Publication


Featured research published by Sampsa Rauti.


computer systems and technologies | 2012

Browser extension-based man-in-the-browser attacks against Ajax applications with countermeasures

Sampsa Rauti; Ville Leppänen

As the web pages today rely on Ajax and JavaScript, a larger attack surface becomes available. This paper presents in detail several different man-in-the-browser attacks against Ajax applications. We implemented browser extensions for Mozilla Firefox to demonstrate these attacks and their effectiveness. Some countermeasures to mitigate the problem are also considered. We conclude that man-in-the-browser attacks are a serious threat to online applications and there are only partial countermeasures to alleviate the problem.


world congress on internet security | 2014

Symbol diversification of Linux binaries

Samuel Laurén; Petteri Mäki; Sampsa Rauti; Shohreh Hosseinzadeh; Sami Hyrynsalmi; Ville Leppänen

In this paper, we advocate large-scale diversification as a method to protect operating systems and render malicious programs ineffective. The idea is to diversify all the indirect library entry points to the system calls on a specific computer. As a result, it becomes very difficult for a piece of malware to access resources. The diversification of indirect system call entry points in operating system libraries is unique for each computer. Therefore, a piece of malware no longer works on several computers and becomes incompatible with their environment. We also present a concrete diversification tool and results on successful diversification. We conclude that despite some challenges, our tool can successfully diversify symbols in binaries and associated libraries in order to protect the system from attacks.


international conference on trusted systems | 2014

Diversification of System Calls in Linux Binaries

Sampsa Rauti; Samuel Laurén; Shohreh Hosseinzadeh; Jari-Matti Mäkelä; Sami Hyrynsalmi; Ville Leppänen

This paper studies the idea of using large-scale diversification to protect operating systems and make malware ineffective. The idea is to first diversify the system call interface on a specific computer so that it becomes very challenging for a piece of malware to access resources, and to combine this with the recursive diversification of system library routines indirectly invoking system calls. Because of this unique diversification, i.e., a unique mapping of system call numbers, a large group of computers would have the same functionality but differently diversified software layers and user applications. A malicious program now becomes incompatible with its environment. The basic flaw of operating system monoculture --- the vulnerability of all software to the same attacks --- would be fixed this way. Specifically, we analyze the presence of system calls in ELF binaries. We study the locations of system calls in the software layers of Linux and examine how many binaries in the whole system use system calls. Additionally, we discuss the different ways system calls are coded in ELF binaries and the challenges this causes for the diversification process. Also, we present a diversification tool and suggest several solutions to overcome the difficulties faced in system call diversification. The number of problematic system calls is small, and our diversification tool manages to diversify the clear majority of system calls present in standard-like Linux configurations. For diversifying all the remaining system calls, we consider several possible approaches.


computer systems and technologies | 2014

Towards a diversification framework for operating system protection

Sampsa Rauti; Johannes Holvitie; Ville Leppänen

In order to use resources of a computer, malware has to know the interfaces provided by the operating system. If we make these critical interfaces unique by diversifying the operating system and user applications, a piece of malware can no longer successfully interact with its environment. Diversification can be considered as a computer-specific secret. This paper discusses how this API diversification could be performed. We also study how much work would be needed to diversify the Linux kernel in order to hide the system call interface from malware.


2015 International Conference on Computing, Communication and Security (ICCCS) | 2015

Security in the Internet of Things through obfuscation and diversification

Shohreh Hosseinzadeh; Sampsa Rauti; Sami Hyrynsalmi; Ville Leppänen

The Internet of Things (IoT) is composed of heterogeneous embedded and wearable sensors and devices that collect and share information over the Internet. This may contain private information of the users. Thus, securing the information and preserving the privacy of the users are of paramount importance. In this paper we look into the possibility of applying two techniques, obfuscation and diversification, in IoT. Diversification and obfuscation are two outstanding security techniques used for proactively protecting software and code. We propose obfuscating and diversifying the operating systems and APIs on IoT devices, and also some communication protocols enabling the external use of IoT devices. We believe that the proposed ideas mitigate the risk of unknown zero-day attacks, large-scale attacks, and also targeted attacks.


