Skip to main content

Über dieses Buch

This book constitutes the refereed proceedings of the 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2017, held in Bonn, Germany, in July 2017.

The 18 revised full papers included in this book were carefully reviewed and selected from 67 submissions. They present topics such as enclaves and isolation; malware analysis; cyber-physical systems; detection and protection; code analysis; and web security.



Enclaves and Isolation


Malware Guard Extension: Using SGX to Conceal Cache Attacks

In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers.
In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces.
Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, Stefan Mangard

On the Trade-Offs in Oblivious Execution Techniques

To enable privacy-preserving computation on encrypted data, a class of techniques for input-oblivious execution have surfaced. The property of input-oblivious execution guarantees that an adversary observing the interaction of a program with the underlying system learns nothing about the sensitive input. To highlight the importance of oblivious execution, we demonstrate a concrete practical attack—called a logic-reuse attack—that leaks every byte of encrypted input if oblivious techniques are not used. Next, we study the efficacy of oblivious execution techniques and understand their limitations from a practical perspective. We manually transform 30 common Linux utilities by applying known oblivious execution techniques. As a positive result, we show that 6 utilities perform input-oblivious execution without modification, 11 utilities can be transformed with O(1) performance overhead and 11 other show O(N) overhead. As a negative result, we show that theoretical limitations of oblivious execution techniques do manifest in 2 real applications in our case studies incurring a performance cost of \(O(2^N)\) over non-oblivious execution.
Shruti Tople, Prateek Saxena

MemPatrol: Reliable Sideline Integrity Monitoring for High-Performance Systems

Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a high-performance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.
Myoung Jin Nam, Wonhong Nam, Jin-Young Choi, Periklis Akritidis

Malware Analysis


Measuring and Defeating Anti-Instrumentation-Equipped Malware

Malware authors constantly develop new techniques in order to evade analysis systems. Previous works addressed attempts to evade analysis by means of anti-sandboxing and anti-virtualization techniques, for example proposing to run samples on bare-metal. However, state-of-the-art bare-metal tools fail to provide richness and completeness in the results of the analysis. In this context, Dynamic Binary Instrumentation (DBI) tools have become popular in the analysis of new malware samples because of the deep control they guarantee over the instrumented binary. As a consequence, malware authors developed new techniques, called anti-instrumentation, aimed at detecting if a sample is being instrumented. We propose a practical approach to make DBI frameworks more stealthy and resilient against anti-instrumentation attacks. We studied the common techniques used by malware to detect the presence of a DBI tool, and we proposed a set of countermeasures to address them. We implemented our approach in Arancino, on top of the Intel Pin framework. Armed with it, we perform the first large-scale measurement of the anti-instrumentation techniques employed by modern malware. Finally, we leveraged our tool to implement a generic unpacker, showing some case studies of the anti-instrumentation techniques used by known packers.
Mario Polino, Andrea Continella, Sebastiano Mariani, Stefano D’Alessio, Lorenzo Fontana, Fabio Gritti, Stefano Zanero

DynODet: Detecting Dynamic Obfuscation in Malware

Malicious software, better known as malware, is a major threat to society. Malware today typically employ a technique called obfuscation. Obfuscation detection in malware is a well-documented problem and has been analyzed using dynamic analysis. However, many tools that detect obfuscation in malware make no attempts to use the presence of obfuscation as a method of detecting malware because their schemes would also detect benign applications. We present three main contributions. First, we conduct a unique study into the prevalence of obfuscation in benign applications. Second, we create discriminating features that can distinguish obfuscation in benign applications versus malware. Third, we prove that using the presence of obfuscation can detect previously hard-to-detect malware. Our results show that for our set of programs, we are able to reduce the number of malware missed by five market-leading AV tools by 25% while only falsely detecting 2.45% of tested benign applications.
Danny Kim, Amir Majlesi-Kupaei, Julien Roy, Kapil Anand, Khaled ElWazeer, Daniel Buettner, Rajeev Barua

Finding the Needle: A Study of the PE32 Rich Header and Respective Malware Triage

Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and outright removal of information contained in samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32), a data structure used by the Windows OS to handle executable code, contains hidden information that can provide a security analyst with an upper hand. In this paper, we perform the first accurate assessment of the hidden PE32 field known as the Rich Header and describe how to extract the data that it clandestinely contains. We study 964,816 malware samples and demonstrate how the information contained in the Rich Header can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. We first show how to quickly identify post-modified and obfuscated binaries through anomalies in the header. Next, we exhibit the Rich Header’s utility in triage by presenting a proof of concept similarity matching algorithm which is solely based on the contents of the Rich Header. With our algorithm we demonstrate how the contents of the Rich Header can be used to identify similar malware, different versions of malware, and when malware has been built under different build environment; revealing potentially distinct actors. Furthermore, we are able to perform these operations in near real-time, less than 6.73 ms on commodity hardware across our studied samples. In conclusion, we establish that this little-studied header in the PE32 format is a valuable asset for security analysts and has a breadth of future potential.
George D. Webster, Bojan Kolosnjaji, Christian von Pentz, Julian Kirsch, Zachary D. Hanif, Apostolis Zarras, Claudia Eckert

Cyber-physical Systems


Last Line of Defense: A Novel IDS Approach Against Advanced Threats in Industrial Control Systems

Industrial control systems are becoming increasingly interconnected, and with it their vulnerability to malicious actors. While intrusion detection systems are suited to detect network-based attacks, they remain unable to detect more sophisticated attacks against control systems, for example a compromise of the PLCs. This paper makes the case that the evolving landscape of threats such as the Stuxnet malware requires an alternative approach to intrusion detection in industrial control systems. We argue that effective control of such advanced threats needs to happen in the last link of the control network, hence building a last line of defense. A proof of concept of this new paradigm was implemented for the control system of a dredging vessel, and we describe main lessons learned and pose open research questions we find based on these experiences for ICS intrusion detection.
Mark Luchs, Christian Doerr

LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED

In this paper we present a method that allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today’s desktop PCs, laptops, and servers. We show that a malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors (Demonstration video: https://​www.​youtube.​com/​watch?​v=​4vIu8ld68fc). Compared to other LED methods, our method is unique, because it is also covert; the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of a user-level malware that doesn’t require a kernel component. During the evaluation, we examined the physical characteristics of different colored HDD LEDs (red, blue, and white) and tested different types of receivers: remote cameras, ‘extreme’ cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiment shows that sensitive data can successfully be leaked from air-gapped computers via the HDD LED at a maximum bit rate of 120 bit/s (bits per second) when a video camera is used as a receiver, and 4000 bit/s when a light sensor is used for the reception. Notably, the maximal speed is 10 times faster than the existing optical covert channels for air-gapped computers. These rates allow rapid exfiltration of encryption keys, keystroke logging, and text and binary files.
Mordechai Guri, Boris Zadov, Yuval Elovici

A Stealth, Selective, Link-Layer Denial-of-Service Attack Against Automotive Networks

Modern vehicles incorporate tens of electronic control units (ECUs), driven by as much as 100,000,000 lines of code. They are tightly interconnected via internal networks, mostly based on the CAN bus standard. Past research showed that, by obtaining physical access to the network or by remotely compromising a vulnerable ECU, an attacker could control even safety-critical inputs such as throttle, steering or brakes. In order to secure current CAN networks from cyberattacks, detection and prevention approaches based on the analysis of transmitted frames have been proposed, and are generally considered the most time- and cost-effective solution, to the point that companies have started promoting aftermarket products for existing vehicles.
In this paper, we present a selective denial-of-service attack against the CAN standard which does not involve the transmission of any complete frames for its execution, and thus would be undetectable via frame-level analysis. As the attack is based on CAN protocol weaknesses, all CAN bus implementations by all manufacturers are vulnerable. In order to precisely investigate the time, money and expertise needed, we implement an experimental proof-of-concept against a modern, unmodified vehicle and prove that the barrier to entry is extremely low. Finally, we present a discussion of our threat analysis, and propose possible countermeasures for detecting and preventing such an attack.
Andrea Palanca, Eric Evenchick, Federico Maggi, Stefano Zanero

