This paper proposes a new way of simulating leakage traces using high level of abstraction models and presents a proof of concept implementation simulator called SILK -- a tool for leakage simulation for side channel analysis of microcontrollers and microprocessors. SILK is a high level of abstraction simulator that builds a leakage trace based on a source code of an algorithm and several user-defined parameters. One of the main purposes of SILK is data generation for quick analysis of new attacks, countermeasures or preprocessing methods. SILK might also be used to compare different types of attacks, analysis techniques or software countermeasures. This paper presents general structure and parameters of SILK and a typical example of use case. Our experiments were done with two algorithms that run on a microcontroller in order to compare our simulations with real power traces. We compared simulated traces with real power traces using Dynamic Time Warping technique with two different distance metrics. We also compared our simulations with real power traces using Correlation Power Analysis (CPA). We were also able to show that using a high level of abstraction simulation we are able to produce datasets that might be used for side channel analysis.
{"title":"SILK: high level of abstraction leakage simulator for side channel analysis","authors":"Nikita Veshchikov","doi":"10.1145/2689702.2689706","DOIUrl":"https://doi.org/10.1145/2689702.2689706","url":null,"abstract":"This paper proposes a new way of simulating leakage traces using high level of abstraction models and presents a proof of concept implementation simulator called SILK -- a tool for leakage simulation for side channel analysis of microcontrollers and microprocessors. SILK is a high level of abstraction simulator that builds a leakage trace based on a source code of an algorithm and several user-defined parameters. One of the main purposes of SILK is data generation for quick analysis of new attacks, countermeasures or preprocessing methods. SILK might also be used to compare different types of attacks, analysis techniques or software countermeasures. This paper presents general structure and parameters of SILK and a typical example of use case. Our experiments were done with two algorithms that run on a microcontroller in order to compare our simulations with real power traces. We compared simulated traces with real power traces using Dynamic Time Warping technique with two different distance metrics. We also compared our simulations with real power traces using Correlation Power Analysis (CPA). We were also able to show that using a high level of abstraction simulation we are able to produce datasets that might be used for side channel analysis.","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115865367","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","authors":"M. Preda, J. McDonald","doi":"10.1145/2689702","DOIUrl":"https://doi.org/10.1145/2689702","url":null,"abstract":"","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"27 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134352816","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jing Qiu, B. Yadegari, Brian Johannesmeyer, S. Debray, Xiaohong Su
Malicious code often use a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tend to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.
{"title":"A Framework for Understanding Dynamic Anti-Analysis Defenses","authors":"Jing Qiu, B. Yadegari, Brian Johannesmeyer, S. Debray, Xiaohong Su","doi":"10.1145/2689702.2689704","DOIUrl":"https://doi.org/10.1145/2689702.2689704","url":null,"abstract":"Malicious code often use a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tend to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128571298","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Tristan Ravitch, E. Creswick, Aaron Tomb, Adam Foltzer, Trevor Elliott, L. Casburn
Android's popularity has given rise to myriad application analysis techniques to improve the security and robustness of mobile applications, motivated by the evolving adversarial landscape. These techniques have focused on identifying undesirable behaviors in individual applications, either due to malicious intent or programmer error. We present a collection of tools that provide a static information flow analysis across a set of applications, showing a holistic view of all the applications destined for a particular device. The techniques we present include a static binary single-app analysis, a security lint tool to mitigate the limits of static binary analysis, a multi-app information flow analysis, and an evaluation engine to detect information flows that violate specified security policies. We show that our single-app analysis is comparable with the leading approaches on the DroidBench benchmark suite; we present a brief listing of lint-like heuristics used to show the limits of the single-app analysis in the context of an application; we present a multi-app analysis, and demonstrate information flows that cannot be detected by single-app analyses; and we present a policy evaluation engine to automatically detect violations in collections of Android apps.
