Detection of Intrusions and Malware, and Vulnerability Assessment

The password recovery process is a critical part of a website’s functionality. Many websites that provide online services to their users also need to solve the problem of allowing their users to reset their passwords (e.g., if they have forgotten it). A popular, established technique for allowing a user to recover a lost account is to allow her to send a reset link to her own account via email. Although it might seem easy at a first glance, the security requirements of the password recovery process require web sites to carefully design each step of the process to be resilient even in the presence of an attack. In this paper, we present an in-depth security analysis of the email-based recovery mechanisms of a wide range of web applications. By manually registering accounts and triggering the password recovery process for each website, we were able to study the password reset mechanisms of web sites from three different groups in the Alexa Top 5K (i.e., popular sites, medium popular sites, low popular sites). In this work, we show that the lack of standards in the password recovery process plagues many websites with security weaknesses, and negatively influences the security of the reset process itself. We also show that concrete password-recovery reset attacks can be launched against a high percentage of websites that might even lead to account takeover.

OAuth 2.0 is a popular and industry-standard protocol. To date, different attack classes and relevant countermeasures have been proposed. However, despite the presence of guidelines and best practices, the current implementations are still vulnerable and error-prone. In this research, we focus on OAuth Cross-Site Request Forgery (OCSRF) as an overlooked attack scenario.

We studied one of the most recurrent types of OCSRF attacks by proposing several novel attack strategies based on different status of the victim browser. In order to validate them, we designed a repeatable methodology and conducted a large-scale analysis on 314 high-ranked sites to assess the prevalence of OCSRF vulnerabilities. Our automated crawler discovered about 36% of targeted sites are still vulnerable and detected about 20% more well-hidden vulnerable sites utilizing the novel attack strategies. Although our experiment revealed a significant increase in the number of OCSRF protection compared to the past scale analyses, over one-fourth are still vulnerable to at least one proposed attack strategy.

Distributed reflective denial of service (DRDoS) attacks are a popular choice among adversaries. In fact, one of the largest DDoS attacks ever recorded, reaching a peak of 1.3 Tbps against GitHub, was a memcached-based DRDoS attack. More recently, a record-breaking 2.3 Tbps attack against Amazon AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have been known for years, DRDoS attacks are unfortunately still popular and largely unmitigated.

In this paper, we measure in-the-wild DRDoS attacks as observed from a large Internet exchange point (IXP) and provide a number of security-relevant insights. To enable our measurements, we first developed IXmon, an open-source DRDoS detection system specifically designed for deployment at large IXP-like network connectivity providers and peering hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub that provides both peering and upstream Internet connectivity services to more than 20 research and education (R&E) networks in the South-East United States. In a period of about 21 months, IXmon detected more than 900 DRDoS attacks towards 31 different victim ASes. An analysis of the real-world DRDoS attacks detected by our system shows that most DRDoS attacks are short lived, lasting only a few minutes, but that large-volume, long-lasting, and highly-distributed attacks against R&E networks are not uncommon. We then use the results of our analysis to discuss possible attack mitigation approaches that can be deployed at the IXP level, before the attack traffic overwhelms the victim’s network bandwidth.

Attackers use various techniques to lure victims to malicious domains. A typical approach is to generate domains which look similar to well-known ones so that a confused victim is tricked into visiting the domain. An important attack technique in practice is the impersonation of domains in the lower DNS hierarchy as subdomains of otherwise unsuspiciously looking domains, such as paypal.com.foo.example.com.

In this paper, we present an in-depth, empirical measurement study of low-level domain impersonations to understand their prevalence and provide a basis for the development of corresponding countermeasures. We introduce a generic measurement approach to find and analyze such domains in phishing feeds from three large anti-phishing vendors (PhishLabs, Phishtank, and OpenPhish) covering multiple years and a data set consisting of one and a half years of certificate transparency logs (CTL). In our measurement study, we discovered more than 122,000 cases of domain impersonations detected during the last seven years in PhishLabs, almost 3,000 in Phishtank, and a couple of hundred instances in OpenPhish. Additionally, we compared the usage of low-level domain impersonation with other well-known domain squatting techniques and find that low-level domain impersonation is among the most popular squatting techniques in the wild.

In this work, we discuss the security of the Signal messenger in this multi-device setting. We show that the current implementation of the device registration allows an attacker to register an own, malicious device, which gives them unrestricted access to all future communication of their victim, and even allows full impersonation. This directly shows that the current Signal implementation does not guarantee post-compromise security. We discuss several countermeasures, both simple ones aiming to increase detectability of our attack, as well as a broader approach that seeks to solve the root issue, namely the weak device registration flow.

We design and implement from scratch a new fuzzer called Sivo that refines multiple stages of grey-box fuzzing. First, Sivo refines data-flow fuzzing in two ways: (a) it provides a new taint inference engine that requires only logarithmic number of tests in the input size to infer dependency of many program branches on the input bytes, and (b) it employs a novel method for inverting branches by solving a systems of inequalities efficiently. Second, our fuzzer refines accurate tracking and detection of code coverage with simple and easily implementable methods. Finally, Sivo refines selection of parameters and strategies by parameterizing all stages of fuzzing and then dynamically selecting optimal values during fuzzing. Thus the fuzzer can easily adapt to a target program and rapidly increase coverage. We compare our fuzzer to 11 other state-of-the-art grey-box fuzzers on 27 popular benchmarks. Our evaluation shows that Sivo scores the highest both in terms of code coverage and in terms of number of found vulnerabilities.

