Secure (S)Hell: Introducing an SSH Deception Proxy Framework
(preprint) Cryptography and Security (cs.CR) 2021 [PDF, INFO]
Deceiving an attacker in the network security domain is a well established approach, mainly achieved through deployment of honeypots consisting of open network ports with the sole purpose of raising an alert on a connection. With attackers becoming more careful to avoid honeypots, other decoy elements on real host systems continue to create uncertainty for attackers. This uncertainty makes an attack more difficult, as an attacker cannot be sure whether the system does contain deceptive elements or not. Consequently, each action of an attacker could lead to the discovery. In this paper a framework is proposed for placing decoy elements through an SSH proxy, allowing to deploy decoy elements on-the-fly without the need for a modification of the protected host system.
Can You Accept LaTeX Files from Strangers? Ten Years Later
(preprint) Cryptography and Security (cs.CR) 2021 [PDF, INFO]
It is well-known that Microsoft Word/Excel compatible documents or PDF files can contain malicious content. LaTeX files are unfortunately no exception either. LaTeX users often include third-party codes through sources or packages (.sty or .cls files). But those packages can execute malicious commands on the users' system, in order to capture sensitive information or to perform denial of service attacks. Checkoway et al. were the first to warn LaTeX users of these threats. Collaborative cloud-based LaTeX editors and services compiling LaTeX sources are particularly concerned. In this paper, we have created a LaTeX package that collects system data and hides them inside the PDF file produced by the target. Then, we have measured what can be recovered by hackers using malicious LaTeX file on online services, and which measures those services have enforced to thwart the threats. Services defend themselves using sandbox or commands restrictions. Commands restrictions are more difficult to set up and we found one service (PMLatex) which is too permissive.
The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion
Privacy Enhancing Technologies 2021 [PDF, INFO]
Online tracking is a whack-a-mole game between trackers who build and monetize behavioral user profiles through intrusive data collection, and anti-tracking mechanisms, deployed as a browser extension, built-in to the browser, or as a DNS resolver. As a response to pervasive and opaque online tracking, more and more users adopt anti-tracking tools to preserve their privacy. Consequently, as the information that trackers can gather on users is being curbed, some trackers are looking for ways to evade these tracking countermeasures. In this paper we report on a large-scale longitudinal evaluation of an anti-tracking evasion scheme that leverages CNAME records to include tracker resources in a same-site context, effectively bypassing anti-tracking measures that use fixed hostname-based block lists. Using historical HTTP Archive data we find that this tracking scheme is rapidly gaining traction, especially among high-traffic websites. Furthermore, we report on several privacy and security issues inherent to the technical setup of CNAME-based tracking that we detected through a combination of automated and manual analyses. We find that some trackers are using the technique against the Safari browser, which is known to include strict anti-tracking configurations. Our findings show that websites using CNAME trackers must take extra precautions to avoid leaking sensitive information to third parties.
CADE: Detecting and Explaining Concept Drift Samples for Security Applications
USENIX Security '21 [PDF, INFO]
Concept drift poses a critical challenge to deploy machine learning models to solve practical security problems. Due to the dynamic behavior changes of attackers (and/or the benign counterparts), the testing data distribution is often shifting from the original training data over time, causing major failures to the deployed model.
To combat concept drift, we present a novel system CADE aiming to 1) detect drifting samples that deviate from existing classes, and 2) provide explanations to reason the detected drift. Unlike traditional approaches (that require a large number of new labels to determine concept drift statistically), we aim to identify individual drifting samples as they arrive. Recognizing the challenges introduced by the high-dimensional outlier space, we propose to map the data samples into a low-dimensional space and automatically learn a distance function to measure the dissimilarity between samples. Using contrastive learning, we can take full advantage of existing labels in the training dataset to learn how to compare and contrast pairs of samples. To reason the meaning of the detected drift, we develop a distance-based explanation method. We show that explaining “distance” is much more effective than traditional methods that focus on explaining a “decision boundary” in this problem context. We evaluate CADE with two case studies: Android malware classification and network intrusion detection. We further work with a security company to test CADE on its malware database. Our results show that CADE can effectively detect drifting samples and provide semantically meaningful explanations.
Home Router Security Report 2020
Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie, FKIE [PDF]
This report analyses 127 current routers for private use developed by seven different large vendors selling their products in Europe. An automated approach was used to check the router’s most recent firmware versions for five security related aspects. We were able to extract completely 117 of the 127 firmware images. Four firmware images could be extracted partly and six firmware images could not be extracted at all. 116 of 127 (91%) devices are powered by Linux. One was powered by ThreadX and another one by eCos. The security aspects addressed in this report are:
- When were the devices updated last time?
- Which operating system versions are used and how many known critical vulnerabilities affect these operating system versions?
- Which exploit mitigation techniques do the vendors use? How often do they activate these techniques?
- Do the firmware images contain private cryptographic key material?
- Are there any hard-coded login credentials?
