Shohreh Hosseinzadeh
University of Turku
Publication
Featured research published by Shohreh Hosseinzadeh.
world congress on internet security | 2014
Samuel Laurén; Petteri Mäki; Sampsa Rauti; Shohreh Hosseinzadeh; Sami Hyrynsalmi; Ville Leppänen
In this paper, we advocate large-scale diversification as a method to protect operating systems and render malicious programs ineffective. The idea is to diversify all the indirect library entry points to the system calls on a specific computer. As a result, it becomes very difficult for a piece of malware to access resources. The diversification of indirect system call entry points in operating system libraries is unique for each computer. Therefore, a piece of malware no longer works on several computers and becomes incompatible with their environment. We also present a concrete diversification tool and results on successful diversification. We conclude that despite some challenges, our tool can successfully diversify symbols in binaries and associated libraries in order to protect the system from attacks.
international conference on trusted systems | 2014
Sampsa Rauti; Samuel Laurén; Shohreh Hosseinzadeh; Jari-Matti Mäkelä; Sami Hyrynsalmi; Ville Leppänen
This paper studies the idea of using large-scale diversification to protect operating systems and make malware ineffective. The idea is to first diversify the system call interface on a specific computer so that it becomes very challenging for a piece of malware to access resources, and to combine this with the recursive diversification of system library routines indirectly invoking system calls. Because of this unique diversification, i.e. a unique mapping of system call numbers, a large group of computers would have the same functionality but differently diversified software layers and user applications. A malicious program now becomes incompatible with its environment. The basic flaw of operating system monoculture --- the vulnerability of all software to the same attacks --- would be fixed this way. Specifically, we analyze the presence of system calls in the ELF binaries. We study the locations of system calls in the software layers of Linux and examine how many binaries in the whole system use system calls. Additionally, we discuss the different ways system calls are coded in ELF binaries and the challenges this causes for the diversification process. Also, we present a diversification tool and suggest several solutions to overcome the difficulties faced in system call diversification. The number of problematic system calls is small, and our diversification tool manages to diversify the clear majority of system calls present in standard-like Linux configurations. For diversifying all the remaining system calls, we consider several possible approaches.
ieee international conference on cloud computing technology and science | 2015
Shohreh Hosseinzadeh; Sami Hyrynsalmi; Mauro Conti; Ville Leppänen
The development of cloud computing has facilitated organizations with its services. This makes the security and privacy of the cloud even more significant. Diversification and obfuscation approaches are among the most promising proactive techniques that protect computers from harmful malware, by preventing it from taking advantage of the security vulnerabilities. There is a large body of research on the use of diversification and obfuscation techniques for improving the security in various domains, including cloud computing. Cloud computing provides an excellent setting for applying diversification/obfuscation, as the computing platforms (virtual machines) are implemented in software. The main objective of this study is to determine in what ways obfuscation and diversification techniques are used to enhance the security and privacy of cloud computing, and to discover the potential avenues for further research. To achieve this goal, we systematically review and report the papers that discuss/propose a technique to enhance the security and privacy of the cloud, using diversification and obfuscation techniques. As the result of the search we collected 43 papers published on the topic. In this report we present the process of data collection, analysis of the results, and classification of the related studies. The classification is done based on how the diversification/obfuscation techniques are used to enhance the security in the cloud computing environment. The presented study gives a clear view of the state of the art of the existing works in the field, and sheds light on the areas that have remained intact, which could be avenues for further research. The existing works cover a surprisingly small set of the wealth of opportunities for diversification/obfuscation.
2015 International Conference on Computing, Communication and Security (ICCCS) | 2015
Shohreh Hosseinzadeh; Sampsa Rauti; Sami Hyrynsalmi; Ville Leppänen
Internet of Things (IoT) is composed of heterogeneous embedded and wearable sensors and devices that collect and share information over the Internet. This may contain private information of the users. Thus, securing the information and preserving the privacy of the users are of paramount importance. In this paper we look into the possibility of applying the two techniques, obfuscation and diversification, in IoT. Diversification and obfuscation techniques are two outstanding security techniques used for proactively protecting the software and code. We propose obfuscating and diversifying the operating systems and APIs on the IoT devices, and also some communication protocols enabling the external use of IoT devices. We believe that the proposed ideas mitigate the risk of unknown zero-day attacks, large-scale attacks, and also the targeted attacks.
