2021 | Book

Secure IT Systems

25th Nordic Conference, NordSec 2020, Virtual Event, November 23–24, 2020, Proceedings

About this book

This book constitutes the refereed proceedings of the 25th Nordic Conference on Secure IT Systems, NordSec 2020, which was organized by Linköping University, Sweden, and held online during November 23-24, 2020.

The 15 papers presented in this volume were carefully reviewed and selected from 45 submissions. They were organized in topical sections named: malware and attacks; formal analysis; applied cryptography; security mechanisms and training; and applications and privacy.

Table of Contents

Frontmatter

Malware and Attacks

Frontmatter
Persistence in Linux-Based IoT Malware
Abstract
The Internet of Things (IoT) is a rapidly growing collection of “smart” devices capable of communicating over the Internet. Being connected to the Internet brings new features and convenience, but it also poses new security threats, such as IoT malware. IoT malware has shown similar growth, making IoT devices highly vulnerable to remote compromise. However, most IoT malware variants do not exhibit the ability to gain persistence, as they typically lose control over the compromised device when the device is restarted. This paper investigates how persistence for various IoT devices can be implemented by attackers, such that they retain control even after the device has been rebooted. Having persistence would make it harder to remove IoT malware. We investigated methods that could be used by an attacker to gain persistence on a variety of IoT devices, and compiled the requirements and potential issues faced by these methods, in order to understand how best to combat this future threat. We successfully used these methods to gain persistence on four vulnerable IoT devices with differing designs, features and architectures. We also identified ways to counter them. This work highlights the enormous risk that persistence poses to potentially billions of IoT devices, and we hope our results and study will encourage manufacturers and developers to consider implementing our proposed countermeasures or create new techniques to combat this nascent threat.
Calvin Brierley, Jamie Pont, Budi Arief, David J. Barnes, Julio Hernandez-Castro

Open Access

Real-Time Triggering of Android Memory Dumps for Stealthy Attack Investigation
Abstract
Attackers regularly target Android phones and come up with new ways to bypass detection mechanisms to achieve long-term stealth on a victim’s phone. One way attackers do this is by leveraging critical benign app functionality to carry out specific attacks.
In this paper, we present a novel generalised framework, JIT-MF (Just-in-time Memory Forensics), which aims to address the problem of timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. The main components of this framework are i) Identification of critical data objects in memory linked with critical benign application steps that may be misused by an attacker; and ii) Careful selection of trigger points, which identify when memory dumps should be taken during benign app execution.
The effectiveness and cost of trigger point selection, a cornerstone of this framework, are evaluated in a preliminary qualitative study using Telegram and Pushbullet as the victim apps targeted by stealthy malware. Our study identifies that JIT-MF is successful in dumping critical data objects on time, providing evidence that eludes all other forensic sources. Experimentation offers insight into identifying categories of trigger points that can strike a balance between the effort required for selection and the resulting effectiveness and storage costs. Several optimisation measures for the JIT-MF tools are presented, considering the typical resource constraints of Android devices.
Jennifer Bellizzi, Mark Vella, Christian Colombo, Julio Hernandez-Castro
Using Features of Encrypted Network Traffic to Detect Malware
Abstract
Encryption on the Internet is as pervasive as ever. This has protected communications and enhanced the privacy of users. Unfortunately, at the same time malware is also increasingly using encryption to hide its operation. The detection of such encrypted malware is crucial, but the traditional detection solutions assume access to payload data. To overcome this limitation, such solutions employ traffic decryption strategies that have severe drawbacks. This paper studies the usage of encryption for malicious and benign purposes using large datasets and proposes a machine learning based solution to detect malware using connection and TLS metadata without any decryption. The classification is shown to be highly accurate with high precision and recall rates by using a small number of features. Furthermore, we consider the deployment aspects of the solution and discuss different strategies to reduce the false positive rate.
Zeeshan Afzal, Anna Brunstrom, Stefan Lindskog