{"title":"Multi-App Security Analysis with FUSE: Statically Detecting Android App Collusion","authors":"Tristan Ravitch, E. Creswick, Aaron Tomb, Adam Foltzer, Trevor Elliott, L. Casburn","doi":"10.1145/2689702.2689705","DOIUrl":"https://doi.org/10.1145/2689702.2689705","url":null,"abstract":"Android's popularity has given rise to myriad application analysis techniques to improve the security and robustness of mobile applications, motivated by the evolving adversarial landscape. These techniques have focused on identifying undesirable behaviors in individual applications, either due to malicious intent or programmer error. We present a collection of tools that provide a static information flow analysis across a set of applications, showing a holistic view of all the applications destined for a particular device. The techniques we present include a static binary single-app analysis, a security lint tool to mitigate the limits of static binary analysis, a multi-app information flow analysis, and an evaluation engine to detect information flows that violate specified security policies. We show that our single-app analysis is comparable with the leading approaches on the DroidBench benchmark suite; we present a brief listing of lint-like heuristics used to show the limits of the single-app analysis in the context of an application; we present a multi-app analysis, and demonstrate information flows that cannot be detected by single-app analyses; and we present a policy evaluation engine to automatically detect violations in collections of Android apps.","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"14 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125256322","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Shabnam Aboughadareh, Christoph Csallner, M. Azarmi
Mixed-mode malware contains user-mode and kernel-mode components that are interdependent. Such malware exhibits its main malicious payload only after it succeeds at corrupting the OS kernel. Such malware may further actively attack or subvert malware analysis components. Current malware analysis techniques are not effective against mixed-mode malware. To overcome the limitations of current techniques, we present an approach that combines whole-system analysis with outside-the-guest virtual machine introspection. We implement this approach in the SEMU tool for Windows. In our experiments SEMU could successfully analyze several mixed-mode malware samples that evade current analysis approaches. The runtime overhead of SEMU is in line with the most closely related dynamic analysis tools TEMU and Ether.
{"title":"Mixed-Mode Malware and Its Analysis","authors":"Shabnam Aboughadareh, Christoph Csallner, M. Azarmi","doi":"10.1145/2689702.2689703","DOIUrl":"https://doi.org/10.1145/2689702.2689703","url":null,"abstract":"Mixed-mode malware contains user-mode and kernel-mode components that are interdependent. Such malware exhibits its main malicious payload only after it succeeds at corrupting the OS kernel. Such malware may further actively attack or subvert malware analysis components. Current malware analysis techniques are not effective against mixed-mode malware. To overcome the limitations of current techniques, we present an approach that combines whole-system analysis with outside-the-guest virtual machine introspection. We implement this approach in the SEMU tool for Windows. In our experiments SEMU could successfully analyze several mixed-mode malware samples that evade current analysis approaches. The runtime overhead of SEMU is in line with the most closely related dynamic analysis tools TEMU and Ether.","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128558932","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
M. Yampolskiy, T. Andel, J. McDonald, W. Glisson, Alec Yasinsac
Additive Layer Manufacturing (ALM) is a new technology to produce 3D objects adding layer by layer. Agencies and companies like NASA, ESA, and SpaceX are exploring a broad range of application areas of ALM, which includes printing of device components, replacement parts, houses, and even food. They expect that this technology will greatly reduce production costs, manufacturing time, and necessary storage space. The broad variety of application areas and the high grade of computerization of this manufacturing process will inevitably make ALM an attractive target of various attacks. This research examines the problem of Intellectual Property (IP) protection in the case of outsourcing the ALM manufacturing process. We discuss the existing process and introduce a new model for the outsourcing of ALM-based production. For the proposed outsourcing model, focusing on IP protection, we present a risk assessment, specify requirements addressing mitigation of the identified risks, and outline approaches to implement the specified requirements. The fulfillment of the specified requirements will enable secure outsourcing of ALM production.
