Xiaoqi Jia

Value-based program characterization and its application to software plagiarism detection

Identifying similar or identical code fragments becomes much more challenging in code theft cases where plagiarizers can use various automated code transformation techniques to hide stolen code from being detected. Previous works in this field are largely limited in that (1) most of them cannot handle advanced obfuscation techniques; (2) the methods based on source code analysis are less practical since the source code of suspicious programs is typically not available until strong evidences are collected; and (3) those depending on the features of specific operating systems or programming languages have limited applicability. Based on an observation that some critical runtime values are hard to be replaced or eliminated by semantics-preserving transformation techniques, we introduce a novel approach to dynamic characterization of executable programs. Leveraging such invariant values, our technique is resilient to various control and data obfuscation techniques. We show how the values can be extracted and refined to expose the critical values and how we can apply this runtime property to help solve problems in software plagiarism detection. We have implemented a prototype with a dynamic taint analyzer atop a generic processor emulator. Our experimental results show that the value-based method successfully discriminates 34 plagiarisms obfuscated by SandMark, plagiarisms heavily obfuscated by KlassMaster, programs obfuscated by Thicket, and executables obfuscated by Loco/Diablo.

CCA-Secure Type-based Proxy Re-encryption with Invisible Proxy

Proxy re-encryption is a useful cryptographic primitive, which allows a proxy to transform a ciphertext for Alice to another ciphertext of the same plaintext for Bob. Type-based proxy re-encryption is a specific kind of proxy re-encryption, where the proxy is restricted to transform only a subset of Alices ciphertexts. This restriction is very useful in the situation where the fine-grained transformation is required. Some applications of type-based proxy re-encryption require that the underlying scheme simultaneously achieves CCA Security and Invisible Proxy. However, to the best of our knowledge, no such scheme has been proposed. In this paper, we propose the first type-based proxy re-encryption scheme that satisfies both requirements. The CCA security proof of our proposal is given in the random oracle model based on the decisional bilinear Diffie-Hellman (DBDH) assumption, extended decisional bilinear Diffie-Hellman inversion (eDBDHI) assumption, and extended decisional linear (eDL) assumption. Furthermore, our proposal holds the invisible proxy requirement unconditionally.

SHELF: Preserving Business Continuity and Availability in an Intrusion Recovery System

Recovering from intrusions for a compromised computer system is a challenging job, especially for systems that run continuous services. Current intrusion recovery techniques often do not preserve the accumulated useful state of running applications and have very limited system availability when performing recovery routines. In this paper, we propose SHELF, an on-the-fly intrusion recovery prototype system that provides a comprehensive solution to preserve business continuity, availability and recovery accuracy. SHELF preserves accumulated clean states for infected applications and files so that they can continue with the most recent pre-infection states after recovery. Moreover, SHELF leverages OS-aware taint tracking techniques to swiftly determine the sources of intrusion and assess system-wide damages caused by the intrusion. SHELF uses quarantine methods to prevent infection propagation so that uninfected and recovered objects can provide availability during the recovery phase. We integrate SHELF prototype in a virtualization environment to achieve user transparency and protection. Our evaluation shows that SHELF can perform accurate recovery on-the-fly effectively with an acceptable performance overhead.

Efficient Secret Sharing Schemes

We propose a new XOR-based (k,n) threshold secret SSS, where the secret is a binary string and only XOR operations are used to make shares and recover the secret. Moreover, it is easy to extend our scheme to a multi-secret sharing scheme. When k is closer to n, the computation costs are much lower than existing XOR-based schemes in both distribution and recovery phases. In our scheme, using more shares (≥ k) will accelerate the recovery speed.

Efficient Ideal Threshold Secret Sharing Schemes Based on EXCLUSIVE-OR Operations

Most of secret sharing schemes have to be computed in a Galois field, such as Shamir’s scheme, which have relatively heavy computational cost. Kurihara et al. [1] recently proposed a fast secret sharing scheme using only Exclusive-OR(XOR) operations to make shares and recover the secret. Their proposed scheme was shown to be hundreds of times faster than Shamir’s (in GF(q=264)) in terms of both distribution and recovery with a 4.5 MB secret when k=3 and n=11. However, some steps in their scheme still need to be improved. Their security proofs were too complex and difficult to be understood and verified intuitively. In this paper, we present a conciser, cleaner, faster scheme which is also based on XOR. Moreover, we give two geometric explanations of making shares in both our and Kurihara’s schemes respectively, which would help to easier and further understand how the shares are made in the two schemes.

