Your search keyword '"Giovanni Vigna"' showing total 186 results

1. One Size Does Not Fit All

Author

Daniela Oliveira, Hojjat Aghakhani, Paulo Licio de Geus, Christopher Kruegel, André Grégio, Giovanni Vigna, Marcus Botacin, and Stefano Ortolani

Subjects

Finance, education.field_of_study, General Computer Science, business.industry, Computer science, Population, Developing country, 020207 software engineering, 02 engineering and technology, computer.software_genre, Personalization, Variety (cybernetics), 020204 information systems, Obfuscation, 0202 electrical engineering, electronic engineering, information engineering, Malware, Web threat, Malware analysis, Safety, Risk, Reliability and Quality, education, business, computer

Abstract

Malware analysis is an essential task to understand infection campaigns, the behavior of malicious codes, and possible ways to mitigate threats. Malware analysis also allows better assessment of attackers’ capabilities, techniques, and processes. Although a substantial amount of previous work provided a comprehensive analysis of the international malware ecosystem, research on regionalized, country-, and population-specific malware campaigns have been scarce. Moving towards addressing this gap, we conducted a longitudinal (2012-2020) and comprehensive (encompassing an entire population of online banking users) study of MS Windows desktop malware that actually infected Brazilian banks’ users. We found that the Brazilian financial desktop malware has been evolving quickly: it started to make use of a variety of file formats instead of typical PE binaries, relied on native system resources, and abused obfuscation techniques to bypass detection mechanisms. Our study on the threats targeting a significant population on the ecosystem of the largest and most populous country in Latin America can provide invaluable insights that may be applied to other countries’ user populations, especially those in the developing world that might face cultural peculiarities similar to Brazil’s. With this evaluation, we expect to motivate the security community/industry to seriously consider a deeper level of customization during the development of next-generation anti-malware solutions, as well as to raise awareness towards regionalized and targeted Internet threats.

Published

2021

2. Tarnhelm: Isolated, Transparent & Confidential Execution of Arbitrary Code in ARM's TrustZone

Author

Martina Lindorfer, Davide Quarta, Yanick Fratantonio, Davide Balzarotti, Eric Gustafson, Aravind Machiry, Giovanni Vigna, Michele Ianni, and Christopher Kruegel

Subjects

Source code, Computer science, media_common.quotation_subject, Mobile computing, Attack surface, Computer security, computer.software_genre, Obfuscation (software), System call, Code (cryptography), computer, Mobile device, media_common, Compile time

Abstract

Protecting the confidentiality of applications on commodity operating systems, both on desktop and mobile devices, is challenging: attackers have unrestricted control over an application's processes and thus direct access to any of the application's assets. However, the application's code itself can be of great commercial value, for example in the case of proprietary code or additional functionality obtained as downloadable content and via in-app purchases, which are widely used to monetize free applications through premium content. Developers still rely heavily on obfuscation to protect their own code from unauthorized tampering or copying, providing an obstacle for an attacker, but not preventing compromise. In this paper, we present Tarnhelm, an approach to offer a practical and transparent primitive to implement code confidentiality by extending ARM's TrustZone, a TEE that so far provides limited functionality to application developers. Tarnhelm allows developers to easily designate part of their code as confidential through source code annotations. At compile time, Tarnhelm automatically partitions the application into regular application code, executed in the "normal world," and the invisible code, transparently executed in the "secure world." Tarnhelm tightly couples and secures the execution in both worlds without exposing any additional attack surface by combining a number of different techniques, such as secure code loading, system call forwarding, transparent world switching, and the enforcement of inter-world control-flow integrity. We im- plemented a proof of concept of Tarnhelm and demonstrate its feasibility in a mobile computing setting.

Published

2021

3. SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning

Author

Giovanni Vigna, Lukas Dresel, Kyle Zeng, Tiffany Bao, Stefano Zanero, Mario Polino, Nicola Ruaro, Christopher Kruegel, Andrea Continella, Services, Cybersecurity & Safety, and Digital Society Institute

Subjects

Symbolic execution, Cybersecurity, Computer science, business.industry, media_common.quotation_subject, Vulnerability, Crash, Replicate, Machine learning, computer.software_genre, Path (graph theory), Vulnerability discovery, Leverage (statistics), The Symbolic, Artificial intelligence, business, Function (engineering), computer, media_common

Abstract

Exploring many execution paths in a binary program is essential to discover new vulnerabilities. Dynamic Symbolic Execution (DSE) is useful to trigger complex input conditions and enables an accurate exploration of a program while providing extensive crash replayability and semantic insights. However, scaling this type of analysis to complex binaries is difficult. Current methods suffer from the path explosion problem, despite many attempts to mitigate this challenge (e.g., by merging paths when appropriate). Still, in general, this challenge is not yet surmounted, and most bugs discovered through such techniques are shallow. We propose a novel approach to address the path explosion problem: A smart triaging system that leverages supervised machine learning techniques to replicate human expertise, leading to vulnerable path discovery. Our approach monitors the execution traces in vulnerable programs and extracts relevant features - register and memory accesses, function complexity, system calls - to guide the symbolic exploration. We train models to learn the patterns of vulnerable paths from the extracted features, and we leverage their predictions to discover interesting execution paths in new programs. We implement our approach in a tool called SyML, and we evaluate it on the Cyber Grand Challenge (CGC) dataset - a well-known dataset of vulnerable programs - and on 3 real-world Linux binaries. We show that the knowledge collected from the analysis of vulnerable paths, without any explicit prior knowledge about vulnerability patterns, is transferrable to unseen binaries, and leads to outperforming prior work in path prioritization by triggering more, and different, unique vulnerabilities.

Published

2021

4. Toward a secure crowdsourced location tracking system

Author

Giovanni Vigna, Andrea Continella, Aravind Machiry, Chinmay Garg, Christopher Kruegel, Digital Society Institute, and Services, Cybersecurity & Safety

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Cybersecurity, BitTorrent tracker, Computer science, 02 engineering and technology, Computer security, computer.software_genre, law.invention, C.2.3, Bluetooth, C.2.1, C.5.m, law, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Leverage (statistics), Set (psychology), business.industry, 020206 networking & telecommunications, Tracking system, Object (computer science), State (computer science), business, Cryptography and Security (cs.CR), computer, Location tracking

Abstract

Low-energy Bluetooth devices have become ubiquitous and widely used for different applications. Among these, Bluetooth trackers are becoming popular as they allow users to track the location of their physical objects. To do so, Bluetooth trackers are often built-in within other commercial products connected to a larger crowdsourced tracking system. Such a system, however, can pose a threat to the security and privacy of the users, for instance, by revealing the location of a user's valuable object. In this paper, we introduce a set of security properties and investigate the state of commercial crowdsourced tracking systems, which present common design flaws that make them insecure. Leveraging the results of our investigation, we propose a new design for a secure crowdsourced tracking system (SECrow), which allows devices to leverage the benefits of the crowdsourced model without sacrificing security and privacy. Our preliminary evaluation shows that SECrow is a practical, secure, and effective crowdsourced tracking solution, 10 pages - ACM WiSec 2021 - Preprint

Published

2021

5. Glitching Demystified: Analyzing Control-flow-based Glitching Attacks and Defenses

Author

Zhongshu Gu, Nathan Burow, Chad Spensky, Aravind Machiry, Giovanni Vigna, Rick Housley, Hani Jamjoom, Christopher Kruegel, and Hamed Okhravi

Subjects

Emulation, Source code, Computer science, media_common.quotation_subject, Fault tolerance, Hardware_PERFORMANCEANDRELIABILITY, Fault injection, Computer security, computer.software_genre, Instruction set, Control flow, Encoding (memory), Scalability, computer, Hardware_LOGICDESIGN, media_common

Abstract

Hardware fault injection, or glitching, attacks can compromise the security of devices even when no software vulnerabilities exist. Attempts to analyze the hardware effects of glitching are subject to the Heisenberg effect and there is typically a disconnect between what people “think” is possible and what is actually possible with respect to these attacks. In this work, we attempt to provide some clarity to the impacts of attacks and defenses for control-flow modification through glitching. First, we introduce a glitching emulation framework, which provides a scalable playground to test the effects of bit flips on specific instruction set architectures (ISAs) (i.e., the fault tolerance of the instruction encoding). Next, we examine real glitching experiments using the ChipWhisperer, a popular microcontroller using open-source glitching hardware. These real-world experiments provide novel insights into how glitching attacks are realized and might be defended against in practice. Finally, we present GLITCHRESISTOR, an open-source, software-based glitching defense tool that can automatically insert glitching defenses into any existing source code, in an architecture-independent way. We evaluated GLITCHRESISTOR, which integrates numerous software-only defenses against powerful and real-world glitching attacks. Our findings indicate that software-only defenses can be implemented with acceptable run-time and size overheads, while completely mitigating some single-glitch attacks, minimizing the likelihood of a successful multi-glitch attack (i.e., a success rate of 0.000306%), and detecting failed glitching attempts at a high rate (between 79.2% and 100%).

