Publication


Featured research published by Purui Su.


IEEE International Conference on Cloud Computing Technology and Science | 2010

CloudSEC: A Cloud Architecture for Composing Collaborative Security Services

Jia Xu; Jia Yan; Liang He; Purui Su; Dengguo Feng

Massive Internet invasions, carried out through distributed platforms built by the rapid diffusion of malware, have become a significant issue in network security. We argue that the notion of "Collaborative Security" is an emerging trend in resisting distributed attacks originating from malware. Therefore, this paper proposes a new architecture, CloudSEC, for composing collaborative security-related services in clouds, such as correlated intrusion analysis, anti-spam, anti-DDoS, and automated malware detection and containment. CloudSEC is modeled as a dynamic peer-to-peer overlay hierarchy with three types of top-down architectural components. Based on this architecture, both data distribution and task scheduling overlays can be implemented simultaneously in a loosely coupled fashion, which can efficiently retrieve data resources from heterogeneous network security facilities and harness a distributed collection of computational resources to process data-intensive tasks. Hence, CloudSEC endows the network security infrastructure with the capability of dynamic adaptation and collaboration on an inter-organizational scale. The results of a preliminary evaluation demonstrate that CloudSEC not only delivers a sample service of distributed intrusion correlation with high scalability and robustness, but also achieves remarkable effectiveness in data sharing and task scheduling.


Computer and Communications Security | 2013

Bind your phone number with caution: automated user profiling through address book matching on smartphone

Yao Cheng; Lingyun Ying; Sibei Jiao; Purui Su; Dengguo Feng

Due to their cost-efficient communication and attractive user experience, messenger applications have come to dominate smartphones in recent years. Nowadays, Address Book Matching, a new feature that helps people keep in touch with real-world contacts, has been built into many popular messenger applications, but it also brings severe privacy issues to users. In this paper, we propose a novel method to abuse this feature to automatically collect user profiles. This method can be applied to any application equipped with Address Book Matching, independent of the mobile platform. We also build a prototype on Android to verify the effectiveness of our method. Moreover, we integrate profiles gathered from different messenger applications and provide insights by performing a consistency and authenticity analysis on user profile fields. As our experiments show, the abuse of Address Book Matching can cause severe user privacy leakage. Finally, we provide some countermeasures for developers to avoid this issue when designing messenger applications.


Annual Computer Security Applications Conference | 2015

Binary Code Continent: Finer-Grained Control Flow Integrity for Stripped Binaries

Minghua Wang; Heng Yin; Abhishek Vasisht Bhaskar; Purui Su; Dengguo Feng

Control Flow Integrity (CFI) is an effective technique to mitigate threats such as code-injection and code-reuse attacks in programs by protecting indirect transfers. For stripped binaries, a CFI policy has to be made conservatively due to the lack of source-level semantics. Existing binary-only CFI solutions such as BinCFI and CCFIR demonstrate the ability to protect stripped binaries, but the policies they apply are too permissive, allowing sophisticated code-reuse attacks. In this paper, we propose a new binary-only CFI protection scheme called BinCC, which applies static binary rewriting to provide finer-grained protection for x86 stripped ELF binaries. Through code duplication and static analysis, we divide the binary code into several mutually exclusive code continents. We further classify each indirect transfer within a code continent as either an Intra-Continent transfer or an Inter-Continent transfer, and apply separate, strict CFI policies to constrain these transfers. To evaluate BinCC, we introduce new metrics to estimate the average number of legitimate targets of each kind of indirect transfer as well as the difficulty of leveraging call-preceded gadgets to generate ROP exploits. Compared to the state-of-the-art binary-only CFI, BinCFI, the experimental results show that BinCC significantly reduces the legitimate transfer targets by 81.34% and increases the difficulty for adversaries to bypass CFI restrictions and launch sophisticated ROP attacks. BinCC also achieves reasonable performance, with around 14% less space overhead and only a 4% increase in runtime overhead compared to BinCFI.


IEEE Transactions on Dependable and Secure Computing | 2015

Invalidating Idealized BGP Security Proposals and Countermeasures

Qi Li; Xinwen Zhang; Xin Zhang; Purui Su

Border Gateway Protocol (BGP) is vulnerable to routing attacks because it lacks an inherent verification mechanism. Several secure BGP schemes have been proposed to prevent routing attacks by leveraging cryptographic verification of BGP routing updates. In this paper, we present a new type of attack, called TIGER, which aims to invalidate the "proven" security of these secure BGP schemes and allows ASes to announce forged routes even under full deployment of any existing secure BGP proposal. By launching TIGER attacks, malicious ASes can easily generate and announce forged routes that are successfully verified by the existing secure BGP schemes. Furthermore, TIGER attacks can evade existing routing anomaly detection schemes by guaranteeing data-plane availability and consistency between the control and data planes. Toward a new secure BGP scheme, we propose Anti-TIGER to detect and defend against TIGER attacks. Anti-TIGER enables robust TIGER detection through collaboration between ASes. In particular, we leverage the spread spectrum communication technique to watermark certain special probing packets, which reveal the existence of TIGER attacks. Anti-TIGER does not require any modifications in the routing data plane, so it is easy to deploy and incrementally deployable. We evaluate the effectiveness of TIGER and Anti-TIGER by experiments with real AS topologies of the Internet. Our experimental results show that TIGER attacks can successfully hijack a considerable number of prefixes. Meanwhile, Anti-TIGER achieves a 100 percent detection ratio of TIGER attacks.


Network and System Security | 2014

Revisiting Node Injection of P2P Botnet

Jia Yan; Lingyun Ying; Yi Yang; Purui Su; Qi Li; Hui Kong; Dengguo Feng

Botnets built on P2P protocols are especially robust against the various attacks that used to be very effective against centralized networks. It is therefore important to enhance our understanding of unstructured P2P botnets, which have proven resilient against various dismantling efforts. The node injection technique is quite effective in enumerating infected hosts in P2P botnets, but no previous work has investigated the effectiveness of this method in a quantitative manner. In this paper, we propose a peer popularity boosting algorithm to bring the popularity of an injected peer under control, and a method to tune the node injection rate to achieve a better compromise between consumed bandwidth and completeness of node enumeration. Furthermore, we evaluate our methods with varying levels of node injection on three live P2P botnets; the results show that our method is quite effective in boosting and manipulating an injected peer's popularity. In contrast to other methods that do not manipulate the injected peer's degree of dispersion in the network, our method not only unlocks the full potential of node injection but can also be adapted to measurements with various needs.


International Conference on Security and Privacy in Communication Systems | 2013

Automatic Polymorphic Exploit Generation for Software Vulnerabilities

Minghua Wang; Purui Su; Qi Li; Lingyun Ying; Yi Yang; Dengguo Feng

Generating exploits from the perspective of attackers is an effective approach towards severity analysis of known vulnerabilities. However, it remains an open problem to generate even one exploit using a program binary and a known abnormal input that crashes the program, not to mention multiple exploits. To address this issue, in this paper we propose PolyAEG, a system that automatically generates multiple exploits for a vulnerable program using one corresponding abnormal input. To generate polymorphic exploits, we fully leverage different trampoline instructions to hijack control flow and redirect it to malicious code in the execution context. We demonstrate that, given a vulnerable program and one of its abnormal inputs, our system can generate polymorphic exploits for the program. We have successfully generated control flow hijacking exploits for 8 programs in our experiment. In particular, we generated 4,724 exploits using only one abnormal input for IrfanView, a widely used picture viewer.


Secure Software Integration and Reliability Improvement | 2009

ReconBin: Reconstructing Binary File from Execution for Software Analysis

Lingyun Ying; Purui Su; Dengguo Feng; Xianggen Wang; Yi Yang; Yu Liu

Static analysis is one of the most popular approaches to software analysis. As more and more software protects its code by transformation or encryption and then releases it dynamically at runtime, these protected executables are hard to analyze statically because disassembly fails. In this paper, we propose a novel and general technique to reconstruct binary files for static analysis by monitoring the execution of protected executables. Our approach can identify and extract the dynamically released code at runtime, record control transfer information at the same time, and then reconstruct a binary file based on the original executable. The whole process does not depend on any prior knowledge of the protection methods. Experiments on our prototype ReconBin show that our approach can properly reconstruct executables protected by SMC and packers, and the reconstructed binary files can be successfully analyzed by static analysis tools such as IDA Pro. We show that it can also be used to analyze code dynamically generated by virtual machines, emulators, and buffer overflow attacks, which likewise inject attack code into the stack at runtime and redirect execution flow to it.


