XSS Vulnerabilities in Cloud-Application Add-Ons

Cloud-application add-ons are microservices that extend the functionality of the core applications. Many application vendors have opened their APIs for third-party developers and created marketplaces for add-ons (also add-ins or apps). This is a relatively new phenomenon, and its effects on the application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. We found that many such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons in each marketplace. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated

Practical Attacks Against Graph-based Clustering

Graph modeling allows numerous security problems to be tackled in a general way, however, little work has been done to understand their ability to withstand adversarial attacks. We design and evaluate two novel graph attacks against a state-of-the-art network-level, graph-based detection system. Our work highlights areas in adversarial machine learning that have not yet been addressed, specifically: graph-based clustering techniques, and a global feature space where realistic attackers without perfect knowledge must be accounted for (by the defenders) in order to be practical. Even though less informed attackers can evade graph clustering with low cost, we show that some practical defenses are possible.Comment: ACM CCS 201

Understanding DNS-based criminal infrastructure for informing takedowns

Botnets are a pervasive threat to the Internet and its inhabitants. A botnet is a collection of infected machines that receive commands from the botmaster, a person, group or nation- state, to perform malicious actions. Instead of “cleaning” individual infections, one can sever the method of communication between a botmaster and her zombies by attempting a botnet takedown, which contains the botnet and its malicious actions. Unfortunately, takedowns are currently performed without technical rigor nor are there automated and independent means to measure success or assist in performing them. This dissertation focuses on understanding the criminal infrastructure that enables communication between a botmaster and her zombies in order to measure attempts at, and to perform, successful takedowns. We show that by interrogating malware and performing large-scale analysis of passively collected network data, we can measure if a past botnet takedown was successful and use the same techniques to perform more comprehensive takedowns in the future.Ph.D

Automated Remote Repair for Mobile Malware

Mobile application markets currently serve as the main line of defense against malicious applications. While marketplace revocations have successfully removed the few overtly malicious applications installed on mobile devices, the anticipated coming flood of mobile malware mandates the need for mechanisms that can respond faster than manual intervention. In this paper, we propose an infrastructure that automatically identifies and responds to malicious mobile applications based on their network behavior. We design and implement a prototype, Airmid, that uses cooperation between in-network sensors and smart devices to identify the provenance of malicious traffic. We then develop sample malicious mobile applications exceeding the capabilities of malware recently discovered in the wild, demonstrate the ease with which they can evade current detection techniques, and then use Airmid to show a range of automated recovery responses ranging from on-device firewalling to application removal. 1

Understanding the prevalence and use of alternative plans in malware with network games

In this paper we describe and evaluate a technique to im-prove the amount of information gained from dynamic mal-ware analysis systems. By playing network games during analysis, we explore the behavior of malware when it be-lieves its network resources are malfunctioning. This forces the malware to reveal its alternative plan to the analysis system resulting in a more complete understanding of mal-ware behavior. Network games are similar to multipath ex-ploration techniques, but are resistant to conditional code obfuscation. Our experimental results show that network games discover highly useful network information from mal-ware. Of the 161,000 domain names and over three million IP addresses coerced from malware during three weeks, over 95 % never appeared on public blacklists. We show that this information is both likely to be malicious and can be used to improve existing domain name and IP address reputation systems, blacklists, and network-based malware clustering systems. 1

Connected Colors: Unveiling the Structure of Criminal Networks

Abstract. In this paper we study the structure of criminal networks, groups of related malicious infrastructures that work in concert to provide hosting for criminal activities. We develop a method to construct a graph of relationships between malicious hosts and identify the underlying criminal networks, using historic assignments in the DNS. We also develop methods to analyze these networks to identify general structural trends and devise strategies for effective remediation through takedowns. We then apply these graph construction and analysis algorithms to study the general threat landscape, as well as four cases of sophisticated criminal networks. Our results indicate that in many cases, criminal networks can be taken down by de-registering as few as five domain names, removing critical communication links. In cases of sophisticated criminal networks, we show that our analysis techniques can identify hosts that are critical to the network’s functionality and estimate the impact of performing network takedowns in remediating the threats. In one case, disabling 20 % of a criminal network’s hosts would reduce the overall volume of successful DNS lookups to the criminal network by as much as 70%. This measure can be interpreted as an estimate of the decrease in the number of potential victims reaching the criminal network that would be caused by such a takedown strategy.