Mark Vella
University of Malta
Publication
Featured research published by Mark Vella.
international conference on artificial immune systems | 2010
Mark Vella; Marc Roper; Sotirios Terzis
Metaphors derived from Danger Theory, a hypothesized model of how the human immune system works, have been applied to the intrusion detection domain. The major contribution in this area is the dendritic cell algorithm (DCA). This paper presents an in-depth analysis of results obtained from two previous experiments regarding the suitability of the danger theory analogy for constructing intrusion detection systems for web applications. Such detectors would be capable of detecting novel attacks while improving on the limitations of anomaly-based intrusion detectors. In particular, this analysis investigates which aspects of the analogy are suitable for this purpose, and which aspects are counterproductive if utilized in the way originally suggested by danger theory. Several suggestions are given for those aspects of danger theory that are identified as requiring modification, indicating that this approach is worth pursuing further. These modifications could be realized by developing a robust signal selection schema and a suitable correlation algorithm. This would allow for an intrusion detection approach with the potential to overcome the limitations presently associated with existing techniques.
international conference on information systems security | 2017
Mark Vella; Rachel Cilia
Android is designed to promote the implementation of user task flows across multiple applications on a mobile device. Consequently, app permissions may be leaked to malicious apps without users noticing any compromise of their devices' security. In this work we explore the possibility of detecting insecure inter-app communications inside memory dumps, with forensic analysis results indicating that this is possible across the various layers of Android's architecture. Yet, for the detailed evidence reconstruction that could be required during a digital investigation, current capabilities have to be complemented with evidence collected through live forensics. We propose that this process should still be based on carving forensic artifacts directly from memory.
international conference on information security theory and practice | 2017
Yonas Leguesse; Mark Vella; Joshua Ellul
Sophisticated Android malware families often implement techniques aimed at avoiding detection. Split personality malware, for example, behaves benignly when it detects that it is running in an analysis environment such as a malware sandbox, and maliciously when running on a real user's device. These kinds of techniques are problematic for malware analysts, often rendering them unable to detect or understand the malicious behaviour. This is where sandbox hardening comes into play. In our work, we exploit sandbox-detection heuristic prediction to predict and automatically generate bytecode patches that disable the malware's ability to detect a malware sandbox. Through the development of AndroNeo, we demonstrate the feasibility of our approach by showing that the heuristic prediction basis is a solid starting point to build upon, and that when heuristic prediction is followed by bytecode patch generation, split personality can be defeated.
ieee eurocon | 2017
Brandon Birmingham; Reuben A. Farrugia; Mark Vella
File carving tools carry out file recovery whenever the file-system metadata is not available, which makes them a valuable addition to the cybercrime investigator's toolkit. Existing file carvers either cannot handle fragmented files or require a probabilistic model derived from a number of training images. This training data may not always be feasible to aggregate, or its sheer size could undermine practicality. Similar to existing techniques, our method exploits both JPEG syntax and semantic-based analysis steps in order to distinguish the correct fragments required for recovering images. The thumbnail affinity-based semantic analysis constitutes the novel aspect of this approach. Comparative evaluation using three widely used benchmark test sets shows that our carver matches the state-of-the-art commercial tool that requires an a priori model, while beating a number of popular forensic tools. This outcome demonstrates the successful replacement of the probabilistic model with thumbnail affinity, making this technique the right complement to existing carvers in situations where thumbnail information is readily available.
international workshop on security | 2015
John Galea; Mark Vella
Use-after-free (UAF) vulnerabilities are caused by the use of dangling pointers. Their exploitation inside script engine-hosting applications, e.g. web browsers, can even bypass state-of-the-art countermeasures. This work proposes SUDUTA (Script UAF Detection Using Taint Analysis), which aims at facilitating the diagnosis of UAF bugs during vulnerability analysis and improves on an existing promising technique based on dynamic taint tracking. Firstly, precise taint analysis rules are presented in this work to clearly specify how SUDUTA manages the taint state. Secondly, it shifts its analysis on-line, enabling instrumentation code to gain access to the program state of the application. Lastly, it handles the presence of the custom memory allocators that are typically utilised in script-hosting applications. Results obtained using a benchmark dataset and vulnerable applications validate these three improvements.
international conference on security and cryptography | 2015
Jennifer Bellizzi; Mark Vella
Web applications constitute a prime target for attacks. A subset of these inject code into their targets, posing a threat to the entire hosting infrastructure rather than just to the compromised application. Existing web intrusion detection systems (IDS) are easily evaded when code payloads are obfuscated. Dynamic analysis in the form of instruction set emulation is a well-known answer to this problem; however, it is a solution for off-line settings rather than the on-line IDS setting, and it cannot be used for all types of web attack payloads. Host-based approaches provide an alternative, yet all of them impose runtime overheads. This work proposes just-in-time (JIT) binary modification, complemented with payload-based heuristics, for the provision of an obfuscation-resistant web IDS at the network level. A number of case studies conducted with WeXpose, a prototype implementation of the technique, show that JIT binary modification fits the on-line setting due to native instruction execution, while also isolating the harmful attack side-effects that consequently become a concern. Avoiding emulation makes the approach relevant to all types of payloads, while payload-based heuristics provide practicality.
recent advances in intrusion detection | 2012
Mark Vella; Sotirios Terzis; Marc Roper
Web attacks are a major security concern, as novel attacks can be easily created by exploiting different vulnerabilities, using different attack payloads, and/or different encodings (obfuscation). Intrusion detection systems (IDS) aim to correctly detect attacks. There are two main approaches to intrusion detection: misuse detection and anomaly detection. Despite the difference in approach, both fail to offer adequate resilience to novel attacks due to the difficulty of generalizing beyond known attack or normal behavior [1].
engineering of computer based systems | 2007
Ernest Cachia; Mark Vella
In this paper we propose the application of weak bisimulation to enterprise application integration (EAI) verification. Formal verification is carried out by taking the system specification and design models of an integrated system and converting them into value-passing CCS (calculus of communicating systems) processes. If a weak bisimulation relation is found between the two models, then it can be concluded that the EAI architecture is a valid one. The formal verification of an EAI architecture would add value to an EAI project framework, allowing the challenge of cumbersome and complex testing typically faced by EAI projects (R. Khanna, 2005) to be alleviated, and thus increasing the possibility of a successful EAI project, delivered on time and within the stipulated budgeted costs. This paper shows the applicability of value-passing CCS (or an equivalent formal notation) to modelling the characteristics of EAI systems, and also investigates the computational complexity of available weak bisimulation algorithms, in order to analyze the applicability of this proposition in real life
Archive | 2014
Mark Vella
Archive | 2014
James Gatt; Mark Vella; Mark Micallef