RESEC ’18: Proceedings of the First Workshop on Radical and Experiential Security
SESSION: Threat Research
Vulnerability discovery and exploitation are critical to software security. Emerging intelligent vulnerability discovery solutions usually require a large amount of training data. Studying exploits also requires a set of existing exploit samples. As a result, building a dataset for vulnerability and exploit research is necessary. In this paper, we present CBTracer, which can catch real-time I/O traffic of target applications and monitor their runtime execution, to build an evolving dataset for various kinds of security analysis, including vulnerability discovery and exploit generation. CBTracer is a lightweight framework designed to be deployed easily in various CTF competitions by different organizers to build a bigger dataset. We used CBTracer to collect data from CGC challenges and deployed it in several real-world CTF challenges, showing that it could efficiently collect security-related data.
SESSION: Mobile Security
Active authentication is a user authentication scheme that uses the user’s behavioral characteristics and environmental information collected in the background to reduce the number of explicit authentication requests. In this paper, we propose an active authentication scheme, which performs Grade-Up and Grade-Extend after comparing the mobile device user’s confidence grade and the level of application authentication. We collect application usage logs, face confidence, Context of Interest (COI) familiarity, placement of the mobile device and screen logs from 22 participants over approximately 42.5 days. The proposed scheme classifies the applications that participants used into 4 authentication levels, depending on the authentication method of each application. Our experiments demonstrate that the proposed scheme is able to reduce the number of explicit authentication requests by 49%.
An Android sandbox is built either on the Android emulator or on a real device with a hooking framework. Fingerprints of the Android sandbox could be used to evade dynamic detection. So, in this paper, we first conduct a measurement on eight Android sandboxes and find that their customized usage profile (e.g., contact, SMS) can be fingerprinted by attackers for evading the sandbox. From our measurement results, most Android sandboxes have empty usage profile fingerprints, or fixed fingerprints, or random artifact fingerprints. So, without protections on such user profiles, Android malware can identify the fingerprints that are associated with different sandboxes and hide its malicious behaviors. Finally, we propose several mitigation solutions that are trivial to implement, including generating and feeding random real usage profiles to the malware sample every time, as well as a hybrid approach, which combines both random and fixed usage profiles.
With essential privileges, native daemons provide core system services for apps in the Android system. However, we find that exploiting Android native daemons can still lead to another security issue: privilege abuse within the confined privilege. So, in this paper, we first demonstrate the privilege abuse problem in native daemons through two types of attacks: the data leakage attack and the Denial-of-Service (DoS) attack. To mitigate the privilege abuse issue, we then propose the Daemon-Guard framework, in which we build a dispatcher to fork a new daemon process for handling each service request from apps. The dispatcher can check the ownership of data and determine whether a data access operation is authorized, and check the speed of the service requests from an app by a reference monitor. To restrict a daemon process from accessing data in the file system, we deploy Seccomp, a capability system supported by the Linux kernel. Finally, we implement the Daemon-Guard framework on the keystore daemon through static instrumentation. The evaluation of the keystore case shows that Daemon-Guard can successfully prevent these two privilege abuse attacks with an acceptable performance overhead.
SESSION: Machine Learning in Security
New malicious domain campaigns often include large sets of domains registered in bulk and deployed simultaneously. Early identification of these campaigns can often be accomplished with distance functions or regular expressions of registered domains, but these methods may also miss some campaign domains. Other studies have used time-of-registration features to help identify malicious domains. This paper explores the use of unsupervised clustering based on passive DNS records and other inherent network information to identify domains that may be part of campaigns but resistant to detection by domain name or time-of-registration analysis alone. We have found that using this method, we can achieve up to 2.1x expansion from a seed of known campaign domains with less than 4% false positives. This could be a useful tool to augment other methods of identifying malicious domains.
In recent years, the scale, frequency and complexity of cyber-attacks have been continuously on the rise. As a result, they have significantly impacted our daily lives and society as a whole. Never before have we had such an urgent need to defend against cyber-attacks. Previous studies suggest that it is possible to detect rootkits and control-flow attacks with high accuracy using information collected from the hardware level. For data-only exploits, however, where the control-flow of the victim application is strictly conserved while its behavior may only be slightly modified, high accuracy detection is much more difficult to achieve. In this study, we propose the use of low-level hardware information collected as a short time series for the detection of data-only malware attacks. We employed several representative classification algorithms, e.g., linear regression (LR), autoencoder (AE), stacked denoising autoencoder (SDA), and echo state network (ESN). We build one-class classifiers that either use individual samples collected via monitoring hardware-level events or use multiple samples of hardware events collected at different times during execution, but all with only the knowledge from regular behavior. Using several real-life attacks as case studies, we examined their detection accuracy when confronted with malicious behavior. Our experimental results show that our SDA- and ESN-based approaches can achieve an average detection accuracy of 97.75% and 98.36% for the exploits studied, respectively. Our study suggests that when the hardware events are monitored at different time spots during the execution of the vulnerable application, our SDA- and ESN-based approaches have the potential to boost the detection accuracy for data exploits.
