
Proceedings of the Third Central European Cybersecurity Conference: latest publications

Approaching the Automation of Cyber Security Testing of Connected Vehicles
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360729
Stefan Marksteiner, Zhendong Ma
The advancing digitalization of vehicles and automotive systems bears many advantages for creating and enhancing comfort- and safety-related systems, ranging from drive-by-wire and the inclusion of advanced displays and entertainment systems up to sophisticated driving assistance and autonomous driving. It, however, also contains the inherent risk of being used for purposes it is not intended for, ranging from small non-authorized customizations to the possibility of full-scale cyberattacks that affect anything from several vehicles to whole fleets, and vital systems such as steering and engine control. To prevent such conditions and mitigate cybersecurity risks from affecting the safety of road traffic, cybersecurity testing must be adopted into automotive testing at a large scale. Currently, manual penetration testing processes cannot keep up with the increasing demand, due to the time and cost of testing complex systems. We propose an approach for an architecture that (semi-)automates automotive cybersecurity testing, allowing for more economical testing and therefore keeping up with the rising demand induced by new vehicle functions as well as the development towards connected and autonomous vehicles.
Cited by: 8
SAT Solvers and their Limits with NFSR-based Stream Ciphers: an Example with Grain v1
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360683
A. Schaffhauser
Many modern stream ciphers combine linear and nonlinear operations with a certain number of initial clock steps that do not produce keystream bits for encryption. As a result of this behaviour, the resulting system of equations becomes more and more complex and difficult to solve. Due to the increasing number of monomials, as well as the increasing algebraic degree, the resulting system of equations becomes immune to SAT-based cryptanalysis. A stream cipher realizing this principle is Grain v1. Grain is a stream cipher family whose first version was submitted as a proposal to the eSTREAM project in the year 2004. Following a key recovery attack in the year 2006, a new revised version was published, referred to as Grain Version 1. Within this paper, we examine the initialization phase of Grain v1 for SAT-based cryptanalysis. In the first step, the paper presents the necessary steps for establishing the Boolean system of equations. The second step describes the formulation of the SAT problem and the related possibilities and limitations.
Cited by: 1
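The monomial and degree growth the abstract describes can be watched directly on a toy cipher. The block below is an added example, not code from the paper, and it is not Grain v1: it is a 5-bit LFSR plus 5-bit NFSR with Grain's shape (the LFSR feeds the NFSR, a nonlinear output function is XORed into both feedbacks during initialisation, and no keystream is produced while initialising), with tap positions and feedback functions chosen here purely for illustration and all ten state bits treated as unknowns. It expands the algebraic normal form (ANF) of the first keystream bit exactly and reports how many monomials it has and its degree after r initialisation clocks, which is the size any linearisation or CNF encoding of the equation system has to absorb.

```python
"""Symbolic view of a Grain-like initialisation phase (added example).

Toy LFSR/NFSR cipher (5 + 5 bits), NOT Grain v1: same structure (linear
register, nonlinear register fed by the LFSR, nonlinear output function
fed back into both registers during initialisation) but tiny, so the ANF
of the first keystream bit can be expanded exactly and its growth measured.
Taps and feedback functions are illustrative choices; all state bits are
treated as unknowns.
"""
from itertools import product

# A Boolean polynomial over GF(2) in ANF is a set of monomials; a monomial is a
# frozenset of variable indices (the empty frozenset would be the constant 1).
Poly = frozenset


def var(i):
    """The polynomial consisting of the single variable x_i."""
    return Poly({frozenset({i})})


def xor(p, q):
    """Addition over GF(2): monomials present in both operands cancel."""
    return p ^ q


def mul(p, q):
    """Multiplication over GF(2): distribute, x_i * x_i = x_i, cancel duplicates."""
    out = set()
    for a, b in product(p, q):
        out ^= {a | b}
    return Poly(out)


def degree(p):
    """Algebraic degree: size of the largest monomial (0 for the zero polynomial)."""
    return max((len(m) for m in p), default=0)


LFSR_LEN = NFSR_LEN = 5


def initial_state():
    """LFSR bits are x0..x4, NFSR bits are x5..x9, all symbolic unknowns."""
    s = [var(i) for i in range(LFSR_LEN)]
    b = [var(LFSR_LEN + i) for i in range(NFSR_LEN)]
    return s, b


def output_bit(s, b):
    """Toy filter function h: one quadratic term plus two linear taps."""
    return xor(xor(mul(s[1], b[2]), s[3]), b[4])


def clock(s, b, feed_back_output):
    """One clock.  During initialisation the output bit is XORed into both
    feedbacks (as Grain does) and no keystream bit is emitted."""
    z = output_bit(s, b)
    fs = xor(s[0], s[2])                                   # linear LFSR feedback
    fb = xor(xor(xor(s[0], b[0]), b[1]), mul(b[2], b[3]))  # LFSR bit + nonlinear NFSR feedback
    if feed_back_output:
        fs, fb = xor(fs, z), xor(fb, z)
    return s[1:] + [fs], b[1:] + [fb]


def keystream_anf(init_rounds):
    """ANF of the first keystream bit after `init_rounds` initialisation clocks."""
    s, b = initial_state()
    for _ in range(init_rounds):
        s, b = clock(s, b, feed_back_output=True)
    return output_bit(s, b)


def profile(init_rounds):
    """(number of monomials, algebraic degree) of the first keystream bit.
    Every distinct monomial is one auxiliary variable a linearisation or a CNF
    encoding has to introduce, so this is the size a SAT instance must absorb."""
    p = keystream_anf(init_rounds)
    return len(p), degree(p)


if __name__ == "__main__":
    for r in range(7):
        n, d = profile(r)
        print(f"init rounds={r}  monomials={n:4d}  degree={d}")
```

With these taps the degree stays at 2 for the first three clocks, because the products only ever mix fresh state bits, and jumps at round 3, when a bit that is itself quadratic reaches a product tap; from there both counts climb with every clock. On a real cipher with a long initialisation phase the same mechanism is what pushes the system out of reach of the solver, and a `profile`-style count is the first thing to check before deciding how many clocks to keep symbolic.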
Towards a delegation-type secure software development method
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360728
Anže Mihelič, T. Hovelja, Simon L. R. Vrhovec
Agile methods are becoming increasingly popular and, compared to traditional methods, offer higher adaptability, quicker response to changing requirements and more efficient customer-developer collaboration throughout the entire software development process. However, they may not be the best way to achieve satisfactory security of the developed software, due to their focus on the functional requirements. To address this issue, we developed a novel approach for achieving secure software with agile methods without adding unnecessary complexity or rigidity, which is a key drawback of existing approaches and erodes their agility. The proposed approach builds on delegation of responsibility for security, generic security user stories, and a game of votes.
Cited by: 1
How much does a zero-permission Android app know about us?
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360671
Antonios Dimitriadis, George Drosatos, P. Efraimidis
Android devices contain a vast amount of personal data of their owners. These data are stored on the device and are protected by the Android permission scheme. Android apps can obtain access to specific data items by requesting the appropriate permissions from the user. However, in Android, access to certain assets is granted by default to the installed apps. For example, any Android app has the right to get the device's network operator, which may be used to infer information about the user's country and nationality. Similarly, any app has access to the clipboard, which may occasionally contain very sensitive information, like a password. Consequently, an honest but curious Android app may leverage the implicit access rights to accumulate such unguarded information pieces and gradually build a detailed profile of the user. The device owner has no immediate way to control this flow of information and, even worse, may not even be aware that this type of personal data flow can take place. In this work, we examine the issue of default access rights of Android apps and discuss the potential threat to user privacy. We assess user awareness and present a prototype zero-permission app that collects user data.
Cited by: 1
Meizodon
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360672
Sebastiaan Alvarez Rodriguez, Erik van der Kouwe
Many Android applications are uploaded to app stores every day. A relatively small fraction of these applications, or apps, is malware. Several research teams developed tools which automate malware detection for apps, to keep up with the never-ending stream of uploaded apks (Android PacKages). Every tool seemed better than the last, some even claiming accuracy scores well over 90%. However, all of these designs were tested against test sets containing only self-written apks, synthetic malicious apks, or otherwise statistically unsound samples. Many of these tools are open source. We propose Meizodon, a novel framework to install Android static security analysis tools and run them efficiently in a distributed fashion, in equal environments and against a suitable dataset. This allows us to make a fair and statistically sound comparison of the most recent and best known tools, on real, 'practical' malware: malware created by malware creators, not by researchers, and found in the wild. From the results, we conclude that Android static security analysis tools do show great promise to classify apks in practice, but are not quite there yet. We demonstrate that Meizodon allows us to efficiently test analysis tools, and find that the accuracy of tested analysis tools is low (F1 scores are just over 58%), and analysis fails for many apks. Additionally, we investigate why accuracy is low, and why so many analyses result in errors.
Cited by: 2
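How a failed analysis is scored changes the reported accuracy, which matters when tools fail on many apks, as the abstract reports. The block below is an added example, not Meizodon's code, on a constructed set of twenty labelled verdicts (the counts are invented for illustration). It computes F1 once with failed analyses dropped from the denominator and once with each failure counted as a missed detection, which is what a failure amounts to in a pipeline that blocks on verdicts.

```python
"""Scoring a static-analysis tool on a labelled APK set when analyses fail.

Added example, not Meizodon's code.  A tool verdict is "malware", "benign" or
"error" (the analysis crashed, timed out or rejected the apk).  The two
policies below show how the treatment of errors changes the reported F1.
"""
from collections import Counter

# Constructed verdicts: (ground-truth label, tool verdict); 10 malware + 10 benign.
SAMPLE_VERDICTS = (
    [("malware", "malware")] * 6 + [("malware", "benign")] * 2 + [("malware", "error")] * 2
    + [("benign", "benign")] * 7 + [("benign", "malware")] * 2 + [("benign", "error")] * 1
)


def confusion(verdicts, error_policy):
    """Count TP/FP/FN/TN and errors.

    error_policy "drop": failed analyses leave the denominator entirely.
    error_policy "miss": a failed analysis is scored as a 'benign' verdict,
    because the sample would have slipped through an automated gate."""
    c = Counter()
    for label, verdict in verdicts:
        if verdict == "error":
            c["errors"] += 1
            if error_policy == "drop":
                continue
            verdict = "benign"
        predicted_malware = verdict == "malware"
        actual_malware = label == "malware"
        if predicted_malware:
            c["TP" if actual_malware else "FP"] += 1
        else:
            c["FN" if actual_malware else "TN"] += 1
    return c


def f1_score(c):
    """Harmonic mean of precision and recall; 0.0 when undefined."""
    tp, fp, fn = c["TP"], c["FP"], c["FN"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0


def report(verdicts):
    """F1 under both error policies plus the analysis failure rate."""
    return {
        "f1_drop_errors": round(f1_score(confusion(verdicts, "drop")), 4),
        "f1_errors_as_miss": round(f1_score(confusion(verdicts, "miss")), 4),
        "error_rate": round(confusion(verdicts, "drop")["errors"] / len(verdicts), 4),
    }


if __name__ == "__main__":
    print(report(SAMPLE_VERDICTS))
```

On this constructed set the same tool scores F1 0.75 when its failures are silently dropped and 0.67 when they count as misses; a comparison between tools is only fair if every tool is scored under the same policy and the failure rate is reported next to the F1.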
Case Study: Analysis and Mitigation of a Novel Sandbox-Evasion Technique
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360673
Ziya Alper Genç, G. Lenzini, D. Sgandurra
Malware is one of the most popular cyber-attack methods in the digital world. According to the independent test company AV-TEST, 350,000 new malware samples are created every day. Analyzing all samples by hand to discover whether they are malware does not scale, so antivirus companies automate the process, e.g., using sandboxes where samples can be run, observed, and classified. Malware authors are aware of this fact and try to evade detection. In this paper we describe one such evasion technique, an unprecedented one: we discovered it while analyzing a ransomware sample. Analyzed in a Cuckoo Sandbox, the sample was able to avoid triggering malware indicators, thus scoring significantly below the minimum severity level. Here, we discuss what strategy the sample follows to evade the analysis, and propose practical defense methods to nullify, in our turn, the sample's furtive strategy.
Cited by: 0
Discussing the Feasibility of Acoustic Sensors for Side Channel-aided Industrial Intrusion Detection: An Essay
Pub Date : 2019-09-09 DOI: 10.1145/3360664.3360667
S. D. Antón, A. Lohfink, H. Schotten
The fourth industrial revolution leads to an increased use of embedded computation and intercommunication in an industrial environment. While reducing the cost and effort for set-up, operation and maintenance, and increasing the time to operation or market, respectively, as well as the efficiency, this also increases the attack surface of enterprises. Industrial enterprises have become targets of cyber criminals in the last decade, the reasons being espionage but also political motivation. Infamous attack campaigns, as well as easily available malware that hits industry in an unprepared state, create a large threat landscape. As industrial systems often operate for many decades and are difficult or impossible to upgrade in terms of security, legacy-compatible industrial security solutions are necessary in order to create a security parameter. One plausible approach in industry is the implementation and employment of side-channel sensors. Combining readily available sensor data from different sources via different channels can provide enhanced insight into the security state. In this work, a data set from an experimental industrial set-up containing side-channel sensors is discussed conceptually and insights are derived.
Cited by: 3
Security in Process: Detecting Attacks in Industrial Process Data
Pub Date : 2019-09-09 DOI: 10.1145/3360664.3360669
S. D. Antón, A. Lohfink, C. Garth, H. Schotten
Due to the fourth industrial revolution, industrial applications make use of the progress in communication and embedded devices. This allows industrial users to increase efficiency and manageability while reducing cost and effort. Furthermore, the fourth industrial revolution, creating the so-called Industry 4.0, opens a variety of novel use and business cases in the industrial environment. However, this progress comes at the cost of an enlarged attack surface of industrial companies. Operational networks that had previously been physically separated from public networks are now connected in order to make use of new communication capabilities. This motivates the need for industrial intrusion detection solutions that are compatible with the long-term operation of machines in industry as well as with heterogeneous and fast-changing networks. In this work, process data is analysed. The data is created and monitored on real-world hardware. After a set-up phase, attacks that influence the process behaviour are introduced into the systems. A time series-based anomaly detection approach, the Matrix Profile, is adapted to the specific needs and applied to intrusion detection. The results indicate the applicability of these methods to detect attacks in the process behaviour. Furthermore, they are easily integrated into existing process environments. Additionally, the one-class classifiers One-Class Support Vector Machine and Isolation Forest are applied to the data without a notion of timing. While Matrix Profiles perform well in terms of creating and visualising results, the one-class classifiers perform poorly.
Cited by: 11
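As an added example, not the paper's code or data, the block below applies the Matrix Profile to a constructed process signal and puts it beside a timing-blind baseline to show the kind of attack a classifier without a notion of timing misses. A periodic sawtooth stands in for a cyclic process variable; the attack reverses five samples in time, so every value stays inside the normal range. The baseline is a min/max envelope learned from the clean signal, chosen as the crudest dependency-free stand-in for a one-class classifier on raw values; the matrix profile is the naive all-pairs O(n²m) version with z-normalised Euclidean distance and an exclusion zone of m/2, so it runs without numpy or the STOMP/STAMP accelerations a production implementation would use.

```python
"""Matrix-profile discord detection on a constructed process signal.

Added example, not the paper's code or data.  A periodic sawtooth stands in for
a cyclic industrial process variable; the attack reverses a 5-sample segment in
time.  Every value stays in the normal range, so a timing-blind min/max
envelope sees nothing, while the matrix profile isolates the segment as the
top discord.
"""
import math

PERIOD = 20          # samples per process cycle, also the subsequence length m
N = 240              # signal length
ATTACK_START, ATTACK_LEN = 150, 5


def make_process_signal(attack=True):
    """Sawtooth 0..19 repeating; optionally reverse 5 samples in place."""
    ts = [float(t % PERIOD) for t in range(N)]
    if attack:
        seg = ts[ATTACK_START:ATTACK_START + ATTACK_LEN]
        ts[ATTACK_START:ATTACK_START + ATTACK_LEN] = seg[::-1]
    return ts


def z_normalize(window):
    """Remove offset and scale so only the shape of the subsequence is compared."""
    mean = sum(window) / len(window)
    std = math.sqrt(sum((x - mean) ** 2 for x in window) / len(window))
    if std == 0.0:                      # constant window: no shape to compare
        return [0.0] * len(window)
    return [(x - mean) / std for x in window]


def matrix_profile(ts, m):
    """Naive O(n^2 m) matrix profile: for every length-m subsequence, the
    z-normalised Euclidean distance to its nearest non-trivial neighbour.
    Neighbours closer than m/2 positions are excluded (trivial matches)."""
    n_sub = len(ts) - m + 1
    windows = [z_normalize(ts[i:i + m]) for i in range(n_sub)]
    exclusion = m // 2
    profile = [math.inf] * n_sub
    for i in range(n_sub):
        for j in range(i + exclusion, n_sub):
            d = math.sqrt(sum((a - b) ** 2 for a, b in zip(windows[i], windows[j])))
            if d < profile[i]:
                profile[i] = d
            if d < profile[j]:
                profile[j] = d
    return profile


def top_discord(ts, m):
    """Start index of the subsequence with the largest matrix-profile value."""
    mp = matrix_profile(ts, m)
    return max(range(len(mp)), key=mp.__getitem__)


def envelope_detector(train, test):
    """Timing-blind baseline: flag samples outside the clean min/max range."""
    lo, hi = min(train), max(train)
    return [t for t, x in enumerate(test) if x < lo or x > hi]


if __name__ == "__main__":
    clean, attacked = make_process_signal(False), make_process_signal(True)
    print("envelope detector flags:", envelope_detector(clean, attacked))
    d = top_discord(attacked, PERIOD)
    print(f"top discord starts at {d}; attack occupies "
          f"{ATTACK_START}..{ATTACK_START + ATTACK_LEN - 1}")
```

Every clean subsequence has an exact copy one period away, so its profile value is zero; only the windows that overlap the reversed segment have no close neighbour, and the top discord therefore starts within m-1 samples before the attack. The envelope detector returns an empty list for the same signal, which is the failure mode of any detector that judges samples one at a time: the values are all legitimate, only their order is not.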
Proceedings of the Third Central European Cybersecurity Conference
DOI: 10.1145/3360664
Cited by: 0