Samuel Laurén

Symbol diversification of linux binaries

In this paper, we advocate large-scale diversification as a method to protect operating systems and render malicious programs ineffective. The idea is to diversify all the indirect library entry points to the system calls on a specific computer. As a result, it becomes very difficult for a piece of malware to access resources. The diversification of indirect system call entry points in operating system libraries is unique for each computer. Therefore, a piece of malware no longer works on several computers and becomes incompatible with their environment. We also present a concrete diversification tool and results on successful diversification. We conclude that despite some challenges, our tool can successfully diversify symbols in binaries and associated libraries in order to protect the system from attacks.

Diversification of System Calls in Linux Binaries

This paper studies the idea of using large-scale diversification to protect operating systems and make malware ineffective. The idea is to first diversify the system call interface on a specific computer so that it becomes very challenging for a piece of malware to access resources, and to combine this with the recursive diversification of system library routines indirectly invoking system calls. Because of this unique diversification i.e. a unique mapping of system call numbers, a large group of computers would have the same functionality but differently diversified software layers and user applications. A malicious program now becomes incompatible with its environment. The basic flaw of operating system monoculture --- the vulnerability of all software to the same attacks --- would be fixed this way. Specifically, we analyze the presence of system calls in the ELF binaries. We study the locations of system calls in the software layers of Linux and examine how many binaries in the whole system use system calls. Additionally, we discuss the different ways system calls are coded in ELF binaries and the challenges this causes for the diversification process. Also, we present a diversification tool and suggest several solutions to overcome the difficulties faced in system call diversification. The amount of problematic system calls is small, and our diversification tool manages to diversify the clear majority of system calls present in standard-like Linux configurations. For diversifying all the remaining system calls, we consider several possible approaches.

An interface diversified honeypot for malware analysis

Defending information systems against advanced attacks is a challenging task; even if all the systems have been properly updated and all the known vulnerabilities have been patched, there is still the possibility of previously unknown zero day attack compromising the system. Honeypots offer a more proactive tool for detecting possible attacks. What is more, they can act as a tool for understanding attackers intentions. In this paper, we propose a design for a diversified honeypot. By increasing variability present in software, diversification decreases the number of assumptions an attacker can make about the target system.

Diversification of system calls in linux kernel

This paper presents system call diversification as a method for protecting operating systems and rendering malicious programs ineffective. The idea is to change all the system call numbers in the kernel and in the applications that invoke these system calls. As a result, it becomes much more difficult for a harmful program to access resources of a computer since the new system call interface is not known by malware. The diversification of system call numbers is unique for each computer and the space of possible system call remappings is huge. Consecutively, one piece of malware no longer works on several computers and becomes incompatible with their environment. In this paper, we present three different models for system call diversification in Linux kernel. We also provide a detailed discussion on our implementation of one of these models.

A Survey on Internal Interfaces Used by Exploits and Implications on Interface Diversification

The idea of interface diversification is that internal interfaces in the system are transformed into unique secret instances. On one hand, the trusted programs in the system are accordingly modified so that they can use the diversified interfaces. On the other hand, the malicious code injected into a system does not know the diversification secret, that is the language of the diversified system, and thus it is rendered useless. Based on our study of 500 exploits, this paper surveys the different interfaces that are targeted in malware attacks and can potentially be diversified in order to prevent the malware from reaching its goals. In this study, we also explore which of the identified interfaces have already been covered in existing diversification research and which interfaces should be considered in future research. Moreover, we discuss the benefits and drawbacks of diversifying these interfaces. We conclude that diversification of various internal interfaces could prevent or mitigate roughly 80 % of the analyzed exploits. Most interfaces we found have already been diversified as proof-of-concept implementations but diversification is not widely used in practical systems.

A Survey on Aims and Environments of Diversification and Obfuscation in Software Security

Diversification and obfuscation methods are promising approaches used to secure software and prevent malware from functioning. Diversification makes each software instance unique so that malware attacks cannot rely on the knowledge of the programs execution environment and/or internal structure anymore. We present a systematic literature review on the state of-the-art of diversification and obfuscation research aiming to improve software security between 1993 and 2014. As the result of systematic search, in the final phase, 209 related papers were included in this study. In this study we focus on two specific research questions: what are the aims of diversification and obfuscation techniques and what are the environments they are applied to. The former question includes the languages and the execution environments that can benefit from these two techniques, while the second question presents the goals of the techniques and also the type of attacks they mitigate.

A Survey on Anti-honeypot and Anti-introspection Methods

Modern virtual machines, debuggers, and sandboxing solutions lend themselves towards more and more inconspicuous ways to run honeypots, and to observe and analyze malware and other malicious activity. This analysis yields valuable data for threat-assessment, malware identification and prevention. However, the use of such introspection methods has caused malware authors to create malicious programs with the ability to detect and evade such environments. This paper presents an overview on existing research of anti-honeypot and anti-introspection methods. We also propose our own taxonomy of detection vectors used by malware.

Security in container-based virtualization through vTPM

Cloud computing is a wide-spread technology that enables the enterprises to provide services to their customers with a lower cost, higher performance, better availability and scalability. However, privacy and security in cloud computing has always been a major challenge to service providers and a concern to its users. Trusted computing has led its way in securing the cloud computing and virtualized environment, during the past decades. In this paper, first we study virtualized trusted platform modules and integration of vTPM in hypervisor-based virtualization. Then we propose two architectural solutions for integrating the vTPM in container-based virtualization model.

Obfuscation and Diversification for Securing Cloud Computing

The evolution of cloud computing and advancement of its services has motivated the organizations and enterprises to move towards the cloud, in order to provide their services to their customers, with greater ease and higher efficiency. Utilizing the cloud-based services, on one hand has brought along numerous compelling benefits and, on the other hand, has raised concerns regarding the security and privacy of the data on the cloud, which is still an ongoing challenge. In this regard, there has been a large body of research on improving the security and privacy in cloud computing. In this chapter, we first study the status of security and privacy in cloud computing. Then among all the existing security techniques, we narrow our focus on obfuscation and diversification techniques. We present the state-of-the-art review in this field of study, how these two techniques have been used in cloud computing to improve security. Finally, we propose an approach that uses these two techniques with the aim of improving the security in cloud computing environment and preserve the privacy of its users.

Internal Interface Diversification as a Security Measure in Sensor Networks

More actuator and sensor devices are connected to the Internet of Things (IoT) every day, and the network keeps growing, while software security of the devices is often incomplete. Sensor networks and the IoT in general currently cover a large number of devices with an identical internal interface structure. By diversifying the internal interfaces, the interfaces on each node of the network are made unique, and it is possible to break the software monoculture of easily exploitable identical systems. This paper proposes internal interface diversification as a security measure for sensor networks. We conduct a study on diversifiable internal interfaces in 20 IoT operating systems. We also present two proof-of-concept implementations and perform experiments to gauge the feasibility in the IoT environment. Internal interface diversification has practical limitations, and not all IoT operating systems have that many diversifiable interfaces. However, because of low resource requirements, compatibility with other security measures and wide applicability to several interfaces, we believe internal interface diversification is a promising and effective approach for securing nodes in sensor networks.