Security monitoring has long been considered as a fundamental mechanism to mitigate the damage of a security attack. Recently, intra-level security systems have been proposed that can efficiently and securely monitor system software without any involvement of more privileged entity. Unfortunately, there exists no full intra-level security system that can universally operate at any privilege level on ARM. However, as malware and attacks increase against virtually every level of privileged software including an OS, a hypervisor and even the highest privileged software armored by TrustZone, we have been motivated to develop an intra-level security system, named as Hilps. Hilps realizes true intra-level scheme in all these levels of privileged software on ARM by elaborately exploiting a new hardware feature of ARM's latest 64-bit architecture, called TxSZ, that enables elastic adjustment of the accessible virtual address range. Furthermore, Hilps newly supports the sandbox mechanism that provides security tools with individually isolated execution environments, thereby minimizing security threats from untrusted security tools. We have implemented a prototype of Hilps on a real machine. The experimental results demonstrate that Hilps is quite promising for practical use in real deployments.
Secure email is increasingly being touted as usable by novice users, with a push for adoption based on recent concerns about government surveillance. To determine whether secure email is ready for grassroots adoption, we employ a laboratory user study that recruits pairs of novice users to install and use several of the latest systems to exchange secure messages. We present both quantitative and qualitative results from 28 pairs of novices as they use Pwm, Tutanota, and Virtru and 10 pairs of novices as they use Mailvelope. Participants report being more at ease with this type of study and better able to cope with mistakes since both participants are "on the same page." We find that users prefer integrated solutions over depot-based solutions and that tutorials are important in helping First-time users. Additionally, hiding the details of how a secure email system provides security can lead to a lack of trust in the system. Finally, our results demonstrate that PGP using manual key management is still unusable for novice users, with 9 out of 10 participant pairs failing to complete the study.
We propose a new authentication mechanism, called ``life-experience passwords (LEPs).'' Sitting somewhere between passwords and security questions, a LEP consists of several facts about a user-chosen life event, such as a trip, a graduation, a wedding, etc. At LEP creation, the system extracts these facts from the user's input and transforms them into questions and answers. At authentication, the system prompts the user with questions and matches her answers with the stored ones. We show that question choice and design make LEPs much more secure than security questions and passwords, while the question-answer format promotes password diversity and recall, lowering reuse. Specifically, we find that: (1) LEPs are 10^9 -10^14 x stronger than an ideal, randomized, 8-character password, (2) LEPs are up to 3 x more memorable than passwords and on par with security questions, and (3) LEPs are reused half as often as passwords. While both LEPs and security questions use personal experiences for authentication, LEPs use several questions, which are closely tailored to each user. This increases LEP security against guessing attacks. In our evaluation, only 0.7% of LEPs were guessed by casual friends, and 9.5% by family members or close friends, roughly half of the security question guessing rate. On the downside, LEPs take around 5 x longer to input than passwords. So, these qualities make LEPs suitable for multi-factor authentication at high-value servers, such as financial or sensitive work servers, where stronger authentication strength is needed.
The consumer drone market is booming. Consumer drones are predominantly used for aerial photography; however, their use has been expanding because of their autopilot technology. Unfortunately, terrorists have also begun to use consumer drones for kamikaze bombing and reconnaissance. To protect against such threats, several companies have started anti-drone services that primarily focus on disrupting or incapacitating drone operations. However, the approaches employed are inadequate because they make any drone that has intruded stop and remain over the protected area. We specify this issue by introducing the concept of safe-hijacking, which enables a hijacker to expel the intruding drone from the protected area remotely. As a safe-hijacking strategy, we investigated whether consumer drones in the autopilot mode can be hijacked via adaptive GPS spoofing. Specifically, as consumer drones activate GPS fail-safe and change their flight mode whenever a GPS error occurs, we examined the conditions under which the fail-safe is activated and the corresponding recovery procedures. To this end, we performed black- and white-box analyses of the fail-safe mechanisms of three popular drones: DJI Phantom 3 Standard, DJI Phantom 4, and 3DR Solo. Based on our analyses result, we designed safe-hijacking strategies for each drone. The results of field experiments and software simulations verified the efficacy of our safe-hijacking strategies against these drones and demonstrated that the strategies can force the drones to move in any direction with high accuracy.
While the logical centralization of functional properties of the network in Software-Defined Networking (SDN) brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties like security or dependability. Though addressing the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. We further advocate, for its materialization, the re-iteration of the successful formula behind SDN - logical centralization. As a general concept, we propose ANCHOR, a subsystem architecture that promotes the logical centralization of non-functional properties. To show its effectiveness, we focus on security in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms. ANCHOR sets to provide essential security mechanisms such as secure device registration and association. We claim and justify in the paper that centralizing such mechanisms is key for their e effectiveness, by allowing us to: define and enforce global policies for those properties; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and better foster the resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms.
Kickstarted by the DFRWS conference in 2005, modern memory analysis is now one of most active areas of computer forensics and it mostly focuses on techniques to locate key operating system data structures and extract high-level information. These techniques work on the assumption that the information inside a memory dump is consistent and the copy of the physical memory was obtained in an atomic operation. Unfortunately, this is seldom the case in real investigations, where software acquisition tools record information while the rest of the system is running. Thus, since the content of the memory is changing very rapidly, the resulting memory dump may contain inconsistent data. While this problem is known, its consequences are unclear and often overlooked. Unfortunately, errors can be very subtle and can affect the results of an analysis in ways that are difficult to detect. In this paper, we argue that memory forensic should also consider the time in which each piece of data was acquired. This new temporal dimension provides a preliminary way to assess the reliability of a given result and opens the door to new research directions that can minimize the effect of the acquisition time or detect inconsistencies. To support our hypothesis, we conducted several experiments to show that inconsistencies are very frequent and can negatively impact an analysis. We then discuss modifications we made to popular memory forensic tools to make the temporal dimension explicit during the analysis and to minimize its effect by resorting to a locality-based acquisition.
The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As stricter memory isolation mechanisms between the kernel and user space become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, like in web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of code snippets in order to construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied for the protection of the kernel itself. In this paper, we fill this gap by presenting kR^X: a kernel hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR^X is readily applicable to x86 Linux kernels (both 32- and 64-bit) and can benefit from hardware support (segmentation on x86, MPX on x86-64) to optimize performance. In full protection mode, kR^X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available, and 1.32% when memory segmentation is in use.
The constant evolution of the Android ecosystem, and of malware itself, makes it hard to design robust tools that can operate for long periods of time without the need for modifications or costly re-training. Aiming to address this issue, we set to detect malware from a behavioral point of view, modeled as the sequence of abstracted API calls. We introduce MaMaDroid, a static-analysis based system that abstracts apps API calls to their class, package, or family, and builds a model from their sequences obtained from the call graph of an app as Markov chains. This ensures that the model is more resilient to API changes and the features set is of manageable size. We evaluate MaMaDroid using a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it effectively detects malware (with up to 0.99 F-measure) and keeps its detection capabilities for long periods of time (up to 0.87 F-measure two years after training). We also show that MaMaDroid re- markably improves over DroidAPIMiner, a state-of-the-art detection system that relies on the frequency of (raw) API calls. Aiming to assess whether MaMaDroid's effectiveness mainly stems from the API abstraction or from the sequencing modeling, we also evaluate a variant of it that uses frequency (instead of sequences), of abstracted API calls. We find that it is not as accurate, failing to capture maliciousness when trained on malware samples including API calls that are equally or more frequently used by benign apps.