Giuseppe Petracca
Pennsylvania State University
Publication
Featured research published by Giuseppe Petracca.
annual computer security applications conference | 2015
Giuseppe Petracca; Yuqiong Sun; Trent Jaeger; Ahmad Atamli
Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to control when untrusted apps may use the microphone, enabling authorized apps to create exploitable communication channels. In this paper, we propose a security mechanism that tracks the creation of audio communication channels explicitly and controls the information flows over these channels to prevent several types of attacks. We design and implement AuDroid, an extension to the SE Linux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources. To enhance flexibility, when information flow errors are detected, the device owner, system apps and services are given the opportunity to resolve information flow errors using known methods, enabling AuDroid to run many configurations safely. We evaluate our approach on 17 widely-used apps that make extensive use of the microphone and speaker, finding that AuDroid prevents six types of attack scenarios on audio channels while permitting all 17 apps to run effectively. AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead.
conference on data and application security and privacy | 2014
Anna Cinzia Squicciarini; Giuseppe Petracca; William G. Horne; Aurnob Nath
Corporations worldwide work with teams of often dedicated system administrators to maintain, detect and prevent network infringements. This is a highly user-driven process that consumes hundreds (if not thousands) of man hours yearly. User reporting, the basis of most of these incident detection systems, suffers from various biases and leads to below-par security measures. In the paper, we provide an approach for near real-time analysis of ongoing events on controlled networks, while requiring no end-user interaction and saving on system administrators' effort. Our proposed solution, ReasONets, a lightweight, distributed system, provides situational awareness in case of network incidents. ReasONets combines aspects of anomaly detection with Case-Based Reasoning (CBR) methodologies to reason about ongoing security events in a network, including their nature, severity and sources. We build a fully running prototype of ReasONets, to demonstrate the accuracy of the system, in doing reasoning and inference on the network status by exploiting events and network features. To the best of our knowledge, ReasONets is the first-of-its-kind system combining detection and classification of network events with real-time reasoning while being capable of scaling up to large network sizes.
ieee international symposium on policies for distributed systems and networks | 2012
Anna Cinzia Squicciarini; William L. McGill; Giuseppe Petracca; Shuo Huang
One of the main goals of all online social communities is to promote a stable, or perhaps, growing membership built around topics of like interest. Yet, communities are not impermeable to the potentially damaging effects resulting from those few participants that choose to behave in a manner that is counter to established norms of behavior. Typical moderators in online social communities are the ones tasked to reduce the risks associated with unhealthy user behavior by rapidly identifying and removing damaging posts and consequently taking action against the perpetrating user. Yet, the sheer volume of posts relative to the number of moderators available for review suggests a need for modern tools aimed at prioritizing posts based on the assessed risk each user poses to the community. To accomplish this, we propose a threat analysis model. Our model, referred to as TrICO (Threat requires Intent Capability and Opportunity) is implemented using Bayesian Networks, and achieves early detection of damaging behavior in online social communities. To the best of our knowledge, this is the first user-centered model for usage policy enforcement in online sites. We apply our model to a comprehensive data set characterizing the entirety of a popular discussion forum. Our results show that the TrICO model provides accurate results.
Proceedings of the 1st Workshop on System Software for Trusted Execution | 2016
Ahmad Atamli-Reineh; Ravishankar Borgaonkar; Ranjbar A. Balisane; Giuseppe Petracca; Andrew P. Martin
Mobile systems have become widely adopted by users to perform sensitive operations ranging from on-line payments for personal use to remote access to enterprise assets. Thus, attacks on mobile devices can cause significant loss to users' personal data as well as to valuable enterprise assets. In order to mitigate risks arising from attacks, various approaches have been proposed including the use of Trusted Execution Environment (TEE) to isolate and protect the execution of sensitive code from the rest of the system, e.g. applications and other software. However, users remain at risk of exploits via several types of software vulnerabilities - indicating that enterprises have failed to deliver the required protection, despite the use of existing isolation technologies. In this paper, we investigate Samsung KNOX and its usage of TEE as being the current technology providing secure containers. First, we study how KNOX uses TEE and perform analysis on its design consideration from a system vulnerabilities perspective. Second, we analyse and discuss recent attacks on KNOX and how those attacks exploit system vulnerabilities. Finally, we present new shortcomings emerging from our analysis of KNOX architecture. Our research exhibits that system vulnerabilities are the underlying cause of many attacks on systems and it reveals how they affect fundamental design security principles when the full potential of TEE is not exploited.
