11th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
July 10-11, 2014
Egham, London, UK
|Registration & Light Breakfast (Crosslands, Founder's Building)
Healing Heartbleed: Vulnerability Mitigation with Internet-wide Scanning
Alex Halderman (University of Michigan, USA) [slides]
|Abstract: Internet-wide network scanning has powerful security applications, including exposing vulnerabilities and tracking their mitigation. Unfortunately, probing the entire Internet with standard tools like Nmap requires months of time or large clusters of machines. In this talk, I'll demonstrate ZMap, an open-source network scanner developed by my research group that is designed from the ground up to perform Internet-wide scans efficiently. We've used ZMap with a gigabit Ethernet uplink to survey the entire IPv4 address space in under 45 minutes from a single machine, more than 1300 times faster than Nmap. Data from more than 400 Internet-wide scans conducted over the past 2 years has allowed us to work towards the mitigation of several widespread vulnerabilities, including most recently the OpenSSL Heartbleed bug. By tracking Heartbleed mitigation and notifying users and operators about unpatched systems, we were able to increase the rate of patching and gain unique insights into the world's response to the vulnerability.
|Biography: J. Alex Halderman is an assistant professor of computer science and engineering at the University of Michigan. His research focuses on computer security and privacy, with an emphasis on problems that broadly impact society and public policy. He is well known for developing the "cold boot" attack against disk encryption, which altered widespread thinking on security assumptions about the behavior of RAM, influenced computer forensics practice, and inspired the creation of a new subfield of theoretical cryptography. A noted expert on electronic voting security, he helped lead the first independent review of the election technology used by half a billion voters in India, which prompted the national government to undertake major technical reforms. In recent work, he exposed widespread flaws in public key generation that compromised the security of 5-10% of Internet hosts serving HTTPS and SSH. His work has won numerous distinctions, including two best paper awards from the USENIX Security conference. He received his Ph.D. in computer science from Princeton University.
|Break (Crosslands, Founder's Building)
|Session: Malware 1 - Session Chair: Michael Meier
|Data structure archaeology: scrape away the dirt and glue back the pieces!
(Or: automated techniques to recover split and merged variables)
Asia Slowinska, Istvan Haller, Andrei Bacs, Silviu Horia Baranga and Herbert Bos [slides]
|Abstract: Many software vendors use data obfuscation to make it hard for reverse engineers to recover the layout, value and meaning of the variables in a program. The research question in this paper is whether the state-of-the-art data obfuscations techniques are good enough. For this purpose, we evaluate two of the most popular data obfuscation methods: (1) splitting a single variable over multiple memory location, (2) splitting and merging two variables over multiple memory locations. While completely automated and flawless recovery of obfuscated variables is not yet possible, the outcome of our research is that the obfuscations are very vulnerable to reversing by means of automated analysis. We were able to deobfuscate the obfuscated variables in real world programs with false positive rates below 5%, and false negative rates typically below 10%.
|Identifying Shared Software Components to Support Malware Forensics
Brian Ruttenberg, Craig Miles, Lee Kellog, Vivek Notani, Michael Howard, Charles Ledoux, Arun Lakhotia and Avi Pfeffer
|Abstract: Recent reports from the anti-malware industry indicate similarity between malware code resulting from code reuse can aid in developing a profile of the attackers. We describe a method for identifying shared components in a large corpus of malware, where a component is a collection of code, such as a set of procedures, that implement a unit of functionality. We develop a general architecture for identifying shared components in a corpus using a two-stage clustering technique. While our method is parametrized on any features extracted from a binary, our implementation uses features abstracting the semantics of blocks of instructions. Our system has been found to identify shared components with extremely high accuracy in a rigorous, controlled experiment conducted independently by MITLL. Our technique provides an automated method to find between malware code functional relationships that may be used to establish evolutionary relationships and aid in forensics.
