of the available EMR is necessary to launch an attack, and how do these choices affect the efficiency of the attack? This thesis recognizes reverse engineering microprocessor content as a pattern recognition problem and can therefore address these challenges as a feature selection problem. A comparison of several multi-class feature selection methods by their performance in a WCCA application is provided. Combining these results with the template attack provides a method for in-depth analysis of the electromagnetic side-channel.
    This method was applied to data transfer on the microprocessor's internal buses, which gave new insight into the underlying phenomena and revealed that commonly used power models are not suitable to explain the level of detail achieved by Bayesian classification (e.g. the template attack). This thesis proposes the hypothesis that the classification results can be explained by layout dependent phenomena (LDP). LDP include: (i) inductance and capacitance of conductors; (ii) inductance and capacitance between conductors; (iii) wireless transmission characteristics (i.e. antenna properties) of conductors and other circuit elements; and (iv) complex combinations of these phenomena. Simulations and experiments are provided that give new insight into how capacitance between bus wires (capacitive crosstalk) influences the energy dissipation and the resulting radiated electromagnetic field in any physical implementation of a digital circuit (e.g. a microprocessor). A new power model, based on capacitive crosstalk, is proposed, which better explains the classification results achieved. This can improve side-channel exploitation capabilities. The new power model shows that energy dissipation (i.e. EMR) is a function of the internal physical structures of the microprocessor. It can therefore improve the performance of side-channel attacks that rely upon a good power model to be successful (e.g. power analysis attacks). A spin-off of this result is that if the microprocessor activity is known, it should be possible to reverse engineer physical structures of the microprocessor. This thesis provides a non-invasive method for determining the relative position of internal bus wires based on a known transition pattern and the influence of capacitive crosstalk on EMR. By including other LDP it should be possible to reverse engineer other physical structures of the microprocessor.
    This is, to the best of our knowledge, a new application area for electromagnetic side-channel information and holds potential for future work.

    Multinomial malware classification via low-level features

    Because malicious software ("malware") is so frequently used in cyber crime, malware detection and related research have become a serious issue in the information security landscape. However, for an appropriate defense and post-attack response, malware must not only be detected but also categorized according to its functionality. It comes as no surprise that more and more malware is now made with the intent to evade detection and analysis mechanisms. Despite sophisticated obfuscation, encryption and anti-debugging techniques, it is impossible to avoid execution on hardware, so hardware ("low-level") activity is a promising source of features. In this paper we study the applicability of low-level features for multinomial malware classification. This research is a logical continuation of a previously published paper (Banin et al., 2016) in which it was shown that memory access patterns can be successfully used for malware detection. Here we use memory access patterns to distinguish between 10 malware families and 10 malware types. Our results show that the method works better for classifying malware into families than into types, and we analyze this in detail. With satisfactory classification accuracy, we show that thorough feature selection can reduce data dimensionality by a magnitude of 3 without significant loss in classification performance.
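As an added worked example of the memory-access-pattern pipeline this abstract describes (illustrative code written for this page, not the authors' implementation or data): traces are constructed read/write sequences whose family labels are known by construction, the raw features are the frequencies of all 2^n R/W n-grams, a one-vs-rest Fisher score keeps a handful of n-grams per family, and a nearest-centroid classifier is evaluated on the full versus the reduced feature space so the dimensionality reduction is visible. The motif generator, n = 4, the Fisher-score criterion and the nearest-centroid classifier are assumptions chosen to keep the example small and self-contained.

```python
from collections import Counter
from itertools import product
import random

# Constructed data: a trace is a string over {"R", "W"} standing in for the
# sequence of memory read/write operations recorded while a sample runs.
# Each synthetic family mostly repeats its own 4-op motif with random filler,
# so the labels are known by construction (assumption, not real malware data).
FAMILY_MOTIF = {"famA": "RRWR", "famB": "WWRW", "famC": "RWRW"}
N = 4                                                        # n-gram length (assumed)
ALL_NGRAMS = ["".join(t) for t in product("RW", repeat=N)]   # 2**N raw features


def make_trace(family, rng, length=400, p_motif=0.8):
    """Synthetic R/W trace: the family motif with probability p_motif, else filler."""
    out = []
    while len(out) < length:
        if rng.random() < p_motif:
            out.extend(FAMILY_MOTIF[family])
        else:
            out.extend(rng.choice("RW") for _ in range(N))
    return "".join(out[:length])


def ngram_vector(trace, n=N):
    """Relative frequency of every possible R/W n-gram (the high-dimensional space)."""
    windows = max(1, len(trace) - n + 1)
    counts = Counter(trace[i:i + n] for i in range(len(trace) - n + 1))
    return [counts[g] / windows for g in ALL_NGRAMS]


def fisher_score(X, y, j, cls):
    """One-vs-rest Fisher score of feature j for class cls:
    squared mean gap over pooled variance (epsilon avoids division by zero)."""
    def mean_var(v):
        m = sum(v) / len(v)
        return m, sum((t - m) ** 2 for t in v) / len(v)
    mp, vp = mean_var([x[j] for x, lab in zip(X, y) if lab == cls])
    mn, vn = mean_var([x[j] for x, lab in zip(X, y) if lab != cls])
    return (mp - mn) ** 2 / (vp + vn + 1e-12)


def select_features(X, y, per_class=1):
    """Multi-class selection: union of the top-`per_class` one-vs-rest features
    of every class.  Returns sorted feature indices into ALL_NGRAMS."""
    keep = set()
    for cls in sorted(set(y)):
        ranked = sorted(range(len(X[0])),
                        key=lambda j: fisher_score(X, y, j, cls), reverse=True)
        keep.update(ranked[:per_class])
    return sorted(keep)


def nearest_centroid(Xtr, ytr, Xte, idx):
    """Predict by nearest class centroid using only the features listed in idx."""
    cent = {}
    for cls in sorted(set(ytr)):
        rows = [[x[j] for j in idx] for x, lab in zip(Xtr, ytr) if lab == cls]
        cent[cls] = [sum(col) / len(rows) for col in zip(*rows)]
    preds = []
    for x in Xte:
        v = [x[j] for j in idx]
        preds.append(min(cent, key=lambda c: sum((p - q) ** 2 for p, q in zip(v, cent[c]))))
    return preds


def run_experiment(per_class=1, n_train=20, n_test=10, seed=7):
    """Compare accuracy and dimensionality before and after feature selection."""
    rng = random.Random(seed)
    fams = sorted(FAMILY_MOTIF)

    def dataset(n):
        X, y = [], []
        for fam in fams:
            for _ in range(n):
                X.append(ngram_vector(make_trace(fam, rng)))
                y.append(fam)
        return X, y

    Xtr, ytr = dataset(n_train)
    Xte, yte = dataset(n_test)
    full = list(range(len(ALL_NGRAMS)))
    sel = select_features(Xtr, ytr, per_class)

    def acc(idx):
        preds = nearest_centroid(Xtr, ytr, Xte, idx)
        return sum(p == t for p, t in zip(preds, yte)) / len(yte)

    return {"dim_full": len(full), "dim_selected": len(sel),
            "selected": [ALL_NGRAMS[j] for j in sel],
            "acc_full": acc(full), "acc_selected": acc(sel)}


if __name__ == "__main__":
    print(run_experiment())
```

The point of the run is the gap between `dim_full` and `dim_selected` at near-identical accuracy; on real traces the raw space is far larger (longer n-grams, more operation types), which is where aggressive selection pays off.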

    Detection of Previously Unseen Malware using Memory Access Patterns Recorded Before the Entry Point

    Recently it has been shown that it is possible to detect malware based on the memory access patterns produced before execution reaches its entry point. In this paper we investigate the usefulness of memory access patterns over time, i.e. to what extent a machine learning algorithm trained on "old" data can detect new malware samples that were not part of the training set, and how this performance changes over time. During our experiments we found that machine learning models trained on the memory access patterns of older samples can provide both high accuracy and a high true positive rate for a period from several months to almost a year after the model was last updated. We also perform a substantial analysis of our findings that may aid researchers who work with malware and Big Data.

    Layout Dependent Phenomena: A New Side-channel Power Model

    This is the journal's version, originally published in Journal of Computers: http://dx.doi.org/10.4304/jcp.7.4.827-837. This is an open access journal. Reprinted with permission from Academy Publisher.

    The energy dissipation associated with switching in CMOS logic gates can be used to classify a microprocessor's activity. In VLSI design, layout dependent phenomena, such as capacitive crosstalk, become a major contributor to the power consumption and delays of on-chip buses as transistor technology gets smaller. These effects may be known to the security community but have received little attention. In a recent paper we presented a new power model that takes capacitive crosstalk into consideration. We have shown that capacitive crosstalk has a significant effect on gate energy dissipation. Our results confirm that the energy dissipated by switching CMOS gates depends not only on the Hamming distance (HD), but also on the direction of switching activity on nearby data lines. We show that for an 8-bit data bus, crosstalk may improve detection performance from 2.5 bits (HD-based detector) to a theoretical 5.7 bits and a simulated 5.0 bits (crosstalk-based detector) of information per sample. In this paper we elaborate on the theory and simulations of layout dependent phenomena and how they must be considered when analyzing the security implications of power and electromagnetic side-channels. We have also added a small case study, the electromagnetic side-channel of a smart card, that supports our simulations and theoretical results.
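As an added illustration of the Hamming-distance-versus-crosstalk argument made in this abstract and in the thesis abstract above (example code written for this page, not the authors' model or code): the script enumerates every transition of an 8-bit bus, scores it under a plain HD model and under a simplified coupling-capacitance model (a switching line gets extra energy from a neighbour that stays static, twice that from a neighbour switching the opposite way, and none from a neighbour switching the same way), and computes the entropy of the observable energy level, i.e. how many bits one sample reveals about the transition. The coupling ratio `lam`, the nearest-neighbour layout and the quantisation step are assumptions; the 2.5-bit HD figure is reproduced exactly (it is the entropy of the binomial distribution of HD over an 8-bit bus), while the crosstalk figure depends on the model details and will not match the paper's 5.7 bits.

```python
from collections import Counter
from fractions import Fraction
from functools import lru_cache
from itertools import product
import math


def entropy_bits(counts):
    """Shannon entropy in bits of a distribution given as value -> count."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def transition_classes(prev, new, width):
    """Classify one bus transition prev -> new as (a, b):
       a = number of lines that switch (the Hamming distance),
       b = coupling weight summed over switching lines: per physical
           neighbour, 0 if it switches the same way, 1 if it stays static,
           2 if it switches the opposite way.
    Assumed layout: line i is adjacent to lines i-1 and i+1 only."""
    delta = [((new >> i) & 1) - ((prev >> i) & 1) for i in range(width)]  # -1 / 0 / +1
    a = b = 0
    for i, d in enumerate(delta):
        if d == 0:
            continue
        a += 1
        for j in (i - 1, i + 1):
            if 0 <= j < width:
                b += 0 if delta[j] == d else (1 if delta[j] == 0 else 2)
    return a, b


@lru_cache(maxsize=None)
def energy_histograms(width=8, lam=Fraction(37, 100)):
    """Enumerate all 2**(2*width) transitions and count the energy levels under
    the HD model (energy = a) and the crosstalk model (energy = a + lam*b,
    lam = C_coupling / C_self, an assumed ratio).  Exact rationals avoid float
    aliasing; lam = 37/100 is chosen so that distinct (a, b) never coincide."""
    hd, ab = Counter(), Counter()
    for prev, new in product(range(1 << width), repeat=2):
        a, b = transition_classes(prev, new, width)
        hd[a] += 1
        ab[(a, b)] += 1
    xt = Counter()
    for (a, b), n in ab.items():
        xt[a + lam * b] += n
    return hd, xt


def leakage_per_sample(width=8, lam=Fraction(37, 100)):
    """Bits of information about the transition carried by one energy sample
    under each model, plus the number of distinct crosstalk levels."""
    hd, xt = energy_histograms(width, lam)
    return entropy_bits(hd), entropy_bits(xt), len(xt)


def quantized_leakage(step, width=8, lam=Fraction(37, 100)):
    """Leakage when the receiver only resolves energy to multiples of `step`
    (a crude stand-in for measurement noise): nearby levels merge, so this
    answers 'how much of the side-channel detail is actually needed'."""
    _, xt = energy_histograms(width, lam)
    binned = Counter()
    for e, n in xt.items():
        binned[e // step] += n
    return entropy_bits(binned)


if __name__ == "__main__":
    hd_bits, xt_bits, levels = leakage_per_sample()
    print(f"HD model:        {hd_bits:.2f} bits/sample over 9 levels")
    print(f"crosstalk model: {xt_bits:.2f} bits/sample over {levels} levels")
    for step in (Fraction(1, 4), Fraction(1, 2), Fraction(1)):
        print(f"resolution {step}: {quantized_leakage(step):.2f} bits/sample")
```

Two things to read off the output: the HD detector tops out at about 2.5 bits no matter how good the probe is, because nine levels is all that model distinguishes, while the crosstalk model exposes many more levels; and coarsening the resolution collapses the crosstalk advantage back towards the HD figure, which is why the amount of usable EMR, not just its presence, decides whether a template-style attack succeeds.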