
About this book

This book constitutes the refereed post-conference proceedings of the Second International Workshop on Information & Operational Technology (IT & OT) Security Systems, IOSec 2019, the First International Workshop on Model-driven Simulation and Training Environments, MSTEC 2019, and the First International Workshop on Security for Financial Critical Infrastructures and Services, FINSEC 2019, held in Luxembourg City, Luxembourg, in September 2019, in conjunction with the 24th European Symposium on Research in Computer Security, ESORICS 2019.
The IOSec Workshop received 17 submissions, from which 7 full papers were selected for presentation. They cover topics related to security architectures and frameworks for enterprises, SMEs, public administration or critical infrastructures; threat models for IT & OT systems and communication networks; cyber-threat detection, classification and profiling; incident management; security training and awareness; risk assessment, safety and security; hardware security; cryptographic engineering; secure software development; malicious code analysis; and security testing platforms.
From the MSTEC Workshop, 7 full papers out of 15 submissions are included. The selected papers focus on the verification and validation (V&V) process, which gives the operational community confidence that cyber models represent the real world, and discuss how defence training may benefit from cyber models.
The FINSEC Workshop received 8 submissions, from which 3 full papers and 1 short paper were accepted for publication. The papers reflect the objective of rethinking cyber-security in light of the latest technology developments (e.g., FinTech, cloud computing, blockchain, big data, AI, the Internet of Things (IoT), mobile-first services and mobile payments).

Table of contents

A Comprehensive Technical Survey of Contemporary Cybersecurity Products and Solutions

Abstract
As the complexity of applications and software frameworks increases, cybersecurity becomes more challenging. The potential attack surface keeps expanding, while each product has its own peculiarities and requirements, leading to tailor-made solutions per case. These are the primary reasons why security solutions are expensive, highly complex and slow to deploy. This technical survey intends to reveal the pillars of today's cybersecurity market, as well as to identify emerging trends, key players and functional aspects. Such an insight will allow all interested parties to optimize the design process of a contemporary and future-proof cybersecurity framework for end-to-end protection.
Christos Tselios, George Tsolis, Manos Athanatos

CyberSure: A Framework for Liability Based Trust

Abstract
CyberSure is a programme of collaborations and exchanges between researchers aimed at developing a framework for creating and managing cyber insurance policies for cyber systems. Creating such policies will enhance the trustworthiness of cyber systems and provide a sound basis for liability in cases of security and privacy breaches in them. The framework is supported by a platform of tools enabling integrated cyber system security risk analysis, certification and cyber insurance, based on the analysis of objective evidence gathered during the operation of such systems. CyberSure develops its cyber insurance platform by building upon and integrating state-of-the-art tools, methods and techniques. The development of the CyberSure platform is driven by certification, risk analysis and cyber insurance scenarios for cyber system pilots providing cloud and e-health services. Through these, CyberSure addresses the conditions required for offering effective cyber insurance for interoperable service chains cutting across application domains and jurisdictions, which is the central challenge the platform aims to tackle.

Deploying Fog-to-Cloud Towards a Security Architecture for Critical Infrastructure Scenarios

Abstract
Critical infrastructures (CIs) provide security and safety for people in terms of healthcare, water, electricity, industry, transportation, etc. The huge amount of data produced by CIs needs to be aggregated, filtered and stored. Cloud computing was merged into CIs to use cloud data centres as a pay-as-you-go online computing system for outsourcing data storage, filtering and aggregation services. On the other hand, CIs need real-time processing to provide sophisticated services to people. Consequently, fog computing is merged into CIs to provide services closer to the users, enabling smooth real-time decision making and processing. When both fog and cloud are considered (for example, by deploying the recently coined hierarchical fog-to-cloud, F2C, concept), new enriched features may be applied to CIs. Security in CIs is one of the most essential challenges, since any failure or attack can turn into a nation-wide disaster. Moreover, CIs also need to support quality of service (QoS) guarantees for users. Thus, balancing QoS against security is one of the main challenges for any CI infrastructure. In this paper, we illustrate the benefits of deploying an F2C system in CIs, particularly identifying specific F2C security requirements to be applied to CIs. Finally, we also introduce a decoupled security architecture specifically tailored to CIs that can bring security with reasonable QoS in terms of authentication and key distribution time delay.
Sarang Kahvazadeh, Xavi Masip-Bruin, Pau Marcer, Eva Marín-Tordera

Event-Based Remote Attacks in HTML5-Based Mobile Apps

Abstract
HTML5-based mobile apps are becoming increasingly popular as they leverage standard web technologies such as HTML5, JavaScript and CSS to save development cost. Like web apps, they are built using JavaScript frameworks (e.g. jQuery) to make mobile websites responsive, faster, etc. Attackers may trigger the events integrated into these frameworks in order to reuse sensitive APIs included in the apps. Once the internal functions are accessed successfully, serious consequences (e.g. resource access) may follow. The main advantage for the attacker is that no malicious payload needs to be injected into the app in order to access system resources. We define this vector of attacks as event-based remote attacks.
In this paper, we present a systematic study of event-based remote attacks. In addition, we introduce a static detection approach to detect vulnerable apps that can be exploited to launch such remote attacks. For the measurement, we applied the approach to a dataset of 2,536 HTML5-based mobile apps. It flagged 53 apps as vulnerable, including 45 true positives.
Phi Tuong Lau

Horizontal Attacks Against ECC: From Simulations to ASIC

Abstract
In this paper we analyse the impact of different compile options on the success rate of side channel analysis attacks. We run horizontal differential side channel attacks against simulated power traces for the same kP design synthesized using two different compile options after synthesis and after layout. As we are interested in the effect on the produced ASIC we also run the same attack against measured power traces after manufacturing the ASIC. We found that the compile_ultra option reduces the success rate significantly from 5 key candidates with a correctness of between 75 and 90% down to 3 key candidates with a maximum success rate of 72% compared to the simple compile option. Also the success rate after layout shows a very high correlation with the one obtained attacking the measured power and electromagnetic traces, i.e. the simulations are a good indicator of the resistance of the ASIC.
Ievgen Kabin, Zoya Dyka, Dan Klann, Peter Langendoerfer

Web Servers Protection Using Anomaly Detection for HTTP Requests

Abstract
Many web servers are vulnerable to HTTP attacks, and patching is not always possible, especially against 0-day exploits. We propose a solution able to learn the normal patterns in HTTP requests and to reject requests that do not match these patterns. The solution is mainly oriented towards IoT devices, which usually support a limited range of requests. Performance and energy consumption considerations prevent the use of an on-device security solution, while the firmware may be difficult to upgrade. The proposed system was able to protect the test servers by deflecting most of the incoming attacks.
Paul Sătmărean, Ciprian Oprişa
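The abstract only states that the system learns the normal patterns of HTTP requests and rejects the rest. The following is an added illustration, not code from the paper, of what such a whitelist-style learner can look like for a device with a small, fixed set of endpoints: it learns the methods, endpoints, parameter names, parameter character classes and lengths from a constructed sample of benign traffic, then rejects any request that deviates. The request lines, endpoints and thresholds (the 2x length slack) are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Character classes ordered narrowest to widest; a learned parameter keeps
# the widest class observed during training.
CLASS_ORDER = ["digits", "alnum", "other"]
CLASS_PATTERNS = {
    "digits": re.compile(r"^[0-9]+$"),
    "alnum": re.compile(r"^[A-Za-z0-9_.-]+$"),
}


def char_class(value: str) -> str:
    for name in CLASS_ORDER[:-1]:
        if CLASS_PATTERNS[name].match(value):
            return name
    return "other"


def parse_request_line(line: str):
    """Split 'METHOD /path?query HTTP/x.y' into (method, path, [(name, value), ...])."""
    method, target, _version = line.strip().split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


@dataclass
class Profile:
    methods: set = field(default_factory=set)
    # (method, path) -> {param name: (widest class seen, longest value seen)}
    params: dict = field(default_factory=dict)
    max_line_len: int = 0


def train(lines) -> Profile:
    """Build the 'normal' profile from benign request lines."""
    p = Profile()
    for line in lines:
        method, path, params = parse_request_line(line)
        p.methods.add(method)
        p.max_line_len = max(p.max_line_len, len(line))
        spec = p.params.setdefault((method, path), {})
        for name, value in params:
            cls, maxlen = spec.get(name, ("digits", 0))
            seen = char_class(value)
            if CLASS_ORDER.index(seen) > CLASS_ORDER.index(cls):
                cls = seen
            spec[name] = (cls, max(maxlen, len(value)))
    return p


def classify(p: Profile, line: str, slack: float = 2.0):
    """Return (accepted, reason). Anything not matching the learned profile is rejected."""
    if len(line) > p.max_line_len * slack:
        return False, "request longer than anything seen in training"
    try:
        method, path, params = parse_request_line(line)
    except ValueError:
        return False, "malformed request line"
    if method not in p.methods:
        return False, f"unknown method {method}"
    spec = p.params.get((method, path))
    if spec is None:
        return False, f"unknown endpoint {method} {path}"
    for name, value in params:
        if name not in spec:
            return False, f"unknown parameter {name}"
        cls, maxlen = spec[name]
        if CLASS_ORDER.index(char_class(value)) > CLASS_ORDER.index(cls):
            return False, f"parameter {name} outside learned character class {cls}"
        if len(value) > maxlen * slack:
            return False, f"parameter {name} longer than learned maximum"
    return True, "matches profile"


# Constructed sample of a small IoT device's legitimate traffic (assumption).
NORMAL_TRAFFIC = [
    "GET /status HTTP/1.1",
    "GET /api/reading?sensor=12 HTTP/1.1",
    "GET /api/reading?sensor=7 HTTP/1.1",
    "POST /api/config?name=kitchen-01 HTTP/1.1",
]
# Constructed attack traffic (assumption), one deviation per line.
SUSPECT_TRAFFIC = [
    "GET /api/reading?sensor=12%27%20OR%201%3D1 HTTP/1.1",  # injection-shaped value
    "GET /cgi-bin/../../../etc/passwd HTTP/1.1",             # unknown endpoint
    "OPTIONS /status HTTP/1.1",                              # method never seen
    "GET /status?debug=1 HTTP/1.1",                          # unexpected parameter
]


def run_demo():
    """Train on the benign sample and classify every line; returns {line: accepted}."""
    profile = train(NORMAL_TRAFFIC)
    return {line: classify(profile, line)[0] for line in NORMAL_TRAFFIC + SUSPECT_TRAFFIC}


if __name__ == "__main__":
    for line, ok in run_demo().items():
        print("ACCEPT" if ok else "REJECT", line)
```

The learned character classes are what catch the injection attempt: `sensor` was only ever numeric in training, so a decoded value containing quotes and spaces is rejected even though the endpoint and parameter name are legitimate. The trade-off, as with any positive-model filter, is that a firmware update adding a new endpoint or parameter causes rejections until the profile is retrained.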

You Shall Not Register! Detecting Privacy Leaks Across Registration Forms

Abstract
Most modern web services offer their users the ability to register via dedicated registration pages, usually so that users can access more content or privileged features. On these pages, users are typically asked to provide their names, email addresses, phone numbers and other personal information in order to create an account. As the purpose of the tracking ecosystem is to collect as much information and data about the user as possible, this kind of Personally Identifiable Information (PII) might leak to 3rd parties when users fill in registration forms. In this work, we conduct a large-scale measurement analysis of PII leakage via the registration pages of the 200,000 most popular websites. We design and implement a scalable and easily replicable methodology for detecting and filling registration forms in an automated way. Our analysis shows that a number of websites (≈5%) leak PII to 3rd-party trackers without any user consent, in a non-transparent fashion. Furthermore, we explore the techniques employed by 3rd parties to harvest user data, and we highlight the implications for user privacy.
Manolis Chatzimpyrros, Konstantinos Solomos, Sotiris Ioannidis
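The abstract does not say how leaked PII is recognised in third-party traffic, so the following is an added example, not the paper's own code, of the usual measurement technique: fill the form with known values, capture every outgoing request, and search the requests to non-first-party hosts for each value in raw, URL-encoded, base64 and hashed (MD5, SHA-1, SHA-256) form, since trackers frequently transmit hashed rather than plaintext identifiers. The PII values, host names, the captured requests and the two-label approximation of the registrable domain are all constructed assumptions; a real crawler would use the public suffix list.

```python
import base64
import hashlib
from urllib.parse import quote, quote_plus, urlsplit

HASHES = ("md5", "sha1", "sha256")


def encodings(value: str) -> dict:
    """Every form in which one PII value might travel to a tracker."""
    forms = {
        "raw": value,
        "urlencoded": quote(value, safe=""),
        "form": quote_plus(value),
        "base64": base64.b64encode(value.encode()).decode(),
    }
    for alg in HASHES:
        forms[alg] = hashlib.new(alg, value.encode()).hexdigest()
    return forms


def site(host: str) -> str:
    """Crude registrable-domain approximation: last two labels (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def find_leaks(first_party_host: str, pii: dict, requests: list) -> list:
    """Return (host, pii_field, encoding) for every PII value found in a third-party request."""
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if site(host) == site(first_party_host):
            continue  # first-party traffic: the site is entitled to its own form data
        haystack = req["url"] + "\n" + req.get("body", "")
        for field_name, value in pii.items():
            for enc, needle in encodings(value).items():
                # hex digests are case-insensitive; everything else is matched exactly
                hit = (needle.lower() in haystack.lower()) if enc in HASHES else (needle in haystack)
                if hit:
                    leaks.append((host, field_name, enc))
    return leaks


# Constructed PII used to fill the registration form (assumption).
PII = {
    "email": "alice.smith@example.org",
    "name": "Alice Smith",
    "phone": "+30 210 555 0101",
}
FIRST_PARTY = "shop.example.org"


def captured_requests() -> list:
    """Constructed stand-in for the requests a crawler would record while submitting the form."""
    email = PII["email"]
    return [
        {"url": f"https://{FIRST_PARTY}/register",
         "body": "email=alice.smith%40example.org&name=Alice+Smith&phone=%2B30+210+555+0101"},
        # tracker receiving the MD5 of the e-mail address as a 'user id'
        {"url": "https://t.tracker-cdn.net/collect?uid=" + hashlib.md5(email.encode()).hexdigest()},
        # tracker receiving the base64-encoded e-mail in a POST body
        {"url": "https://analytics.example-ads.com/ev",
         "body": "u=" + base64.b64encode(email.encode()).decode()},
        # benign third-party asset fetch carrying no PII
        {"url": "https://cdn.fonts.net/roboto.css"},
    ]


def run_demo() -> list:
    return find_leaks(FIRST_PARTY, PII, captured_requests())


if __name__ == "__main__":
    for host, field_name, enc in run_demo():
        print(f"{field_name} leaked to {host} as {enc}")
```

Matching on hashed forms is what makes the method useful against trackers: a bare string search for the e-mail address would miss both third-party requests in the constructed sample.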

A Model Driven Approach for Cyber Security Scenarios Deployment

Abstract
Cyber ranges for training in threat scenarios are nowadays in high demand, in order to improve people's ability to detect vulnerabilities and to react to cyber-threats. Among other components, scenario deployment requires a modelling language to express the (software and hardware) architecture of the underlying system, and an emulation platform.
In this paper, we exploit a model-driven engineering approach to develop a framework for cyber security scenarios deployment. We develop a domain specific language for scenarios construction, which allows the description of the architectural setting of the system under analysis, and a mechanism to deploy scenarios on the OpenStack cloud infrastructure by means of HEAT templates. On the scenario model, we also show how it is possible to detect network configuration problems and structural vulnerabilities. The presented results are part of our ongoing research work towards the definition of a training cyber range within the EU H2020 project THREAT-ARREST.
Chiara Braghin, Stelvio Cimato, Ernesto Damiani, Fulvio Frati, Lara Mauri, Elvinia Riccobene

Difficult XSS Code Patterns for Static Code Analysis Tools

Abstract
We present source code patterns that are difficult for modern static code analysis tools. Our study comprises 50 different open source projects in both a vulnerable and a fixed version for XSS vulnerabilities reported with CVE IDs over a period of seven years. We used three commercial and two open source static code analysis tools. Based on the reported vulnerabilities we discovered code patterns that appear to be difficult to classify by static analysis. The results show that code analysis tools are helpful, but still have problems with specific source code patterns. These patterns should be a focus in training for developers.
Felix Schuckert, Basel Katt, Hanno Langweg

An Open and Flexible CyberSecurity Training Laboratory in IT/OT Infrastructures

Abstract
There are significant concerns regarding the lack of proficient cybersecurity professionals with a background in both Information Technology (IT) and Operational Technology (OT). To alleviate this problem, we propose an open and flexible laboratory for experimenting with an IT/OT infrastructure and the related cybersecurity problems, such as emulating attacks and understanding how they work and how they could be identified and mitigated. We also report our experience in using the laboratory during a one-week training event with 24 students from 7 different high-schools at the mechatronics prototyping facility ProM in Rovereto (Italy).
Umberto Morelli, Lorenzo Nicolodi, Silvio Ranise

PROTECT – An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks

Abstract
Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. The approaches employed in social engineering do not differ significantly from those used in common fraud. This implies that defence mechanisms against fraud are useful to prevent social engineering as well. We tackle this problem by using and enhancing an existing online serious game that trains employees to apply defence mechanisms from social psychology. The game has shown promising tendencies towards raising awareness of social engineering in an entertaining way. Training is most effective when it is adapted to the player's context. Our contribution focuses on enhancing the game with highly configurable game settings and content, to allow adaptation to the player's context as well as integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather qualitative feedback.
Ludger Goeke, Alejandro Quintanar, Kristian Beckers, Sebastian Pape

Model-Driven Cyber Range Training: A Cyber Security Assurance Perspective

Abstract
Security demands are increasing for all types of organisations, due to the ever-closer integration of computing infrastructures and smart devices into all aspects of organisational operations. Consequently, the need for security-aware employees in every role of an organisation increases accordingly. Cyber Range training emerges as a promising solution, allowing employees to train in realistic environments and scenarios and to gain hands-on experience in security aspects of varied complexity, depending on their role and level of expertise. To that end, this work introduces a model-driven approach for Cyber Range training that facilitates the generation of tailor-made training scenarios based on a comprehensive model-based description of the organisation and its security posture. Additionally, our approach facilitates the automated deployment of such training environments, tailored to each defined scenario, through simulation and emulation means. To further highlight the usability of the proposed approach, this work also presents scenarios focusing on phishing threats, with increasing levels of complexity and difficulty.
Iason Somarakis, Michail Smyrlis, Konstantinos Fysarakis, George Spanoudakis

Towards the Insurance of Healthcare Systems

Abstract
Insurance of digital assets is becoming an important aspect nowadays, in order to reduce the investment risks of modern businesses. GDPR and other legal initiatives make this necessity even more pressing, as an organisation is now accountable for the usage of its client data. In this paper, we present a cyber insurance framework, called CyberSure. The main contribution is the runtime integration of certification, risk management and cyber insurance of cyber systems. Thus, the framework determines the current level of compliance with the acquired policies and provides early notifications of potential violations. CyberSure develops CUMULUS certification models for this purpose and, based on automated (or semi-automated) certification carried out using them, it develops ways of dynamically adjusting risk estimates, insurance policies and premiums. In particular, it considers the case of dynamic certification, based on continuous monitoring, dynamic testing and hybrid combinations of them, to adapt cyber insurance policies as the conditions of cyber system operation evolve and new data become available for adjusting to the associated risk. The applicability of the whole approach is demonstrated in the healthcare sector, by insuring an e-health software suite that is provided by an IT company to public and private hospitals in Greece. The overall approach can reduce potential security incidents and the related economic loss, as the beneficiary deploys adequate protection mechanisms whose proper operation is continually assessed, benefiting both the insured and the insurer.
George Hatzivasilis, Panos Chatziadam, Andreas Miaoudakis, Eftychia Lakka, Sotiris Ioannidis, Alessia Alessio, Michail Smyrlis, George Spanoudakis, Artsiom Yautsiukhin, Michalis Antoniou, Nikos Stathiakis

The THREAT-ARREST Cyber-Security Training Platform

Abstract
Cyber security is always a main concern for critical infrastructures and nation-wide safety and sustainability. Thus, advanced cyber ranges and security training are becoming imperative for the involved organisations. This paper presents a cyber security training platform, called THREAT-ARREST. The various platform modules can analyse an organisation's system, identify the most critical threats, and tailor a training programme to its personnel's needs. Then, different training programmes are created based on the trainee types (i.e. administrator, simple operator, etc.), providing several teaching procedures and accomplishing diverse learning goals. One of the main novelties of THREAT-ARREST is the modelling of these programmes along with the runtime monitoring, management and evaluation operations. The platform is generic. Nevertheless, its applicability in a smart energy case study is detailed.
Othonas Soultatos, Konstantinos Fysarakis, George Spanoudakis, Hristo Koshutanski, Ernesto Damiani, Kristian Beckers, Dirk Wortmann, George Bravos, Menelaos Ioannidis

dAPTaset: A Comprehensive Mapping of APT-Related Data

Abstract
Advanced Persistent Threats (APTs) are the most challenging adversaries for financial companies and critical infrastructures. Many open source platforms present various information about APTs, but they do not fully cover all edges of the diamond model, nor can they easily be used for research purposes. For this reason, we propose dAPTaset, a database that collects data related to APTs from existing public sources through a semi-automatic methodology and produces an exhaustive dataset.
Giuseppe Laurenza, Riccardo Lazzeretti

Blockchain Based Sharing of Security Information for Critical Infrastructures of the Finance Sector

Abstract
Recent security incidents in the finance sector have demonstrated the importance of sharing security information across financial institutions, as a means of mitigating risks and boosting the early preparedness against relevant attacks. However, financial institutions are in several cases reluctant to share security information beyond what is imposed by applicable regulations. In this paper, we introduce a blockchain-based solution for sharing security information in a decentralized way, which boosts security and trust in the information sharing process. We also illustrate how the information that is shared across financial institutions can serve as a basis for collaborative security services such as risk assessment.
Ioannis Karagiannis, Konstantinos Mavrogiannis, John Soldatos, Dimitris Drakoulis, Ernesto Troiano, Ariana Polyviou

Bunkers: Jail Application Level Firewall for the Mitigation and Identification of Service Takeover Attacks on HardenedBSD

Abstract
Jails are a lightweight operating-system-based virtualization framework that allows safe delegation of subsets of a FreeBSD operating system to guest root users. HardenedBSD is a security-enhanced fork of FreeBSD with Jail capabilities. In this paper we introduce Bunkers for bank IT infrastructure security. Bunkers are security-enhanced HardenedBSD jails with only UNIX domain sockets enabled, refusing all other types of socket creation, including networking sockets. Bunkers also filter the execve() system call inside the jail and only allow bit-exact validated binaries from a global whitelist to be loaded and executed. The main objectives are to prevent elevation-of-privilege attacks and to isolate remote payloads and exploits from their source of origin. Bunkers detect, log, monitor and prevent all attempts to use network communications or unwanted binaries by confining all internal processes to UNIX domain sockets and filtering the execve() system call. Two use cases are presented for isolating the ClamAV antivirus engine and all the necessary compressed-file unpackers into HardenedBSD Bunkers: e-mail security in a store-and-forward system and a real mail server, and web browsing security through the Squid proxy. Extensive benchmarks show that in both cases, for store-and-forward systems and for timely content delivery web systems, the impact of the Bunker kernel module is comparable to the rival approach Integriforce or to regular Jails. More importantly, enforcing UNIX domain sockets for internal communication provides faster and safer inter-process communication, between service processes and between Jails. The bit-exact execve() firewall adds a consistent 13%–19% of computation regardless of the type of service protected (web application firewall, SQL database). For the utmost security of mission-critical services we consider these results to be adequate.
Alin Anton, Răzvan Cioargă
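The Bunker policy described above is enforced by a kernel module, which the abstract does not show. As an added illustration, not the authors' code, the following user-space model expresses the two rules in the simplest possible terms: socket creation is allowed only for AF_UNIX, and a binary may be executed only if the SHA-256 of its complete contents is on the allow-list, so the decision depends on the bytes, not on the path name. The hash algorithm, the stand-in "binaries" (a few bytes written to a temporary directory) and the log format are assumptions made for the example.

```python
import hashlib
import socket
import tempfile
from pathlib import Path

AF_UNIX = getattr(socket, "AF_UNIX", 1)   # fallback value for platforms without AF_UNIX
AF_INET = socket.AF_INET


def sha256_of(path) -> str:
    """Digest of the whole file: a single changed byte yields a different value."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


class Bunker:
    """User-space model of the Bunker rules (assumption: the real module decides in-kernel)."""

    def __init__(self, allowed_digests):
        self.allowed = set(allowed_digests)
        self.log = []  # (syscall, subject, verdict)

    def check_socket(self, family) -> bool:
        """Only UNIX domain sockets may be created; every other family is denied and logged."""
        ok = family == AF_UNIX
        self.log.append(("socket", int(family), "allow" if ok else "deny"))
        return ok

    def check_execve(self, path) -> bool:
        """Execution is allowed only for bit-exact matches against the allow-list."""
        ok = sha256_of(path) in self.allowed
        self.log.append(("execve", Path(path).name, "allow" if ok else "deny"))
        return ok


def run_demo() -> dict:
    """Exercise the policy against a trusted binary, a renamed copy, and a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        payload = b"\x7fELF constructed stand-in for a trusted unpacker"  # constructed, not a real binary
        trusted = Path(d, "unpacker")
        trusted.write_bytes(payload)
        renamed = Path(d, "unpacker-renamed")     # same bytes, different name
        renamed.write_bytes(payload)
        tampered = Path(d, "unpacker")             # same name as trusted, one byte appended
        tampered.write_bytes(payload + b"\x00")

        # The allow-list is built from the known-good bytes before the tampering happens.
        bunker = Bunker([hashlib.sha256(payload).hexdigest()])
        results = {
            "exec_renamed_copy": bunker.check_execve(renamed),   # allowed: bit-exact
            "exec_tampered": bunker.check_execve(tampered),      # denied: hash differs
            "unix_socket": bunker.check_socket(AF_UNIX),
            "inet_socket": bunker.check_socket(AF_INET),
        }
        results["denied_events"] = [e for e in bunker.log if e[2] == "deny"]
        return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two properties of the real design are visible in the model: a whitelist keyed on content rather than path is immune to an attacker dropping a modified file at a trusted location, and every denial is recorded, which is what turns the jail into a detection point rather than only a containment boundary. What a user-space model cannot give is atomicity: in-kernel enforcement hashes the image that execve() actually maps, whereas a hash-then-exec sequence in user space leaves a time-of-check/time-of-use window.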

A Language-Based Approach to Prevent DDoS Attacks in Distributed Financial Agent Systems

Abstract
Denial of Service (DoS) and Distributed DoS (DDoS) attacks, with even higher severity, are among the major security threats for distributed systems, and in particular in the financial sector where trust is essential.
In this paper, our aim is to develop an additional layer of defense in distributed agent systems to combat such threats. We consider a high-level object-oriented modeling framework for distributed systems, based on the actor model with support of asynchronous and synchronous method interaction and futures, which are sophisticated and popular communication mechanisms applied in many systems today. Our approach uses static detection to identify and prevent potential vulnerabilities caused by asynchronous communication including call-based DoS or DDoS attacks, possibly involving a large number of distributed actors.
Elahe Fazeldehkordi, Olaf Owe, Toktam Ramezanifarkhani

Backmatter