|Instruction-Level Steganography for Covert Trigger-Based Malware (short paper)
Dennis Andriesse and Herbert Bos [slides]
|Abstract: Trigger-based malware is designed to remain dormant and undetected unless a specific trigger occurs. Such behavior occurs in prevalent threats such as backdoors and environment-dependent (targeted) malware. Currently, trigger-based malicious code is often hidden in rarely exercised code paths in benign host binaries, and relies upon a lack of code inspection to remain undetected. However, recent advances in automatic backdoor detection make this approach unsustainable. We introduce a new code hiding approach for trigger-based malware, which conceals malicious code inside spurious code fragments in such a way that it is invisible to disassemblers and static backdoor detectors. Furthermore, we implement stealthy control transfers to the hidden code by crafting trigger-dependent bugs, which jump to the hidden code only if provided with the correct trigger. Thus, the hidden code also remains invisible under dynamic analysis if the correct trigger is unknown. We demonstrate the feasibility of our approach by crafting a hidden backdoor for the Nginx HTTP server module.
|Lunch (Crosslands, Founder's Building)
|Keynote Talk: The economics and psychology of botnets
Ross Anderson (University of Cambridge, UK) [slides]
|Abstract: We know that botnets are a problem, but why should anyone pay attention? How big a problem are they and what can the average person do about them anyway? In this talk I will discuss what's known about the costs botnets and other shared criminal infrastructure impose on society from the viewpoint of an analysis of the costs of cybercrime. I will then discuss what we know about the effectiveness of warnings. Many warnings are designed by lawyers to benefit the person giving the warning rather than the person receiving it; how would we communicate a warning to someone if we really want them to act on it?
|Biography: Ross Anderson is Professor of Security Engineering at Cambridge University where his research ranges from cryptography (where his algorithm Serpent was an AES finalist) through hardware tamper resistance and peer-to-peer systems to the social-science aspects of security. He was one of the founders of the study of the economics of security; this is now a field with over a hundred active researchers. This has extended in recent years to the behavioural economics and psychology of security. He is a Fellow of the Royal Society and of the Royal Academy of Engineering.
|Break (Crosslands, Founder's Building)
|Session: Mobile Security - Session Chair: Ulrich Flegel
|AndRadar: Fast Discovery of Android Applications in Alternative Markets
Martina Lindorfer, Stamatis Volanis, Alessandro Sisto, Matthias Neugschwandtner, Elias Athanasopoulos, Federico Maggi, Christian Platzer, Stefano Zanero and Sotiris Ioannidis [slides]
|Abstract: Compared to traditional desktop software, Android applications are delivered through software repositories, commonly known as application markets. Other mobile platforms, such as Apple iOS and BlackBerry OS also use the marketplace model, but what is unique to Android is the existence of a plethora of alternative application markets. This complicates the task of detecting and tracking Android malware. Identifying a malicious application in one particular market is simply not enough, as many instances of this application may exist in other markets. To quantify this phenomenon, we exhaustively crawled 8 markets between June and November 2013. Our findings indicate that alternative markets host a large number of ad-aggressive apps, a non-negligible amount of malware, and some markets even allow authors to publish known malicious apps without prompt action. Motivated by these findings, we present AndRadar, a framework for discovering multiple instances of a malicious Android application in a set of alternative application markets. AndRadar scans a set of markets in parallel to discover similar applications. Each lookup takes no more than a few seconds, regardless of the size of the marketplace. Moreover, it is modular, and new markets can be transparently added once the search and download URLs are known. Using AndRadar we are able to achieve three goals. First, we can discover malicious applications in alternative markets, second, we can expose app distribution strategies used by malware developers, and third, we can monitor how different markets react to new malware. During a three-month evaluation period, AndRadar tracked over 20,000 apps and recorded more than 1,500 app deletions in 16 markets. Nearly 8% of those deletions were related to apps that were hopping from market to market. The most established markets were able to react and delete new malware within tens of days from the malicious app publication date while other markets did not react at all.