Detection and Protection


Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps

Malware predominantly employs code injections, which allow to run code in the trusted context of another process. This enables malware, for instance, to secretly operate or to intercept critical information. It is crucial for analysts to quickly detect injected code. While there are systems to detect code injections in memory dumps, they suffer from unsatisfying detection rates or their detection granularity is too coarse. In this paper, we present Quincy to overcome these drawbacks. It employs 38 features commonly associated with code injections to classify memory regions. We implemented Quincy for Windows XP, 7 and 10 and compared it to the current state of the art, Volatility’s malfind as well as hollowfind. For this sake, we created a high quality data set consisting of 102 current representatives of code injecting malware families. Quincy improves significantly upon both approaches, with up to 19.49% more true positives and a decrease in false positives by up to 94,76%.
Thomas Barabosch, Niklas Bergmann, Adrian Dombeck, Elmar Padilla

SPEAKER: Split-Phase Execution of Application Containers

Linux containers have recently gained more popularity as an operating system level virtualization approach for running multiple isolated OS distros on a control host or deploying large scale microservice-based applications in the cloud environment. The wide adoption of containers as an application deployment platform also attracts attackers’ attention. Since the system calls are the entry points for processes trapping into the kernel, Linux seccomp filter has been integrated into popular container management tools such as Docker to effectively constrain the system calls available to the container. However, Docker lacks a method to obtain and customize the set of necessary system calls for a given application. Moreover, we observe that a number of system calls are only used during the short-term booting phase and can be safely removed from the long-term running phase for a given application container. In this paper, we propose a container security mechanism called SPEAKER that can dramatically reduce the number of available system calls to a given application container by customizing and differentiating its necessary system calls at two different execution phases, namely, booting phase and running phase. For a given application container, we first separate its execution into booting phase and running phase and then trace the invoked system calls at these two phases, respectively. Second, we extend the Linux seccomp filter to dynamically update the available system calls when the application is running from the booting phase into the running phase. Our mechanism is non-intrusive to the application running in the container. We evaluate SPEAKER on the popular web server and data store containers from Docker hub, and the experimental results show that it can successfully reduce more than 50% and 35% system calls in the running phase for the data store containers and the web server containers, respectively, with negligible performance overhead.
Lingguang Lei, Jianhua Sun, Kun Sun, Chris Shenefiel, Rui Ma, Yuewu Wang, Qi Li

Deep Ground Truth Analysis of Current Android Malware

To build effective malware analysis techniques and to evaluate new detection tools, up-to-date datasets reflecting the current Android malware landscape are essential. For such datasets to be maximally useful, they need to contain reliable and complete information on malware’s behaviors and techniques used in the malicious activities. Such a dataset shall also provide a comprehensive coverage of a large number of types of malware. The Android Malware Genome created circa 2011 has been the only well-labeled and widely studied dataset the research community had easy access to (As of 12/21/2015 the Genome authors have stopped supporting the dataset sharing due to resource limitation). But not only is it outdated and no longer represents the current Android malware landscape, it also does not provide as detailed information on malware’s behaviors as needed for research. Thus it is urgent to create a high-quality dataset for Android malware. While existing information sources such as VirusTotal are useful, to obtain the accurate and detailed information for malware behaviors, deep manual analysis is indispensable. In this work we present our approach to preparing a large Android malware dataset for the research community. We leverage existing anti-virus scan results and automation techniques in categorizing our large dataset (containing 24,650 malware app samples) into 135 varieties (based on malware behavioral semantics) which belong to 71 malware families. For each variety, we select three samples as representatives, for a total of 405 malware samples, to conduct in-depth manual analysis. Based on the manual analysis result we generate detailed descriptions of each malware variety’s behaviors and include them in our dataset. We also report our observations on the current landscape of Android malware as depicted in the dataset. Furthermore, we present detailed documentation of the process used in creating the dataset, including the guidelines for the manual analysis. We make our Android malware dataset available to the research community.
Fengguo Wei, Yuping Li, Sankardas Roy, Xinming Ou, Wu Zhou