Cross-Layer Damage Assessment for Cyber Situational Awareness

Damage assessment plays a very important role in securing enterprise networks and systems. Gaining good awareness about the effects and impact of cyber attack actions would enable security officers to make the right cyber defense decisions and take the right cyber defense actions. A good number of damage assessment techniques have been proposed in the literature, but they typically focus on a single abstraction level (of the software system in concern). As a result, existing damage assessment techniques and tools are still very limited in satisfying the needs of comprehensive damage assessment which should not result in any “blind spots”.

Program Characterization Using Runtime Values and Its Application to Software Plagiarism Detection

Illegal code reuse has become a serious threat to the software community. Identifying similar or identical code fragments becomes much more challenging in code theft cases where plagiarizers can use various automated code transformation or obfuscation techniques to hide stolen code from being detected. Previous works in this field are largely limited in that (i) most of them cannot handle advanced obfuscation techniques, and (ii) the methods based on source code analysis are not practical since the source code of suspicious programs typically cannot be obtained until strong evidences have been collected. Based on the observation that some critical runtime values of a program are hard to be replaced or eliminated by semantics-preserving transformation techniques, we introduce a novel approach to dynamic characterization of executable programs. Leveraging such invariant values, our technique is resilient to various control and data obfuscation techniques. We show how the values can be extracted and refined to expose the critical values and how we can apply this runtime property to help solve problems in software plagiarism detection. We have implemented a prototype with a dynamic taint analyzer atop a generic processor emulator. Our value-based plagiarism detection method (VaPD) uses the longest common subsequence based similarity measuring algorithms to check whether two code fragments belong to the same lineage. We evaluate our proposed method through a set of real-world automated obfuscators. Our experimental results show that the value-based method successfully discriminates 34 plagiarisms obfuscated by SandMark, plagiarisms heavily obfuscated by KlassMaster, programs obfuscated by Thicket, and executables obfuscated by Loco/Diablo.

Machine Learning Based Cross-Site Scripting Detection in Online Social Network

Nowadays online social network (OSN) is one of the most popular internet services in the world. It allows us to communicate with others and share knowledge. However, from the securitys point of view, OSN is becoming the favorite target for the attackers, and is under a lot of threats such as cross-site scripting (XSS) attacks. In this paper, we present a novel approach using machine learning to do XSS detection in OSN. Firstly, we leverage a new method to capture identified features from web pages and then establish classification models which can be used in XSS detection. Secondly, we propose a novel method to simulate XSS worm spreading and build our webpage database. Finally, we set up experiments to verify the classification models using our test database. Our experiment results demonstrate that our approach is an effective countermeasure to detect the XSS attack.

An efficient group-based secret sharing scheme

We propose a new secret sharing scheme which can be computed over an Abelian group, such as (Binary string, XOR) and (Integer, Addition). Therefore, only the XOR or the addition operations are required to implement the scheme. It is very efficient and fits for low-cost low-energy applications such as RFID tags. Making shares has a geometric presentation which makes our scheme be easily understood and analyzed.

Defending return-oriented programming based on virtualization techniques

Over the past few years, return-oriented programming (ROP) has drawn great attention of both academia and industry. Because of its Turing completeness, ROP reuses short instruction sequences already present in the victim programs address space to perform arbitrary computation. Hence, it can successfully bypass state-of-the-art code integrity check mechanisms. In this paper, we look into using virtualization technologies to defeat return-oriented programming. We design and implement HyperCropII, a virtualization-based automatic runtime approach to defend such attacks. ROP attackers extract short instruction sequences ending in ret called “gadgets” and craft stack content to “chain” these gadgets together. We observe that a key characteristic of ROP is to fill the stack with plenty of addresses that are within the range of the programs libraries. Accordingly, we inspect the content of the stack to see if a potential ROP attack exists and quarantine the damages for further security purposes. We have implemented a proof-of-concept system based on the open source Xen hypervisor. The evaluation results exhibit that our solution is effective and efficient. Copyright