Growing numbers of advanced malware-based attacks against governments and corporations, for political, financial and scientific gains, have taken security breaches to the next level. In response to such attacks, both academia and industry have investigated techniques to model and reconstruct these attacks and to defend against them. While such efforts have been all useful in mitigating the effects of modern attacks, automated malware code reuse inspection and campaign attribution have received less attention.

In this paper, we present an automated system, called SCRUTINIZER, to identify code reuse in malware via a novel machine learning-based encoding mechanism at the function-level. By creating a large knowledge base of previously observed and tagged malware campaigns, we can compare unknown samples against this knowledge base and determine how much overlap exists. SCRUTINIZER leverages an unsupervised learning approach to filter out irrelevant functions before code reuse detection. It provides two valuable capabilities. First, it identifies ties between an unknown sample and those malware specimens that are known to be used by a specific campaign. Second, it inspects if specific tools or functionalities are used by a campaign. Using SCRUTINIZER, we were able to identify 12 samples that were previously unknown to us and that we were able to correctly assign to well-known APT campaigns.

This paper presents Specularizer, a framework for uncovering speculative execution attacks using performance tracing features available in commodity processors. It is motivated by the practical difficulty of eradicating such vulnerabilities in the design of CPU hardware and operating systems and the principle of defense-in-depth. The key idea of Specularizer is the use of Hardware Performance Counters and Processor Trace to perform lightweight monitoring of production applications and the use of machine learning techniques for identifying the occurrence of the attacks during offline forensics analysis. Different from prior works that use performance counters to detect side-channel attacks, Specularizer monitors triggers of the critical paths of the speculative execution attacks, thus making the detection mechanisms robust to different choices of side channels used in the attacks. To evaluate Specularizer, we model all known types of exception-based and misprediction-based speculative execution attacks and automatically generate thousands of attack variants. Experimental results show that Specularizer yields superior detection accuracy and the online tracing of Specularizer incur reasonable overhead.

A causal relationship implies that a function call should follow another function call. However, causal relationships can be implicit in practice and therefore often missed and violated by developers, causing many serious risks such as memory leaks and crashes. Although a set of works are proposed to mitigate the issue, they fall short in solving two main challenges: the contradiction between bugs in specific paths and intra-function path-explosion, and missing contextual constraints of causal relationships, which leads to high performance cost or failing to detect context-related bugs.

This paper proposes Third-Eye, a practical static analysis tool that infers causal relationship violations for commodity kernels like Linux. Third-Eye leverages the intersection-based call sequence building algorithm to cope with intra-function path-explosion, which can reduce the number of paths while collecting callee information as much as possible. Besides, Third-Eye detects causal relationship violations context-sensitively based on a statistical method. Our experiments show Third-Eye is effective and efficient—successfully identified 60 bugs in Linux 5.3. Of them, 41  have been confirmed and fixed by Linux developers (The accepted patches are in https://​ipads.​se.​sjtu.​edu.​cn:​1312/​opensource/​third-eye.).

A software update is a critical but complicated part of software security. Its delay poses risks due to vulnerabilities and defects of software. Despite the high demand to shorten the update lag and keep the software up-to-date, software updates involve factors such as human behavior, program configurations, and system policies, adding variety in the updates of software. Investigating these factors in a real environment poses significant challenges such as the knowledge of software release schedules from the software vendors and the deployment times of programs in each user’s machine. Obtaining software release plans requires information from vendors which is not typically available to public. On the users’ side, tracking each software’s exact update installation is required to determine the accurate update delay. Currently, a scalable and systematic approach is missing to analyze these two sides’ views of a comprehensive set of software. We performed a long term system-wide study of update behavior for all software running in an enterprise by translating the operating system logs from enterprise machines into graphs of binary executable updates showing their complex, and individualized updates in the environment. Our comparative analysis locates risky machines and software with belated or dormant updates falling behind others within an enterprise without relying on any third-party or domain knowledge, providing new observations and opportunities for improvement of software updates. Our evaluation analyzes real data from 113,675 unique programs used by 774 computers over 3 years.

Browser fingerprinting has established itself as a stateless technique to identify users on the Web. In particular, it is a highly criticized technique to track users. However, we believe that this identification technique can serve more virtuous purposes, such as bot detection or multi-factor authentication. In this paper, we explore the adoption of browser fingerprinting for security-oriented purposes. More specifically, we study 4 types of web pages that require security mechanisms to process user data: sign-up, sign-in, basket and payment pages. We visited 1, 485 pages on 446 domains and we identified the acquisition of browser fingerprints from 405 pages. By using an existing classification technique, we identified 169 distinct browser fingerprinting scripts included in these pages. By investigating the origins of the browser fingerprinting scripts, we identified 12 security-oriented organizations who collect browser fingerprints on sign-up, sign-in, and payment pages. Finally, we assess the effectiveness of browser fingerprinting against two potential attacks, namely stolen credentials and cookie hijacking. We observe browser fingerprinting being successfully used to enhance web security.