parallel, distributed and network-based processing | 2017

A Survey on Fake Entities as a Method to Detect and Monitor Malicious Activity

Sampsa Rauti; Ville Leppänen

This paper surveys research concentrating on fake entities as a method to detect and monitor malware. A fake entity is a digital entity (such as a file) no one except a malicious attacker should access. When the entity is accessed, the defender immediately knows there is unwanted activity in the system and can start to monitor it. We discuss both faking different entities on one machine and in a network using virtual groups of fake hosts.


Emerging Trends in ICT Security | 2014

Chapter 28 – Man-in-the-Browser Attacks in Modern Web Browsers

Sampsa Rauti; Ville Leppänen

Man-in-the-browser is a Trojan that infects a Web browser. A Trojan has the ability to modify Web pages and online transaction content, or insert itself in a covert manner, without the user noticing anything suspicious. This chapter presents a study of several man-in-the-browser attacks that tamper with the user’s transactions and examines different attack vectors on several software layers. We conclude that there are many possible points of attack on different software layers and components of a Web browser, as the user’s transaction data flows through these layers. We also propose some countermeasures to mitigate these attacks. Our conceptual solution is based on cryptographic identification and integrity monitoring of software components.


european conference on software architecture | 2016

An interface diversified honeypot for malware analysis

Samuel Laurén; Sampsa Rauti; Ville Leppänen

Defending information systems against advanced attacks is a challenging task; even if all the systems have been properly updated and all the known vulnerabilities have been patched, there is still the possibility of a previously unknown zero-day attack compromising the system. Honeypots offer a more proactive tool for detecting possible attacks. What is more, they can act as a tool for understanding attackers' intentions. In this paper, we propose a design for a diversified honeypot. By increasing the variability present in software, diversification decreases the number of assumptions an attacker can make about the target system.


computer systems and technologies | 2015

Diversification of system calls in the Linux kernel

Samuel Laurén; Sampsa Rauti; Ville Leppänen

This paper presents system call diversification as a method for protecting operating systems and rendering malicious programs ineffective. The idea is to change all the system call numbers in the kernel and in the applications that invoke these system calls. As a result, it becomes much more difficult for a harmful program to access the resources of a computer, since the new system call interface is not known to malware. The diversification of system call numbers is unique for each computer and the space of possible system call remappings is huge. Consequently, one piece of malware no longer works on several computers and becomes incompatible with their environment. In this paper, we present three different models for system call diversification in the Linux kernel. We also provide a detailed discussion of our implementation of one of these models.


Proceedings of the 27th International Workshop on Software Measurement and 12th International Conference on Software Process and Product Measurement on | 2017

Mining social networks of open source CVE coordination

Jukka Ruohonen; Sami Hyrynsalmi; Sampsa Rauti; Ville Leppänen

Coordination is one central tenet of software engineering practices and processes. In terms of software vulnerabilities, coordination is particularly evident in the processes used for obtaining Common Vulnerabilities and Exposures (CVE) identifiers for discovered and disclosed vulnerabilities. As the central CVE tracking infrastructure maintained by the non-profit MITRE Corporation has recently been criticized for time delays in CVE assignment, an almost ideal case is available for studying software and security engineering coordination practices with practical relevance. Given this pragmatic motivation, this paper examines open source CVE coordination that occurs on the public oss-security mailing list. By combining social network analysis with a data-driven, exploratory research approach, the paper asks six data mining questions with practical relevance. By contemplating answers to the questions asked by means of descriptive statistics, the paper consequently contributes not only to contemporary industry debates, but also to the tradition of empirical vulnerability research. The perspective and the case are both novel in this tradition, thus opening new avenues for further empirical inquiries and practical improvements for contemporary CVE coordination.

Collaboration

Top co-authors of Sampsa Rauti:

Petteri Mäki

Information Technology University


Johannes Holvitie

Information Technology University
