Shengzhi Zhang
Pennsylvania State University
Publication
Featured research published by Shengzhi Zhang.
international conference on mobile systems, applications, and services | 2017
Le Guan; Peng Liu; Xinyu Xing; Xinyang Ge; Shengzhi Zhang; Meng Yu; Trent Jaeger
The rapid evolution of Internet-of-Things (IoT) technologies has led to an emerging need to make them smarter. A variety of applications now run simultaneously on an ARM-based processor. For example, devices on the edge of the Internet are provided with higher horsepower to be entrusted with storing, processing and analyzing data collected from IoT devices. This significantly improves efficiency and reduces the amount of data that needs to be transported to the cloud for data processing, analysis and storage. However, commodity OSes are prone to compromise. Once they are exploited, attackers can access the data on these devices. Since the data stored and processed on the devices can be sensitive, left untackled, this is particularly disconcerting. In this paper, we propose a new system, TrustShadow, that shields legacy applications from untrusted OSes. TrustShadow takes advantage of ARM TrustZone technology and partitions resources into the secure and normal worlds. In the secure world, TrustShadow constructs a trusted execution environment for security-critical applications. This trusted environment is maintained by a lightweight runtime system that coordinates the communication between applications and the ordinary OS running in the normal world. The runtime system does not provide system services itself. Rather, it forwards requests for system services to the ordinary OS, and verifies the correctness of the responses. To demonstrate the efficiency of this design, we prototyped TrustShadow on a real chip board with ARM TrustZone support, and evaluated its performance using both microbenchmarks and real-world applications. We showed TrustShadow introduces only negligible overhead to real-world applications.
Cyber Situational Awareness | 2010
Peng Liu; Xiaoqi Jia; Shengzhi Zhang; Xi Xiong; Yoon-Chan Jhi; Kun Bai; Jason H. Li
Damage assessment plays a very important role in securing enterprise networks and systems. Gaining good awareness about the effects and impact of cyber attack actions would enable security officers to make the right cyber defense decisions and take the right cyber defense actions. A good number of damage assessment techniques have been proposed in the literature, but they typically focus on a single abstraction level (of the software system in concern). As a result, existing damage assessment techniques and tools are still very limited in satisfying the needs of comprehensive damage assessment which should not result in any “blind spots”.
computer and information technology | 2007
Shengzhi Zhang; Sang-Jo Yoo
The IEEE 802.15.4 specification does not include RTS/CTS mechanism to avoid the hidden/exposed node problem, for the consideration of constructing the low energy consumption networks. However, based on the modified CSMA/CA algorithm in LR-WPANs, the hidden node collisions will repeat up to aMaxframeRetries (default value is 3) times until the collided packets are discarded with a high probability. Therefore, a fast recovery mechanism is proposed in this paper to achieve the fast self-healing with negligible control overheads when the networks suffer the hidden node collisions. When the coordinator recognizes the hidden node collision occurs, it will issue a group polling ACK (PACK) to indicate the priority of the collided packets retransmission. Simulation results demonstrate that the proposed PACK mechanism is able to improve the network throughput and avoid the continuous hidden node collisions efficiently.
conference on data and application security and privacy | 2011
Junfeng Yu; Shengzhi Zhang; Peng Liu; ZhiTang Li
In this paper, we present the design, implementation, and evaluation of LeakProber, a framework that leverages the whole system dynamic instrumentation and the inter-procedural analysis to enable data propagation path profiling in production system. We integrate both the static analysis and runtime tracking to establish a holistic and practical approach to generating the sensitive data propagation graph (sDPG) with minimum runtime overhead. We evaluate our system on several data stealing attack scenarios for generating sDPG. The sDPG generated by our system captures multiple aspects of data accessing patterns and provides clear insights into the data leakage path. We also measure the performance of our system and find that it degrades the production system about 6% in the trace-on mode. When our prototype works in the trace-off mode, the runtime overhead is even lower, on an average of 1.5% across each benchmark we run. We believe that it is feasible to directly apply our prototype into production system environment.
high performance computing and communications | 2014
Rui Wang; Xiaoqi Jia; Qinlei Li; Shengzhi Zhang
Nowadays online social network (OSN) is one of the most popular internet services in the world. It allows us to communicate with others and share knowledge. However, from the security's point of view, OSN is becoming the favorite target for the attackers, and is under a lot of threats such as cross-site scripting (XSS) attacks. In this paper, we present a novel approach using machine learning to do XSS detection in OSN. Firstly, we leverage a new method to capture identified features from web pages and then establish classification models which can be used in XSS detection. Secondly, we propose a novel method to simulate XSS worm spreading and build our webpage database. Finally, we set up experiments to verify the classification models using our test database. Our experiment results demonstrate that our approach is an effective countermeasure to detect the XSS attack.