Published

2021

6. Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms

Author

Priyanka Bose, Dongyu Meng, Andrea Continella, Christopher Kruegel, Hojjat Aghakhani, Aravind Machiry, Giovanni Vigna, Michele Guerriero, Digital Society Institute, and Services, Cybersecurity & Safety

Subjects

Cybersecurity, business.industry, Computer science, Vulnerability, 020207 software engineering, Linux kernel, 02 engineering and technology, Fuzz testing, Static analysis, Machine learning, computer.software_genre, Metadata, Kernel (linear algebra), Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Artificial intelligence, business, computer

Abstract

Software is continually increasing in size and complexity, and therefore, vulnerability discovery would benefit from techniques that identify potentially vulnerable regions within large code bases, as this allows for easing vulnerability detection by reducing the search space. Previous work has explored the use of conventional code-quality and complexity metrics in highlighting suspicious sections of (source) code. Recently, researchers also proposed to reduce the vulnerability search space by studying code properties with neural networks. However, previous work generally failed in leveraging the rich metadata that is available for long-running, large code repositories. In this paper, we present an approach, named Bran, to reduce the vulnerability search space by combining conventional code metrics with fine-grained repository metadata. Bran locates code sections that are more likely to contain vulnerabilities in large code bases, potentially improving the efficiency of both manual and automatic code audits. In our experiments on four large code bases, Bran successfully highlights potentially vulnerable functions, outperforming several baselines, including state-of-art vulnerability prediction tools. We also assess Bran's effectiveness in assisting automated testing tools. We use Bran to guide syzkaller, a known kernel fuzzer, in fuzzing a recent version of the Linux kernel. The guided fuzzer identifies 26 bugs (10 are zero-day flaws), including arbitrary writes and reads.

Published

2021

7. Conware: Automated Modeling of Hardware Peripherals

Author

Nilo Redini, Colin Unger, Hamed Okhravi, Evan Blasband, Chad Spensky, Aravind Machiry, Giovanni Vigna, Christopher Kruegel, and Graham Foster

Subjects

021110 strategic, defence & security studies, Emulation, Firmware, Computer science, business.industry, 0211 other engineering and technologies, 020206 networking & telecommunications, 02 engineering and technology, Hardware emulation, computer.software_genre, Automaton, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Instrumentation (computer programming), Hardware_CONTROLSTRUCTURESANDMICROPROGRAMMING, business, computer, Computer hardware

Abstract

Emulation is at the core of many security analyses. However, emulating embedded systems is still not possible in most cases. To facilitate this critical analysis, we present Conware, a hardware emulation framework that can automatically generate models for hardware peripherals, which alleviates one of the major challenges currently hindering embedded systems emulation. Conware enables individual peripherals to be modeled, exported, and combined with other peripherals in a pluggable fashion. Conware achieves this by first obtaining a recording of the low-level hardware interactions between the firmware and the peripheral, using either existing methods or our source-code instrumentation technique. These recordings are then used to create high-fidelity automata representations of the peripheral using novel automata-generation techniques. The various models can then be merged to facilitate full-system emulation of any embedded firmware that uses any of the modeled peripherals, even if that specific firmware or its target hardware was never directly instrumented. Indeed, we demonstrate that Conware is able to successfully emulate a peripheral-heavy firmware binary that was never instrumented, by merging the models of six unique peripherals that were trained on a development board using only the vendor-provided example code.

Published

2021

8. SYMBION

Author

Christopher Kruegel, Eric Gustafson, Andrea Continella, Fabio Gritti, Lorenzo Fontana, Giovanni Vigna, Fabio Pagani, and Services, Cybersecurity & Safety

Subjects

Reverse engineering, Interleaving, Computer science, business.industry, Programming language, Process (computing), 020207 software engineering, 02 engineering and technology, computer.software_genre, Symbolic execution, Malware, Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), The Symbolic, business, computer, Computer Security

Abstract

Symbolic execution is a powerful technique for exploring programs and generating inputs that drive them into specific states. However, symbolic execution is also known to suffer from severe limitations, which prevent its application to real-world software. For example, symbolically executing programs requires modeling their interactions with the surrounding environment (e.g., libraries, operating systems). Unfortunately, models are usually created manually, introducing considerable approximations of the programs behaviors and significant imprecision in the analysis. In addition, as the complexity of the system under analysis grows, additional models are needed, making this process unsustainable. For these reasons, in this paper we propose a novel technique that allows interleaving symbolic execution with concrete execution, focusing the symbolic exploration only on interesting portions of code. We call this approach interleaved symbolic execution. The key idea of our approach is to re-use the concrete environment to run the input program, and then synchronize the results of the environment interactions with the symbolic execution engine. As a consequence, our approach does not make any assumption about such interactions, and it is agnostic with respect to the concrete environment. We implement a prototype for this technique, SYMBION, and we demonstrate its effectiveness by analyzing real-world malware, showing that it allows us to effectively skip complex portions of code that do not need to be analyzed symbolically.

Published

2020

9. TRUST.IO: Protecting Physical Interfaces on Cyber-physical Systems

Author

Marcel Busch, Aravind Machiry, Christopher Kruegel, Chad Spensky, Kevin Leach, Giovanni Vigna, and Rick Housley

Subjects

021110 strategic, defence & security studies, Hardware security module, Exploit, Computer science, business.industry, Overhead (engineering), 0211 other engineering and technologies, Cyber-physical system, Cryptography, 02 engineering and technology, Critical infrastructure, Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), business, Computer network

Abstract

Cyber-physical systems (CPSes) have been replacing their mechanical counterparts in many safety and securitycritical applications (e.g., door locks, automobiles, and critical infrastructure). However, this paradigm shift has introduced a new software-based attack vector into these historically isolated systems. Since many of these devices are networked, their physical interfaces are vulnerable to both remote and local attackers. In this work, we present TRUST. IO, a framework that automatically, and transparently, hardens these physical interfaces against all software-based exploits. More precisely, TRUST.IO ensures that the software on the device cannot access any protected general purpose input/output (GPIO) interfaces unless the command was initiated from a trusted external client (e.g., a key, phone, or centralized server). TRUST.IO exploits the fact that users rarely interact directly with these embedded devices. Instead, users interact with a remote system (e.g., a car key, smart hub, or control system) that ultimately issues commands to the single-purpose embedded device. Thus, TRUST.IO leverages modern embedded processor features to ensure that these critical physical interactions (e.g., actuating motors or reading sensors) will be performed if and only if the command was issued by an authorized external device that can satisfy a cryptographic challenge. We demonstrate that TRUST.IO can be easily applied to existing CPSes, both bare-metal and Linux-based, with minimal runtime overhead and minimal code modifications.

Published

2020

10. Exploring Abstraction Functions in Fuzzing

Author

Yan Shoshitaishvili, Adam Doupé, Giovanni Vigna, Christopher Kruegel, Christopher Salls, and Aravind Machiry

Subjects

Formalism (philosophy of mathematics), Security analysis, Computer science, business.industry, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Genetic programming, Fuzz testing, Static analysis, Scientific modelling, Software engineering, business

Abstract

Fuzz testing has emerged as the preeminent automated security analysis technique in the real world. To keep up with the shifting security landscape, researchers have innovated the fuzzing process to identify more and more complex vulnerabilities. One innovation is an approach inspired by genetic programming: the fuzzer generates test-cases, evaluates the quality of the test-case, and uses this evaluation to select test-cases for further iterations of the process. While this innovation has impressive results: without a formal, scientific model on which to base these improvements, the field of fuzzing has been explored in an ad hoc way. As a result, it is difficult to understand the relative merit of different techniques. In this paper, we formalize the input evaluation and selection components of fuzzing, borrowing concepts from the field of static analysis, and providing a base for future expansion of and research into fuzzing techniques. In building this formalism, we observed that the impact of different abstraction functions in modern fuzzing techniques is under-explored in prior research. Without a formal base on which to reason about their contributions, researchers of fuzzing techniques have missed the potential for improvements to this critical component of fuzzing approaches. We explore the implications of our formalization-derived observation on the effectiveness of evolutionary fuzzing techniques in the second half of the paper, showing that the application of different abstraction functions, and the use of multiple abstraction functions in tandem, improves state-of-the-art fuzzing techniques.

Published

2020

11. KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware

Author

Giovanni Vigna, Chad Spensky, Yan Shoshitaishvili, Christopher Kruegel, Nilo Redini, Ruoyu Wang, Aravind Machiry, and Andrea Continella

Subjects

Web server, Computer science, business.industry, Firmware, Vulnerability, 020207 software engineering, 02 engineering and technology, computer.file_format, Static analysis, System monitoring, computer.software_genre, Software, Software bug, 020204 information systems, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, The Internet, Executable, business, computer

Abstract

Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of users’ lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Many of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables. In this paper, we present Karonte, a static analysis approach capable of analyzing embedded-device firmware by modeling and tracking multi-binary interactions. Our approach propagates taint information between binaries to detect insecure interactions and identify vulnerabilities. We first evaluated Karonte on 53 firmware samples from various vendors, showing that our prototype tool can successfully track and constrain multi-binary interactions. This led to the discovery of 46 zero-day bugs. Then, we performed a large-scale experiment on 899 different samples, showing that Karonte scales well with firmware samples of different size and complexity.

