Agile defenses have been proposed to enable systems to change their defensive posture dynamically to thwart attacks. Researchers have suggested a variety of agile defenses that leverage renaming (e.g., for network services), migration (e.g., for cloud instances), variation (e.g., for application configurations), and patching (e.g., for programs), among others. These agile defenses demonstrate promise for achieving a key goal: increasing the cost of launching a successful attack. However, agile defenses also incur non-trivial costs in overhead and/or complexity to defenders as well, leaving defenders hesitant to employ such defenses without further justification for their necessity. A question we examine in this keynote is how to develop techniques that may aid defenders in choosing when to employ agile defenses and which agile defenses to employ.
{"title":"Static Analysis Opportunities for Improving Agile and Moving Target Defenses","authors":"T. Jaeger","doi":"10.1145/3411496.3421230","DOIUrl":"https://doi.org/10.1145/3411496.3421230","url":null,"abstract":"Agile defenses have been proposed to enable systems to change their defensive posture dynamically to thwart attacks. Researchers have suggested a variety of agile defenses that leverage renaming (e.g., for network services), migration (e.g., for cloud instances), variation (e.g., for application configurations), and patching (e.g., for programs), among others. These agile defenses demonstrate promise for achieving a key goal: increasing the cost of launching a successful attack. However, agile defenses also incur non-trivial costs in overhead and/or complexity to defenders as well, leaving defenders hesitant to employ such defenses without further justification for their necessity. A question we examine in this keynote is how to develop techniques that may aid defenders in choosing when to employ agile defenses and which agile defenses to employ.","PeriodicalId":288218,"journal":{"name":"Proceedings of the 7th ACM Workshop on Moving Target Defense","volume":"450 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122487156","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The Cybersecurity Dynamics framework offers an approach to systematically understanding, characterizing, quantifying and managing cybersecurity from a holistic perspective. The framework looks into cyberspace through the dynamics lens because environments in cyberspace often evolve with time (e.g., software vulnerabilities, attack capabilities, defense capabilities, and cybersecurity states). The dynamics lens offers a unique viewpoint, which guides the modeling of the various situations which evolve with respect to cybersecurity. This type of evolution is driven by attackers, defenders, and users of related systems and is manifested by their attack/defense/use activities. Since its inception in 2014, there has been significant progress in characterizing and taming various kinds of cybersecurity dynamics. In this paper we discuss the landscape and way-of-thinking that guide the Cybersecurity Dynamics model, including two killer applications and the technical barriers that serve as outstanding open problems for future research.
{"title":"The Cybersecurity Dynamics Way of Thinking and Landscape","authors":"Shouhuai Xu","doi":"10.1145/3411496.3421225","DOIUrl":"https://doi.org/10.1145/3411496.3421225","url":null,"abstract":"The Cybersecurity Dynamics framework offers an approach to systematically understanding, characterizing, quantifying and managing cybersecurity from a holistic perspective. The framework looks into cyberspace through the dynamics lens because environments in cyberspace often evolve with time (e.g., software vulnerabilities, attack capabilities, defense capabilities, and cybersecurity states). The dynamics lens offers a unique viewpoint, which guides the modeling of the various situations which evolve with respect to cybersecurity. This type of evolution is driven by attackers, defenders, and users of related systems and is manifested by their attack/defense/use activities. Since its inception in 2014, there has been significant progress in characterizing and taming various kinds of cybersecurity dynamics. In this paper we discuss the landscape and way-of-thinking that guide the Cybersecurity Dynamics model, including two killer applications and the technical barriers that serve as outstanding open problems for future research.","PeriodicalId":288218,"journal":{"name":"Proceedings of the 7th ACM Workshop on Moving Target Defense","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128330340","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
N. Burow, Ryan Burrow, R. Khazan, H. Shrobe, Bryan C. Ward
Moving-target defenses (MTDs) have been widely studied for common general-purpose and enterprise-computing applications. Indeed, such work has produced highly effective, low-overhead defenses that are now commonly deployed in many systems today. One application space that has seen comparatively little focus is that of safety- and mission-critical systems, which are often real-time systems (RTS) with temporal requirements. Furthermore, such systems are increasingly being targeted by attackers, such as in industrial control systems (ICS), including power grids. The strict timing requirements of these systems presents a different design objective than is common in general-purpose applications -- systems should be designed around the worst-case performance, rather than the average case. Perhaps in part due to these alternative design considerations, many real-time systems have not benefited from much of the work on software security that common general-purpose and enterprise applications have, despite the ubiquity of real-time systems that actively control so many applications we as a society have come to rely on, from power generation and distribution, to automotive and avionic applications, and many others. This paper explores the application of moving-target defenses in the context of real-time systems. In particular, the worst-case performance of several address-space randomization defenses are evaluated to study the implications of such designs in real-time applications. These results suggest that current moving-target defenses, while performant in the average case, can exhibit significant tail latencies, which can be problematic in real-time applications, especially if such overheads are not considered in the design and analysis of the system. These results inform future research directions for moving-target defenses in real-time applications.
