Kapil Singh

Evaluating Bluetooth as a medium for botnet command and control

Malware targeting mobile phones is being studied with increasing interest by the research community. While such attention has previously focused on viruses and worms, many of which use near-field communications in order to propagate, none have investigated whether more complex malware such as bot-nets can effectively operate in this environment. In this paper, we investigate the challenges of constructing and maintaining mobile phone-based botnets communicating nearly exclusively via Bluetooth. Through extensive large-scale simulation based on publicly available Bluetooth traces, we demonstrate that such a malicious infrastructure is possible in many areas due to the largely repetitive nature of human daily routines. In particular, we demonstrate that command and control messages can propagate to approximately 2/3 of infected nodes within 24 hours of being issued by the botmaster. We then explore how traditional defense mechanisms can be modified to take advantage of the same information to more effectively mitigate such systems. In so doing, we demonstrate that mobile phone-based botnets are a realistic threat and that defensive strategies should be modified to consider them.

Biometric authentication on a mobile device: a study of user effort, error and task disruption

We examine three biometric authentication modalities -- voice, face and gesture -- as well as password entry, on a mobile device, to explore the relative demands on user time, effort, error and task disruption. Our laboratory study provided observations of user actions, strategies, and reactions to the authentication methods. Face and voice biometrics conditions were faster than password entry. Speaking a PIN was the fastest for biometric sample entry, but short-term memory recall was better in the face verification condition. None of the authentication conditions were considered very usable. In conditions that combined two biometric entry methods, the time to acquire the biometric samples was shorter than if acquired separately but they were very unpopular and had high memory task error rates. These quantitative results demonstrate cognitive and motor differences between biometric authentication modalities, and inform policy decisions in selecting authentication methods.

Evaluating email’s feasibility for botnet command and control

The usefulness of email has been tempered by its role in the widespread distribution of spam and malicious content. Security solutions have focused on filtering out malicious payloads and weblinks from email; the potential dangers of email go past these boundaries: harmless-looking emails can carry dangerous, hidden botnet content. In this paper, we evaluate the suitability of email communication for botnet command and control. What makes email-based botnets interesting is the lack of clear detection and mitigation strategies that defenders could use to disrupt the botnet. We first demonstrate that botnet commands can remain hidden in spam due to its enormous volume. If email providers deploy specialized detection of spam-based botnets, botmasters can alternatively communicate with bots via non-spam email that cannot be safely discarded. We show the viability of such communication by means of simulations and a prototype, and we discuss the limited prospects for detection of email botnets.

Practical Context-Aware Permission Control for Hybrid Mobile Applications

The rapid growth of mobile computing has resulted in the development of new programming paradigms for quick and easy development of mobile applications. Hybrid frameworks, such as PhoneGap, allow the use of web technologies for development of applications with native access to devices resources. These untrusted third-party applications desire access to users data and devices resources, leaving the content vulnerable to accidental or malicious leaks by the applications. The hybrid frameworks present new opportunities to enhance the security of mobile platforms by providing an application-layer runtime for controlling an applications behavior. In this work, we present a practical design of a novel framework, named MobileIFC, for building privacy-preserving hybrid applications for mobile platforms. We use information flow models to control what untrusted applications can do with the information they receive. We utilize the framework to develop a fine-grained, context-sensitive permission model that enables users and application developers to specify rich policies. We show the viability of our design by means of a framework prototype. The usability of the framework and the permission model is further evaluated by developing sample applications using the framework APIs. Our evaluation and experience suggests that MobileIFC provides a practical and performant security solution for hybrid mobile applications.

Understanding Precision in Host Based Intrusion Detection

Many host-based anomaly detection systems monitor process execution at the granularity of system calls. Other recently proposed schemes instead verify the destinations of control-flow transfers to prevent the execution of attack code. This paper formally analyzes and compares real systems based on these two anomaly detection philosophies in terms of their attack detection capabilities, and proves and disproves several intuitions. We prove that for any system-call sequence model, under the same (static or dynamic) program analysis technique, there always exists a more precise control-flow sequence based model. While hybrid approaches combining system calls and control flows intuitively seem advantageous, especially when binary analysis constructs incomplete models, we prove that they have no fundamental advantage over simpler control-flow models. Finally, we utilize the ideas in our framework to make external monitoring feasible at the precise control-flow level. Our experiments show that external control-flow monitoring imposes performance overhead comparable to previous system call based approaches while detecting synthetic and real world attacks as effectively as an inlined monitor.

Practical end-to-end web content integrity

Widespread growth of open wireless hotspots has made it easy to carry out man-in-the-middle attacks and impersonate web sites. Although HTTPS can be used to prevent such attacks, its universal adoption is hindered by its performance cost and its inability to leverage caching at intermediate servers (such as CDN servers and caching proxies) while maintaining end-to-end security. To complement HTTPS, we revive an old idea from SHTTP, a protocol that offers end-to-end web integrity without confidentiality. We name the protocol HTTPi and give it an efficient design that is easy to deploy for todays web. In particular, we tackle several previously-unidentified challenges, such as supporting progressive page loading on the clients browser, handling mixed content, and defining access control policies among HTTP, HTTPi, and HTTPS content from the same domain. Our prototyping and evaluation experience show that HTTPi incurs negligible performance overhead over HTTP, can leverage existing web infrastructure such as CDNs or caching proxies without any modifications to them, and can make many of the mixed-content problems in existing HTTPS web sites easily go away. Based on this experience, we advocate browser and web server vendors to adopt HTTPi.

