Eric Alata

Lessons learned from the deployment of a high-interaction honeypot

This paper presents an experimental study and the lessons learned from the observation of the attackers when logged on a compromised machine. The results are based on a six months period during which a controlled experiment has been run with a high interaction honeypot. We correlate our findings with those obtained with a worldwide distributed system of low-interaction honeypots

A Clustering Approach for Web Vulnerabilities Detection

This paper presents a new algorithm aimed at the vulnerability assessment of web applications following a black-box approach. The objective is to improve the detection efficiency of existing vulnerability scanners and to move a step forward toward the automation of this process. Our approach covers various types of vulnerabilities but this paper mainly focuses on SQL injections. The proposed algorithm is based on the automatic classification of the responses returned by the web servers using data clustering techniques and provides especially crafted inputs that lead to successful attacks when vulnerabilities are present. Experimental results on several vulnerable applications and comparative analysis with some existing tools confirm the effectiveness of our approach.

Smart-TV Security Analysis: Practical Experiments

Modern home networks are becoming more and more complex with the integration of various types of interconnected smart devices, using heterogeneous networking technologies. Many of these devices are also connected to the Internet, generally through an integrated access device. Those smart devices are potentially vulnerable to several types of attacks. In this practical experience report we investigate the specific case of smart TVs. The main objective is to experimentally explore possible attack vectors and identify practically exploitable vulnerabilities and attack scenarios. In particular, the study covers local and remote attacks using different entry points, including the Digital Video Broadcasting (DVB) transmission channel and the copper-pair local loop. Several methods, allowing to observe and simulate service provider networks, are used to support several experiments considering four types of commercially available smart TVs for a comparative analysis. We also discuss several methods allowing to extract and analyze the embedded firmware, and obtain relevant information concerning target devices.

Internet attacks monitoring with dynamic connection redirection mechanisms

High-interaction honeypots are interesting as they help understand how attacks unfold on a compromised machine. However, observations are generally limited to the operations performed by the attackers on the honeypot itself. Outgoing malicious activities carried out from the honeypot towards remote machines on the Internet are generally disallowed for legal liability reasons. It is particularly instructive, however, to observe activities initiated from the honeypot in order to monitor attacker behavior across different, possibly compromised remote machines. This paper proposes to this end a dynamic redirection mechanism of connections initiated from the honeypot. This mechanism gives the attacker the illusion of being actually connected to a remote machine whereas he is redirected to another local honeypot. The originality of the proposed redirection mechanism lies in its dynamic aspect: the redirections are made automatically on the fly. This mechanism has been implemented and tested on a Linux kernel. This paper presents the design and the implementation of this mechanism.

Design and Implementation of a Hardware Assisted Security Architecture for Software Integrity Monitoring

The increasing complexity of software and hardware layers makes them likely to include vulnerabilities. Recent research has shown that subtle attacks are able to successfully exploit (through compromised peripherals performing DMA attacks for instance) vulnerabilities in low-level software, even running in the most privileged mode of the processors. Therefore, the security of such systems should not be solely based on components running on the processor. This paper describes the design and the implementation of a security architecture that is designed to securely execute integrity checks of any software running on top of this architecture. It is composed of a security hypervisor, running in the most privileged level of the processor, assisted by a trusted hardware component, autonomous and independent of the processor, regularly checking the integrity of the security hypervisor itself. The design, the implementation of this security architecture, as well as experiments showing the relevance of our approach, are detailed in this paper.

Bypassing IOMMU Protection against I/O Attacks

Attacks targeting computer systems become more and more complex and various. Some of them, so-called I/O attacks, are performed by malicious peripherals that make read or write accesses to DRAM memory or to memory embedded in other peripherals, through DMA (Direct Memory Access) requests. Some protection mechanisms to face these attacks exist and have been implemented for several years now in modern architectures. A typical example is the IOMMU proposed by Intel. However, such mechanisms are not necessarily properly configured and used by the firmware and the operating system. This experimental paper describes a design weakness that we discovered in the configuration of an IOMMU by the Intel IOMMU Linux driver and a possible exploitation scenario that would allow a malicious peripheral to bypass the underlying protection mechanism. The exploitation scenario is implemented with a PCI Express peripheral FPGA, based on Intel specifications and Linux source code analysis.