symposium on access control models and technologies | 2017
Giuseppe Petracca; Frank Capobianco; Christian Skalka; Trent Jaeger
While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in access control mechanisms and access control policies leads to risks that may enable exploitation. In practice, least privilege access control policies often allow information flows that may enable exploits. In addition, the implementation of access control mechanisms often tries to balance security with ease of use implicitly (e.g., with respect to determining where to place authorization hooks) and approaches to tighten access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risks in access control enforcement and explore possible approaches and challenges in tracking those types of risks. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose risk estimate functions for each of the four types of risk, finding that benign program deployments accumulate risks in each of the four areas for ten Android programs examined. As a result, we find that tracking of relative risk may be useful for guiding changes to security choices, such as authorized unsafe operations or placement of authorization checks, when risk differs from that expected.
Concurrency and Computation: Practice and Experience | 2017
Ahmad Atamli-Reineh; Andrew Paverd; Giuseppe Petracca; Andrew P. Martin
The size and complexity of modern applications are the underlying causes of numerous security vulnerabilities. In order to mitigate the risks arising from such vulnerabilities, various techniques have been proposed to isolate the execution of sensitive code from the rest of the application and from other software on the platform (such as the operating system). New technologies, notably Intel's Software Guard Extensions (SGX), are becoming available to enhance the security of partitioned applications. SGX provides a trusted execution environment (TEE), called an enclave, that protects the integrity of the code and the confidentiality of the data inside it from other software, including the operating system (OS). However, even with these partitioning techniques, it is not immediately clear exactly how they can and should be used to partition applications. How should a particular application be partitioned? How many TEEs should be used? What granularity of partitioning should be applied? To some extent, this is dependent on the capabilities and performance of the partitioning technology in use. However, as partitioning becomes increasingly common, there is a need for systematisation in the design of partitioning schemes.
military communications conference | 2016
Giuseppe Petracca; Lisa M. Marvel; Ananthram Swami; Trent Jaeger
Sensed location data is subject to inference attacks by cybercriminals that aim to obtain the exact position of sensitive locations, such as the victim's home and work locations, to launch a variety of different attacks. Various Location-Privacy Preserving Mechanisms (LPPMs) exist to reduce the probability of success of inference attacks on location data. However, such mechanisms have been shown to be less effective when the adversary is informed of the protection mechanism adopted, also known as white-box attacks. We propose a novel approach that makes use of targeted agility maneuvers as a more robust defense against white-box attacks. Agility maneuvers are systematically activated in response to specific system events to rapidly and continuously control the rate of change in system configurations and increase diversity in the space of readings, which would decrease the probability of success of inference attacks by an adversary. Experimental results, performed on a real data set, show that the adoption of agility maneuvers reduces the probability of success of white-box attacks to 2.68% on average, compared to 56.92% when using state-of-the-art LPPMs.
computer and communications security | 2012
Giuseppe Petracca; Anna Cinzia Squicciarini; William G. Horne; Marco Casassa-Mont
We provide an approach for real-time analysis of ongoing events in a controlled network. We propose ReasONets, i.e. Reasoning on Networks, a distributed and lightweight system, able to process and reason about anomalies and incidents observed in closed networks. To the best of our knowledge this is the first system combining detections and classification of network events with real-time reasoning. Our demo will show a running prototype of the ReasONets, demonstrating the power and accuracy of the reasoning process in presence of incidents of various nature.
conference on data and application security and privacy | 2013
Anna Cinzia Squicciarini; Giuseppe Petracca; Elisa Bertino
ieee international conference on cloud computing technology and science | 2014
Yuqiong Sun; Giuseppe Petracca; Trent Jaeger