VulnerableMe: Measuring Systemic Weaknesses in Mobile Browser Security

Porting browsers to mobile platforms may lead to new vulnerabilities whose solutions require careful balancing between usability and security and might not always be equivalent to those in desktop browsers. In this paper, we perform the first large-scale security comparison between mobile and desktop browsers. We focus our efforts on display security given the inherent screen limitations of mobile phones. We evaluate display elements in ten mobile, three tablet and five desktop browsers. We identify two new classes of vulnerabilities specific to mobile browsers and demonstrate their risk by launching real-world attacks including display ballooning, login CSRF and clickjacking. Additionally, we implement a new phishing attack that exploits a default policy in mobile browsers. These previously unknown vulnerabilities have been confirmed by browser vendors. Our observations, inputs from browser vendors and the pervasive nature of the discovered vulnerabilities illustrate that new implementation errors leading to serious attacks are introduced when browser software is ported from the desktop to mobile environment. We conclude that usability considerations are crucial while designing mobile solutions and display security in mobile browsers is not comparable to that in desktop browsers.

WebCapsule: Towards a Lightweight Forensic Engine for Web Browsers

Performing detailed forensic analysis of real-world web security incidents targeting users, such as social engineering and phishing attacks, is a notoriously challenging and time-consuming task. To reconstruct web-based attacks, forensic analysts typically rely on browser cache files and system logs. However, cache files and logs provide only sparse information often lacking adequate detail to reconstruct a precise view of the incident. To address this problem, we need an always-on and lightweight (i.e., low overhead) forensic data collection system that can be easily integrated with a variety of popular browsers, and that allows for recording enough detailed information to enable a full reconstruction of web security incidents, including phishing attacks. To this end, we propose WebCapsule, a novel record and replay forensic engine for web browsers. WebCapsule functions as an always-on system that aims to record all non-deterministic inputs to the core web rendering engine embedded in popular browsers, including all user interactions with the rendered web content, web traffic, and non-deterministic signals and events received from the runtime environment. At the same time, WebCapsule aims to be lightweight and introduce low overhead. In addition, given a previously recorded trace, WebCapsule allows a forensic analyst to fully replay and analyze past web browsing sessions in a controlled isolated environment. We design WebCapsule to also be portable, so that it can be integrated with minimal or no changes into a variety of popular web-rendering applications and platforms. To achieve this goal, we build WebCapsule as a self-contained instrumented version of Googles Blink rendering engine and its tightly coupled V8 JavaScript engine. We evaluate WebCapsule on numerous real-world phishing attack instances, and demonstrate that such attacks can be recorded and fully replayed. In addition, we show that WebCapsule can record complex browsing sessions on popular websites and different platforms (e.g., Linux and Android) while imposing reasonable overhead, thus making always-on recording practical.

Owner-Centric Protection of Unstructured Data on Smartphones

Modern smartphone apps tend to contain and use vast amounts of data that can be broadly classified as structured and unstructured. Structured data, such as an users geolocation, has predefined semantics that can be retrieved by well-defined platform APIs. Unstructured data, on the other hand, relies on the context of the apps to reflect its meaning and value, and is typically provided by the user directly into an apps interface. Recent research has shown that third-party apps are leaking highly-sensitive unstructured data, including users banking credentials. Unfortunately, none of the current solutions focus on the protection of unstructured data. In this paper, we propose an owner-centric solution to protect unstructured data on smartphones. Our approach allows the data owners to specify security policies when providing their untrusted data to third-party apps. It tracks the flow of information to enforce the owners policies at strategic exit points. Based on this approach, we design and implement a system, called DataChest . We develop several mechanisms to reduce user burden and keep interruption to the minimum, while at the same time preventing the malicious apps from tricking the user. We evaluate our system against a set of real-world malicious apps and a series of synthetic attacks to show that it can successfully prevent the leakage of unstructured data while incurring reasonable performance overhead.

Perceptions of Risk in Mobile Transaction

Mobile users are unlikely to guard against information security risks that do not come to mind in typical situations. As more people conduct sensitive transactions through mobile devices, what risks do they perceive? To inform the design of mobile applications we present a user study of perceived risk for information technology workers accessing company data, consumers using mobile personal banking, and doctors accessing medical records. Shoulder surfing and network snooping were the most commonly cited classes of risk, and perceived risk was influenced by the surrounding environment and source of information. However, overall risk awareness was low. The possible risks of device theft and loss, hacking, malware and data stored on devices were not prominent concerns. The study also revealed differences in the way the groups think about network-related threats. Based on these results, we suggest research directions for effective protection of sensitive data in mobile environments.