Published

2020

12. SPIDER: Enabling Fast Patch Propagation In Related Software Repositories

Author

Nilo Redini, Eric Camellini, Christopher Kruegel, Giovanni Vigna, and Aravind Machiry

Subjects

Public domain software, Spider, Source code, business.industry, Computer science, media_common.quotation_subject, Distributed computing, 020207 software engineering, 02 engineering and technology, Software maintenance, Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, business, ComputingMethodologies_COMPUTERGRAPHICS, media_common, Codebase

Abstract

Despite the effort of software maintainers, patches to open-source repositories are propagated from the main codebase to all the related projects (e.g., forks) with a significant delay. Previous work shows that this is true also for security patches, which represents a critical problem. Vulnerability databases, such as the CVE database, were born to speed-up the application of critical patches; however, patches associated with CVE entries (i.e., CVE patches) are still applied with a delay, and some security fixes lack the corresponding CVE entries. Because of this, project maintainers could miss security patches when upgrading software.In this paper, we are the first to define safe patches (sps). An sp is a patch that does not disrupt the intended functionality of the program (on valid inputs), meaning that it can be applied with no testing; we argue that most security fixes fall into this category. Furthermore, we show a technique to identify sps, and implement SPIDER 1, a tool based on such a technique that works by analyzing the source code of the original and patched versions of a file. We performed a large-scale evaluation on 341,767 patches from 32 large and popular source code repositories as well as on 809 CVE patches. Results show that SPIDER was able to identify 67,408 sps and that most of the CVE patches are sps. In addition, SPIDER identified 2,278 patches that fix vulnerabilities lacking a CVE; 229 of these are still unpatched in different vendor kernels, which can be considered as potential unfixed vulnerabilities.

Published

2020

13. Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability

Author

Christopher Kruegel, Hojjat Aghakhani, Yu-Xiang Wang, Giovanni Vigna, and Dongyu Meng

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Artificial neural network, business.industry, Computer science, Feature vector, Machine Learning (stat.ML), Pattern recognition, Object (computer science), Machine Learning (cs.LG), Image (mathematics), Attack model, Robustness (computer science), Statistics - Machine Learning, Scalability, Artificial intelligence, Transfer of learning, business, Cryptography and Security (cs.CR)

Abstract

A recent source of concern for the security of neural networks is the emergence of clean-label dataset poisoning attacks, wherein correctly labeled poison samples are injected into the training dataset. While these poison samples look legitimate to the human observer, they contain malicious characteristics that trigger a targeted misclassification during inference. We propose a scalable and transferable clean-label poisoning attack against transfer learning, which creates poison images with their center close to the target image in the feature space. Our attack, Bullseye Polytope, improves the attack success rate of the current state-of-the-art by 26.75% in end-to-end transfer learning, while increasing attack speed by a factor of 12. We further extend Bullseye Polytope to a more practical attack model by including multiple images of the same object (e.g., from different angles) when crafting the poison samples. We demonstrate that this extension improves attack transferability by over 16% to unseen images (of the same object) without using extra poison samples.

Published

2020

14. Dirty Clicks: A Study of the Usability and Security Implications of Click-related Behaviors on the Web

Author

Igor Santos, Giovanni Vigna, Davide Balzarotti, Christopher Kruegel, and Iskander Sanchez-Rola

Subjects

Service (systems architecture), business.industry, Computer science, Perspective (graphical), Usability, 02 engineering and technology, Internet security, World Wide Web, 020204 information systems, Web page, 0202 electrical engineering, electronic engineering, information engineering, Web application, 020201 artificial intelligence & image processing, Set (psychology), business, Web crawler

Abstract

Web pages have evolved into very complex dynamic applications, which are often very opaque and difficult for non-experts to understand. At the same time, security researchers push for more transparent web applications, which can help users in taking important security-related decisions about which information to disclose, which link to visit, and which online service to trust. In this paper, we look at one of the simplest but also most representative aspect that captures the struggle between these opposite demands: a mouse click. In particular, we present the first comprehensive study of the possible security and privacy implications that clicks can have from a user perspective, analyzing the disconnect that exists between what is shown to users and what actually happens after. We started by identifying and classifying possible problems. We then implemented a crawler that performed nearly 2.5M clicks looking for signs of misbehavior. We analyzed all the interactions created as a result of those clicks, and discovered that the vast majority of domains are putting users at risk by either obscuring the real target of links or by not providing sufficient information for users to make an informed decision. We conclude the paper by proposing a set of countermeasures.

Published

2020

15. When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features

Author

Giovanni Vigna, Stefano Ortolani, Fabio Gritti, Davide Balzarotti, Francesco Mecca, Hojjat Aghakhani, Christopher Kruegel, Martina Lindorfer, University of California [Santa Barbara] (UC Santa Barbara), University of California (UC), Università degli studi di Torino = University of Turin (UNITO), Vienna University of Technology (TU Wien), Lastline Inc., Eurecom [Sophia Antipolis], European Project: 771844,BITCRUMBS, and European Project: 875019C0003,DARPA

Subjects

021110 strategic, defence & security studies, Computer science, business.industry, 0211 other engineering and technologies, Sample (statistics), 02 engineering and technology, computer.file_format, Static analysis, Machine learning, computer.software_genre, Obfuscation (software), Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, False positive paradox, Malware, [INFO]Computer Science [cs], Executable, Artificial intelligence, Heuristics, business, computer

Abstract

International audience; Machine learning techniques are widely used in addition to signatures and heuristics to increase the detection rate of anti-malware software, as they automate the creation of detection models, making it possible to handle an ever-increasing number of new malware samples. In order to foil the analysis of anti-malware systems and evade detection, malware uses packing and other forms of obfuscation. However, few realize that benign applications use packing and obfuscation as well, to protect intellectual property and prevent license abuse. In this paper, we study how machine learning based on static analysis features operates on packed samples. Malware researchers have often assumed that packing would prevent machine learning techniques from building effective classifiers. However, both industry and academia have published results that show that machine-learning-based classifiers can achieve good detection rates, leading many experts to think that classifiers are simply detecting the fact that a sample is packed, as packing is more prevalent in malicious samples. We show that, different from what is commonly assumed, packers do preserve some information when packing programs that is "useful" for malware classification. However, this information does not necessarily capture the sample's behavior. We demonstrate that the signals extracted from packed executables are not rich enough for machine-learning-based models to (1) generalize their knowledge to operate on unseen packers, and (2) be robust against adversarial examples. We also show that a naïve application of machine learning techniques results in a substantial number of false positives, which, in turn, might have resulted in incorrect labeling of ground-truth data used in past work.

Published

2020

16. On the Security of Application Installers and Online Software Repositories

Author

Marcus Botacin, Christopher Kruegel, Paulo Licio de Geus, André Grégio, Giovanni Vigna, and Giovanni Bertão

Subjects

021110 strategic, defence & security studies, Focus (computing), End user, Computer science, Download, business.industry, Rank (computer programming), 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, Software, Installation, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), 020201 artificial intelligence & image processing, The Internet, business, computer

Abstract

The security of application installers is often overlooked, but the security risks associated to these pieces of code are not negligible. Online public repositories have been one of the most popular ways for end users to obtain software, but there is a lack of systematic security evaluation of popular public repositories. In this paper, we bridge this gap by analyzing five popular software repositories. We focus on their software updating dynamics, as well as the presence of traces of vulnerable and/or trojanized applications among the top-100 most downloaded Windows programs on each of the evaluated repositories. We analyzed 2,935 unique programs collected in a period of 144 consecutive days. Our results show that: (i) the repositories frequently exhibit rank changes due to applications fast climbing toward the first positions; (ii) the repositories often update their payloads, which may cause the distribution of distinct binaries for the same intended application (binaries for the same applications may also be different in each repository); (iii) the installers are composed by multiple components and often download payloads from the Internet to complete their installation steps, posing new risks for users (we demonstrate that some installers are vulnerable to content tampering through man-in-the-middle attacks); (iv) the ever-changing nature of repositories and installers makes them prone to abuse, as we observed that 30% of all applications were reported malicious by at least one AV.

Published

2020

17. Sleak

Author

Christopher Kruegel, Yan Shoshitaishvili, Giovanni Vigna, Christophe Hauser, Jayakrishna Menon, and Ruoyu Wang

Subjects

021110 strategic, defence & security studies, Address space layout randomization, Theoretical computer science, Address space, Computer science, 0211 other engineering and technologies, 02 engineering and technology, computer.file_format, Static analysis, Symbolic execution, Function pointer, 020204 information systems, Information leakage, 0202 electrical engineering, electronic engineering, information engineering, Executable, computer, Heap (data structure)

Abstract

We present a novel approach to automatically recover information about the address space layout of remote processes in the presence of Address Space Layout Randomization (ASLR). Our system, dubbed Sleak, performs static analysis and symbolic execution of binary executable programs, and identifies program paths and input parameters leading to partial (i.e., only a few bits) or complete (i.e., the whole address) information disclosure vulnerabilities, revealing addresses of known objects of the target service or application. Sleak takes, as input, the binary executable program, and generates a symbolic expression for each program output that leaks information about the addresses of objects, such as stack variables, heap structures, or function pointers. By comparing these expressions with the concrete output of a remote process executing the same binary program image, our system is able to recover from a few bits to whole addresses of objects of the target application or service. Discovering the address of a single object in the target application is often enough to guess the layout of entire sections of the address space, which can be leveraged by attackers to bypass ASLR.