Security and Communication Networks | 2013
Xiaoqi Jia; Rui Wang; Jun Jiang; Shengzhi Zhang; Peng Liu
Over the past few years, return-oriented programming (ROP) has drawn great attention of both academia and industry. Because of its Turing completeness, ROP reuses short instruction sequences already present in the victim program's address space to perform arbitrary computation. Hence, it can successfully bypass state-of-the-art code integrity check mechanisms. In this paper, we look into using virtualization technologies to defeat return-oriented programming. We design and implement HyperCropII, a virtualization-based automatic runtime approach to defend such attacks. ROP attackers extract short instruction sequences ending in ret called “gadgets” and craft stack content to “chain” these gadgets together. We observe that a key characteristic of ROP is to fill the stack with plenty of addresses that are within the range of the program's libraries. Accordingly, we inspect the content of the stack to see if a potential ROP attack exists and quarantine the damages for further security purposes. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient.
Future Generation Computer Systems | 2013
Shengzhi Zhang; Wenjie Wang; Haishan Wu; Athanasios V. Vasilakos; Peng Liu
The rapid expansion of cloud offerings poses fundamental tasks for workload management in a large scale server farm. In order to achieve satisfactory Quality of Service (QoS) and reduce operation cost, we present a fully distributed workload management system in a large scale server environment, e.g., cloud. Different from existing centralized control approaches, the workload management logic hierarchically spreads on each back-end server and front-end proxy. The control solution is designed to offer both overload protection and resource efficiency for the back-end servers, while achieving service differentiation based on Service Level Agreement (SLA). The proposed system can directly work with legacy software stack, because the implementation requires no changes to the target operating system, application servers, or web applications. Our evaluation shows that it achieves both overload protection and service classification under dynamic heavy workload. Furthermore, it also demonstrates negligible management overhead, satisfactory fault-tolerance and fast convergence.
international conference on information and communication security | 2016
Weijuan Zhang; Xiaoqi Jia; Chang Wang; Shengzhi Zhang; Qingjia Huang; Mingsheng Wang; Peng Liu
Public Platform-as-a-Service (PaaS) clouds are always multi-tenant. Applications from different tenants may reside on the same physical machine, which introduces the risk of sharing physical resources with a potentially malicious application. This gives the malicious application the chance to extract secret information of other tenants via side-channels. Though large numbers of researchers focus on the information extraction, there are few studies on the co-residence threat in public clouds, especially PaaS clouds. In this paper, we in detail studied the co-residence threat of public PaaS clouds. Firstly, we investigate the characteristics of different PaaS clouds and implement a memory bus based covert-channel detection method that works for various PaaS cloud platforms. Secondly, we study three popular PaaS clouds Amazon Elastic Beanstalk, IBM Bluemix and OpenShift, to identify the co-residence threat in their placement policies. We evaluate several placement variables (e.g., application type, number of the instances, time launched, data center region, etc.) to study their influence on achieving co-residence. The results show that all the three PaaS clouds are vulnerable to the co-residence threat and the application type plays an important role in achieving co-residence on container-based PaaS clouds. At last, we present an efficient launch strategy to achieve co-residence with the victim on public PaaS clouds.
IEEE Transactions on Information Forensics and Security | 2011
Shengzhi Zhang; Xiaoqi Jia; Peng Liu; Jiwu Jing
Analyzing the intrusion to production servers is an onerous and error-prone work for system security technicians. Existing tools or techniques are quite limited. For instance, system events tracking lacks completeness of intrusion propagation, while dynamic taint tracking is not feasible to be deployed due to significant runtime overhead. Thus, we propose production environment damage assessment (PEDA), a systematic approach to do postmortem intrusion analysis for production workload servers. PEDA replays the “has-been-infected” execution with high fidelity on a separate analyzing instrumentation platform to conduct the heavy workload analysis. Though the replayed execution runs atop the instrumentation platform (i.e., binary-translation-based virtual machine), PEDA allows the first-run execution to run atop the hardware-assisted virtual machine to ensure minimum runtime overhead. Our evaluation demonstrates the efficiency of the PEDA system with a runtime overhead as low as 5%. The real-life intrusion studies show the advantage of PEDA intrusion analysis over existing techniques.
international conference on information security | 2015
Craig Sanders; Ayush Shah; Shengzhi Zhang
Google Play provides a large Android application repository and the companion service application handles the initial installation and update processes. For the ease of management effort, a recent policy change by Google allows users to configure auto-update for installed applications based on permission groups, rather than individual permission. By analyzing the effects of the new auto-update policy on Android permission system with an emphasis on permission groups and protection levels, we find a new privilege escalation attack vector. Then 1200 Android applications are evaluated to identify potential privilege escalation candidates, and 1260 malware samples are investigated to study how the new attack vector could be utilized by the malware to increase the chance of distribution without users’ attention. Based on the evaluation results, we confirm that such new policy can be easily manipulated by malicious developers to gain high privileged permissions without users’ consent. It is highly recommended that users of the new auto-update feature carefully review permissions obtained after each update via global setting, or simply turn off the feature.