International Conference on Information Security | 2015

A Rapid and Scalable Method for Android Application Repackaging Detection

Sibei Jiao; Yao Cheng; Lingyun Ying; Purui Su; Dengguo Feng

The security issues of Android applications (apps) are becoming increasingly serious. One of the main security threats comes from repackaged apps. There is already some research on detecting repackaged apps using similarity measurement. However, so far, all the existing techniques for repackaging detection are based on code similarity or feature (e.g., permission set) similarity evaluation. In this paper, we propose a novel approach called ImageStruct that applies an image similarity technique to locate and detect the changes introduced by repackaging effectively. ImageStruct performs a quick repackaging detection by considering the similarity of images in target apps. The intuition behind our approach is that repackaged apps still need to maintain the "look and feel" of the original apps by including the original images, even though they might have additional code included or some of the original code removed. To prove the effectiveness and evaluate the reliability of our approach, we carry out comparative experiments between ImageStruct and the code-based similarity scores of AndroGuard. The results demonstrate that ImageStruct not only performs well and scales, but is also resistant to code obfuscation.


Trust, Security and Privacy in Computing and Communications | 2014

Long Term Tracking and Characterization of P2P Botnet

Jia Yan; Lingyun Ying; Yi Yang; Purui Su; Dengguo Feng

P2P botnets are quite robust against various attacks that were once very effective against centralized networks. In this paper, we concentrate on tracking P2P botnets, investigating botnet victims that are routable on the Internet, also known as super peers. The super peers are the backbone of the botnet for disseminating its commands and payload updates. Through tracking of three typical live P2P botnets over 6 months and analysis of their network dynamics, we outline a number of descriptive and statistical characterizations of super peers, such as geo-location, peer session time and intersession time, in-degree and out-degree distribution, and patterns of arrival and departure. In addition, based on the assumption that dynamic IP allocation will not cross the AS (Autonomous System) border, we give a conservative lower-bound estimate of the total number of infected super peers. We also propose several guidelines on disrupting P2P botnets based on the various features we have characterized, which could be helpful to the security community.


Computational Intelligence and Security | 2008

Exploring Malware Behaviors Based on Environment Constitution

Purui Su; Lingyun Ying; Dengguo Feng

Executing malware in a controlled environment is one of the most popular and effective methods of extracting the behavioral characteristics of malware. In this paper, we propose a dynamic analysis technique to explore the different behaviors of malware. We utilized environment constitution to create comprehensive reports on malware. This allowed us to extract common paths and identify what seems to be typical malware behavior. We likewise used static analysis to document interactions between malware and its environment, after which, based on environment constitution, we dynamically triggered the different path selections that we observed malware pursuing. Different malware inputs were generated based on reverse analysis of the path selection conditions, a method that allowed for the exploration of all possible malware paths and thereby permitted us to generate a relatively comprehensive report for this study. The method also allowed us to filter invalid data that we were unable to identify in the earlier process. The method became even more helpful when we implemented vulnerability analysis among different types of commercial software; here, a prototype of the system was set up, and we have finished experiments to evaluate the system. The results showed that the system could identify typical behaviors of malware without exploring all of its possible paths.

Collaboration

Top Co-Authors

Dengguo Feng, Chinese Academy of Sciences

Lingyun Ying, Chinese Academy of Sciences

Yi Yang, Chinese Academy of Sciences

Qi Li, Tsinghua University

Yacong Gu, Chinese Academy of Sciences

Yao Cheng, Singapore Management University

Jia Yan, Chinese Academy of Sciences

Liang He, Chinese Academy of Sciences

Huafeng Huang, Chinese Academy of Sciences

Xianggen Wang, Chinese Academy of Sciences