Published

2019

18. Mechanical Phish: Resilient Autonomous Hacking

Author

Aravind Machiry, Christopher Salls, Audrey Dutcher, Yan Shoshitaishvili, Giovanni Vigna, Ruoyu Wang, Antonio Bianchi, Jacopo Corbetta, Paul Grosen, Kevin Borgolte, Nick Stephens, Amat Cama, John Grosen, and Francesco Disperati

Subjects

Reasoning system, Exploit, Computer Networks and Communications, business.industry, Computer science, 05 social sciences, Vulnerability, 020206 networking & telecommunications, Static program analysis, 02 engineering and technology, Computer security, computer.software_genre, Phishing, Knowledge-based systems, Software, Vulnerability assessment, 0202 electrical engineering, electronic engineering, information engineering, 0509 other social sciences, Electrical and Electronic Engineering, 050904 information & library sciences, business, Law, computer, Hacker

Abstract

The size and complexity of software is increasing, and security flaws are becoming more numerous, sophisticated, and impactful. While the vulnerability identification process (especially in hard-to-analyze binary programs) has traditionally been driven by highly skilled human analysts, this approach does not scale, given the vast amount of deployed software. Recently, the vulnerability analysis process has started to shift toward automated approaches. The DARPA Cyber Grand Challenge has played a key role in transforming disconnected research ideas into fully autonomous cyber reasoning systems that analyze code to find vulnerabilities, generate exploits to prove the existence of these vulnerabilities, and patch the vulnerable software. In this article, we discuss our cyber reasoning system, Mechanical Phish, which we have open-sourced; the lessons we learned in participating in this ground-breaking competition; and our system’s performance as a tool in assisting humans during the DEF CON Capture-the-Flag competition, which followed the DARPA Cyber Grand Challenge.

Published

2018

19. Demystifying DDoS as a Service

Author

Giovanni Vigna, Alok Tongaonkar, Ali Zand, Christopher Kruegel, Sung-Ju Lee, and Gaspar Modelo-Howard

Subjects

Exploit, Computer Networks and Communications, business.industry, Network security, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Application layer DDoS attack, 020206 networking & telecommunications, Denial-of-service attack, 02 engineering and technology, Computer security, computer.software_genre, Computer Science Applications, Server, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, The Internet, Electrical and Electronic Engineering, business, computer, Trinoo, Computer network

Abstract

In recent years, we have observed a resurgence of DDoS attacks. These attacks often exploit vulnerable servers (e.g., DNS and NTP) to produce large amounts of traffic with little effort. However, we have also observed the appearance of application-level DDoS attacks, which leverage corner cases in the logic of an application in order to severely reduce the availability of the provided service. In both cases, these attacks are used to extort a ransom, to hurt a target organization, or to gain some tactical advantage. As it has happened for many of the components in the underground economy, DDoS has been commoditized, and DDoS as a service (DaaS) providers allow paying customers to buy and direct attacks against specific targets. In this article, we present a measurement study of 17 different DaaS providers, in which we analyzed the different techniques used to launch DDoS attacks, as well as the infrastructure leveraged in order to carry out the attacks. Results show a growing market of short-lived providers, where DDoS attacks are available at low cost (tens of dollars) and capable of easily disrupting connections of over 1.4 Gb/s. In our study, particular attention was given to characterize application-level (HTTP) DDoS attacks, which are more difficult to study given the low volume of traffic they generate and the need to study the logic of the application providing the target service.

Published

2017

20. Scaling the Academic Security Community

Author

Somesh Jha, Ninghui Li, Adam Doupé, and Giovanni Vigna

Subjects

SPARK (programming language), Computer science, business.industry, media_common.quotation_subject, Quality (business), Security community, Public relations, business, computer, computer.programming_language, media_common

Abstract

The security community is growing considerably. Consider CCS: the 2000 edition of the conference had 25 program committee members, 132 paper submissions, and 28 accepted papers, while the 2019 edition has 184 PC members, 934 paper submissions, and 149 accepted papers. This significant growth is not unique to CCS, and this panel will discuss and explore the challenges and opportunities facing the community in terms of this growth. The panel will touch on all issues, including the growing number of papers, the load of the program committees, quality and quantity of reviews, different publication models, among others. The goal of the panel is to spark discussion with the community, so please attend and share your thoughts.

Published

2019

21. Neurlux: Dynamic Malware Analysis Without Feature Engineering

Author

Chani Jindal, Christopher Kruegel, Keith Long, Christopher Salls, Giovanni Vigna, and Hojjat Aghakhani

Subjects

FOS: Computer and information sciences, Feature engineering, 021110 strategic, defence & security studies, Computer Science - Cryptography and Security, Artificial neural network, business.industry, Computer science, Deep learning, Document classification, 0211 other engineering and technologies, 02 engineering and technology, computer.software_genre, Machine learning, Field (computer science), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Malware, Domain knowledge, Artificial intelligence, Malware analysis, business, Cryptography and Security (cs.CR), computer

Abstract

Malware detection plays a vital role in computer security. Modern machine learning approaches have been centered around domain knowledge for extracting malicious features. However, many potential features can be used, and it is time consuming and difficult to manually identify the best features, especially given the diverse nature of malware. In this paper, we propose Neurlux, a neural network for malware detection. Neurlux does not rely on any feature engineering, rather it learns automatically from dynamic analysis reports that detail behavioral information. Our model borrows ideas from the field of document classification, using word sequences present in the reports to predict if a report is from a malicious binary or not. We investigate the learned features of our model and show which components of the reports it tends to give the highest importance. Then, we evaluate our approach on two different datasets and report formats, showing that Neurlux improves on the state of the art and can effectively learn from the dynamic analysis reports. Furthermore, we show that our approach is portable to other malware analysis environments and generalizes to different datasets.

Published

2019

22. Lightning Talk - Think Outside the Dataset: Finding Fraudulent Reviews using Cross-Dataset Analysis

Author

Shirin Nilizadeh, Giovanni Vigna, Eric Gustafson, Hojjat Aghakhani, and Christopher Kruegel

Subjects

Computer science, media_common.quotation_subject, 05 social sciences, 02 engineering and technology, Adversary, Data science, Metadata, 020204 information systems, 0502 economics and business, Threat model, 0202 electrical engineering, electronic engineering, information engineering, 050207 economics, Reputation management, Reputation, media_common

Abstract

Many crowd-sourced review platforms, such as Yelp, TripAdvisor, and Foursquare, have sprung up to provide a shared space for people to write reviews and rate local businesses. With the substantial impact of businesses’ online ratings on their selling [2], many businesses add themselves to multiple websites to more easily be discovered. Some might also engage in reputation management, which could range from rewarding their customers for a favorable review, or a complex review campaign, where armies of accounts post reviews to influence a business’ average review score. Most of previous work use supervised machine learning, and only focus on textual and stylometry features [1, 3, 4, 7]. Their obtained ground truth data is not large and comprehensive [4, 5, 6, 7, 8, 10]. These works also assume a limited threat model, e.g., an adversary’s activity is assumed to be found near sudden shifts in the data [8], or focused on positive campaigns. We propose OneReview , a system for finding fraudulent content on a crowd-sourced review site, leveraging correlations with other independent review sites, and the use of textual and contextual features. We assume that an attacker may not be able to exert the same influence over a business’ reputation on several websites, due to increased cost. OneReview focuses on isolating anomalous changes in a business’ reputation across multiple review sites, to locate malicious activity without relying on specific patterns. Our intuition is that a business’s reputation should not be very different in multiple review sites; e.g., if a restaurant changes its chef or manager, then the impact of these changes should appear on reviews across all the websites. OneReview utilizes Change Point Analysis method on the reviews of every business independently on every website, and then uses our proposed Change Point Analyzer to evaluate change-points, detect those that do not match across the websites, and identify them as suspicious. Then, it uses supervised machine learning, utilizing a combination of textual and metadata features to locate fraudulent reviews among the suspicious reviews. We evaluated our approach, using data from two reviewing websites, Yelp and TripAdvisor, to find fraudulent activity on Yelp. We obtained Yelp reviews, through the Yelp Data Challenge [9], and used our Change Point Analyzer to correlate this with data crawled from TripAdvisor. Since realistic and varied ground truth data is not currently available, we used a combination of our change point analysis and crowd-labeling to create a set of 5,655 labeled reviews. We used k-cross validation (k=5) on our ground truth and obtained 97% (+/- 0.01) accuracy, 91% (+/- 0.03) precision and 90% (+/- 0.06) recall. The model was used on the suspicious reviews, which classified 61,983 reviews, about 8% of all reviews, as fraudulent. We further detected fraudulent campaigns that are actively initiated by or targeted toward specific businesses. We identified 3,980 businesses with fraudulent reviews, as well as, 14,910 suspected spam, where at least 40% of their reviews are classified as fraudulent. We also used community detection algorithms to locate several large astroturfing campaigns. These results show the effectiveness of OneReview in detecting fraudulent campaigns.

Published

2019

23. Think Outside the Dataset

Author

Christopher Kruegel, Hojjat Aghakhani, Giovanni Vigna, Eric Gustafson, and Shirin Nilizadeh

Subjects

010104 statistics & probability, Computer science, media_common.quotation_subject, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 02 engineering and technology, 0101 mathematics, Set (psychology), 01 natural sciences, Data science, Reputation, media_common

Abstract

While online review services provide a two-way conversation between brands and consumers, malicious actors, including misbehaving businesses, have an equal opportunity to distort the reviews for their own gains. We propose OneReview, a method for locating fraudulent reviews, correlating data from multiple crowd-sourced review sites. Our approach utilizes Change Point Analysis to locate points at which a business' reputation shifts. Inconsistent trends in reviews of the same businesses across multiple websites are used to identify suspicious reviews. We then extract an extensive set of textual and contextual features from these suspicious reviews and employ supervised machine learning to detect fraudulent reviews. We evaluated OneReview on about 805K and 462K reviews from Yelp and TripAdvisor, respectively to identify fraud on Yelp. Supervised machine learning yields excellent results, with 97% accuracy. We applied the created model on suspicious reviews and detected about 62K fraudulent reviews (about 8% of all the Yelp reviews). We further analyzed the detected fraudulent reviews and their authors, and located several spam campaigns in the wild, including campaigns against specific businesses, as well as campaigns consisting of several hundreds of socially-networked untrustworthy accounts.