{"title":"Moving Target Defense Considerations in Real-Time Safety- and Mission-Critical Systems","authors":"N. Burow, Ryan Burrow, R. Khazan, H. Shrobe, Bryan C. Ward","doi":"10.1145/3411496.3421224","DOIUrl":"https://doi.org/10.1145/3411496.3421224","url":null,"abstract":"Moving-target defenses (MTDs) have been widely studied for common general-purpose and enterprise-computing applications. Indeed, such work has produced highly effective, low-overhead defenses that are now commonly deployed in many systems today. One application space that has seen comparatively little focus is that of safety- and mission-critical systems, which are often real-time systems (RTS) with temporal requirements. Furthermore, such systems are increasingly being targeted by attackers, such as in industrial control systems (ICS), including power grids. The strict timing requirements of these systems presents a different design objective than is common in general-purpose applications -- systems should be designed around the worst-case performance, rather than the average case. Perhaps in part due to these alternative design considerations, many real-time systems have not benefited from much of the work on software security that common general-purpose and enterprise applications have, despite the ubiquity of real-time systems that actively control so many applications we as a society have come to rely on, from power generation and distribution, to automotive and avionic applications, and many others. This paper explores the application of moving-target defenses in the context of real-time systems. In particular, the worst-case performance of several address-space randomization defenses are evaluated to study the implications of such designs in real-time applications. These results suggest that current moving-target defenses, while performant in the average case, can exhibit significant tail latencies, which can be problematic in real-time applications, especially if such overheads are not considered in the design and analysis of the system. These results inform future research directions for moving-target defenses in real-time applications.","PeriodicalId":288218,"journal":{"name":"Proceedings of the 7th ACM Workshop on Moving Target Defense","volume":"111 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116852217","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
R. Brown, Alex Marti, C. Jenkins, Susmit Shannigrahi
This paper presents Dynamic Address Validation Array (DAVA), a novel moving target defense protocol for the Controller Area Network Bus (CAN bus). DAVA's primary goal is to mitigate the common CAN bus vulnerability of an unauthorized entity misappropriating components in the vehicle through sniffing and reusing ECU IDs for replaying messages. Using a dynamically allocated array stored in the ECU that is updated and validated frequently, DAVA limits an attacker's ability to reuse ECU IDs for replay attacks. The protocol strives to be minimally invasive and lightweight for application in CAN bus while still being secure. This paper discusses the DAVA protocol, a proof of concept implementation, and initial performance measurements. This paper explains how DAVA is able to provide a robust security framework for CAN bus without the need for a large amount of storage or CAN bus standard modification.
{"title":"Dynamic Address Validation Array (DAVA): A Moving Target Defense Protocol for CAN bus","authors":"R. Brown, Alex Marti, C. Jenkins, Susmit Shannigrahi","doi":"10.1145/3411496.3421221","DOIUrl":"https://doi.org/10.1145/3411496.3421221","url":null,"abstract":"This paper presents Dynamic Address Validation Array (DAVA), a novel moving target defense protocol for the Controller Area Network Bus (CAN bus). DAVA's primary goal is to mitigate the common CAN bus vulnerability of an unauthorized entity misappropriating components in the vehicle through sniffing and reusing ECU IDs for replaying messages. Using a dynamically allocated array stored in the ECU that is updated and validated frequently, DAVA limits an attacker's ability to reuse ECU IDs for replay attacks. The protocol strives to be minimally invasive and lightweight for application in CAN bus while still being secure. This paper discusses the DAVA protocol, a proof of concept implementation, and initial performance measurements. This paper explains how DAVA is able to provide a robust security framework for CAN bus without the need for a large amount of storage or CAN bus standard modification.","PeriodicalId":288218,"journal":{"name":"Proceedings of the 7th ACM Workshop on Moving Target Defense","volume":"46 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122905800","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Richard Poschinger, Nils Rodday, Raphael Labaca-Castro, Gabi Dreo Rodosek
Moving Target Defense (MTD) represents a way of defending networked systems on different levels. It mainly focuses on shifting the different surfaces of the protected environment. Existing approaches studied on network-level are Port Hopping (PH), which shifts ports, and Network Address Shuffling (NAS), which steadily alters the network addresses of hosts. As a result, the formerly static attack surface now behaves dynamically whilst the relationship of ports to services and network addresses to hosts can be changed. Most MTD approaches have only been evaluated theoretically and comparisons are still lacking. Hence, based on existing results, it is not possible to contrast implementations like PH and NAS in terms of security and network performance. Finally, implementation details are usually not shared publicly. To mitigate these shortcomings, we developed a hybrid platform that evaluates such techniques and reimplemented PH and NAS with additional features such as connection tracker with fingerprinting service and a honeypot module, which is helpful to bypass attackers attempts. We created a common software platform to integrate approaches using the same gateway components and providing graphic network usability. The environment, named OpenMTD, has been open-sourced and works in a modular fashion allowing for easy extensions and future developments. We show that common attacks, starting with a reconnaissance phase were not able to successfully reach vulnerable hosts that are part of the OpenMTD-protected network. A new worm has been developed to spread across the network and the propagation paths showed that OpenMTD can lay the ground for extending protection mechanisms against self-propagating threats.
