429 research outputs found
Exact Inference Techniques for the Analysis of Bayesian Attack Graphs
Attack graphs are a powerful tool for security risk assessment by analysing network vulnerabilities and the paths attackers can use to compromise network resources. The uncertainty about the attacker's behaviour makes Bayesian networks suitable to model attack graphs to perform static and dynamic analysis. Previous approaches have focused on the formalization of attack graphs into a Bayesian model rather than proposing mechanisms for their analysis. In this paper we propose to use efficient algorithms to make exact inference in Bayesian attack graphs, enabling static and dynamic network risk assessments. To support the validity of our approach we have performed an extensive experimental evaluation on synthetic Bayesian attack graphs with different topologies, showing the computational advantages in terms of time and memory use of the proposed techniques when compared to existing approaches.
Comment: 14 pages, 15 figures
Measuring the Semantic Integrity of a Process Self
The focus of the thesis is the definition of a framework to protect a process from attacks against the process self, i.e. attacks that alter the expected behavior of the process, by integrating static analysis and run-time monitoring. The static analysis of the program returns a description of the process self that consists of a context-free grammar, which defines the legal system call traces, and a set of invariants on process variables that hold when a system call is issued. Run-time monitoring assures the semantic integrity of the process by checking that its behavior is coherent with the process self returned by the static analysis. The proposed framework can also cover kernel integrity to protect the process from attacks at the kernel level.
The implementation of the run-time monitoring is based upon introspection, a technique that analyzes the state of a computer to rebuild and check the consistency of kernel or user-level data structures. The ability of observing the run-time values of variables reduces the complexity of the static analysis and increases the amount of information that can be extracted on the run-time behavior of the process. To achieve transparency of the controls for the process while avoiding the introduction of special purpose hardware units that access the memory, the architecture of the run-time monitoring adopts virtualization technology and introduces two virtual machines, the monitored and the introspection virtual machines. This approach increases the overall robustness because a distinct virtual machine, the introspection virtual machine, applies introspection in a transparent way both to verify the kernel integrity and to retrieve the status of the process to check the process self.
After presenting the framework and its implementation, the thesis discusses some of its applications to increase the security of a computer network. The first application of the proposed framework is the remote attestation of the semantic integrity of a process. Then, the thesis describes a set of extensions to the framework to protect a process from physical attacks by running an obfuscated version of the process code. Finally, the thesis generalizes the framework to support the efficient sharing of an information infrastructure among users and applications with distinct security and reliability requirements by introducing highly parallel overlays.
Security Architectures and Virtualization Technologies: Intrusion Detection through Introspection.
In recent times there has been a renewed and growing interest in virtualization, whose purpose is to create software execution environments (also called virtual machines) through the abstraction of resources.
This technology provides useful tools to detect intrusions and attacks against a computer system: in fact, it is possible to obtain a complete, multi-level view of the state of the host running inside a virtual environment. For example, virtualization makes it possible to examine the state of the memory, of the processor registers and of the I/O devices of the virtual machine. Moreover, this information on the state of the virtual machine is less susceptible to tampering by an attacker.
Virtualization also offers effective tools to react to attacks and intrusions: for example, it is possible to suspend the execution, or to save the state, of the virtual machine on which the host is running, so that more accurate checks on its state can be carried out later.
This thesis presents an architecture for intrusion detection on virtual machines that uses both introspection techniques, to analyse the state of the virtual machines through the Virtual Machine Monitor, and traditional intrusion detection methods. The architecture is distributed across several virtual machines: one of them has introspection and control functions over the other virtual machines and, in case of intrusion, can act on the execution state of the virtual machines, for example by blocking their execution.