Published

2019

24. BootKeeper

Author

Christopher Kruegel, Stefano Cristalli, Giovanni Vigna, Yan Shoshitaishvili, Ronny Chevalier, Andrea Lanzi, Danilo Bruschi, Ruoyu Wang, Christophe Hauser, Confidentialité, Intégrité, Disponibilité et Répartition (CIDRE), CentraleSupélec-Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-SYSTÈMES LARGE ÉCHELLE (IRISA-D1), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-CentraleSupélec-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Università degli Studi di Milano [Milano] (UNIMI), University of Southern California (USC), Arizona State University [Tempe] (ASU), Department of Computer Science [Santa Barbara] (CS-UCSB), University of California [Santa Barbara] (UCSB), University of California-University of California, Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Università degli Studi di Milano = University of Milan (UNIMI), University of California [Santa Barbara] (UC Santa Barbara), and University of California (UC)-University of California (UC)

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Computer science, 0211 other engineering and technologies, Cryptography, 02 engineering and technology, TPM, computer.software_genre, SCRTM, Set (abstract data type), [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Firmware, 0202 electrical engineering, electronic engineering, information engineering, 021110 strategic, defence & security studies, business.industry, Process (computing), 020207 software engineering, Static analysis, Binary analysis, Software deployment, Embedded system, Key (cryptography), Trusted Platform Module, business, Cryptography and Security (cs.CR), computer

Abstract

International audience; Boot firmware, like UEFI-compliant firmware, has been the target of numerous attacks, giving the attacker control over the entire system while being undetected. The measured boot mechanism of a computer platform ensures its integrity by using cryptographic measurements to detect such attacks. This is typically performed by relying on a Trusted Platform Module (TPM). Recent work, however, shows that vendors do not respect the specifications that have been devised to ensure the integrity of the firmware’s loading process. As a result, attackers may bypass such measurement mechanisms and successfully load a modified firmware image while remaining unnoticed. In this paper we introduce BootKeeper, a static analysis approach verifying a set of key security properties on boot firmware images before deployment, to ensure the integrity of the measured boot process. We evaluate BootKeeper against several attacks on common boot firmware implementations and demonstrate its applicability.

Published

2019

25. PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary

Author

Giovanni Vigna, Dokyung Song, Felicitas Hetzelt, Stijn Volckaert, Christopher Kruegel, Jean-Pierre Seifert, Dipanjan Das, Chad Spensky, Michael Franz, and Yeoul Na

Subjects

law, Computer science, Computer graphics (images), 0202 electrical engineering, electronic engineering, information engineering, Boundary (topology), 020206 networking & telecommunications, 020201 artificial intelligence & image processing, 02 engineering and technology, Fuzz testing, Periscope, law.invention

Abstract

ispartof: pages:1-15 ispartof: 2019 Network and Distributed Systems Security Symposium (NDSS) pages:1-15 ispartof: Network and Distributed Systems Security (NDSS) Symposium 2019 location:San Diego date:24 Feb - 27 Feb 2019 status: Published online

Published

2019

26. BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation

Author

Yan Shoshitaishvili, Christopher Kruegel, Ruoyu Wang, Giovanni Vigna, Aravind Machiry, and Nilo Redini

Subjects

Software, Harm, Dead code, Computer science, business.industry, Final product, Code (cryptography), Binary number, Software engineering, business, Abstract interpretation

Abstract

The increasing complexity of modern programs motivates software engineers to often rely on the support of third-party libraries. Although this practice allows application developers to achieve a compelling time-to-market, it often makes the final product bloated with conspicuous chunks of unused code. Other than making a program unnecessarily large, this dormant code could be leveraged by willful attackers to harm users. As a consequence, several techniques have been recently proposed to perform program debloating and remove (or secure) dead code from applications. However, state-of-the-art approaches are either based on unsound strategies, thus producing unreliable results, or pose too strict assumptions on the program itself.

Published

2019

27. Towards Automatically Generating a Sound and Complete Dataset for Evaluating Static Analysis Tools

Author

Aravind Machiry, Nilo Redini, Christopher Kruegel, Hojjat Aghakhani, Eric Gustafson, and Giovanni Vigna

Subjects

geography, geography.geographical_feature_category, Computer science, Static program analysis, Data mining, computer.software_genre, computer, Sound (geography)

Published

2019

28. Using Loops For Malware Classification Resilient to Feature-unaware Perturbations

Author

Aravind Machiry, Yanick Fratantonio, Giovanni Vigna, Eric Gustafson, Yung Ryn Choe, Nilo Redini, and Christopher Kruegel

Subjects

Source code, business.industry, Computer science, media_common.quotation_subject, Feature vector, Counterintuitive, 020207 software engineering, 02 engineering and technology, Machine learning, computer.software_genre, Random forest, Foreach loop, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Malware, Artificial intelligence, Android (operating system), business, computer, Codebase, media_common

Abstract

In the past few years, both the industry and the academic communities have developed several approaches to detect malicious Android apps. State-of-the-art research approaches achieve very high accuracy when performing malware detection on existing datasets. These approaches perform their malware classification tasks in an "offline" scenario, where malware authors cannot learn from and adapt their malicious apps to these systems. In real-world deployments, however, adversaries get feedback about whether their app was detected, and can react accordingly by transforming their code until they are able to influence the classification. In this work, we propose a new approach for detecting Android malware that is designed to be resilient to feature-unaware perturbations without retraining. Our work builds on two key ideas. First, we consider only a subset of the codebase of a given app, both for precision and performance aspects. For this paper, our implementation focuses exclusively on the loops contained in a given app. We hypothesize, and empirically verify, that the code contained in apps' loops is enough to precisely detect malware. This provides the additional benefits of being less prone to noise and errors, and being more performant. The second idea is to build a feature space by extracting a set of labels for each loop, and by then considering each unique combination of these labels as a different feature: The combinatorial nature of this feature space makes it prohibitively difficult for an attacker to influence our feature vector and avoid detection, without access to the specific model used for classification. We assembled these techniques into a prototype, called LoopMC, which can locate loops in applications, extract features, and perform classification, without requiring source code. We used LoopMC to classify about 20,000 benign and malicious applications. While focusing on a smaller portion of the program may seem counterintuitive, the results of these experiments are surprising: our system achieves a classification accuracy of 99.3% and 99.1% for the Malware Genome Project and VirusShare datasets respectively, which outperforms previous approaches. We also evaluated LoopMC, along with the related work, in the context of various evasion techniques, and show that our system is more resilient to evasion.

Published

2018

29. Cloud Strife

Author

Shuang Hao, Tobias Fiebig, Christopher Kruegel, Kevin Borgolte, and Giovanni Vigna

Subjects

060201 languages & linguistics, Authentication, Exploit, Computer science, business.industry, Cloud computing, 06 humanities and the arts, 02 engineering and technology, Computer security, computer.software_genre, Certificate, Phishing, Elasticity (cloud computing), 0602 languages and literature, Certificate authority, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Automated Certificate Management Environment, The Internet, business, computer

Abstract

Infrastructure-as-a-Service (IaaS), and more generally the "cloud," like Amazon Web Services (AWS) or Microsoft Azure, have changed the landscape of system operations on the Internet. Their elasticity allows operators to rapidly allocate and use resources as needed, from virtual machines, to storage, to bandwidth, and even to IP addresses, which is what made them popular and spurred innovation.In this paper, we show that the dynamic component paired with recent developments in trust-based ecosystems (e.g., SSL certificates) creates so far unknown attack vectors. Specifically, we discover a substantial number of stale DNS records that point to available IP addresses in clouds, yet, are still actively attempted to be accessed. Often, these records belong to discontinued services that were previously hosted in the cloud. We demonstrate that it is practical, and time and cost efficient for attackers to allocate IP addresses to which stale DNS records point. Considering the ubiquity of domain validation in trust ecosystems, like SSL certificates, an attacker can impersonate the service using a valid certificate trusted by all major operating systems and browsers. The attacker can then also exploit residual trust in the domain name for phishing, receiving and sending emails, or possibly distribute code to clients that load remote code from the domain (e.g., loading of native code by mobile apps, or JavaScript libraries by websites).Even worse, an aggressive attacker could execute the attack in less than 70 seconds, well below common time-to-live (TTL) for DNS records. In turn, it means an attacker could exploit normal service migrations in the cloud to obtain a valid SSL certificate for domains owned and managed by others, and, worse, that she might not actually be bound by DNS records being (temporarily) stale, but that she can exploit caching instead.We introduce a new authentication method for trust-based domain validation that mitigates staleness issues without incurring additional certificate requester effort by incorporating existing trust of a name into the validation process. Furthermore, we provide recommendations for domain name owners and cloud operators to reduce their and their clients’ exposure to DNS staleness issues and the resulting domain takeover attacks.