Our results are alarming. There is no router without flaws. 46 routers did not get any security update within the last year. Many routers are affected by hundreds of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed. What makes matters even worse is that exploit mitigation techniques are used rarely. Some routers have easy crackable or even well known passwords that cannot be changed by the user. Most firmware images provide private cryptographic key material. This means, whatever they try to secure with a public-private crypto mechanism is not secure at all. Nonetheless, vendors seem to prioritize security differently. Especially AVM does a better job than the other vendors regarding most of the security aspects. However, AVM routers are not flawless as well. ASUS and Netgear do a better job on some aspects than D-Link, Linksys, TP-Link and Zyxel. To sum it up, much more effort is needed to make home routers as secure as current desktop or server systems. Additionally, our evaluation showed that large scale automated security analysis of embedded devices is possible today. We used the Firmware Analysis and Comparison Tool (FACT) and it worked very well for almost all firmware images analyzed during this study. FACT is an open source software available on GitHub.
It's all in a name: detecting and labeling bots by their name
Computational and Mathematical Organization Theory (2018) [PDF, INFO]
Automated social media bots have existed almost as long as the social media environments they inhabit. Their emergence has triggered numerous research efforts to develop increasingly sophisticated means to detect these accounts. These efforts have resulted in a cat and mouse cycle in which detection algorithms evolve trying to keep up with ever evolving bots. As part of this continued evolution, our research proposes a multi-model ‘tool-box’ approach in order to conduct detection at various tiers of data granularity. To support this toolbox approach this research also uses random string detection applied to user names to filter Twitter streams for bot accounts and use this as labeled training data for follow on research.
SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery
Network and Distributed System Security (NDSS), 2020 [PDF]
A key characteristic of commonly deployed deep packet inspection (DPI) systems is that they implement a simplified state machine of the network stack that often differs from that of end hosts. The discrepancies between the two state machines have been exploited to bypass such DPI based middleboxes. However, most prior approaches to do so rely on manually crafted adversarial packets, which not only are labor intensive but may not work well across a plurality of DPI-based middleboxes. Our goal in this work is to develop an automated way to craft candidate adversarial packets, targeting TCP implementations in particular. Our approach to achieving this goal hinges on the key insight that while the TCP state machines of DPI implementations are obscure, those of the end hosts are well established. Thus, in our system SYMTCP, using symbolic execution, we systematically explore the TCP implementation of an end host, identifying candidate packets that can reach critical points in the code (e.g., which causes the packets to be accepted or dropped/ignored); such automatically identified packets are then fed through the DPI middlebox to determine if a discrepancy is induced and the middlebox can be eluded.
We find that our approach is extremely effective. It can generate tens of thousands of candidate adversarial packets in less than an hour. When evaluating against multiple state-of-the-art DPI systems such as Zeek and Snort, as well as a state-level censorship system, viz. the Great Firewall of China, we identify not only previously known evasion strategies, but also novel ones that were never previously reported (e.g., involving the urgent pointer). The system can be extended easily towards other combinations of operating systems and DPI middleboxes, and serves as a valuable tool for testing future DPIs’ robustness against evasion attempts.
Designing Actively Secure, Highly Available Industrial Automation Applications
17th International Conference on Industrial Informatics (INDIN2019) [PDF]
Programmable Logic Controllers (PLCs) execute critical control software that drives Industrial Automation and Control Systems (IACS). PLCs can become easy targets for cyber-adversaries as they are resource-constrained and are usually built using legacy, less-capable security measures. Security attacks can significantly affect system availability, which is an essential requirement for IACS. We propose a method to make PLC applications more security-aware. Based on the well-known IEC 61499 function blocks standard for developing IACS software, our method allows designers to annotate critical parts of an application during design time. On deployment, these parts of the application are automatically secured using appropriate security mechanisms to detect and prevent attacks. We present a summary of availability attacks on distributed IACS applications that can be mitigated by our proposed method. Security mechanisms are achieved using IEC 61499 Service-Interface Function Blocks (SIFBs) embedding Intrusion Detection and Prevention System (IDPS), added to the application at compile time. This method is more amenable to providing active security protection from attacks on previously unknown (zero-day) vulnerabilities. We test our solution on an IEC 61499 application executing on Wago PFC200 PLCs. Experiments show that we can successfully log and prevent attacks at the application level as well as help the application to gracefully degrade into safe mode, subsequently improving availability.
Refactoring the FreeBSD Kernel with Checked C
2020 IEEE Secure Development (SecDev) [PDF]
Most modern operating system kernels are written in C, making them vulnerable to buffer overflow and buffer over-read attacks. Microsoft has developed an extension to the C language named Checked C which provides new source language constructs that allow the compiler to prevent NULL pointer dereferences and spatial memory safety errors through static analysis and run-time check insertion. We evaluate the use of Checked C on operating system kernel code by refactoring parts of the FreeBSD kernel to use Checked C extensions. We describe our experience refactoring the code that implements system calls and UDP and IP networking. We then evaluate the refactoring effort and the performance of the refactored kernel. It took two undergraduate students approximately three months to refactor the system calls, the network packet (mbuf) utility routines, and parts of the IP and UDP processing code. Our experiments show that using Checked C incurred no performance or code size overheads.