{"title":"Intellectual Property Protection in Additive Layer Manufacturing: Requirements for Secure Outsourcing","authors":"M. Yampolskiy, T. Andel, J. McDonald, W. Glisson, Alec Yasinsac","doi":"10.1145/2689702.2689709","DOIUrl":"https://doi.org/10.1145/2689702.2689709","url":null,"abstract":"Additive Layer Manufacturing (ALM) is a new technology to produce 3D objects adding layer by layer. Agencies and companies like NASA, ESA, and SpaceX are exploring a broad range of application areas of ALM, which includes printing of device components, replacement parts, houses, and even food. They expect that this technology will greatly reduce production costs, manufacturing time, and necessary storage space. The broad variety of application areas and the high grade of computerization of this manufacturing process will inevitably make ALM an attractive target of various attacks. This research examines the problem of Intellectual Property (IP) protection in the case of outsourcing the ALM manufacturing process. We discuss the existing process and introduce a new model for the outsourcing of ALM-based production. For the proposed outsourcing model, focusing on IP protection, we present a risk assessment, specify requirements addressing mitigation of the identified risks, and outline approaches to implement the specified requirements. The fulfillment of the specified requirements will enable secure outsourcing of ALM production.","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"27 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122130182","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
J. Danger, S. Guilley, Thibault Porteboeuf, Florian Praden, Michaël Timbert
Cyber-attacks are widely known to be a major threat on computing devices. Many attacks exploit a latent problem in the host program. This can be a misconfiguration or a real programming error (e.g., lack of user-provided input verification or untested corner cases). Once such a bug is identified, attack programs can be devised, which will for instance install a payload on the victim host. Many features have been developed to protect from these infection vectors. In this paper we present a simple hardware/software solution able to check good execution of one program by checking that each basic block is correctly executed and that the Control Flow Graph (CFG) is respected. We call this control-flow integrity (CFI). We are able to do so in real time without adding new opcodes in the processor, but by modifying slightly the executed code. Moreover, we also aim at verifying that the sequence of instructions is correctly executed within each basic block. In this respect, we implement a hardware module called HCODE, (short for Hashing CODE), into the processor which reads each instruction executed by the processor and computes some signature to check against a genuine copy of precomputed signatures.
{"title":"HCODE: Hardware-Enhanced Real-Time CFI","authors":"J. Danger, S. Guilley, Thibault Porteboeuf, Florian Praden, Michaël Timbert","doi":"10.1145/2689702.2689708","DOIUrl":"https://doi.org/10.1145/2689702.2689708","url":null,"abstract":"Cyber-attacks are widely known to be a major threat on computing devices. Many attacks exploit a latent problem in the host program. This can be a misconfiguration or a real programming error (e.g., lack of user-provided input verification or untested corner cases). Once such a bug is identified, attack programs can be devised, which will for instance install a payload on the victim host. Many features have been developed to protect from these infection vectors. In this paper we present a simple hardware/software solution able to check good execution of one program by checking that each basic block is correctly executed and that the Control Flow Graph (CFG) is respected. We call this control-flow integrity (CFI). We are able to do so in real time without adding new opcodes in the processor, but by modifying slightly the executed code. Moreover, we also aim at verifying that the sequence of instructions is correctly executed within each basic block. In this respect, we implement a hardware module called HCODE, (short for Hashing CODE), into the processor which reads each instruction executed by the processor and computes some signature to check against a genuine copy of precomputed signatures.","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133439462","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Joshua Cazalas, J. McDonald, T. Andel, Natalia Stakhanova
Virtualization is becoming a prominent field of research not only in distributed systems, but also in software protection and obfuscation. Software virtualization has given rise to advanced techniques that may provide intellectual property protection and anti-cloning resilience. We present results of an empirical study that answers whether integrity of execution can be preserved for process-level virtualization protection schemes in the face of adversarial analysis. Our particular approach considers exploits that target the virtual execution environment itself and how it interacts with the underlying host operating system and hardware. We give initial results that indicate such protection mechanisms may be vulnerable at the level where the virtualized code interacts with the underlying operating system. The resolution of whether such attacks can undermine security will help create better detection and analysis methods for malware that also employ software virtualization. Our findings help frame research for additional mitigation techniques using hardware-based integration or hybrid virtualization techniques that can better defend legitimate uses of virtualized software protection.
{"title":"Probing the Limits of Virtualized Software Protection","authors":"Joshua Cazalas, J. McDonald, T. Andel, Natalia Stakhanova","doi":"10.1145/2689702.2689707","DOIUrl":"https://doi.org/10.1145/2689702.2689707","url":null,"abstract":"Virtualization is becoming a prominent field of research not only in distributed systems, but also in software protection and obfuscation. Software virtualization has given rise to advanced techniques that may provide intellectual property protection and anti-cloning resilience. We present results of an empirical study that answers whether integrity of execution can be preserved for process-level virtualization protection schemes in the face of adversarial analysis. Our particular approach considers exploits that target the virtual execution environment itself and how it interacts with the underlying host operating system and hardware. We give initial results that indicate such protection mechanisms may be vulnerable at the level where the virtualized code interacts with the underlying operating system. The resolution of whether such attacks can undermine security will help create better detection and analysis methods for malware that also employ software virtualization. Our findings help frame research for additional mitigation techniques using hardware-based integration or hybrid virtualization techniques that can better defend legitimate uses of virtualized software protection.","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126700606","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: