Publication


Featured research published by Marco Ramilli.


ieee symposium on security and privacy | 2009

Man-in-the-Middle Attack to the HTTPS Protocol

Franco Callegati; Walter Cerroni; Marco Ramilli

Web-based applications rely on the HTTPS protocol to guarantee privacy and security in transactions ranging from home banking, e-commerce, and e-procurement to those that deal with sensitive data such as career and identity information. Users trust this protocol to prevent unauthorized viewing of their personal, financial, and confidential information over the Web.


ieee symposium on security and privacy | 2012

Return-Oriented Programming

Marco Prandini; Marco Ramilli

Attackers able to compromise the memory of a target machine can change its behavior and usually gain complete control over it. Despite the ingenious prevention and protection mechanisms that have been implemented in modern operating systems, memory corruption attacks still account for a big share of the security breaches afflicting software systems. This article describes a growing attack trend that uses return-oriented programming (ROP) techniques to bypass the most common memory protection systems.


international conference on malicious and unwanted software | 2010

Multi-stage delivery of malware

Marco Ramilli; Matt Bishop

Malware signature detectors use patterns of bytes, or variations of patterns of bytes, to detect malware attempting to enter a system. This approach assumes the signatures are both of sufficient length to identify the malware, and to distinguish it from non-malware objects entering the system. We describe a technique that can increase the difficulty of both to an arbitrary degree. This technique can exploit an optimization that many anti-virus systems use to make inserting the malware simple; fortunately, this particular exploit is easy to detect, provided the optimization is not present. We describe some experiments to test the effectiveness of this technique in evading existing signature-based malware detectors.


international conference on malicious and unwanted software | 2011

Multiprocess malware

Marco Ramilli; Matt Bishop; Shining Sun

Malware behavior detectors observe the behavior of suspected malware by emulating its execution or executing it in a sandbox or other restrictive, instrumented environment. This assumes that the process, or process family, being monitored will exhibit the targeted behavior if it contains malware. We describe a technique for evading such detection by distributing the malware over multiple processes. We then present a method for countering this technique, and present results of tests that validate our claims.


ieee symposium on security and privacy | 2010

Always the Same, Never the Same

Marco Ramilli; Marco Prandini

In this paper, existing sophisticated techniques can provide a deep and effective analysis to discover whether files hide a computer virus or other malware. Examples of the most effective approaches are heuristic or exhaustive static code analysis and behavior analysis in a sandbox environment. However, given the huge number of circulating malware and the high-performance impact associated with the aforementioned approaches, the most frequently employed tool remains signature detection. Antivirus software (AVS) is endowed with a database of patterns signatures, each characterizing a known malware or variant thereof. By scanning a target file, an AVS is able to tell whether it contains traces revealing the presence of malware, or if it's clean - a generally applicable approach, valued for its efficiency, which makes it suitable for real-time analysis of user-requested content. Unfortunately, today's malware writers can easily sneak their creations past most signature-based antimalware programs by beating the raw speed at which the signature databases can be updated after a new malware is observed in the wild, and, most notably, by creating countless variants of the same malware, each one sporting a different signature. The author mentions that the installment of Attack Trends foresees the inclusion of AVS in the design loop, leading to a more effective process for the generation of new variants of malware based on the direct manipulation of binary code.


ieee symposium on security and privacy | 2009

Frightened by Links

Franco Callegati; Marco Ramilli

This article describes a recent attack trend called clickjacking, which exploits hyperlinks as the attack vehicle. This article introduces the reader to the attack concept and to the possible ways to implement it, by means of some practical examples. Then it discusses the detectability of such an attack and some possible countermeasures.


ieee symposium on security and privacy | 2010

Splitting the HTTPS Stream to Attack Secure Web Connections

Marco Prandini; Marco Ramilli; Walter Cerroni; Franco Callegati

Secure transactions over the World Wide Web are required for implementing services of economic value or dealing with sensitive data. The HTTPS protocol lets a browser verify a Web server's authenticity and establish an encrypted channel for protecting exchanged data.


international symposium on computers and communications | 2010

Towards a practical and effective security testing methodology

Marco Prandini; Marco Ramilli

Security testing is an important step in the lifetime of both newly-designed and existing systems. Different methodologies exist to guide testers to the selection, design, and implementation of the most appropriate testing procedures for various contexts. Typically, each methodology stems from the specific needs of a particular category of actors, and consequently is biased towards some aspect of peculiar interest to them. This work compares the most commonly adopted methodologies to point out their strengths and weaknesses, and, building on the results of the performed analysis, proposes a path towards the definition of an integrated approach, by defining the characteristics that a new methodology should exhibit in order to combine the best aspects of the existing ones.


international conference on heterogeneous networking for quality, reliability, security and robustness | 2009

Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data

Walter Cerroni; Gabriele Monti; Gianluca Moro; Marco Ramilli

Network intrusion detection is a key security issue that can be tackled by means of different approaches. This paper describes a novel methodology for network attack detection based on the use of data mining techniques to process traffic information collected by a monitoring station from a set of hosts using the Simple Network Management Protocol (SNMP). The proposed approach, adopting unsupervised clustering techniques, allows to effectively distinguish normal traffic behavior from malicious network activity and to determine with very good accuracy what kind of attack is being perpetrated. Several monitoring stations are then interconnected according to any peer-to-peer network in order to share the knowledge base acquired with the proposed methodology, thus increasing the detection capabilities. An experimental test-bed has been implemented, which reproduces the case of a real web server under several attack techniques. Results of the experiments show the effectiveness of the proposed solution, with no detection failures of true attacks and very low false-positive rates (i.e. false alarms).


consumer communications and networking conference | 2009

Comment Spam Injection Made Easy

Marco Ramilli; Marco Prandini

Social networks heavily rely on the concept of reputation. Some platforms implement formalized systems to express reputation, for example as a rating, but the concept is broader and very often the reputation of a user, the perceived quality of a product, the popularity of a TV show or any other subject of published information stems from a more informal collection of comments and recommendations. Thus, guaranteeing the authenticity of the published data has become very important, and various systems have been developed to deal with this problem. However, in this paper we are going to demonstrate that the most commonly adopted filtering techniques do not adequately protect the messaging platforms from the automated injection of comments. The adopted methodology is quite empirical, but nonetheless it allows to point out not only the existence of the vulnerability, but also to make some educated guess about the reasons behind the failure of the tested filters. In the conclusion, we trace a possible path leading to a more effective solution.

Collaboration


Top Co-Authors

Matt Bishop

University of California

Shining Sun

University of Hong Kong
