Michael Liljenstam
Ericsson
Publication
Featured research published by Michael Liljenstam.
Proceedings of the 2007 ACM workshop on Recurring malcode | 2007
Chris Fleizach; Michael Liljenstam; Per Johansson; Geoffrey M. Voelker; András Méhes
In this paper we evaluate the effects of malware propagating using communication services in mobile phone networks. Although self-propagating malware is well understood in the Internet, mobile phone networks have very different characteristics in terms of topologies, services, provisioning and capacity, devices, and communication patterns. To investigate malware in this new environment, we have developed an event-driven simulator that captures the characteristics and constraints of mobile phone networks. In particular, the simulator models realistic topologies and provisioned capacities of the network infrastructure, as well as the contact graphs determined by cell phone address books. We evaluate the speed and severity of random contact worms in mobile phone networks, characterize the denial-of-service effects such worms could have on the network, investigate approaches to accelerate malware propagation, and discuss the implications of defending networks against such attacks.
international conference on computer communications | 2009
Gjergji Zyba; Geoffrey M. Voelker; Michael Liljenstam; András Méhes; Per Johansson
As mobile phones increasingly become the target of propagating malware, their use of direct pair-wise communication mechanisms, such as Bluetooth and WiFi, poses considerable challenges to malware detection and mitigation. Unlike malware that propagates using the network, where the provider can employ centralized defenses, proximity malware can propagate in an entirely distributed fashion. In this paper we consider the dynamics of mobile phone malware that propagates by proximity contact, and we evaluate potential defenses against it. Defending against proximity malware is particularly challenging since it is difficult to piece together global dynamics from just pair-wise device interactions. Whereas traditional network defenses depend upon observing aggregated network activity to detect correlated or anomalous behavior, proximity malware detection must begin at the device. As a result, we explore three strategies for detecting and mitigating proximity malware that span the spectrum from simple local detection to a globally coordinated defense. Using insight from a combination of real-world traces, analytic epidemic models, and synthetic mobility models, we simulate proximity malware propagation and defense at the scale of a university campus. We find that local proximity-based dissemination of signatures can limit malware propagation. Globally coordinated strategies with broadcast dissemination are substantially more effective, but rely upon more demanding infrastructure within the provider.
Proceedings of the 7th Software Security, Protection, and Reverse Engineering / Software Security and Protection Workshop on | 2017
Björn Johansson; Patrik Lantz; Michael Liljenstam
The objective of control flow obfuscation is to protect the program control flow from analysis. A technique called control flow flattening addresses static analysis by hiding edges between basic blocks in a program and introduces a dispatcher block that determines the execution order of the randomized blocks. In this paper we propose a novel flattening construction and lightweight dispatchers that do not impose high runtime performance impact on the program but still give good protection of the control flow against static analysis. We also present an attack model that allows us to quantitatively evaluate the protection the constructions give and compare against other suggestions from the literature. We have implemented our construction in the open source obfuscator OLLVM and present experimental results on overheads from different dispatcher implementations.
communication systems and networks | 2012
James Mitchell; Eamonn O'Neill; Gjergji Zyba; Geoffrey M. Voelker; Michael Liljenstam; András Méhes; Per Johansson
Patterns of human encounters, which are difficult to observe directly, are fundamental to the propagation of mobile malware aimed at infecting devices in spatial proximity. We investigate errors introduced by using scanners that detect the presence of devices on the assumption that device copresence at a scanner corresponds to a device encounter. We show in an ideal static model that only 59% of inferred encounters correspond to actual device copresence. To investigate the effects of mobility, we use a simulator to compare encounters between devices with those inferred by scanners. We show that the statistical properties of scanned encounters differ from actual device encounters in ways which impact malware propagation dynamics, a form of aggressive data dissemination. In addition to helping us understand the limitations of encounter data gathered by scanners in the field, our use of virtual scanners suggests a practical method for using these empirical datasets to better inform simulations of proximity malware outbreaks and similar data dissemination applications.
Archive | 2009
Göran Selander; Yi Cheng; Mattias Eld; Frank Hartung; Michael Liljenstam; Mats Näslund
Archive | 2008
Mats Näslund; Michael Liljenstam; Karl Norrman; Bengt Sahlin
Archive | 2012
Michael Liljenstam; András Méhes; Patrick Salmela
Archive | 2012
Monica Wifvesson; Michael Liljenstam; John Mattsson; Karl Norrman
Archive | 2014
Henrik Basilier; Linus Andersson; Björn Bodén; Göran Eneroth; Michael Liljenstam; Kyösti Toivanen
Archive | 2012
Göran Selander; Harald Kallin; Michael Liljenstam; Gunnar Mildh; Bernard Smeets