Virtual machine introspection (VMI) allows a monitoring application, usually running in a separate virtual machine on the same host, to peek into another guest virtual machine running on the same host, check and modify both registers and memory state of the guest. It has gained popularity in malware analysis, software reverse engineering, and intrusion detection systems. However, VMI comes with a huge overhead, which not only is a waste of resources but also can tip malware that VMI is being used.

In this paper, we present an approach to significantly enhance the performance of VMI. Our work eliminates a large number of context switches between the monitored guest system, the hypervisor, and the monitoring application. Our approach implements the management of tracing directly into the hypervisor and uses asynchronous events between hypervisor and monitoring process to minimize the performance impact of tracing without losing functionality. We show that our approach reduces the main bottlenecks of introspection by more than an order of magnitude compared to the popular approach using LibVMI and the Xen hypervisor.

A popular control-flow obfuscation approach used to protect software is inserting opaque predicates. However, recent research has questioned the usefulness of opaque predicates with the realization that simple heuristic attacks can effectively detect them. In this paper, we introduce a novel approach to construct opaque predicates that prevents both heuristic attacks and automated attacks by having opaque predicates syntactically and semantically resemble real predicates.

Our approach uses abstract interpretation to infer variables’ value sets. From each value set, we synthesize an opaque predicate that 1) evaluates all items in its value set to the same truth value and 2) shares real predicates’ common syntactic features.

Our opaque predicates syntactically resemble real predicates because they share real predicates’ common syntactic features and their invariants are naturally occurring as they are inferred from the program’s semantics. Previous approaches to constructing opaque predicates are susceptible to heuristic attacks because they use synthetic invariants that can inadvertently introduce unnatural code.

Our opaque predicates semantically resemble real predicates because the naturally occurring invariants they use are based on value sets. Like real predicates’ variables, our opaque predicates’ variables can also take on different values during runtime. From our evaluation, we show promising results that our opaque predicates can withstand automated attacks. Current state-of-the-art deobfuscation, dynamic symbolic execution, can only detect 41% of our opaque predicates.

Android malware detection is a significant problem that affects billions of users using millions of Android applications (apps) in existing markets. Thiss paper proposes PetaDroid, a framework for accurate Android malware detection and family clustering on top of static analyses. PetaDroid automatically adapts to Android malware and benign changes over time with resilience to common binary obfuscation techniques. The framework employs novel techniques elaborated on top of natural language processing (NLP) and machine learning techniques to achieve accurate, adaptive, and resilient Android malware detection and family clustering. We extensively evaluated PetaDroid on multiple reference datasets. PetaDroid achieved a high detection rate (98–99% f1-score) under different evaluation settings with high homogeneity in the produced clusters (96%). We conducted a thorough quantitative comparison with state-of-the-art solutions MaMaDroid, DroidAPIMiner, MalDozer, in which PetaDroid outperforms them under all the evaluation settings.

Phishing is in practice one of the most common attack vectors threatening digital assets. An attacker sends a legitimate-looking e-mail to a victim to lure her on a website with the goal of tricking the victim into revealing credentials. A phishing e-mail can use both technical (e.g., a forged link) and psychological vectors (e.g., an authoritarian tone) to persuade the victim.

In this paper, we present an analysis of more than 420,000 phishing e-mails sent over more than 1.5 years by a consulting company offering awareness trainings. Our data set contains detailed information on how users interact with the e-mails, e.g., when they click on links and what psychological vectors are used in the e-mails to convince the recipient of its legitimacy. While previous studies often used lab environments, the e-mails in our data set are sent to real users during their day-to-day work so that we can study their behavior in a genuine setting. Our results indicate a continually decreasing click rate (from 19% to 10%) with progressing awareness training. We also found some psychological vectors, including an authoritative tone and curiosity, to be more effective than others to trick a user into falling for this type of scam e-mails.

Providing integrity guarantees for websites rendered on a user’s browser is a crucial security property for web applications. There are several ways to tamper with data being received or rendered on the client side, including browser hijacking, malicious plugins, cross-site scripting attacks and manipulation of data in transit. Detecting such attacks is important for content providers in order to generate alerts and prevent further attacks. Detection of website integrity is a challenging task, due to the heterogeneity of possible attacks. In this work we present an approach to detect integrity attacks that is designed to scale to millions of clients while offering high accuracy. Our approach is based on a fine grained analysis of website internal components and a clustering technique. Such clustering allows for an efficient automatic and semi-automatic classification of client-side content (such as scripts, forms, iframes, etc.). This approach is partially implemented in a productive system and is evaluated on a real-world dataset belonging to a sample of tens of thousands unique visits. We show that we can achieve up to 98.7% accuracy on real data based on a labelled prefix, and up to 99.4% compression ratio on incoming to-be-classified client-side content. To the best of our knowledge, we are the first study to show a scalable and practical clustering system for web integrity detection.