|Attacks on Android Clipboard
Xiao Zhang and Wenliang Du [slides]
|I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics
Cristiano Giuffrida, Kamil Majdanik, Mauro Conti and Herbert Bos [slides]
|Abstract: Mobile devices have become an important part of our everyday life, harvesting more and more confidential user information. Their portable nature and the great exposure to security attacks, however, call out for stronger authentication mechanisms than simple password-based identification. Biometric authentication techniques have shown potential in this context. Unfortunately, prior approaches are either excessively prone to forgery or have too low accuracy to foster widespread adoption. In this paper, we propose sensor-enhanced keystroke dynamics, a new biometric mechanism to authenticate users typing on mobile devices. The key idea is to characterize the typing behavior of the user via unique sensor features and rely on standard machine learning techniques to perform user authentication. To demonstrate the effectiveness of our approach, we implemented an Android prototype system termed Unagi. Our implementation supports several feature extraction and detection algorithms for evaluation and comparison purposes. Experimental results demonstrate that sensor-enhanced keystroke dynamics can improve the accuracy of recent gestured-based authentication mechanisms (i.e., EER>0.5%) by one order of magnitude, and the accuracy of traditional keystroke dynamics (i.e., EER>7%) by two orders of magnitude.
|End of program (Thursday)
|GI SIDAR Meeting
|Royal Holloway Picture Gallery Tour
Gala Dinner at Beaumont Estate, Old Windsor
|Registration & Light Breakfast (Crosslands, Founder's Building)
|Session: Malware 2 - Session Chair: Michael Meier
|AV-Meter: An Evaluation of Antivirus Scans and Labels
Aziz Mohaisen and Omar Alrawi [slides]
|Abstract: Antivirus scanners are designed to detect malware and, to a lesser extent, to label detections based on a family association. The labeling provided by AV vendors has many applications such as guiding efforts of disinfection and countermeasures, intelligence gathering, and attack attribution, among others. Furthermore, researchers rely on AV labels to establish a baseline of ground truth to compare their detection and classification algorithms. This is done despite many papers pointing out the subtle problem of relying on AV labels. However, the literature lacks any systematic study on validating the performance of antivirus scanners, and the reliability of those labels or detection. In this paper, we set out to answer several questions concerning the detection rate, correctness of labels, and consistency of detection of AV scanners. Equipped with more than 12,000 malware samples of 11 malware families that are manually inspected and labeled, we pose the following questions. How do antivirus vendors perform relatively on them? How correct are the labels given by those vendors? How consistent are antivirus vendors among each other? We answer those questions unveiling many interesting results, and invite the community to challenge assumptions about relying on antivirus scans and labels as a ground truth for malware analysis and classification. Finally, we stress several research directions that may help addressing the problem.
|PExy: The other side of Exploit Kits
Giancarlo De Maio, Alexandros Kapravelos, Yan Shoshitaishvili, Christopher Kruegel and Giovanni Vigna [slides]
|Abstract: The drive-by download scene has changed dramatically in the last few years. What was a disorganized ad-hoc generation of malicious pages by individuals has evolved into sophisticated, easily extensible frameworks that incorporate multiple exploits at the same time and are highly configurable. We are now dealing with exploit kits. In this paper we focus on the server-side part of drive-by downloads by automatically analyzing the source code of multiple exploit kits. We discover through static analysis what checks exploit-kit authors perform on the server to decide which exploit is served to which client and we automatically generate the configurations to extract all possible exploits from every exploit kit. We also examine the source code of exploit kits and look for interesting coding practices, their detection mitigation techniques, the similarities between them and the rise of Exploit-as-a-Service through a highly customizable design. Our results indicate that even with a perfect drive-by download analyzer it is not trivial to trigger the expected behavior from an exploit kit so that it is classified appropriately as malicious.
|Metadata-driven Threat Classification of Network Endpoints Appearing in Malware
Andrew West and Aziz Mohaisen [slides]
|Abstract: Networked machines serving as binary distribution points, C&C channels, or drop sites are a ubiquitous aspect of malware infrastructure. By sandboxing malcode one can extract the network endpoints (i.e., domains and URL paths) contacted during execution. Some endpoints are benign, e.g., connectivity tests. Exclusively malicious destinations, however, can serve as signatures enabling network alarms. Often these behavioral distinctions are drawn by expert analysts, resulting in considerable cost and labeling latency. Leveraging 28,000 expert-labeled endpoints derived from ~100k malware binaries this paper characterizes those domains/URLs towards prioritizing manual efforts and automatic signature generation. Our analysis focuses on endpoints' static metadata properties and not network payloads or routing dynamics. Performance validates this straightforward approach, achieving 99.4% accuracy at binary threat classification and 93% accuracy on the more granular task of severity prediction. This performance is driven by features capturing a domain's behavioral history and registration properties. More qualitatively we discover the prominent role that dynamic DNS providers and "shared-use" public services play as perpetrators seek agile and cost-effective hosting infrastructure.