Code Analysis


HumIDIFy: A Tool for Hidden Functionality Detection in Firmware

This paper presents a semi-automated approach to detect hidden functionality (such as backdoors) within binaries from consumer off-the-shelf (COTS) embedded device firmware. We build a classifier using semi-supervised learning to infer what kind of functionality a given binary has. We then use this classifier to identify binaries from firmware, so that they may then be compared to an expected functionality profile, which we define by hand for a range of applications. To specify these profiles we have developed a domain specific language called Binary Functionality Description Language (BFDL), which encodes the static analysis passes used to identify specific functionality traits of a binary. Our tool, HumIDIFy achieves a classification accuracy of \(96.45\%\) with virtually zero false positives for the most common services. We demonstrate the applicability of our techniques to large-scale analysis by measuring performance on a large data set of firmware. From sampling that data set, HumIDIFy identifies a number of binaries containing unexpected functionality, notably a backdoor in router firmware by Tenda. In addition to this, it is also able to identify backdoors in artificial instances known to contain unexpected functionality in the form of backdoors.
Sam L. Thomas, Flavio D. Garcia, Tom Chothia

BinShape: Scalable and Robust Binary Library Function Identification Using Function Shape

Identifying library functions in program binaries is important to many security applications, such as threat analysis, digital forensics, software infringement, and malware detection. Today’s program binaries normally contain a significant amount of third-party library functions taken from standard libraries or free open-source software packages. The ability to automatically identify such library functions not only enhances the quality and the efficiency of threat analysis and reverse engineering tasks, but also improves their accuracy by avoiding false correlations between irrelevant code bases. Existing methods are found to either lack efficiency or are not robust enough to identify different versions of the same library function caused by the use of different compilers, different compilation settings, or obfuscation techniques. To address these limitations, we present a scalable and robust system called BinShape to identify standard library functions in binaries. The key idea of BinShape is twofold. First, we derive a robust signature for each library function based on heterogeneous features covering CFGs, instruction-level characteristics, statistical characteristics, and function-call graphs. Second, we design a novel data structure to store such signatures and facilitate efficient matching against a target function. We evaluate BinShape on a diverse set of C/C++ binaries, compiled with GCC and Visual Studio compilers on x86-x64 CPU architectures, at optimization levels \(O0-O3\). Our experiments show that BinShape is able to identify library functions in real binaries both efficiently and accurately, with an average accuracy of \(89\%\) and taking about 0.14 s to identify one function out of three million candidates. We also show that BinShape is robust enough when the code is subjected to different compilers, slight modification, or some obfuscation techniques.
Paria Shirani, Lingyu Wang, Mourad Debbabi

SCVD: A New Semantics-Based Approach for Cloned Vulnerable Code Detection

The behavior of copying existing code to reuse or modify its functionality is very common in the software development. However, when developers clone the existing code, they also clone any vulnerabilities in it. Thus, it seriously affects the security of the system. In this paper, we propose a novel semantics-based approach called SCVD for cloned vulnerable code detection. We use the full path traversal algorithm to transform the Program Dependency Graph (PDG) into a tree structure while preserving all the semantic information carried by the PDG and apply the tree to the cloned vulnerable code detection. We use the identifier name mapping technique to eliminate the impact of identifier name modification. Our key insights are converting the complex graph similarity problem into a simpler tree similarity problem and using the identifier name mapping technique to improve the effectiveness of semantics-based cloned vulnerable code detection. We have developed a practical tool based on our approach and performed a large number of experiments to evaluate the performance from three aspects, including the false positive rate, false negative rate, and time cost. The experiment results show that our approach has a significant improvement on the vulnerability detection effectiveness compared with the existing approaches and has lower time cost than subgraph isomorphism approaches.
Deqing Zou, Hanchao Qi, Zhen Li, Song Wu, Hai Jin, Guozhong Sun, Sujuan Wang, Yuyi Zhong