Formal Analysis

Frontmatter
Machine-Checking the Universal Verifiability of ElectionGuard
Abstract
ElectionGuard is an open source set of software components and specifications from Microsoft designed to allow the modification of a number of different e-voting protocols and products to produce public evidence (transcripts) which anyone can verify. The software uses ElGamal, homomorphic tallying and sigma protocols to enable public scrutiny without adversely affecting privacy. Some components have been formally verified (machine-checked) to be free of certain software bugs but there was no formal verification of their cryptographic security.
Here, we present a machine-checked proof of the verifiability guarantees of the transcripts produced according to the ElectionGuard specification. We have also extracted an executable version of the verifier specification, which we proved to be secure, and used it to verify election transcripts produced by ElectionGuard. Our results show that our implementation is of similar efficiency to existing implementations.
Thomas Haines, Rajeev Goré, Jack Stodart
Information-Flow Control by Means of Security Wrappers for Active Object Languages with Futures
Abstract
This paper introduces a run-time mechanism for preventing leakage of secure information in distributed systems. We consider a general concurrency language model where concurrent objects interact by asynchronous method calls and futures. The aim is to prevent leakage of secure information to low-level viewers. The approach is based on a notion of security wrappers, where a wrapper encloses an object or a component and controls its interactions with the environment. Our run-time system automatically adds a wrapper to an insecure component. The wrappers are invisible such that a wrapped component and its environment are not aware of it.
The security policies of a wrapper are formalized based on a notion of security levels. At run-time, future components will be wrapped upon need, and objects of unsafe classes will be wrapped, using static checking to limit the number of unsafe classes and thereby reducing run-time overhead. We define an operational semantics and sketch a proof of non-interference. A service provider may use wrappers to protect its services in an insecure environment, and vice-versa: a system platform may use wrappers to protect itself from insecure service providers.
Farzane Karami, Olaf Owe, Gerardo Schneider
Efficient Mixing of Arbitrary Ballots with Everlasting Privacy: How to Verifiably Mix the PPATC Scheme
Abstract
The long term privacy of voting systems is of increasing concern as quantum computers come closer to reality. Everlasting privacy schemes offer the best way to manage these risks at present. While homomorphic tallying schemes with everlasting privacy are well developed, most national elections, using electronic voting, use mixnets. Currently the best candidate encryption scheme for making these kinds of elections everlastingly private is PPATC, but it has not been shown to work with any mixnet of comparable efficiency to the current ElGamal mixnets. In this work we give a paper proof, and a machine checked proof, that the variant of Wikström’s mixnet commonly in use is safe for use with the PPATC encryption scheme.
Kristian Gjøsteen, Thomas Haines, Morten Rotvold Solberg

Applied Cryptography

Frontmatter
(F)unctional Sifting: A Privacy-Preserving Reputation System Through Multi-Input Functional Encryption
Abstract
Functional Encryption (FE) allows users who hold a specific secret key (known as the functional key) to learn a specific function of encrypted data whilst learning nothing about the content of the underlying data. Considering this functionality and the fact that the field of FE is still in its infancy, we sought a route to apply this potent tool to solve the existing problem of designing decentralised additive reputation systems. To this end, we first built a symmetric FE scheme for the \(\ell_1\) norm of a vector space, which allows us to compute the sum of the components of an encrypted vector (i.e. the votes). Then, we utilized our construction, along with functionalities offered by Intel SGX, to design the first FE-based decentralized additive reputation system with Multi-Party Computation. While our reputation system faces certain limitations, this work is amongst the first attempts that seek to utilize FE in the solution of a real-life problem.
Alexandros Bakas, Antonis Michalas, Amjad Ullah
TLV-to-MUC Express: Post-quantum MACsec in VXLAN
Abstract
MACsec in VXLAN is an end-to-end security protocol for protecting Ethernet frames traveling over IP networks. It can provide a high-speed Ethernet encryption while supporting the virtualization of a large network such as data center network. Although MACsec addresses most of security threats, it is not immune against quantum attacks which are a future, yet disastrous threat against public-key cryptography in use. In this paper, we demonstrate a new solution for a MACsec protocol over VXLAN in a post-quantum setting. Instead of a standard MACsec key agreement protocol, we use an ephemeral key exchange protocol and an end-to-end authentication scheme, both of which are based on post-quantum cryptography. To measure the impact on the performance, we established a quantum-secure link between Germany and Israel using MACsec in VXLAN over public IP networks. We verified that the impact on the latency and throughput is minimal. Our experiment confirms that quantum-secure virtualized links can be already established in a long-distance without changing their infrastructure.
Joo Yeon Cho, Andrew Sergeev

Open Access

On the Certificate Revocation Problem in the Maritime Sector
Abstract
Maritime shipping is currently undergoing rapid digitalization, but with increasing exposure to cyber threats, there is a need to improve the security of the ship communication technology used during operations across international waters, as well as close to local shores and in ports. To this aid, there are ongoing standardization efforts for an international maritime Public Key Infrastructure, but the inherent properties of limited connectivity and bandwidth make certificate revocation a problematic affair compared to traditional Internet systems. The main contribution of this paper is an analysis of certificate revocation techniques based on how they fulfil fundamental maritime requirements and simulated usage over time. Our results identify CRLs (with Delta CRLs) and CRLite as the two most promising candidates. Finally, we outline the pros and cons with these two different solutions.
Guillaume Bour, Karin Bernsmed, Ravishankar Borgaonkar, Per Håkon Meland