international conference on management of data | 2016
Shohreh Hosseinzadeh; Seppo Virtanen; Natalia Díaz-Rodríguez; Johan Lilius
Smart Spaces are composed of heterogeneous sensors and devices that collect and share information. This information may contain personal information of the users. Thus, securing the data and preserving the privacy are of paramount importance. In this paper, we propose techniques for information security and privacy protection for Smart Spaces based on the Smart-M3 platform. We propose a) a security framework, and b) a context-aware role-based access control scheme. We model our access control scheme using ontological techniques and Web Ontology Language (OWL), and implement it via CLIPS rules. To evaluate the efficiency of our access control scheme, we measure the time it takes to check the access rights of the access requests. The results demonstrate that the highest response time is approximately 0.2 seconds in a set of 100000 triples. We conclude that the proposed access control scheme produces low overhead and is, therefore, an efficient approach for Smart Spaces.
nordic conference on secure it systems | 2016
Sampsa Rauti; Samuel Laurén; Joni Uitto; Shohreh Hosseinzadeh; Jukka Ruohonen; Sami Hyrynsalmi; Ville Leppänen
The idea of interface diversification is that internal interfaces in the system are transformed into unique secret instances. On one hand, the trusted programs in the system are accordingly modified so that they can use the diversified interfaces. On the other hand, the malicious code injected into a system does not know the diversification secret, that is the language of the diversified system, and thus it is rendered useless. Based on our study of 500 exploits, this paper surveys the different interfaces that are targeted in malware attacks and can potentially be diversified in order to prevent the malware from reaching its goals. In this study, we also explore which of the identified interfaces have already been covered in existing diversification research and which interfaces should be considered in future research. Moreover, we discuss the benefits and drawbacks of diversifying these interfaces. We conclude that diversification of various internal interfaces could prevent or mitigate roughly 80 % of the analyzed exploits. Most interfaces we found have already been diversified as proof-of-concept implementations but diversification is not widely used in practical systems.
computer systems and technologies | 2016
Shohreh Hosseinzadeh; Sampsa Rauti; Samuel Laurén; Jari-Matti Mäkelä; Johannes Holvitie; Sami Hyrynsalmi; Ville Leppänen
Diversification and obfuscation methods are promising approaches used to secure software and prevent malware from functioning. Diversification makes each software instance unique so that malware attacks cannot rely on the knowledge of the program's execution environment and/or internal structure anymore. We present a systematic literature review on the state of the art of diversification and obfuscation research aiming to improve software security between 1993 and 2014. As the result of systematic search, in the final phase, 209 related papers were included in this study. In this study we focus on two specific research questions: what are the aims of diversification and obfuscation techniques and what are the environments they are applied to. The former question includes the languages and the execution environments that can benefit from these two techniques, while the second question presents the goals of the techniques and also the type of attacks they mitigate.
Internet of Things: Principles and Paradigms | 2016
Shohreh Hosseinzadeh; Sami Hyrynsalmi; Ville Leppänen
Internet of Things (IoT) is made up of heterogeneous sensors and devices that work together to make the humans’ lives more intelligent. These devices work together by sharing the collected information about the environment. This information may contain private information of the users, which makes it highly significant to protect the information in order to preserve the privacy of the users. In this chapter, we propose using the two proactive techniques, obfuscation and diversification, for securing IoT. The proposed idea includes diversifying and obfuscating the operating systems of the devices participating in IoT, and also communication protocols among the devices. Diversification and obfuscation are two successful techniques used for securing the software and code. We believe that the proposed methods can be used in defeating the unknown zero-day attacks, targeted attacks, and also massive-scale attacks.
Archive | 2018
Rehana Yasmin; Mohammad Reza Memarian; Shohreh Hosseinzadeh; Mauro Conti; Ville Leppänen
Virtual machine migration is a powerful technique used to balance the workload of hosts in environments such as a cloud data center. In that technique, VMs can be transferred from a source host to a destination host due to various reasons such as maintenance of the source host or resource requirements of the VMs. The VM migration can happen in two ways, live and offline migration. In time of live VM migration, VMs get transferred from a source host to a destination host while running. In that situation, the state of the running VM and information such as memory pages get copied from a host and get transferred to the destination by the VM migration system.
ieee acm international conference utility and cloud computing | 2016
Shohreh Hosseinzadeh; Samuel Laurén; Ville Leppänen
Cloud computing is a wide-spread technology that enables the enterprises to provide services to their customers with a lower cost, higher performance, better availability and scalability. However, privacy and security in cloud computing has always been a major challenge to service providers and a concern to its users. Trusted computing has led its way in securing the cloud computing and virtualized environment, during the past decades. In this paper, first we study virtualized trusted platform modules and integration of vTPM in hypervisor-based virtualization. Then we propose two architectural solutions for integrating the vTPM in container-based virtualization model.