Toward an Intrusion Detection Approach for IoT Based on Radio Communications Profiling

Nowadays, more and more Internet-of-Things (IoT) smart products, interconnected through various wireless communication technologies (Wifi, Bluetooth, Zigbee, Z-wave, etc.) are integrated in daily life, especially in homes, factories, cities, etc. Such IoT technologies have become very attractive with a large variety of new services offered to improve the quality of life of the endusers or to create new economic markets.However, the security of such connected objects is a real concern due to weak or flawed security designs, configuration errors or imperfect maintenance. Moreover, the vulnerabilities discovered in IoT products are often difficult to eliminate because, most of the time, they cannot be patched easily. Therefore, protection mechanisms are needed to mitigate the potential risks induced by such objects in private and public connected areas.In this paper, we propose a novel approach to detect potential attacks in smart places (e.g. smart homes) by detecting deviations from legitimate communication behavior, in particular at the physical layer. The proposed solution is based on the profiling and monitoring of the Radio Signal Strenght Indication (RSSI) associated to the wireless transmissions of the connected objects. A machine learning neural network algorithm is used to characterize legitimate communications and to identify suspiscious scenarios. We show the feasibility of this approach and discuss some possible application cases.

Security of ISP Access Networks: Practical Experiments

Home Internet connections are becoming more and more important in our every day life. Many Internet Service Providers (ISP) include an Integrated Access Device (IAD) in their offers allowing the customer to easily take advantage of all the included services. This IAD is connected to a local loop, most of the time based on the Public Switched Telephone Network (PSTN). The local loop and the IAD together constitute the access network of an ISP. To our knowledge, very few studies addressed the security of these access networks. This is the purpose of this paper. We first present a platform and a set of experiments aiming at capturing and analysing communications on the local loop. This platform allowed us to carry out a comparative study of the security of six IADs from different ISPs, by analysing the network protocols used during their boot-up process. The results of this first study revealed a security weakness for two of the six access networks, especially during the firmware update procedure of the IADs. A second platform and set of experimentsare then presented, which allow us to experimentaly test the possible exploitation scenarios of the identified weakness. Finally, we show that the security issues pointed out above, dont only impact the IAD, but also any other home Internet connected device, implementing firmware updates.

An Automated Approach to Generate Web Applications Attack Scenarios

Web applications have become one of the most popular targets of attacks during the last years. Therefore it is important to identify the vulnerabilities of such applications and to remove them to prevent potential attacks. This paper presents an approach that is aimed at the vulnerability assessment of Web applications following a black-box approach. The objective is to detect vulnerabilities in Web applications and their dependencies and to generate attack scenarios that reflect such dependencies. Our approach aims to move a step forward toward the automation of this process. The paper presents the main concepts behind the proposed approach and an example that illustrates the main steps of the algorithm leading to the identification of the vulnerabilities of a Web application and their dependencies.

SEcuring Integrated Modular Avionics Computers

The evolution of aircraft IT infrastructure tends to increasingly share computing resources between different applications, use COTS hardware and software, be open to applications and equipment provided by the airlines, and communicate with the outside world. This trend would give more opportunities for potential attackers to corrupt the onboard computing systems, if adequate security measures were not taken to counter these threats. This paper proposes 1) a classification of the potential attacks that may target avionics embedded systems and 2) a description of attack experiments that have been carried out on an experimental real-time kernel compliant with the ARINC-653 standard. It also proposes several generic countermeasures in order to improve the security of avionic embedded systems.