Malware and code-reuse attacks are the most significant threats to current systems operation. Solutions de- veloped to countermeasure them have their weaknesses exploited by attackers through sandbox evasion and anti-debug crafting. To address such weaknesses, we propose a framework that relies on modern processors branch monitor feature to allow us to analyze malware while reducing evasion effects. The use of hardware- assistance aids in increasing stealthiness, a key feature for debuggers, since modern software (malicious or benign) may be anti-analysis armored. We achieve stealthier code execution control by using the branch monitor hardwares inherent interrupt capabilities, keeping the code under execution intact. Previous work on branch monitoring have already addressed the ROP attack problem, but require code injection and/or are limited in their capture window size. Therefore, we also propose an ROP detector without these limitations.
K-means clustering is a widely used clustering analysis technique in machine learning. In this paper, we study the problem of differentially private k-means clustering. Several state-of-the-art methods follow the single-workload approach which adapts an existing machine learning algorithm by making each step private. However, most of them do not have satisfactory empirical performance. In this work, we develop techniques to analyze the empirical error behaviors of one of the state-of-the-art single-workload approaches, DPLloyd, which is a differentially private version of the Lloyd algorithm. Based on the analysis, we propose an improvement of DPLloyd. We also propose a new algorithm for k-means clustering from the perspective of the non-interactive approach which publishes a synopsis of the input dataset. After analyzing the empirical error behaviors of EUGkM, we further propose a hybrid approach that combines our DPLloyd improvement and EUGkM. Results from extensive and systematic experiments support our analysis and demonstrate the effectiveness of the DPLloyd improvement, EUGkM and the hybrid approach.
Malware analysis relies heavily on the use of virtual machines for functionality and safety. There are subtle differences in operation between virtual and physical machines. Contemporary malware checks for these differences and changes its behavior when it detects VM presence. These anti-VM techniques hinder mal- ware analysis. Existing research approaches to uncover differences between VMs and physical machines use randomized testing, and thus cannot guarantee completeness. In this paper we propose a detect-and-hide approach, which systematically addresses anti-VM techniques in malware. First, we propose cardinal pill testinga modification of red pill testing that aims to enumerate the differences between a given VM and a physical machine, through carefully designed tests. Cardinal pill testing finds five times more pills by running fifteen times fewer tests than red pill testing. We examine the causes of pills and find that, while the majority of them stem from the failure of VMs to follow CPU specifications, a significant number stem from under-specification of certain instructions by the Intel man- ual. This leads to divergent implementations in different CPU and VM architectures. Cardinal pill testing successfully enumerates the differences that stem from the first cause. Finally, we propose VM Cloak a WinDbg plug-in, which hides the presence of virtual machines from malware. VM Cloak monitors each exe- cuted malware command, detects potential pills, and modifies at run time the commands outcomes to match those that a physical machine would generate. We implemented VM Cloak and verified that it successfully hides VM presence from malware.
In many Internet of Thing (IoT) application domains security is a critical requirement, because malicious parties can undermine the effectiveness of IoT-based systems by compromising single components and/or communication channels. Thus, a security infrastructure is needed to ensure the proper functioning of such systems even under attack. However, it is also critical that security be at a reasonable resource and energy cost, as many IoT devices may not have sufficient resources to host expensive security tools. In this paper, we focus on the problem of efficiently and effectively securing IoT networks by carefully allocating security tools. We model our problem according to game theory, and provide a Pareto-optimal solution, in which the cost of the security infrastructure, its energy consumption, and the probability of a successful attack, are minimized. Our experimental evaluation shows that our technique improves the system robustness in terms of packet delivery rate for different network topologies. Furthermore, we also provide a method for handling the computation of the resource allocation plan for large-scale networks scenarios, where the optimization problem may require an unreasonable amount of time to be solved. We show how our proposed method drastically reduces the computing time, while providing a reasonable approximation of the optimal solution.
We introduce the first known mechanism providing realtime server location verification. Its uses include enhancing server authentication (e.g., augmenting TLS) by enabling browsers to automatically interpret server location information. We describe the design of this new measurement-based technique, Server Location Verification (SLV), and evaluate it using PlanetLab. We explain how SLV is compatible with the increasing trends of geographically distributed content dissemination over the Internet, without causing any new interoperability conflicts. Additionally, we introduce the notion of (verifiable) "server location pinning" within TLS (conceptually similar to certificate pinning) to support SLV, and evaluate their combined impact using a server-authentication evaluation framework. The results affirm the addition of new security benefits to the existing SSL/TLS-based authentication mechanisms. We implement SLV through a location verification service, the simplest version of which requires no server-side changes. We also implement a simple browser extension that interacts seamlessly with the verification infrastructure to obtain realtime server location-verification results.