MADAM: Effective and Efficient Behavior-based Android Malware Detection and Prevention
Android users are constantly threatened by an increasing number of malicious applications (apps), generically called malware. Malware constitutes a serious threat to user privacy, money, device and file integrity. In this paper we note that, by studying their actions, we can classify malware into a small number of behavioral classes, each of which performs a limited set of misbehaviors that characterize them. These misbehaviors can be defined by monitoring features belonging to different Android levels. In this paper we present MADAM, a novel host-based malware detection system for Android devices which simultaneously analyzes and correlates features at four levels: kernel, application, user and package, to detect and stop malicious behaviors. MADAM has been designed to take into account the behavioral characteristics of almost every real malware which can be found in the wild. MADAM detects and effectively blocks more than 96% of malicious apps, which come from three large datasets with about 2,800 apps, by exploiting the cooperation of two parallel classifiers and a behavioral signature-based detector. Extensive experiments, which also include the analysis of a testbed of 9,804 genuine apps, have been conducted to show the low false alarm rate, the negligible performance overhead and the limited battery consumption.
A Survey on Security for Mobile Devices
Nowadays, mobile devices are an important part of our everyday lives since they enable us to access a large variety of ubiquitous services. In recent years, the availability of these ubiquitous and mobile services has significantly increased due to the different forms of connectivity provided by mobile devices, such as GSM, GPRS, Bluetooth and Wi-Fi. In the same trend, the number and typologies of vulnerabilities exploiting these services and communication channels have increased as well. Therefore, smartphones may now represent an ideal target for malware writers. As the number of vulnerabilities and, hence, of attacks increases, there has been a corresponding rise in security solutions proposed by researchers. Due to the fact that this research field is immature and still unexplored in depth, with this paper we aim to provide a structured and comprehensive overview of the research on security solutions for mobile devices. This paper surveys the state of the art on threats, vulnerabilities and security solutions over the period 2004-2011. We focus on high-level attacks, such as those to user applications, through SMS/MMS, denial-of-service, overcharging and privacy. We group existing approaches aimed at protecting mobile devices against these classes of attacks into different categories, based upon the detection principles, architectures, collected data and operating systems, especially focusing on IDS-based models and tools. With this categorization we aim to provide an easy and concise view of the underlying model adopted by each approach.
A Framework for Probabilistic Contract Compliance
We propose PICARD (ProbabIlistic Contract on AndRoiD), a framework to detect repackaged applications for Android smartphones based upon probabilistic contract matching. A contract describes the sequences of actions that an application is allowed to perform at run-time, i.e. its legal behavior. In PICARD, contracts are generated from the set of traces that represent the usage profile of the application. Both the contract and the application's run-time behavior are represented through clustered probabilistic automata. At run-time, a monitoring system verifies the compliance of the application trace with the contract. This approach is useful in detecting repackaged applications, whose behavior is strongly similar to that of the original application and differs only in small paths in the traces. In this paper, we discuss the framework of PICARD for describing and generating contracts through probabilistic automata and introduce the notion of ActionNode, a cluster of related system calls. Then, we present a first set of results using a prototype implementation of PICARD for Android smartphones to prove the efficacy of the framework in detecting two classes of applications, repackaged and trojanized ones.
RansomClave: Ransomware Key Management using SGX
Modern ransomware often generate and manage cryptographic keys on the victim's machine, giving defenders an opportunity to capture exposed keys and recover encrypted data without paying the ransom. However, recent work has raised the possibility of future enclave-enhanced malware that could avoid such mitigations using emerging support for hardware-enforced secure enclaves in commodity CPUs. Nonetheless, the practicality of such enclave-enhanced malware and its potential impact on all phases of the ransomware lifecycle remain unclear. Given the demonstrated capacity of ransomware authors to innovate in order to better extort their victims (e.g. through the adoption of untraceable virtual currencies and anonymity networks), it is important to better understand the risks involved and identify potential mitigations.
As a basis for comprehensive security and performance analysis of enclave-enhanced ransomware, we present RansomClave, a family of ransomware that securely manage their cryptographic keys using an enclave. We use RansomClave to explore the implications of enclave-enhanced ransomware for the key generation, encryption and key release phases of the ransomware lifecycle, and to identify potential limitations and mitigations.
We propose two plausible victim models and analyse, from an attacker's perspective, how RansomClave can protect cryptographic keys from each type of victim. We find that some existing mitigations are likely to be effective during the key generation and encryption phases, but that RansomClave enables new trustless key release schemes that could potentially improve attackers' profitability and, by extension, make enclaves an attractive target for future attackers.