Published

2018

30. Detecting Deceptive Reviews Using Generative Adversarial Networks

Author

Aravind Machiry, Hojjat Aghakhani, Giovanni Vigna, Christopher Kruegel, and Shirin Nilizadeh

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Discriminator, Computer Science - Artificial Intelligence, Computer science, Stability (learning theory), 02 engineering and technology, 010501 environmental sciences, Machine learning, computer.software_genre, 01 natural sciences, Computer Science - Information Retrieval, Machine Learning (cs.LG), Search algorithm, Classifier (linguistics), 0202 electrical engineering, electronic engineering, information engineering, Reinforcement learning, 0105 earth and related environmental sciences, Computer Science - Computation and Language, Artificial neural network, business.industry, Computer Science - Learning, Generative model, Artificial Intelligence (cs.AI), Task analysis, 020201 artificial intelligence & image processing, Artificial intelligence, business, Cryptography and Security (cs.CR), Computation and Language (cs.CL), computer, Information Retrieval (cs.IR)

Abstract

In the past few years, consumer review sites have become the main target of deceptive opinion spam, where fictitious opinions or reviews are deliberately written to sound authentic. Most of the existing work to detect the deceptive reviews focus on building supervised classifiers based on syntactic and lexical patterns of an opinion. With the successful use of Neural Networks on various classification applications, in this paper, we propose FakeGAN a system that for the first time augments and adopts Generative Adversarial Networks (GANs) for a text classification task, in particular, detecting deceptive reviews. Unlike standard GAN models which have a single Generator and Discriminator model, FakeGAN uses two discriminator models and one generative model. The generator is modeled as a stochastic policy agent in reinforcement learning (RL), and the discriminators use Monte Carlo search algorithm to estimate and pass the intermediate action-value as the RL reward to the generator. Providing the generator model with two discriminator models avoids the mod collapse issue by learning from both distributions of truthful and deceptive reviews. Indeed, our experiments show that using two discriminators provides FakeGAN high stability, which is a known issue for GAN architectures. While FakeGAN is built upon a semi-supervised classifier, known for less accuracy, our evaluation results on a dataset of TripAdvisor hotel reviews show the same performance in terms of accuracy as of the state-of-the-art approaches that apply supervised machine learning. These results indicate that GANs can be effective for text classification tasks. Specifically, FakeGAN is effective at detecting deceptive reviews., Comment: accepted at 1st Deep Learning and Security Workshop co-located with the 39th IEEE Symposium on Security and Privacy

Published

2018

31. Measuring E-mail header injections on the world wide web

Author

Pierre-Marie Bajan, Gail-Joon Ahn, Giovanni Vigna, Christopher Kruegel, Adam Doupé, Sai Prashanth Chandramouli, and Ziming Zhao

Subjects

DomainKeys Identified Mail, Java, business.industry, Computer science, Vulnerability, 020207 software engineering, 02 engineering and technology, Python (programming language), World Wide Web, Software security assurance, 020204 information systems, Header, 0202 electrical engineering, electronic engineering, information engineering, Web application, business, computer, computer.programming_language

Abstract

E-mail header injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail header injection vulnerabilities exist in the built-in e-mail functionality of the popular languages PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to allow an attacker to inject additional headers, modify existing headers, and alter the content of the e-mail. While E-mail header injection vulnerabilities are known to the community, and some commercial vulnerability scanners claim to discover E-mail header injection vulnerabilities, they have never been studied by the academic community. This paper presents a scalable mechanism to automatically detect E-mail header injection vulnerabilities and uses this mechanism to quantify the prevalence of E-mail header injection vulnerabilities on the web. From crawling 23,553,796 URLs, we found 994 vulnerable URLs across 414 domains. 135 of these domains are in the Alexa top 1 million, and five of them are in the top 20,000. 137 of the vulnerable domains are using anti-spoofing mechanisms such as DKIM, SPF, or DMARC, and E-mail header injection renders this protection useless. This work shows that E-mail header injection vulnerabilities are widespread and deserve future research attention.

Published

2018

32. GuardION:Practical mitigation of DMA-based rowhammer attacks on ARM

Author

Giovanni Vigna, Kaveh Razavi, Yanick Fratantonio, Herbert Bos, Martina Lindorfer, Harikrishnan Padmanabha Pillai, Victor van der Veen, Christopher Kruegel, Computer Systems, Network Institute, and Systems and Network Security

Subjects

010302 applied physics, Disturbance (geology), Exploit, business.industry, Computer science, Cloud computing, 02 engineering and technology, 01 natural sciences, 020202 computer hardware & architecture, Bit (horse), 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, business, Mobile device, Computer hardware, Dram

Abstract

Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector. Researchers demonstrated exploits not only against desktop computers, but also used single bit flips to compromise the cloud and mobile devices, all without relying on any software vulnerability. Since hardware-level mitigations cannot be backported, a search for software defenses is pressing. Proposals made by both academia and industry, however, are either impractical to deploy, or insufficient in stopping all attacks: we present rampage, a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses. To mitigate Rowhammer exploitation on ARM, we propose guardion, a lightweight defense that prevents DMA-based attacks—the main attack vector on mobile devices—by isolating DMA buffers with guard rows. We evaluate guardion on 22 benchmark apps and show that it has a negligible memory overhead (2.2 MB on average). We further show that we can improve system performance by re-enabling higher order allocations after Google disabled these as a reaction to previous attacks.

Published

2018

33. Broken Fingers: On the Usage of the Fingerprint API in Android

Author

Wenke Lee, Christopher Kruegel, Yanick Fratantonio, Giovanni Vigna, Aravind Machiry, Antonio Bianchi, and Simon P. Chung

Subjects

Computer science, 0202 electrical engineering, electronic engineering, information engineering, Operating system, 020207 software engineering, 020201 artificial intelligence & image processing, 02 engineering and technology, Android (operating system), computer.software_genre, computer

Published

2018

34. Enumerating Active IPv6 Hosts for Large-scale Security Scans via DNSSEC-signed Reverse Zones

Author

Giovanni Vigna, Kevin Borgolte, Tobias Fiebig, and Shuang Hao

Subjects

IPv4 address exhaustion, IPv6 address, Computer science, business.industry, computer.internet_protocol, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, 020206 networking & telecommunications, 02 engineering and technology, Space (commercial competition), Computer security, computer.software_genre, IPv4, IPv6, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, The Internet, State (computer science), business, computer

Abstract

Security research has made extensive use of exhaustive Internet-wide scans over the recent years, as they can provide significant insights into the overall state of security of the Internet, and ZMap made scanning the entire IPv4 address space practical. However, the IPv4 address space is exhausted, and a switch to IPv6, the only accepted long-term solution, is inevitable. In turn, to better understand the security of devices connected to the Internet, including in particular Internet of Things devices, it is imperative to include IPv6 addresses in security evaluations and scans. Unfortunately, it is practically infeasible to iterate through the entire IPv6 address space, as it is 2^96 times larger than the IPv4 address space. Therefore, enumeration of active hosts prior to scanning is necessary. Without it, we will be unable to investigate the overall security of Internet-connected devices in the future. In this paper, we introduce a novel technique to enumerate an active part of the IPv6 address space by walking DNSSEC-signed IPv6 reverse zones. Subsequently, by scanning the enumerated addresses, we uncover significant security problems: the exposure of sensitive data, and incorrectly controlled access to hosts, such as access to routing infrastructure via administrative interfaces, all of which were accessible via IPv6. Furthermore, from our analysis of the differences between accessing dual-stack hosts via IPv6 and IPv4, we hypothesize that the root cause is that machines automatically and by default take on globally routable IPv6 addresses. This is a practice that the affected system administrators appear unaware of, as the respective services are almost always properly protected from unauthorized access via IPv4. Our findings indicate (i) that enumerating active IPv6 hosts is practical without a preferential network position contrary to common belief, (ii) that the security of active IPv6 hosts is currently still lagging behind the security state of IPv4 hosts, and (iii) that unintended IPv6 connectivity is a major security issue for unaware system administrators.

Published

2018

35. In rDNS We Trust: Revisiting a Common Data-Source’s Reliability

Author

Christopher Kruegel, Anja Feldmann, Shuang Hao, Giovanni Vigna, Kevin Borgolte, and Tobias Fiebig

Subjects

Data source, Data collection, computer.internet_protocol, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Data science, IPv4, IPv6, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Internet measurement, computer, Reliability (statistics)

Abstract

Reverse DNS (rDNS) is regularly used as a data source in Internet measurement research. However, existing work is polarized on its reliability, and new techniques to collect active IPv6 datasets have not yet been sufficiently evaluated. In this paper, we investigate active and passive data collection and practical use aspects of rDNS datasets. We observe that the share of non-authoritatively answerable IPv4 rDNS queries reduced since earlier studies and IPv6 rDNS has less non-authoritatively answerable queries than IPv4 rDNS. Furthermore, we compare passively collected datasets with actively collected ones, and we show that they enable observing the same effects in rDNS data. While highlighting opportunities for future research, we find no immediate challenges to the use of rDNS as active and passive data-source for Internet measurement research.

