Visible to the public Biblio

Filters: Keyword is Unix  [Clear All Filters]
2020-08-14
Walla, Sebastian, Rossow, Christian.  2019.  MALPITY: Automatic Identification and Exploitation of Tarpit Vulnerabilities in Malware. 2019 IEEE European Symposium on Security and Privacy (EuroS P). :590—605.
Law enforcement agencies regularly take down botnets as the ultimate defense against global malware operations. By arresting malware authors, and simultaneously infiltrating or shutting down a botnet's network infrastructures (such as C2 servers), defenders stop global threats and mitigate pending infections. In this paper, we propose malware tarpits, an orthogonal defense that does not require seizing botnet infrastructures, and at the same time can also be used to slow down malware spreading and infiltrate its monetization techniques. A tarpit is a network service that causes a client to stay busy with a network operation. Our work aims to automatically identify network operations used by malware that will block the malware either forever or for a significant amount of time. We describe how to non-intrusively exploit such tarpit vulnerabilities in malware to slow down or, ideally, even stop malware. Using dynamic malware analysis, we monitor how malware interacts with the POSIX and Winsock socket APIs. From this, we infer network operations that would have blocked when provided certain network inputs. We augment this vulnerability search with an automated generation of tarpits that exploit the identified vulnerabilities. We apply our prototype MALPITY on six popular malware families and discover 12 previously-unknown tarpit vulnerabilities, revealing that all families are susceptible to our defense. We demonstrate how to, e.g., halt Pushdo's DGA-based C2 communication, hinder SalityP2P peers from receiving commands or updates, and stop Bashlite's spreading engine.
2020-03-23
Hyunki-Kim, Jinhyeok-Oh, Changuk-Jang, Okyeon-Yi, Juhong-Han, Hansaem-Wi, Chanil-Park.  2019.  Analysis of the Noise Source Entropy Used in OpenSSL’s Random Number Generation Mechanism. 2019 International Conference on Information and Communication Technology Convergence (ICTC). :59–62.
OpenSSL is an open source library that implements the Secure Socket Layer (SSL), a security protocol used by the TCP/IP layer. All cryptographic systems require random number generation for many reasons, such as cryptographic key generation and protocol challenge/response, OpenSSL is also the same. OpenSSL can be run on a variety of operating systems. especially when generating random numbers on Unix-like operating systems, it can use /dev /(u)random [6], as a seed to add randomness. In this paper, we analyze the process provided by OpenSSL when random number generation is required. We also provide considerations for application developers and OpenSSL users to use /dev/urandom and real-time clock (nanoseconds of timespec structure) as a seed to generate cryptographic random numbers in the Unix family.
2019-03-18
Condé, R. C. R., Maziero, C. A., Will, N. C..  2018.  Using Intel SGX to Protect Authentication Credentials in an Untrusted Operating System. 2018 IEEE Symposium on Computers and Communications (ISCC). :00158–00163.
An important principle in computational security is to reduce the attack surface, by maintaining the Trusted Computing Base (TCB) small. Even so, no security technique ensures full protection against any adversary. Thus, sensitive applications should be designed with several layers of protection so that, even if a layer might be violated, sensitive content will not be compromised. In 2015, Intel released the Software Guard Extensions (SGX) technology in its processors. This mechanism allows applications to allocate enclaves, which are private memory regions that can hold code and data. Other applications and even privileged code, like the OS kernel and the BIOS, are not able to access enclaves' contents. This paper presents a novel password file protection scheme, which uses Intel SGX to protect authentication credentials in the PAM authentication framework, commonly used in UNIX systems. We defined and implemented an SGX-enabled version of the pam\_unix.so authentication module, called UniSGX. This module uses an SGX enclave to handle the credentials informed by the user and to check them against the password file. To add an extra security layer, the password file is stored using SGX sealing. A threat model was proposed to assess the security of the proposed solution. The obtained results show that the proposed solution is secure against the threat model considered, and that its performance overhead is acceptable from the user point of view. The scheme presented here is also suitable to other authentication frameworks.
2018-05-09
Barenghi, A., Mainardi, N., Pelosi, G..  2017.  A Security Audit of the OpenPGP Format. 2017 14th International Symposium on Pervasive Systems, Algorithms and Networks 2017 11th International Conference on Frontier of Computer Science and Technology 2017 Third International Symposium of Creative Computing (ISPAN-FCST-ISCC). :336–343.

For over two decades the OpenPGP format has provided the mainstay of email confidentiality and authenticity, and is currently being relied upon to provide authenticated package distributions in open source Unix systems. In this work, we provide the first language theoretical analysis of the OpenPGP format, classifying it as a deterministic context free language and establishing that an automatically generated parser can in principle be defined. However, we show that the number of rules required to describe it with a deterministic context free grammar is prohibitively high, and we identify security vulnerabilities in the OpenPGP format specification. We identify possible attacks aimed at tampering with messages and certificates while retaining their syntactical and semantical validity. We evaluate the effectiveness of these attacks against the two OpenPGP implementations covering the overwhelming majority of uses, i.e., the GNU Privacy Guard (GPG) and Symantec PGP. The results of the evaluation show that both implementations turn out not to be vulnerable due to conser- vative choices in dealing with malicious input data. Finally, we provide guidelines to improve the OpenPGP specification

2018-04-02
Vernotte, A., Johnson, P., Ekstedt, M., Lagerström, R..  2017.  In-Depth Modeling of the UNIX Operating System for Architectural Cyber Security Analysis. 2017 IEEE 21st International Enterprise Distributed Object Computing Workshop (EDOCW). :127–136.

ICT systems have become an integral part of business and life. At the same time, these systems have become extremely complex. In such systems exist numerous vulnerabilities waiting to be exploited by potential threat actors. pwnPr3d is a novel modelling approach that performs automated architectural analysis with the objective of measuring the cyber security of the modeled architecture. Its integrated modelling language allows users to model software and hardware components with great level of details. To illustrate this capability, we present in this paper the metamodel of UNIX, operating systems being the core of every software and every IT system. After describing the main UNIX constituents and how they have been modelled, we illustrate how the modelled OS integrates within pwnPr3d's rationale by modelling the spreading of a self-replicating malware inspired by WannaCry.

2015-05-04
Khosmood, F., Nico, P.L., Woolery, J..  2014.  User identification through command history analysis. Computational Intelligence in Cyber Security (CICS), 2014 IEEE Symposium on. :1-7.

As any veteran of the editor wars can attest, Unix users can be fiercely and irrationally attached to the commands they use and the manner in which they use them. In this work, we investigate the problem of identifying users out of a large set of candidates (25-97) through their command-line histories. Using standard algorithms and feature sets inspired by natural language authorship attribution literature, we demonstrate conclusively that individual users can be identified with a high degree of accuracy through their command-line behavior. Further, we report on the best performing feature combinations, from the many thousands that are possible, both in terms of accuracy and generality. We validate our work by experimenting on three user corpora comprising data gathered over three decades at three distinct locations. These are the Greenberg user profile corpus (168 users), Schonlau masquerading corpus (50 users) and Cal Poly command history corpus (97 users). The first two are well known corpora published in 1991 and 2001 respectively. The last is developed by the authors in a year-long study in 2014 and represents the most recent corpus of its kind. For a 50 user configuration, we find feature sets that can successfully identify users with over 90% accuracy on the Cal Poly, Greenberg and one variant of the Schonlau corpus, and over 87% on the other Schonlau variant.