Email services have to put a lot of effort into fighting spam emails. Most of the effort goes into detecting and filtering spam emails from benign emails. On the other front, people are educated by banks and other organizations on the awareness of such emails. These approaches are essentially passive in nature, in countering spam attacks where the attacker is not directly engaged by the adversary. Despite all these efforts, many innocent people fall for such attacks, leading them to share their account details or lose a large sum of money. We propose an AI-based system that is self-aware and self-defending, which sends coherent replies to spammers with the aim of consuming their time. To make it more difficult for spammers, we reply from algorithmically generated mail servers. Also, to avoid simple match filtering of mails by spammers, we make the replies different from each other and genuine, by using a language model trained by LSTM to form sentences in natural language depending upon the context of the email.
SESSION: Short Papers
An IoT device usually has an associated application to facilitate customers’ interactions with the device, and customers need to register an account to use this application as well. Due to the popularity of mobile phones, a customer is encouraged to register an account with his own mobile phone number. After binding the device to his account, the customer can control his device remotely with his smartphone. When a customer forgets his password, he can use his mobile phone to receive a verification code that is sent by the Short Message Service (SMS) to authenticate and reset his password. If an attacker gains this code, he can steal the victim’s account (reset password or login directly) to control the IoT device. Although IoT device vendors have already deployed a set of security countermeasures to protect accounts, such as setting an expiration time for the SMS authentication code, HTTP encryption, and application packing, this paper shows that existing IoT account password resets via SMS authentication code are still vulnerable to brute-force attacks. In particular, we present an automatic brute-force attack to bypass current protections and then crack IoT device user accounts. Our preliminary study on popular IoT devices such as smart locks, smart watches, smart routers, and sharing cars has discovered six account login zero-day vulnerabilities.
The Android Plugin is a new application-level virtualization technology in the Android system. Android Plugin allows a host app to create a virtual environment, in which any other APK files can be directly launched as runnable plugins without installation. Unlike dynamic code loading, the plugin-enabled host app provides a proxy layer between plugin apps and the Android framework. This virtualization technology has been applied in the development of hot apps, such as the “Parallel Space” app. However, the Android Plugin technology has completely changed the landscape of Android ecosystem security. We will demonstrate our perspectives by proposing some attacks via Android Plugin: a) A zero-permission app can bypass the permission check and the data isolation mechanism by exploiting two vulnerabilities we discovered in Android plugin frameworks. b) A new Android phishing attack allows attackers to phish any target apps at no cost. c) The current app promotion system can also be compromised by attackers through directly launching as many promoted apps as desired in the plugin environment. d) With our developed tool “Z4Plugin”, attackers can easily transform any malicious APK file to a new APK file, which can evade all engines in VirusTotal. Finally, we have proposed mitigation solutions for the above attacks.
This paper explores a real security vulnerability and patch management dataset from an electric utility in order to shed light on characteristics of the vulnerabilities that electric utility assets have and how they are remediated in practice. Specifically, it first analyzes the distribution of vulnerabilities over software, assets, and other metrics. Then it analyzes how vulnerability features affect remediation actions.
Malware detection has witnessed a rapid transition from manual signature release to full automation in recent years. In particular, with the accumulation of huge malware sample sets, machine learning (ML) and deep learning (DL) have been proposed for verdict prediction and family attribution. Despite the high accuracy and efficiency, existing proposals fall short in providing explanations for their detection results. To fill in the gap between classification decisions and the reasoning behind them, we propose Galaxy, a generic approach for automatic malware family signature generation. Briefly, Galaxy selects meaningful metadata fields from static and dynamic analysis reports of the given samples. Based on the selected fields, all input samples will be clustered into groups according to similarity measurement. The observed similarities will then be converted into patterns and validated against multiple intelligence sources to decide whether they are suitable for malware detection. In the end, Galaxy launches a refinement process to improve the grouping results and increase sample coverage. We have applied the Galaxy framework on daily incoming Android samples to our WildFire production since September 2016. Up to now, Galaxy has generated more than 12,500 unique family signatures covering a total of 1.75 million Android malware samples. Those family signatures have provided valuable insights for the discovery of undocumented malicious domains and identification of Communication & Control (C&C) servers. Because of our rigid quality requirement, all released signatures have been proven to cause no false positives in production.