Published

2018

36. Erratum to: In rDNS We Trust: Revisiting a Common Data-Source’s Reliability

Author

Giovanni Vigna, Kevin Borgolte, Christopher Kruegel, Tobias Fiebig, Shuang Hao, and Anja Feldmann

Subjects

060201 languages & linguistics, Data source, Computer science, 0602 languages and literature, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 06 humanities and the arts, 02 engineering and technology, Reliability (statistics), Reliability engineering

Published

2018

37. MineSweeper - An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense

Author

Martina Lindorfer, Radhesh Krishnan Konoth, Christopher Kruegel, Herbert Bos, Veelasha Moonsamy, Emanuele Vineti, Giovanni Vigna, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Cryptocurrency, SDG 16 - Peace, Computer science, 02 engineering and technology, computer.software_genre, JavaScript, Computer security, Malware, Mining, Obfuscation, 0202 electrical engineering, electronic engineering, information engineering, Blacklisting, Code (cryptography), computer.programming_language, Drive-by attacks, SDG 16 - Peace, Justice and Strong Institutions, 020206 networking & telecommunications, Justice and Strong Institutions, Obfuscation (software), 020201 artificial intelligence & image processing, Profitability index, Cryptojacking, computer

Abstract

A wave of alternative coins that can be effectively mined without specialized hardware, and a surge in cryptocurrencies’ market value has led to the development of cryptocurrency mining (cryptomining) services, such as Coinhive, which can be easily integrated into websites to monetize the computational power of their visitors. While legitimate website operators are exploring these services as an alternative to advertisements, they have also drawn the attention of cybercriminals: drive-by mining (also known as cryptojacking) is a new web-based attack, in which an infected website secretly executes JavaScript code and/or a WebAssembly module in the user’s browser to mine cryptocurrencies without her consent. In this paper, we perform a comprehensive analysis on Alexa’s Top 1 Million websites to shed light on the prevalence and profitability of this attack. We study the websites affected by drive-by mining to understand the techniques being used to evade detection, and the latest web technologies being exploited to efficiently mine cryptocurrency. As a result of our study, which covers 28 Coinhive-like services that are widely being used by drive-by mining websites, we identified 20 active cryptomining campaigns. Motivated by our findings, we investigate possible countermeasures against this type of attack. We discuss how current blacklisting approaches and heuristics based on CPU usage are insufficient, and present MineSweeper, a novel detection technique that is based on the intrinsic characteristics of cryptomining code, and, thus, is resilient to obfuscation. Our approach could be integrated into browsers to warn users about silent cryptomining when visiting websites that do not ask for their consent.

Published

2018

38. Piston

Author

Christopher Kruegel, Christopher Salls, Yan Shoshitaishvili, Nick Stephens, and Giovanni Vigna

Subjects

Downtime, Exploit, business.industry, Computer science, Distributed computing, Control (management), Process (computing), 020207 software engineering, 02 engineering and technology, law.invention, Piston, Software, law, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Binary code, business

Abstract

While software is now being developed with more sophisticated tools, its complexity has increased considerably, and, as a consequence new vulnerabilities are discovered every day. To address the constant flow of vulnerabilities being identified, patches are frequently being pushed to consumers. Patches, however, often involve having to shutdown services in order to be applied, which can result in expensive downtime. To solve this problem, various hot-patching systems have been devised to patch systems without the need for restarting. These systems often require either the cooperation of the system or the process they are patching. This still leaves out a considerable amount of systems, most notably embedded devices, which remain unable to be hot-patched. We present Piston, a generic system for the remote hot-patching of uninterruptible software that operates without the system's cooperation. Piston achieves this by using an exploit to take control of the remote process and modify its code on-the-fly. Piston works directly on binary code and is capable of automatically counter-acting the destructive effects on memory that might be the result of the exploitation.

Published

2017

39. Exploitation and Mitigation of Authentication Schemes Based on Device-Public Information

Author

Giovanni Vigna, Antonio Bianchi, Eric Gustafson, Yanick Fratantonio, and Christopher Kruegel

Subjects

Authentication, Public information, Virtual goods, business.industry, Computer science, Vulnerability, 020207 software engineering, Usability, 0102 computer and information sciences, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, 010201 computation theory & mathematics, Phone, 0202 electrical engineering, electronic engineering, information engineering, Android (operating system), business, Private information retrieval, computer

Abstract

Today's mobile applications increasingly rely on communication with a remote backend service to perform many critical functions, including handling user-specific information. This implies that some form of authentication should be used to associate a user with their actions and data. Since schemes involving tedious account creation procedures can represent "friction" for users, many applications are moving toward alternative solutions, some of which, while increasing usability, sacrifice security. This paper focuses on a new trend of authentication schemes based on what we call "device-public" information, which consists of properties and data that any application running on a device can obtain. While these schemes are convenient to users, since they require little to no interaction, they are vulnerable by design, since all the needed information to authenticate a user is available to any app installed on the device. An attacker with a malicious app on a user's device could easily hijack the user's account, steal private information, send (and receive) messages on behalf of the user, or steal valuable virtual goods. To demonstrate how easily these vulnerabilities can be weaponized, we developed a generic exploitation technique that first mines all relevant data from a victim's phone, and then transfers and injects them into an attacker's phone to fool apps into granting access to the victim's account. Moreover, we developed a dynamic analysis detection system to automatically highlight problematic apps. Using our tool, we analyzed 1,000 popular applications and found that 41 of them, including the popular messaging apps WhatsApp and Viber, were vulnerable. Finally, our work proposes solutions to this issue, based on modifications to the Android API.

Published

2017

40. Evaluating Cybersecurity Education Interventions: Three Case Studies

Author

Jelena Mirkovic, Melissa Dark, Tamara Denning, Giovanni Vigna, and Wenliang Du

Subjects

Computer Networks and Communications, Computer science, Intervention (counseling), ComputingMilieux_COMPUTERSANDEDUCATION, Psychological intervention, Electrical and Electronic Engineering, Computer security, computer.software_genre, Investment (macroeconomics), Law, computer

Abstract

The authors collaborate with cybersecurity faculty members from different universities to apply a five-step approach in designing an evaluation for education interventions. The goals of this exercise were to show how to design an evaluation for a real intervention from beginning to end, to highlight the common intervention goals and propose suitable evaluation instruments, and to discuss the expected investment of time and effort in preparing and performing the education evaluations.

Published

2015

41. Portrait of a Privacy Invasion

Author

Christopher Kruegel, Giovanni Vigna, and Yan Shoshitaishvili

Subjects

Portrait, business.industry, Computer science, Internet privacy, General Earth and Planetary Sciences, Information technology, business, General Environmental Science

Abstract

The popularity of online social networks has changed the way in which we share personal thoughts, political views, and pictures. Pictures have a particularly important role in the privacy of users, as they can convey substantial information (e.g., a person was attending an event, or has met with another person). Moreover, because of the nature of social networks, it has become increasingly difficult to control who has access to which content. Therefore, when a substantial amount of pictures are accessible to one party, there is a very serious potential for violations of the privacy of users. In this paper, we demonstrate a novel technique that, given a large corpus of pictures shared on a social network, automatically determines who is dating whom, with reasonable precision. More specifically, our approach combines facial recognition, spatial analysis, and machine learning techniques to determine pairs that are dating. To the best of our knowledge, this is the first privacy attack of this kind performed on social networks. We implemented our approach in a tool, called Creepic, and evaluated it on two real-world datasets. The results show that it is possible to automatically extract non-obvious, and nondisclosed, relationships between people represented in a group of pictures, even when the people involved are not directly part of a connected social clique.

Published

2015

42. Rise of the HaCRS

Author

Yan Shoshitaishvili, Lukas Dresel, Giovanni Vigna, Michael Weissbacher, Christopher Salls, Christopher Kruegel, and Ruoyu Wang

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, business.industry, Computer science, Process (engineering), Computer Science - Human-Computer Interaction, 020207 software engineering, 02 engineering and technology, Fuzz testing, Computer security, computer.software_genre, Automation, Data science, Human-Computer Interaction (cs.HC), Software, Software security assurance, Vulnerability assessment, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Software system, business, Cryptography and Security (cs.CR), computer

Abstract

Software permeates every aspect of our world, from our homes to the infrastructure that provides mission-critical services. As the size and complexity of software systems increase, the number and sophistication of software security flaws increase as well. The analysis of these flaws began as a manual approach, but it soon became apparent that a manual approach alone cannot scale, and that tools were necessary to assist human experts in this task, resulting in a number of techniques and approaches that automated certain aspects of the vulnerability analysis process. Recently, DARPA carried out the Cyber Grand Challenge, a competition among autonomous vulnerability analysis systems designed to push the tool-assisted human-centered paradigm into the territory of complete automation, with the hope that, by removing the human factor, the analysis would be able to scale to new heights. However, when the autonomous systems were pitted against human experts it became clear that certain tasks, albeit simple, could not be carried out by an autonomous system, as they require an understanding of the logic of the application under analysis. Based on this observation, we propose a shift in the vulnerability analysis paradigm, from tool-assisted human-centered to human-assisted tool-centered. In this paradigm, the automated system orchestrates the vulnerability analysis process, and leverages humans (with different levels of expertise) to perform well-defined sub-tasks, whose results are integrated in the analysis. As a result, it is possible to scale the analysis to a larger number of programs, and, at the same time, optimize the use of expensive human resources. In this paper, we detail our design for a human-assisted automated vulnerability analysis system, describe its implementation atop an open-sourced autonomous vulnerability analysis system that participated in the Cyber Grand Challenge, and evaluate and discuss the significant improvements that non-expert human assistance can offer to automated analysis approaches.

Published

2017

43. DIFUZE

Author

Giovanni Vigna, Christopher Salls, Christopher Kruegel, Yan Shoshitaishvili, Jake Corina, Shuang Hao, and Aravind Machiry

Subjects

sysfs, business.industry, Computer science, 020207 software engineering, 02 engineering and technology, Fuzz testing, Static analysis, Kernel (image processing), 020204 information systems, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, Android (operating system), business, Mobile device, Arbitrary code execution

Abstract

Device drivers are an essential part in modern Unix-like systems to handle operations on physical devices, from hard disks and printers to digital cameras and Bluetooth speakers. The surge of new hardware, particularly on mobile devices, introduces an explosive growth of device drivers in system kernels. Many such drivers are provided by third-party developers, which are susceptible to security vulnerabilities and lack proper vetting. Unfortunately, the complex input data structures for device drivers render traditional analysis tools, such as fuzz testing, less effective, and so far, research on kernel driver security is comparatively sparse. In this paper, we present DIFUZE, an interface-aware fuzzing tool to automatically generate valid inputs and trigger the execution of the kernel drivers. We leverage static analysis to compose correctly-structured input in the userspace to explore kernel drivers. DIFUZE is fully automatic, ranging from identifying driver handlers, to mapping to device file names, to constructing complex argument instances. We evaluate our approach on seven modern Android smartphones. The results show that DIFUZE can effectively identify kernel driver bugs, and reports 32 previously unknown vulnerabilities, including flaws that lead to arbitrary code execution.