Web Security


On the Privacy Impacts of Publicly Leaked Password Databases

Regularly, hackers steal data sets containing user identifiers and passwords. Often these data sets become publicly available. The most prominent and important leaks use bad password protection mechanisms, e.g. rely on unsalted password hashes, despite longtime known recommendations. The accumulation of leaked password data sets allows the research community to study the problems of password strength estimation, password breaking and to conduct usability and usage studies. The impact of these leaks in terms of privacy has not been studied.
In this paper, we consider attackers trying to break the privacy of users, while not breaking a single password. We consider attacks revealing that distinct identifiers are in fact used by the same physical person. We evaluate large scale linkability attacks based on properties and relations between identifiers and password information. With these attacks, stronger passwords lead to better predictions. Using a leaked and publicly available data set containing 130 \(\times \,10^{6}\) encrypted passwords, we show that a privacy attacker is able to build a database containing the multiple identifiers of people, including their secret identifiers. We illustrate potential consequences by showing that a privacy attacker is capable of deanonymizing (potentially embarrassing) secret identifiers by intersecting several leaked password databases.
Olivier Heen, Christoph Neumann

Unsupervised Detection of APT C&C Channels using Web Request Graphs

HTTP is the main protocol used by attackers to establish a command and control (C&C) channel to infected hosts in a network. Identifying such C&C channels in network traffic is however a challenge because of the large volume and complex structure of benign HTTP requests emerging from regular user browsing activities. A common approach to C&C channel detection has been to use supervised learning techniques which are trained on old malware samples. However, these techniques require large training datasets which are generally not available in the case of advanced persistent threats (APT); APT malware are often custom-built and used against selected targets only, making it difficult to collect malware artifacts for supervised machine learning and thus rendering supervised approaches ineffective at detecting APT traffic.
In this paper, we present a novel and highly effective unsupervised approach to detect C&C channels in Web traffic. Our key observation is that APT malware typically follow a specific communication pattern that is different from regular Web browsing. Therefore, by reconstructing the dependencies between Web requests, that is the Web request graphs, and filtering away the nodes pertaining to regular Web browsing, we can identify malware requests without training a malware model.
We evaluated our approach on real Web traces and show that it can detect the C&C requests of nine APTs with a true positive rate of 99.5–100% and a true negative rate of 99.5–99.7%. These APTs had been used against several hundred organizations for years without being detected.
Pavlos Lamprakis, Ruggiero Dargenio, David Gugelmann, Vincent Lenders, Markus Happe, Laurent Vanbever

Measuring Network Reputation in the Ad-Bidding Process

Online advertising is a multi-billion dollar market, and therefore a target for abuse by Internet criminals. Prior work has shown millions of dollars of advertisers’ capital are lost due to ad abuse and focused on defense from the perspective of the end-host or the local network egress point. We investigate the potential of using public threat data to measure and detect adware and malicious affiliate traffic from the perspective of demand side platforms, which facilitate ad bidding between ad exchanges and advertisers. Our results show that malicious ad campaigns have statistically significant differences in traffic and lookup patterns from benign ones, however, public blacklists can only label a small percentage of ad publishers (0.27%), which suggests new lists dedicated to ad abuse should be created. Furthermore, we show malicious infrastructure on ad exchanges can be tracked with simple graph analysis and maliciousness heuristics.
Yizheng Chen, Yacin Nadji, Rosa Romero-Gómez, Manos Antonakakis, David Dagon


Weitere Informationen

Premium Partner

BranchenIndex Online

Die B2B-Firmensuche für Industrie und Wirtschaft: Kostenfrei in Firmenprofilen nach Lieferanten, Herstellern, Dienstleistern und Händlern recherchieren.



Best Practices für die Mitarbeiter-Partizipation in der Produktentwicklung

Unternehmen haben das Innovationspotenzial der eigenen Mitarbeiter auch außerhalb der F&E-Abteilung erkannt. Viele Initiativen zur Partizipation scheitern in der Praxis jedoch häufig. Lesen Sie hier  - basierend auf einer qualitativ-explorativen Expertenstudie - mehr über die wesentlichen Problemfelder der mitarbeiterzentrierten Produktentwicklung und profitieren Sie von konkreten Handlungsempfehlungen aus der Praxis.
Jetzt gratis downloaden!