Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing
For safety reasons, unprivileged users today have only limited ways to
customize the kernel through the extended Berkeley Packet Filter (eBPF). This
is unfortunate, especially since the eBPF framework itself has seen an increase
in scope over the years. We propose SandBPF, a software-based kernel isolation
technique that dynamically sandboxes eBPF programs to allow unprivileged users
to safely extend the kernel, unleashing eBPF's full potential. Our early
proof-of-concept shows that SandBPF can effectively prevent exploits missed by
eBPF's native safety mechanism (i.e., static verification) while incurring
0%-10% overhead on web server benchmarks.
Comment: 8 pages, 5 figures, to appear in the 1st SIGCOMM Workshop on eBPF and Kernel Extensions
Sharing and Preserving Computational Analyses for Posterity with encapsulator
Open data and open-source software may be part of the solution to science's
"reproducibility crisis", but they are insufficient to guarantee
reproducibility. Requiring minimal end-user expertise, encapsulator creates a
"time capsule" with reproducible code in a self-contained computational
environment. encapsulator provides end-users with a fully-featured desktop
environment for reproducible research.
Comment: 11 pages, 6 figures
Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance
Provenance graphs are structured audit logs that describe the history of a
system's execution. Recent studies have explored a variety of techniques to
analyze provenance graphs for automated host intrusion detection, focusing
particularly on advanced persistent threats. Sifting through their design
documents, we identify four common dimensions that drive the development of
provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect
modern attacks that infiltrate across application boundaries?), attack
agnosticity (can PIDSes detect novel attacks without a priori knowledge of
attack characteristics?), timeliness (can PIDSes efficiently monitor host
systems as they run?), and attack reconstruction (can PIDSes distill attack
activity from large provenance graphs so that sysadmins can easily understand
and quickly respond to system intrusion?). We present KAIROS, the first PIDS
that simultaneously satisfies the desiderata in all four dimensions, whereas
existing approaches sacrifice at least one and struggle to achieve comparable
detection performance.
Kairos leverages a novel graph neural network-based encoder-decoder
architecture that learns the temporal evolution of a provenance graph's
structural changes to quantify the degree of anomalousness for each system
event. Then, based on this fine-grained information, Kairos reconstructs attack
footprints, generating compact summary graphs that accurately describe
malicious activity over a stream of system audit logs. Using state-of-the-art
benchmark datasets, we demonstrate that Kairos outperforms previous approaches.
Comment: 23 pages, 16 figures, to appear in the 45th IEEE Symposium on Security and Privacy (S&P'24)
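As an added illustration of the two steps the Kairos abstract names, per-event anomaly scoring followed by attack reconstruction over whole-system provenance, the block below is example code written for this page, not Kairos's own code. It replaces Kairos's learned GNN encoder-decoder with a plain frequency baseline (an event is as anomalous as its subject/action/object pattern is rare in a benign window), then backward-traces the highest-scoring event through the provenance graph with a timestamp-ordered causality rule to produce the compact summary graph. Every process name, path, address and audit record is constructed for the example.

```python
"""Provenance graph build, rarity scoring and backward tracing (added example).
Standard library only; all audit events below are constructed, not real data."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # monotonically increasing logical timestamp
    subject: str   # acting process, "proc:<name>[<pid>]"
    action: str    # read | write | exec | fork | recv | send
    obj: str       # "file:<path>", "sock:<ip>:<port>" or a child "proc:..."


# Information-flow direction per action: True means data flows obj -> subject.
OBJ_TO_SUBJECT = {"read": True, "exec": True, "recv": True,
                  "write": False, "fork": False, "send": False}


def flow_edge(e):
    """Return (src, dst) for the information-flow edge an event induces."""
    return (e.obj, e.subject) if OBJ_TO_SUBJECT[e.action] else (e.subject, e.obj)


def node_class(node):
    """Coarsen a node so a baseline generalises across PIDs and ephemeral ports."""
    kind, _, rest = node.partition(":")
    if kind == "proc":
        return "proc:" + rest.split("[")[0]        # drop the pid
    if kind == "sock":
        return "sock:" + rest.rsplit(":", 1)[1]    # keep the port only
    return node                                    # files keep the full path


def event_key(e):
    return (node_class(e.subject), e.action, node_class(e.obj))


def score_events(baseline, stream):
    """Rarity score 1/(1+n), n = occurrences of the coarse key in the benign
    baseline; an unseen key scores 1.0. A stand-in for a learned anomaly score."""
    counts = Counter(event_key(e) for e in baseline)
    return {e: 1.0 / (1 + counts[event_key(e)]) for e in stream}


def most_anomalous(scores):
    """Highest score wins; ties go to the most recent event."""
    return max(scores, key=lambda e: (scores[e], e.ts))


def backward_trace(events, flagged):
    """Ancestors of the flagged event. Causal rule: an edge into node n at time
    t counts only if t <= the time n was reached, so later activity of the same
    process (e.g. a parent shell's subsequent children) is excluded."""
    incoming = defaultdict(list)
    for e in events:
        src, dst = flow_edge(e)
        incoming[dst].append((src, e.ts, e.action))
    src0, dst0 = flow_edge(flagged)
    nodes, edges = {src0, dst0}, {(src0, dst0, flagged.ts, flagged.action)}
    best = {src0: flagged.ts}                      # latest time each node was reached
    frontier = deque([src0])
    while frontier:
        node = frontier.popleft()
        for src, ts, action in incoming[node]:
            if ts > best[node]:
                continue
            nodes.add(src)
            edges.add((src, node, ts, action))
            if ts > best.get(src, -1):             # re-expand only if the window grew
                best[src] = ts
                frontier.append(src)
    return nodes, sorted(edges, key=lambda x: x[2])


def all_nodes(events):
    return {n for e in events for n in flow_edge(e)}


def repeat(n, subject, action, obj):
    return [Event(i, subject, action, obj) for i in range(n)]


# Constructed benign window used as the baseline.
BASELINE = (repeat(3, "proc:sshd[900]", "fork", "proc:bash[1100]")
            + repeat(3, "proc:bash[1100]", "read", "file:/etc/motd")
            + repeat(2, "proc:bash[1100]", "fork", "proc:curl[1200]")
            + repeat(2, "proc:curl[1200]", "recv", "sock:198.51.100.7:443")
            + repeat(2, "proc:curl[1200]", "write", "file:/home/u/dl.tar")
            + repeat(5, "proc:cron[700]", "read", "file:/etc/crontab")
            + repeat(5, "proc:cron[700]", "fork", "proc:backup[701]")
            + repeat(5, "proc:backup[701]", "read", "file:/home/u/notes.txt")
            + repeat(5, "proc:backup[701]", "write", "file:/var/backup/notes.bak")
            + repeat(4, "proc:bash[1100]", "fork", "proc:ls[1300]")
            + repeat(4, "proc:ls[1300]", "read", "file:/home/u"))

# Constructed investigated window: a download-and-execute chain mixed with noise.
STREAM = [
    Event(1, "proc:sshd[900]", "fork", "proc:bash[1201]"),
    Event(2, "proc:bash[1201]", "read", "file:/etc/motd"),
    Event(3, "proc:bash[1201]", "fork", "proc:curl[1305]"),
    Event(4, "proc:curl[1305]", "recv", "sock:203.0.113.5:443"),
    Event(5, "proc:curl[1305]", "write", "file:/tmp/.x"),
    Event(6, "proc:bash[1201]", "fork", "proc:.x[1400]"),
    Event(7, "proc:.x[1400]", "exec", "file:/tmp/.x"),
    Event(8, "proc:.x[1400]", "read", "file:/etc/shadow"),
    Event(9, "proc:.x[1400]", "send", "sock:203.0.113.5:8443"),
    Event(10, "proc:cron[700]", "read", "file:/etc/crontab"),
    Event(11, "proc:cron[700]", "fork", "proc:backup[701]"),
    Event(12, "proc:backup[701]", "read", "file:/home/u/notes.txt"),
    Event(13, "proc:backup[701]", "write", "file:/var/backup/notes.bak"),
    Event(14, "proc:bash[1201]", "fork", "proc:ls[1500]"),
    Event(15, "proc:ls[1500]", "read", "file:/home/u"),
]

if __name__ == "__main__":
    flagged = most_anomalous(score_events(BASELINE, STREAM))
    nodes, edges = backward_trace(STREAM, flagged)
    print(f"flagged: {flagged}")
    print(f"summary graph: {len(nodes)} of {len(all_nodes(STREAM))} nodes")
    for src, dst, ts, action in edges:
        print(f"  t={ts:2d} {src} -[{action}]-> {dst}")
```

The causality rule is what keeps the summary compact: the shell's later fork of `ls` and the unrelated cron backup never enter the trace, while the download, the dropped file, the `/etc/shadow` read and the outbound connection all do. The frequency baseline is deliberately crude; it is there to show where a learned score plugs in, not to stand for Kairos's detection performance.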
Xanthus: Push-button Orchestration of Host Provenance Data Collection
Host-based anomaly detectors generate alarms by inspecting audit logs for
suspicious behavior. Unfortunately, evaluating these anomaly detectors is hard.
There are few high-quality, publicly-available audit logs, and there are no
pre-existing frameworks that enable push-button creation of realistic system
traces. To make trace generation easier, we created Xanthus, an automated tool
that orchestrates virtual machines to generate realistic audit logs. Using
Xanthus' simple management interface, administrators select a base VM image,
configure a particular tracing framework to use within that VM, and define
post-launch scripts that collect and save trace data. Once data collection is
finished, Xanthus creates a self-describing archive, which contains the VM, its
configuration parameters, and the collected trace data. We demonstrate that
Xanthus hides many of the tedious (yet subtle) orchestration tasks that humans
often get wrong; Xanthus avoids mistakes that lead to non-replicable
experiments.
Comment: 6 pages, 1 figure, 7 listings, 1 table, workshop
SIGL: Securing Software Installations Through Deep Graph Learning
Many users implicitly assume that software can only be exploited after it is
installed. However, recent supply-chain attacks demonstrate that application
integrity must be ensured during installation itself. We introduce SIGL, a new
tool for detecting malicious behavior during software installation. SIGL
collects traces of system call activity, building a data provenance graph that
it analyzes using a novel autoencoder architecture with a graph long short-term
memory network (graph LSTM) for the encoder and a standard multilayer
perceptron for the decoder. SIGL flags suspicious installations as well as the
specific installation-time processes that are likely to be malicious. Using a
test corpus of 625 malicious installers containing real-world malware, we
demonstrate that SIGL has a detection accuracy of 96%, outperforming similar
systems from industry and academia by up to 87% in precision and recall and 45%
in accuracy. We also demonstrate that SIGL can pinpoint the processes most
likely to have triggered malicious behavior, works on different audit platforms
and operating systems, and is robust to training data contamination and
adversarial attack. It can be used with application-specific models, even in
the presence of new software versions, as well as application-agnostic
meta-models that encompass a wide range of applications and installers.
Comment: 18 pages, to appear in the 30th USENIX Security Symposium (USENIX Security '21)
Investigating the critical characteristics of thermal runaway process for LiFePO4/graphite batteries by a ceased segmented method
Lithium-ion batteries (LIBs) are widely used as the energy carrier in our daily life. However, the higher energy density of LIBs results in poor safety performance. Thermal runaway (TR) is the critical problem that hinders the further application of LIBs, and clarifying the mechanism of TR evolution is beneficial to safer cell design and safety management. In this paper, liquid nitrogen spray is shown to be an effective way to stop the violent reaction of LIBs during the TR process. Based on extended-volume accelerating rate calorimetry, liquid nitrogen ceasing combined with non-atmospheric exposure analysis is used to investigate the TR evolution of LiFePO4/graphite batteries at critical temperatures. Specifically, the geometrical shape, voltage, and impedance change are monitored during the TR process at the cell level, and the morphology and composition of electrodes and separators are presented at the component level. Combined with gas analysis, the failure mechanism of the prismatic LiFePO4/graphite battery is studied comprehensively.
Enhancing credibility of digital evidence through provenance-based incident response handling
Digital forensics is becoming increasingly important for the investigation of computer-related crimes, white-collar crimes and large-scale hacker attacks. After an incident has been detected, an incident response is usually initiated with the aim of mitigating the attack and recovering the IT systems. Digital forensics pursues the goal of acquiring evidence that will stand up in court, and this goal sometimes conflicts with the objectives of incident response. The concept presented here strengthens the credibility of digital evidence during incident response actions. It adapts a data provenance approach to accurately track the transformation of digital evidence: the affected system and the incident response systems are equipped with a whole-system data provenance capturing mechanism, and provenance is captured on both simultaneously during the incident response. Context information about the incident response is also documented. An adapted sub-graph detection algorithm is used to identify similarities between the two provenance graphs. By applying the proposed concept to a use case, the advantages are demonstrated and possibilities for further development are presented.
The relationship between consumer ethnocentrism, cosmopolitanism and product country image among younger generation consumers: the moderating role of country development status
Although the differences between developed and developing countries have been extensively studied in the context of globalization strategies, few studies have examined the relationship between a country's development status and whether it holds a favorable (or unfavorable) product country image (PCI), and the results of those studies have been inconclusive. The purpose of this paper is to investigate the moderating role of country development status on PCI together with two antecedents of PCI, consumer ethnocentrism and cosmopolitanism. The paper also distinguishes between the PCI of the respondents' home country and that of foreign countries. We test a new model that incorporates these constructs with a sample of 2655 younger generation consumers. The results show that country development status moderates some relationships but not others. These findings have significant implications for international companies from both developed and developing countries when developing global strategy.