Keystone: An Open Framework for Architecting Trusted Execution Environments
Proceedings of the Fifteenth European Conference on Computer Systems (EuroSys) 2020 [PDF, Info Slides]
Trusted execution environments (TEEs) see rising use in devices from embedded sensors to cloud servers and encompass a range of cost, power constraints, and security threat model choices. On the other hand, each of the current vendor-specific TEEs makes a fixed set of trade-offs with little room for customization. We present Keystone—the first open-source framework for building customized TEEs. Keystone uses simple abstractions provided by the hardware such as memory isolation and a programmable layer underneath untrusted components (e.g., OS). We build reusable TEE core primitives from these abstractions while allowing platform-specific modifications and flexible feature choices. We showcase how Keystone-based TEEs run on unmodified RISC-V hardware and demonstrate the strengths of our design in terms of security, TCB size, execution of a range of benchmarks, applications, kernels, and deployment models.
How China Detects and Blocks Shadowsocks
Internet Measurement Conference (IMC) 2020 [PDF, Info]
Shadowsocks is one of the most popular circumvention tools in China. Since May 2019, there have been numerous anecdotal reports of the blocking of Shadowsocks from Chinese users. In this study, we reveal how the Great Firewall of China (GFW) detects and blocks Shadowsocks and its variants. Using measurement experiments, we find that the GFW uses the length and entropy of the first data packet in each connection to identify probable Shadowsocks traffic, then sends seven different types of active probes, in different stages, to the corresponding servers to test whether its guess is correct.
We developed a prober simulator to analyze the effect of different types of probes on various Shadowsocks implementations, and used it to infer what vulnerabilities are exploited by the censor. We fingerprinted the probers and found differences relative to previous work on active probing. A network-level side channel reveals that the probers, which use thousands of IP addresses, are likely controlled by a set of centralized structures.
Based on our gained understanding, we present a temporary workaround that successfully mitigates the traffic analysis attack by the GFW. We further discuss essential strategies to defend against active probing. We responsibly disclosed our findings and suggestions to Shadowsocks developers, which has led to more censorship-resistant tools.
Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections
29th USENIX Security Symposium, 2020 [PDF, Info]
To perform successful remote timing attacks, an adversary typically collects a series of network timing measurements and subsequently performs statistical analysis to reveal a difference in execution time. The number of measurements that must be obtained largely depends on the amount of jitter that the requests and responses are subjected to. In remote timing attacks, a significant source of jitter is the network path between the adversary and the targeted server, making it practically infeasible to successfully exploit timing side-channels that exhibit only a small difference in execution time.
In this paper, we introduce a conceptually novel type of timing attack that leverages the coalescing of packets by network protocols and concurrent handling of requests by applications. These concurrency-based timing attacks infer a relative timing difference by analyzing the order in which responses are returned, and thus do not rely on any absolute timing information. We show how these attacks result in a 100-fold improvement over typical timing attacks performed over the Internet, and can accurately detect timing differences as small as 100ns, similar to attacks launched on a local system. We describe how these timing attacks can be successfully deployed against HTTP/2 webservers, Tor onion services, and EAP-pwd, a popular Wi-Fi authentication method.
A Side Journey to Titan: Side-Channel Attack on the Google Titan Security Key
NinjaLab.io, 2021 [PDF Info]
The Google Titan Security Key is a FIDO U2F hardware device proposed by Google (available since July 2018) as a two-factor authentication token to sign in to applications (e.g. your Google account). Our work describes a side-channel attack that targets the Google Titan Security Key’s secure element (the NXP A700X chip) by the observation of its local electromagnetic radiations during ECDSA signatures (the core cryptographic operation of the FIDO U2F protocol). In other words, an attacker can create a clone of a legitimate Google Titan Security Key.
To understand the NXP ECDSA implementation, find a vulnerability and design a key-recovery attack, we had to make a quick stop on Rhea (NXP J3D081 JavaCard smartcard). Freely available on the web, this product looks very much like the NXP A700X chip and uses the same cryptographic library. Rhea, as an open JavaCard platform, gives us more control to study the ECDSA engine.
We could then show that the electromagnetic side-channel signal bears partial information about the ECDSA ephemeral key. The sensitive information is recovered with a non-supervised machine learning method and plugged into a customized lattice-based attack scheme.
Finally, 4000 ECDSA observations were enough to recover the (known) secret key on Rhea and validate our attack process. It was then applied on the Google Titan Security Key with success (this time by using 6000 observations) as we were able to extract the long term ECDSA private key linked to a FIDO U2F account created for the experiment.
After last week's meeting, we decided each meeting we will discuss three papers.
Last Updated on 9 Apr 2021 (CC BY-SA 4.0)