Security Mechanisms and Training

Frontmatter
HoneyHash: Honeyword Generation Based on Transformed Hashes
Abstract
Since systems using honeywords store a set of decoy passwords together with real passwords of users to confuse adversaries, they are strongly dependent on the algorithm for generating honeywords. However, all of the existing honeyword generating algorithms are based on raw passwords of users and they either need lots of storage space or show weaknesses in flatness or usability. This paper proposes HoneyHash, a new direction of generating honeywords - generating by transforming password hashes. Analyses show that our algorithm attains expected levels of flatness, security, performance and usability.
Canyang Shi, Huiping Sun
Agent-Based File Extraction Using Virtual Machine Introspection
Abstract
Virtual machine introspection (VMI) can be defined as the external monitoring of virtual machines. In previous work, the importance of this technique for malware analysis and digital forensics has become apparent. However, in these domains the problem occurs that some information is not available in the main memory at all times. Specifically, files contained on non-volatile memory are typically not accessible for VMI applications. In this paper, we present a file extraction architecture that uses a dynamically injected in-guest agent to expose the file system for VMI-based analysis. To enable the execution of this in-guest agent, we also introduce a process injection mechanism for ELF binaries through the main memory using VMI.
Thomas Dangl, Benjamin Taubmann, Hans P. Reiser

Open Access

Cyber Range Automation Overview with a Case Study of CRATE
Abstract
Cyber security research is quintessential to secure computerized systems against cyber threats. Likewise, cyber security training and exercises are instrumental in ensuring that the professionals protecting the systems have the right set of skills to do the job. Cyber ranges provide platforms for testing, experimentation and training, but developing and executing experiments and training sessions are labour intensive and require highly skilled personnel. Several cyber range operators are developing automated tools to speed up the creation of emulated environments and scenarios as well as to increase the number and quality of the executed events. In this paper we investigate automated tools used in cyber ranges and research initiatives designated to augment cyber ranges automation. We also investigate the automation features in CRATE (Cyber Range And Training Environment) operated by the Swedish Defence Research Agency (FOI).
Tommy Gustafsson, Jonas Almroth

Applications and Privacy

Frontmatter
Privacy Analysis of COVID-19 Contact Tracing Apps in the EU
Abstract
This paper presents results from a privacy analysis of COVID-19 contact tracing apps developed within the EU. Though these apps have been termed advantageous, concerns regarding privacy have become an issue that has led to their slow adoption. In this empirical study, we perform both static and dynamic analysis to judge apps’ privacy-preserving behavior together with the analysis of the privacy and data protection goals to deduce their transparency and intervenability. From the results, we discover that while the apps aim to be privacy-preserving, not all adhere to this as we observe one tracks users’ location, while the other violates the principle of least privilege, data minimisation and transparency, which puts the users at risk by invading their privacy.
Samuel Wairimu, Nurul Momen
OnLITE: On-line Label for IoT Transparency Enhancement
Abstract
We present a privacy transparency tool, which helps non-expert consumers understand and compare how Internet of Things (IoT) devices handle data. The need for such tools arises with the growing number of IoT products and the privacy implications of their use. This research is further motivated by legal acts, such as the General Data Protection Regulation (GDPR), which mandates the communication of privacy practices in a clear language. Our solution summarizes key privacy facts and visualizes information flows in a way that facilitates quick assessments, even for large data sets. We followed an interdisciplinary iterative design process that combines input from legal and usability experts, as well as feedback from 15 participants of our think-aloud task analysis study. In addition to explaining the rationale behind the design and evaluation methodology, we compare our solution, implemented as a graphical user interface, with existing ones. The results show that participants consider the interface straightforward and useful. Our solution encourages them to think critically about privacy and question some of the manufacturers’ claims. Participants also reported that they would be glad if such tools were widely available, to further improve privacy awareness. Besides, our solution can be a part of an evidence-based standardization process, enabling policy-makers to further promote privacy.
Alexandr Railean, Delphine Reinhardt
An Investigation of Comic-Based Permission Requests
Abstract
Research suggests that permission requests do not adequately inform users about the implications of granting or denying such requests. It is important that informed consent is given should users grant the request. This paper reports on the results of a study that examined novel comic-based permission request design in terms of user response and preferences for permission-granting decisions. We conducted co-design workshops to design the comic-based permission requests. We then compared our comic-based designs to current Android text-based permission requests using five common permission request types in an online survey. Our results showed that 52% of participants preferred the comic-based requests, and 24% the text-based requests. While comics were found to be an effective medium to achieve informed consent, some participants reported that the text-based request offered sufficient information to make decisions. Given that a relatively large number of participants preferred the comic-based permissions, we encourage future designers to consider alternative forms of permission requests.
Katie Watson, Mike Just, Tessa Berg
Backmatter
Metadata
Title
Secure IT Systems
Editors
Dr. Mikael Asplund
Simin Nadjm-Tehrani
Copyright Year
2021
Electronic ISBN
978-3-030-70852-8
Print ISBN
978-3-030-70851-1
DOI
https://doi.org/10.1007/978-3-030-70852-8