{"title":"OpenMTD","authors":"Richard Poschinger, Nils Rodday, Raphael Labaca-Castro, Gabi Dreo Rodosek","doi":"10.1145/3411496.3421223","DOIUrl":"https://doi.org/10.1145/3411496.3421223","url":null,"abstract":"Moving Target Defense (MTD) represents a way of defending networked systems on different levels. It mainly focuses on shifting the different surfaces of the protected environment. Existing approaches studied on network-level are Port Hopping (PH), which shifts ports, and Network Address Shuffling (NAS), which steadily alters the network addresses of hosts. As a result, the formerly static attack surface now behaves dynamically whilst the relationship of ports to services and network addresses to hosts can be changed. Most MTD approaches have only been evaluated theoretically and comparisons are still lacking. Hence, based on existing results, it is not possible to contrast implementations like PH and NAS in terms of security and network performance. Finally, implementation details are usually not shared publicly. To mitigate these shortcomings, we developed a hybrid platform that evaluates such techniques and reimplemented PH and NAS with additional features such as connection tracker with fingerprinting service and a honeypot module, which is helpful to bypass attackers attempts. We created a common software platform to integrate approaches using the same gateway components and providing graphic network usability. The environment, named OpenMTD, has been open-sourced and works in a modular fashion allowing for easy extensions and future developments. We show that common attacks, starting with a reconnaissance phase were not able to successfully reach vulnerable hosts that are part of the OpenMTD-protected network. A new worm has been developed to spread across the network and the propagation paths showed that OpenMTD can lay the ground for extending protection mechanisms against self-propagating threats.","PeriodicalId":288218,"journal":{"name":"Proceedings of the 7th ACM Workshop on Moving Target Defense","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122593238","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Session 2: Systematization of MTD 1","authors":"Hamed Okhravi","doi":"10.1145/3433234","DOIUrl":"https://doi.org/10.1145/3433234","url":null,"abstract":"","PeriodicalId":288218,"journal":{"name":"Proceedings of the 7th ACM Workshop on Moving Target Defense","volume":"108 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115680394","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Wireless is a key component in most of today's network infrastructures. Yet, it is highly susceptible to network attacks because wireless communication and infrastructure, such as Access Point(AP) and clients, can be easily discovered and targeted. Particularly,the static nature of the wireless AP topology and its configuration offers a significant advantage to adversaries to identify network targets and plan devastating attacks such as denial of service or eavesdropping. This is critically important in hostile military environment in which soldiers depend on wireless infrastructure for communication and coordination. In this paper, we present formal foundations for two wireless agility techniques: (1) Random Range Mutation (RNM) that allows for periodic changes of AP coverage range randomly, and (2) Random Topology Mutation (RTM) that allows for random motion and placement of APs in the wireless infrastructure. The goal of these techniques is to proactively defend against targeted attacks (e.g.,DoS and eavesdropping) by forcing the wireless clients to change their AP association randomly. We apply Satisfiability Modulo Theories (SMT) and Answer Set Programming (ASP) based constraint solving methods that allow for optimizing wireless AP mutation while maintaining service requirements including coverage, security and energy properties under incomplete information about the adversary strategies. Our evaluation validates the feasibility,scalability, and effectiveness of the formal methods based technical approaches.