Published

2017

44. POISED: Spotting Twitter Spam Off the Beaten Paths

Author

Shirin Nilizadeh, Ali Zand, Gianluca Stringhini, Alireza Sedighian, José M. Fernandez, Francois Labreche, Christopher Kruegel, and Giovanni Vigna

Subjects

Social and Information Networks (cs.SI), FOS: Computer and information sciences, Computer Science - Cryptography and Security, Social network, Online Social Networks, Computer science, business.industry, Parties of Interest, Computer Science - Social and Information Networks, 02 engineering and technology, Communities of Interest, Adversarial machine learning, Spotting, Computer security, computer.software_genre, Information Diffusion, Spam Detection, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Cryptography and Security (cs.CR), computer

Abstract

Cybercriminals have found in online social networks a propitious medium to spread spam and malicious content. Existing techniques for detecting spam include predicting the trustworthiness of accounts and analyzing the content of these messages. However, advanced attackers can still successfully evade these defences. Online social networks bring people who have personal connections or share common interests to form communities. In this paper, we first show that users within a networked community share some topics of interest. Moreover, content shared on these social networks tend to propagate according to the interests of people. Dissemination paths may emerge where some communities post similar messages, based on the interests of those communities. Spam and other malicious content, on the other hand, follow different spreading patterns. In this paper, we follow this insight and present POISED, a system that leverages the differences in propagation between benign and malicious messages on social networks to identify spam and other unwanted content. We test our system on a dataset of 1.3M tweets collected from 64K users, and we show that our approach is effective in detecting malicious messages, reaching 91% precision and 93% recall. We also show that POISED’s detection is more comprehensive than previous systems, by comparing it to three state-of-the-art spam detection systems that have been proposed by the research community in the past. POISED significantly outperforms each of these systems. Moreover, through simulations, we show how POISED is effective in the early detection of spam messages and how it is resilient against two well-known adversarial machine learning attacks.

Published

2017

45. How Shall We Play a Game?: A Game-theoretical Model for Cyber-warfare Games

Author

Giovanni Vigna, Yan Shoshitaishvili, Christopher Kruegel, Tiffany Bao, David Brumley, and Ruoyu Wang

Subjects

021110 strategic, defence & security studies, Computer science, Process (engineering), Management science, 0211 other engineering and technologies, 02 engineering and technology, 010501 environmental sciences, 01 natural sciences, Bottleneck, Strategy development, Cyberwarfare, symbols.namesake, Work (electrical), Order (exchange), Human–computer interaction, Nash equilibrium, symbols, Game theory, 0105 earth and related environmental sciences

Abstract

Automated techniques and tools for finding, exploiting and patching vulnerabilities are maturing. In order to achieve an end goal such as winning a cyber-battle, these techniques and tools must be wielded strategically. Currently, strategy development in cyber - even with automated tools - is done manually, and is a bottleneck in practice. In this paper, we apply game theory toward the augmentation of the human decision-making process.,,Our work makes two novel contributions. First, previous work is limited by strong assumptions regarding the number of actors, actions, and choices in cyber-warfare. We develop a novel model of cyber-warfare that is more comprehensive than previous work, removing these limitations in the process. Second, we present an algorithm for calculating the optimal strategy of the players in our model. We show that our model is capable of finding better solutions than previous work within seconds, making computer-time strategic reasoning a reality. We also provide new insights, compared to previous models, on the impact of optimal strategies.

Published

2017

46. Gossip

Author

Giovanni Vigna, Yong Fang, Cheng Huang, Christopher Kruegel, Jiayong Liu, Shuang Hao, and Luca Invernizzi

Subjects

Honeypot, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, computer.software_genre, Computer security, World Wide Web, Cybercrime, Trojan, Gossip, Server, 0202 electrical engineering, electronic engineering, information engineering, Blacklisting, Malware, 020201 artificial intelligence & image processing, The Internet, Mailing list, business, computer

Abstract

Domain names play a critical role in cybercrime, because they identify hosts that serve malicious content (such as malware, Trojan binaries, or malicious scripts), operate as command-and-control servers, or carry out some other role in the malicious network infrastructure. To defend against Internet attacks and scams, operators widely use blacklisting to detect and block malicious domain names and IP addresses. Existing blacklists are typically generated by crawling suspicious domains, manually or automatically analyzing malware, and collecting information from honeypots and intrusion detection systems. Unfortunately, such blacklists are difficult to maintain and are often slow to respond to new attacks. Security experts set up and join mailing lists to discuss and share intelligence information, which provides a better chance to identify emerging malicious activities. In this paper, we design Gossip, a novel approach to automatically detect malicious domains based on the analysis of discussions in technical mailing lists (particularly on security-related topics) by using natural language processing and machine learning techniques. We identify a set of effective features extracted from email threads, users participating in the discussions, and content keywords, to infer malicious domains from mailing lists, without the need to actually crawl the suspect websites. Our result shows that Gossip achieves high detection accuracy. Moreover, the detection from our system is often days or weeks earlier than existing public blacklists.

Published

2017

47. Ramblr: Making Reassembly Great Again

Author

Christopher Kruegel, Ruoyu Wang, Aravind Machiry, Yan Shoshitaishvili, Giovanni Vigna, Paul Grosen, John Grosen, and Antonio Bianchi

Subjects

Computer science, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 020207 software engineering, 02 engineering and technology, Data science

Published

2017

48. BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments

Author

Christopher Salls, Giovanni Vigna, Chad Spensky, Eric Gustafson, Yung Ryn Choe, Ruoyu Wang, Christopher Kruegel, Antonio Bianchi, Aravind Machiry, and Nick Stephens

Subjects

World Wide Web, 021110 strategic, defence & security studies, Computer science, 020204 information systems, 0211 other engineering and technologies, 0202 electrical engineering, electronic engineering, information engineering, 02 engineering and technology, Semantic gap

Published

2017

49. Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis

Author

Giovanni Vigna, Martina Lindorfer, Andrea Continella, Alessandro Puccetti, Christopher Kruegel, Ali Zand, Yanick Fratantonio, and Services, Cybersecurity & Safety

Subjects

021110 strategic, defence & security studies, Traffic analysis, Cybersecurity, Computer science, business.industry, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, Encryption, Identifier, Data flow diagram, Obfuscation, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Timestamp, Android (operating system), business, computer, Private information retrieval

Abstract

Mobile apps are notorious for collecting a wealth of private information from users. Despite significant effort from the research community in developing privacy leak detection tools based on data flow tracking inside the app or through network traffic analysis, it is still unclear whether apps and ad libraries can hide the fact that they are leaking private information. In fact, all existing analysis tools have limitations: data flow tracking suffers from imprecisions that cause false positives, as well as false negatives when the data flow from a source of private information to a network sink is interrupted; on the other hand, network traffic analysis cannot handle encryption or custom encoding. We propose a new approach to privacy leak detection that is not affected by such limitations, and it is also resilient to obfuscation techniques, such as encoding, formatting, encryption, or any other kind of transformation performed on private information before it is leaked. Our work is based on blackbox differential analysis, and it works in two steps: first, it establishes a baseline of the network behavior of an app; then, it modifies sources of private information, such as the device ID and location, and detects leaks by observing deviations in the resulting network traffic. The basic concept of black-box differential analysis is not novel, but, unfortunately, it is not practical enough to precisely analyze modern mobile apps. In fact, their network traffic contains many sources of non-determinism, such as random identifiers, timestamps, and server-assigned session identifiers, which, when not handled properly, cause too much noise to correlate output changes with input changes. The main contribution of this work is to make black-box differential analysis practical when applied to modern Android apps. In particular, we show that the network-based non-determinism can often be explained and eliminated, and it is thus possible to reliably use variations in the network traffic as a strong signal to detect privacy leaks. We implemented this approach in a tool, called Agrigento, and we evaluated it on more than one thousand Android apps. Our evaluation shows that our approach works well in practice and outperforms current state-of-the-art techniques. We conclude our study by discussing several case studies that show how popular apps and ad libraries currently exfiltrate data by using complex combinations of encoding and encryption mechanisms that other approaches fail to detect. Our results show that these apps and libraries seem to deliberately hide their data leaks from current approaches and clearly demonstrate the need for an obfuscation-resilient approach such as ours.

Published

2017

50. On the Workings and Current Practices of Web-Based Device Fingerprinting

Author

Nick Nikiforakis, Wouter Joosen, Christopher Kruegel, Giovanni Vigna, Alexandros Kapravelos, and Frank Piessens

Subjects

World Wide Web, Do Not Track, Identifier, Measure (data warehouse), Computer Networks and Communications, Computer science, business.industry, Code (cryptography), Web application, Electrical and Electronic Engineering, business, Law

Abstract

By analyzing the code of three popular browser-fingerprinting code providers, the authors reveal the techniques that allow websites to track users without client-side identifiers. They expose questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plug-ins. In addition, they measure the adoption of fingerprinting on the Web and evaluate user-agent-spoofing browser extensions, showing that current commercial approaches can bypass the extensions and take advantage of their shortcomings.

Published

2014