|Break (Crosslands, Founder's Building)
Lawful Hacking: Using Internet Vulnerabilities to Wiretap Internet Communications
Susan Landau (Worcester Polytechnic Institute, USA)
For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. The changing structure of telecommunications and new technologies such as ISDN and cellular telephony made executing a wiretap more complicated for law enforcement, and such simple technologies would no longer suffice. In response, the US Congress passed the Communications Assistance for Law Enforcement Act (CALEA), which required that wiretapping capabilities be built into digital telephony switches. (Europe has similar requirements.) With new real-time communications technologies using packet-switching technologies, law enforcement has claimed it is "going dark." Several years ago, the FBI proposed changes in wiretap laws to require a CALEA-like interface in Internet software.
By requiring an architected security breach, such a "solution" would, in fact, create a great insecurity in all communications technology. Susan will present an alternative, namely using current vulnerabilities in order to wiretap. In this talk, Susan will briefly discuss the technology issues and then focus on the policy implications.
This represents joint work with Steve Bellovin, Matt Blaze, and Sandy Clark.
|Biography: Susan Landau is a professor in the Department of Social Science and Policy Studies at Worcester Polytechnic Institute, where she works in cybersecurity, privacy, and public policy. Landau has been a senior staff Privacy Analyst at Google, a Distinguished Engineer at Sun Microsystems, a faculty member at the University of Massachusetts at Amherst and at Wesleyan University. She has held visiting positions at Harvard, Cornell, and Yale, and the Mathematical Sciences Research Institute. Landau is the author of Surveillance or Security? The Risks Posed by New Wiretapping Technologies (MIT Press, 2011), and co-author, with Whitfield Diffie, of Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press, 1998, rev. ed. 2007). She has written numerous computer science and public policy papers and op-eds on cybersecurity and encryption policy and testified in Congress on the security risks of wiretapping and on cybersecurity activities at NIST's Information Technology Laboratory. Landau currently serves on the Computer Science Telecommunications Board of the National Research Council. A 2012 Guggenheim fellow, Landau was a 2010-2011 fellow at the Radcliffe Institute for Advanced Study, the recipient of the 2008 Women of Vision Social Impact Award, and also a fellow of the American Association for the Advancement of Science and the Association for Computing Machinery. She received her BA from Princeton, her MS from Cornell, and her PhD from MIT.
|Lunch (Crosslands, Founder's Building)
|Session: Network Security - Session Chair: Ulrich Flegel
|Parallelization of Network Intrusion Detection Systems under Attack Conditions
Rene Rietz, Franka Schuster, Hartmut Koenig and Michael Vogel
|Abstract: Intrusion detection systems are proven remedies to protect networks and end systems in practice. IT systems, however, are currently changing their characteristics. Highly variable communication relations and constantly increasing network bandwidths force single intrusion detection instances to handle high peak rates. Today's intrusion detection systems are not prepared to this development. In particular, they do not scale efficiently enough during an attack. In this article, we investigate different strategies how intrusion detection systems can cope with dynamic communication relations and increasing data rates under attack conditions. Based on a detailed performance profiling of typical intrusion detection systems, we outline the drawbacks of current optimization approaches and present a new approach for parallelizing the intrusion detection analysis that copes with the increasing network dynamics.
|Phoenix: DGA-based Botnet Tracking and Intelligence
Stefano Schiavoni, Federico Maggi, Lorenzo Cavallaro and Stefano Zanero [slides]
|Abstract: Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Given the prevalence of this mechanism, recent work has focused on the analysis of DNS traffic to recognize botnets based on their DGAs. While previous work has concentrated on detection, we focus on supporting intelligence operations. We propose Phoenix, a mechanism that, in addition to telling DGA- and non-DGA-generated domains apart using a combination of string and IP-based features, characterizes the DGAs behind them, and, most importantly, finds groups of DGA-generated domains that are representative of the respective botnets. As a result, Phoenix can associate previously unknown DGA-generated domains to these groups, and produce novel knowledge about the evolving behavior of each tracked botnet. We evaluated Phoenix on 1,153,516 domains, including DGA-generated domains from modern, well-known botnets: without supervision, it correctly distinguished DGA- vs. non-DGA-generated domains in 94.8 percent of the cases, characterized families of domains that belonged to distinct DGAs, and helped researchers "on the field" in gathering intelligence on suspicious domains to identify the correct botnet.