{"title":"Range and Topology Mutation Based Wireless Agility","authors":"Qi Duan, E. Al-Shaer, Jiang Xie","doi":"10.1145/3411496.3421228","DOIUrl":"https://doi.org/10.1145/3411496.3421228","url":null,"abstract":"Wireless is a key component in most of today's network infrastructures. Yet, it is highly susceptible to network attacks because wireless communication and infrastructure, such as Access Point(AP) and clients, can be easily discovered and targeted. Particularly,the static nature of the wireless AP topology and its configuration offers a significant advantage to adversaries to identify network targets and plan devastating attacks such as denial of service or eavesdropping. This is critically important in hostile military environment in which soldiers depend on wireless infrastructure for communication and coordination. In this paper, we present formal foundations for two wireless agility techniques: (1) Random Range Mutation (RNM) that allows for periodic changes of AP coverage range randomly, and (2) Random Topology Mutation (RTM) that allows for random motion and placement of APs in the wireless infrastructure. The goal of these techniques is to proactively defend against targeted attacks (e.g.,DoS and eavesdropping) by forcing the wireless clients to change their AP association randomly. We apply Satisfiability Modulo Theories (SMT) and Answer Set Programming (ASP) based constraint solving methods that allow for optimizing wireless AP mutation while maintaining service requirements including coverage, security and energy properties under incomplete information about the adversary strategies. Our evaluation validates the feasibility,scalability, and effectiveness of the formal methods based technical approaches.","PeriodicalId":288218,"journal":{"name":"Proceedings of the 7th ACM Workshop on Moving Target Defense","volume":"30 20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123258315","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Session 1: New Techniques, Models, and Evaluation","authors":"Cliff X. Wang","doi":"10.1145/3433232","DOIUrl":"https://doi.org/10.1145/3433232","url":null,"abstract":"","PeriodicalId":288218,"journal":{"name":"Proceedings of the 7th ACM Workshop on Moving Target Defense","volume":"62 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123920435","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Caused by coronavirus SARS-CoV-2, the COVID-19 disease spreads particularly through direct contact between people. Health authorities face the challenge of identifying and isolating infection chains to prevent the pandemic from spreading further. To improve the efficiency and effectiveness of manual contact tracing, many countries have recently introduced digital contact tracing apps running on smartphones of users for helping to identify contacts between individual users. These apps are usually based on beaconing pseudonymous identifiers over a proximity communication protocol like Bluetooth LE. The identification of potentially critical contacts is then performed by comparing the identifiers emitted by persons reported as infected and the identifiers observed by other users of the system and issuing appropriate warnings to them in case a matching identifier is found. However, by beaconing identifiers into their proximity, individual users potentially become traceable by entities that systematically collect observations in various places. To preserve privacy of users and be compliant to various privacy regulations many proposed systems use ephemeral, pseudo-random identifiers that are more difficult to link together. In this paper, we briefly analyze and discuss privacy properties of a selected number of proposed contact tracing solutions and the impact of the applied randomization approaches. We also discuss the pros and cons of these tracing schemes.
{"title":"Long Live Randomization: On Privacy-preserving Contact Tracing in Pandemic","authors":"T. D. Nguyen, Markus Miettinen, A. Sadeghi","doi":"10.1145/3411496.3421229","DOIUrl":"https://doi.org/10.1145/3411496.3421229","url":null,"abstract":"Caused by coronavirus SARS-CoV-2, the COVID-19 disease spreads particularly through direct contact between people. Health authorities face the challenge of identifying and isolating infection chains to prevent the pandemic from spreading further. To improve the efficiency and effectiveness of manual contact tracing, many countries have recently introduced digital contact tracing apps running on smartphones of users for helping to identify contacts between individual users. These apps are usually based on beaconing pseudonymous identifiers over a proximity communication protocol like Bluetooth LE. The identification of potentially critical contacts is then performed by comparing the identifiers emitted by persons reported as infected and the identifiers observed by other users of the system and issuing appropriate warnings to them in case a matching identifier is found. However, by beaconing identifiers into their proximity, individual users potentially become traceable by entities that systematically collect observations in various places. To preserve privacy of users and be compliant to various privacy regulations many proposed systems use ephemeral, pseudo-random identifiers that are more difficult to link together. In this paper, we briefly analyze and discuss privacy properties of a selected number of proposed contact tracing solutions and the impact of the applied randomization approaches. We also discuss the pros and cons of these tracing schemes.","PeriodicalId":288218,"journal":{"name":"Proceedings of the 7th ACM Workshop on Moving Target Defense","volume":"36 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121933180","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: