Publication


Featured research published by Georg Merzdovnik.


ACM Computing Surveys | 2016

Protecting Software through Obfuscation: Can It Keep Pace with Progress in Code Analysis?

Sebastian Schrittwieser; Stefan Katzenbeisser; Johannes Kinder; Georg Merzdovnik; Edgar R. Weippl

Software obfuscation has always been a controversially discussed research area. While theoretical results indicate that provably secure obfuscation in general is impossible, its widespread application in malware and commercial software shows that it is nevertheless popular in practice. Still, it remains largely unexplored to what extent today’s software obfuscations keep up with state-of-the-art code analysis and where we stand in the arms race between software developers and code analysts. The main goal of this survey is to analyze the effectiveness of different classes of software obfuscation against the continuously improving deobfuscation techniques and off-the-shelf code analysis tools. The answer very much depends on the goals of the analyst and the available resources. On the one hand, many forms of lightweight static analysis have difficulties with even basic obfuscation schemes, which explains the unbroken popularity of obfuscation among malware writers. On the other hand, more expensive analysis techniques, in particular when used interactively by a human analyst, can easily defeat many obfuscations. As a result, software obfuscation for the purpose of intellectual property protection remains highly challenging.


IEEE European Symposium on Security and Privacy | 2017

Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools

Georg Merzdovnik; Markus Huber; Damjan Buhov; Nick Nikiforakis; Sebastian Neuner; Martin Schmiedecker; Edgar R. Weippl

In this paper, we quantify the effectiveness of third-party tracker blockers on a large scale. First, we analyze the architecture of various state-of-the-art blocking solutions and discuss the advantages and disadvantages of each method. Second, we perform a two-part measurement study on the effectiveness of popular tracker-blocking tools. Our analysis quantifies the protection offered against trackers present on more than 100,000 popular websites and 10,000 popular Android applications. We provide novel insights into the ongoing arms race between trackers and developers of blocking tools as well as which tools achieve the best results under what circumstances. Among others, we discover that rule-based browser extensions outperform learning-based ones, trackers with smaller footprints are more successful at avoiding being blocked, and CDNs pose a major threat towards the future of tracker-blocking tools. Overall, the contributions of this paper advance the field of web privacy by providing not only the largest study to date on the effectiveness of tracker-blocking tools, but also by highlighting the most pressing challenges and privacy issues of third-party tracking.


Availability, Reliability and Security | 2015

Network Security Challenges in Android Applications

Damjan Buhov; Markus Huber; Georg Merzdovnik; Edgar R. Weippl; Vesna Dimitrova

The digital world is in constant battle for improvement - especially in the security field. Taking into consideration the revelations from Edward Snowden about the mass surveillance programs conducted by governmental authorities, the number of users that raised awareness towards security is constantly increasing. More and more users agree that additional steps must be taken to ensure the fact that communication will remain private as intended in the first place. Taking into consideration the ongoing transition in the digital world, there are already more mobile phones than people on this planet. According to recent statistics there are around 7 billion active cell phones by 2014 out of which nearly 2 billion are smartphones. The use of smartphones by itself could open a great security hole. The most common problem when it comes to Android applications is the common misuse of the HTTPS protocol. Having this in mind, this paper addresses the current issues when it comes to misuse of the HTTPS protocol and proposes possible solutions to overcome this common problem. In this paper we evaluate the SSL implementation in a recent set of Android applications and present some of the most common misuses. The goal of this paper is to raise awareness to current and new developers to actually consider security as one of their main goals during the development life cycle of applications.


2016 IFIP Networking Conference (IFIP Networking) and Workshops | 2016

Pin it! Improving Android network security at runtime

Damjan Buhov; Markus Huber; Georg Merzdovnik; Edgar R. Weippl

Smartphones are increasingly used worldwide and are now an essential tool for our everyday tasks. These tasks are supported by smartphone applications (apps) which commonly rely on network communication to provide a certain utility such as online banking. From a security and privacy point of view a properly secured (encrypted) communication channel is important in order to protect sensitive information against passive and active attacks. Previous research outlined that developers often fail to implement proper certificate validation in their custom SSL/TLS implementations and thus fail to secure the network communication. Previous research however proposed solutions for developers and not for the affected users. This global growth introduced drastic changes to the network utilization. In this paper we discuss this issue on the basis of Android apps. We analyzed over 50,000 Android apps, collected during two consecutive years, regarding the correct use of SSL/TLS protocols. Furthermore, we discuss the current situation. We propose dynamic certificate pinning, a device-based solution that overcomes the problem of broken SSL/TLS implementations in Android apps. To the best of our knowledge, we are the first to solve this problem by combining established techniques such as certificate pinning with dynamic instrumentation techniques to tackle one of the major security challenges in the network communication of smartphone applications.


Availability, Reliability and Security | 2014

AES-SEC: Improving Software Obfuscation through Hardware-Assistance

Sebastian Schrittwieser; Stefan Katzenbeisser; Georg Merzdovnik; Peter Kieseberg; Edgar R. Weippl

While the resilience of software-only code obfuscation remains unclear and ultimately depends only on available resources and patience of the attacker, hardware-based software protection approaches can provide a much higher level of protection against program analysis. Almost no systematic research has been done on the interplay between hardware- and software-based protection mechanisms. In this paper, we propose modifications to Intel's AES-NI instruction set in order to make it suitable for application in software protection scenarios and demonstrate its integration into a control flow obfuscation scheme. Our novel approach provides strong hardware-software binding and restricts the attack context to pure dynamic analysis - two major limiting factors of reverse engineering - to delay a successful attack against a program.


Availability, Reliability and Security | 2017

Lightweight Address Hopping for Defending the IPv6 IoT

Aljosha Judmayer; Johanna Ullrich; Georg Merzdovnik; Artemios G. Voyiatzis; Edgar R. Weippl

The rapid deployment of IoT systems on the public Internet is not without concerns for the security and privacy of consumers. Security in IoT systems is often poorly engineered and engineering for privacy does not seem to be a concern for vendors at all. The combination of poor security hygiene and access to valuable knowledge renders IoT systems a much-sought target for attacks. IoT systems are not only Internet-accessible but also play the role of servers according to the established client-server communication model and are thus configured with static and/or easily predictable IPv6 addresses, rendering them an easy target for attacks. We present 6HOP, a novel addressing scheme for IoT devices. Our proposal is lightweight in operation, requires minimal administration overhead, and defends against reconnaissance attacks, address based correlation as well as denial-of-service attacks. 6HOP therefore exploits the ample address space available in IPv6 networks and provides effective protection this way.


IFIP Annual Conference on Data and Applications Security and Privacy | 2016

Whom You Gonna Trust? A Longitudinal Study on TLS Notary Services

Georg Merzdovnik; Klaus Falb; Martin Schmiedecker; Artemios G. Voyiatzis; Edgar R. Weippl

TLS is currently the most widely-used protocol on the Internet to facilitate secure communications, in particular secure web browsing. TLS relies on X.509 certificates as a major building block to establish a secure communication channel. Certificate Authorities (CAs) are trusted third parties that validate the TLS certificates and establish trust relationships between communication entities. To counter prevalent attack vectors - like compromised CAs issuing fraudulent certificates and active man-in-the-middle (MitM) attacks - TLS notary services were proposed as a solution to verify the legitimacy of certificates using alternative communication channels.


Security of Information and Networks | 2014

Towards Practical Methods to Protect the Privacy of Location Information with Mobile Devices

Christoph Hochreiner; Markus Huber; Georg Merzdovnik; Edgar R. Weippl

Smartphones and tablet computers continue to replace traditional mobile phones and are used by over one billion people worldwide. A number of novel security and privacy challenges result from the possibility to extend the functionality of smartphones with third-party applications. These third-party applications require that users provide personal information to third-party applications in exchange for additional features. This paper focuses on one specifically sensitive information requested by third-party applications, namely: location information. We discuss current methods to protect the privacy of location information and evaluate two approaches in depth. First, we introduce an extension to improve the usability of current interception methods on an operating system level. Second, we evaluate the applicability of proxy-level interception on basis of real-world Android applications. Our findings significantly extend the state-of-the-art regarding the protection of location information on mobile devices and further highlight open research challenges.


Computer Aided Systems Theory | 2017

A Performance Assessment of Network Address Shuffling in IoT Systems

Aljosha Judmayer; Georg Merzdovnik; Johanna Ullrich; Artemios G. Voyiatzis; Edgar R. Weippl

While the large scale distribution and unprecedented connectivity of embedded systems in the Internet of Things (IoT) has enabled various useful application scenarios, it also poses a risk to users and infrastructure alike. Recent incidents, like the Mirai botnet, have shown that these devices are often not sufficiently protected against attacks and can therefore be abused for malicious purposes, like distributed denial of service (DDoS) attacks. While it may be an impossible task to completely secure all systems against attacks, moving target defense (MTD) has been proposed as an alternative to prevent attackers from finding devices and endpoints and eventually launching their attacks against them. One of these approaches is network-based moving target defense which relies on the obfuscation and change of network level information, like IP addresses and ports. Since most of these approaches have been developed with desktop applications in mind, their usefulness in IoT applications has not been investigated.


Availability, Reliability and Security | 2016

Notary-Assisted Certificate Pinning for Improved Security of Android Apps

Georg Merzdovnik; Damjan Buhov; Artemios G. Voyiatzis; Edgar R. Weippl

The security provided to Internet applications by the TLS protocol relies on the trust we put on Certificate Authorities (CAs) issuing valid identity certificates. TLS certificate pinning is a proposed approach to defend against man-in-the-middle (MitM) attacks that are realized using valid albeit fraudulent certificates. Yet, the implementation of certificate pinning for mobile applications, and especially for Google Android apps, is cumbersome and error-prone, resulting in inappropriate connection handling and privacy leaks of user information. We propose the use of TLS notary-assisted certificate pinning at the Android Runtime level. Our approach defends against a wide range of MitM attacks without needing to update the application using TLS. Furthermore, by relying on the collective knowledge of the trusted TLS notaries, we increase both the security and the usability, while at the same time we remove the burden for the user making trust decisions about system security issues. We describe a proof-of-concept implementation demonstrating its capabilities and discuss the next steps necessary towards general availability of our solution.

Collaboration


Dive into Georg Merzdovnik's collaborations.

Top Co-Authors

Edgar R. Weippl

Vienna University of Technology

Markus Huber

Vienna University of Technology

Artemios G. Voyiatzis

Vienna University of Technology

Johanna Ullrich

Vienna University of Technology

Sebastian Neuner

Vienna University of Technology

Sebastian Schrittwieser

St. Pölten University of Applied Sciences

Stefan Katzenbeisser

Technische Universität Darmstadt

Christoph Hochreiner

Vienna University of Technology

Klaus Falb

Vienna University of Technology

Martin Mulazzani

Vienna University of Technology