|Break (Crosslands, Founder's Building)
|Session: Host Security - Session Chair: Lorenzo Cavallaro
|Quantifiable Run-time Kernel Attack Surface Reduction
Anil Kurmus, Sergej Dechand and Ruediger Kapitza
|Abstract: The sheer size of commodity operating system kernels makes them a prime target for local attackers aiming to escalate privileges. At the same time, as much as 90% of kernel functions are not required for processing system calls originating from a typical network daemon. This results in an unnecessarily high exposure. In this paper, we introduce kRazor, an approach to reduce the kernel's attack surface by limiting the amount of kernel code accessible to an application. KRAZOR first traces individual kernel functions used by an application. KRAZOR can then detect and prevent uses of unnecessary kernel functions by a process. This step is implemented as a kernel module that instruments select kernel functions. A heuristic on the kernel function selection allows KRAZOR to have negligible performance overhead. We evaluate results under real-world workloads for four typical server applications. Results show that the performance overhead and false positives remain low, while the attack surface reduction can be as high as 80%.
|Bee Master: Detecting Host-Based Code Injection Attacks
Thomas Barabosch, Sebastian Eschweiler and Elmar Gerhards-Padilla [slides]
|Abstract: A technique commonly used by malware for hiding on a targeted system is the host-based code injection attack. It allows malware to execute its code in a foreign process space enabling it to operate covertly and access critical information of other processes. Since there exists a plethora of different ways for injecting and executing code in a foreign process space, a generic approach spanning all these possibilities is needed. Approaches just focussing on low-level operating system details (e.g. API hooking) do not suffice since the suspicious API set is constantly extended. Thus, approaches focussing on low level operating system details are prone to miss novel attacks. Furthermore, such approaches are restricted to intimate knowledge of exactly one operating system. In this paper, we present Bee Master, a novel approach for detecting host-based code injection attacks. Bee Master applies the honeypot paradigm to OS processes and by that it does not rely on low-level OS details. The basic idea is to expose regular OS processes as a decoy to malware. Our approach focuses on concepts-such as threads or memory pages-present in every modern operating system. Therefore, Bee Master does not suffer from the drawbacks of low-level OS-based approaches. Furthermore, it allows OS independent detection of host-based code injection attacks. To test the capabilities of our approach, we evaluated Bee Master qualitatively and quantitatively on Microsoft Windows and Linux. The results show that it reaches reliable and robust detection for various current malware families.
|Diagnosis and Emergency Patch Generation for Integer Overflow Exploits
Tielei Wang, Chengyu Song and Wenke Lee [slides]
|Abstract: Integer overflow has become a common cause of software vulnerabilities, and significantly threatens system availability and security. Yet protecting commodity software from attacks against unknown or unpatched integer overflow vulnerabilities remains unaddressed. This paper presents SoupInt, a system that can diagnose exploited integer overflow vulnerabilities from captured attack instances and then automatically generate patches to fix the vulnerabilities. Specifically, given an attack instance, SoupInt first diagnoses whether it exploits integer overflow vulnerabilities through a dynamic data flow analysis based mechanism. To fix the exploited integer overflows, SoupInt generates patches and deploys them at existing, relevant validation check points inside the program. By leveraging existing error-handlers for programmer-anticipated errors to deal with the unanticipated integer overflows, these patches enable the program to survive future attacks that exploit the same integer overflows. We have implemented a SoupInt prototype that directly works on x86 binaries. We evaluated SoupInt with various input formats and a number of real world integer overflow vulnerabilities in commodity software, including Adobe Reader, Adobe Flash Player, etc. The results show that SoupInt can accurately locate the exploited integer overflow vulnerabilities and generate patches in minutes.