Publication


Featured research published by Yingjun Zhang.


International Conference on Information and Communication Security | 2015

TMSUI: A Trust Management Scheme of USB Storage Devices for Industrial Control Systems

Bo Yang; Yu Qin; Yingjun Zhang; Weijin Wang; Dengguo Feng

The security of sensitive data and the safety of control signal are two core issues in industrial control system (ICS). However, the prevalence of USB storage devices brings a great challenge on protecting ICS in those respects. Unfortunately, there is currently no solution specially for ICS to provide a complete defense against communication between untrusted USB storage devices and critical equipment without forbidding normal USB device function. This paper proposes a trust management scheme of USB storage devices for ICS (TMSUI). By fully considering application scenarios, TMSUI is designed based on security chip to flexibly achieve authorizing a certain USB storage device to only access some exact protected terminals in ICS for a particular period of time. The scheme enables administrators to revoke authorized devices. We analyze six security properties of TMSUI. The prototype system is finally implemented. The evaluation results indicate that our scheme meets the security goals with high compatibility and good efficiency.


International Conference on Information and Communication Security | 2010

Automatically generating patch in binary programs using attribute-based taint analysis

Kai Chen; Yifeng Lian; Yingjun Zhang

Vulnerabilities in software threaten safety of hosts. Generating patches could overcome this problem. Patches are usually generated with human intervention, which is very time-consuming and needs a lot of experience. A few heuristic methods can generate patches automatically. But they usually have high false negative and/or false positive rate. We proposed a novel solution and implemented a real system called Patch-Gen that can automatically generate patches for vulnerabilities. Patch-Gen innovatively combines several techniques: (1) It can automatically generate patches for Windows x86 binaries without any need for source code, debugging information or human intervention. (2) Attribute-based taint analysis method (ATAM) is proposed to find attack point and overflow point with no need to record or analyze program execution traces, which saves both analysis time and memory. (3) PatchGen automatically tunes the candidate position to find the most suitable position to patch. We made several experiments on PatchGen. The results show that Patch-Gen can successfully generate patches for buffer overflow vulnerabilities in several minutes. The running overhead of the patched applications is less than 1% on average.


Science in China Series F: Information Sciences | 2012

Black-box testing based on colorful taint analysis

Kai Chen; Dengguo Feng; Purui Su; Yingjun Zhang

Software vulnerability detection is one of the most important methods for guaranteeing software security. Two main classes of methods can detect vulnerabilities in binary files: white-box testing and black-box testing. The former needs to construct and solve path constraints to detect vulnerabilities. It has two main drawbacks: path exploding and complexity of constraints. The latter often aimlessly exhausts various inputs to test binary files. This paper combines both testing methods to detect vulnerabilities in binary files. By analyzing the input elements that affect check condition corresponding to a certain check point, we can generate one class of inputs that get to the check point to increase fuzzing efficiency. By analyzing the relationship between guard conditions and check condition, the redundant check points are removed. Colorful taint analysis method (CTAM) is proposed to compute guard conditions, which is more efficient than traditional taint analysis method (TTAM). We implemented a prototype and made several experiments on it. The results showed that our method could increase the efficiency of black-box testing.


IEEE Transactions on Reliability | 2016

Dynamically Discovering Likely Memory Layout to Perform Accurate Fuzzing

Kai Chen; Yingjun Zhang; Peng Liu

Malicious Input through Buffer Overflow (MiBO) vulnerabilities play important roles in cyber security. To identify MiBO vulnerabilities, white-box testing approaches analyze instructions in all possible execution paths. Black-box testing approaches try to trigger MiBO vulnerabilities using different inputs. However, only limited coverage can be achieved: the identified MiBO vulnerabilities, when being “hit” by a test input, must cause exceptions (e.g., crashes). Type information could help to catch the non-crash MiBO vulnerabilities, but such information is not contained in binary code. In this paper, we present a white-box fuzzing method to detect non-crash MiBO vulnerabilities. Without source code, we dynamically discover likely memory layouts to help the fuzzing process. This is very challenging since memory addresses and layouts keep changing with the running of software. In different executions with different inputs, the layouts may also change. To address these challenges, we selectively analyze memory operations to identify memory layouts. If a buffer border identified from the memory layout is exceeded, an error will be reported. The fuzzing results will be compared with the layout for future input generation, which greatly increases the opportunity to expose MiBO vulnerabilities. We implemented a prototype called ArtFuzz and performed several evaluations. ArtFuzz discovered 23 real MiBO vulnerabilities (including 8 zero-day MiBO vulnerabilities) in nine applications.


SERE '14 Proceedings of the 2014 Eighth International Conference on Software Security and Reliability | 2014

AppMark: A Picture-Based Watermark for Android Apps

Yingjun Zhang; Kai Chen

Smartphones have become common tools in people's daily life. Lots of popular applications (e.g., social network applications) have immigrated from traditional computers to smartphones. With the growth of the apps, attacks on these apps are also increasing. One serious attack adds malicious payloads or advertisements to legitimate apps. These modified apps, called repackaged apps, share similar functionalities with the original apps, which makes them easily spread. To mitigate this attack, we embed watermarks into Android apps. Specially, to make the watermarks robust, we embed a new kind of watermarks called picture-based watermarks into Android apps. By making the inherent characteristics of pictures, it is resilient to obfuscation. We implemented a prototype called AppMark. We evaluated its effectiveness and performance overhead. According to the results, the picture-based watermark is both effective and efficient.


2013 IEEE 7th International Conference on Software Security and Reliability | 2013

Vulnerability-Based Backdoors: Threats from Two-step Trojans

Kai Chen; Yingjun Zhang; Yifeng Lian

Attackers like to install trojans in a target system to control it. However, it becomes more and more difficult to deceive a user into installing such trojans. One reason is that antivirus software uses more strict policies on the first run of unknown software. The other reason is that users also become more cautious. Some attackers try to find system vulnerabilities to evade the antivirus software and users. But it is not easy to find suitable vulnerabilities because they are usually patched in a short time. In this paper, we present a new type of threat called vulnerability-based backdoor (VBB). It is a two-step trojan. In the first step, attackers deceive users into installing an application. This application is transformed from the original one such as “Adobe PDF Reader” by only creating one or more vulnerabilities in it. It runs as a normal one without any malicious code. So it can escape the detection of antivirus software and users. In the second step, attackers can make use of the vulnerability and control the target system just as they use a pre-existing vulnerability. We present a method to automatically create a VBB in several minutes. In this process, no source code is needed. VBB is stable enough to reside in a system for a long time since it does not conflict with operating systems, antivirus software, other backdoors or even other VBBs. We also show how to prevent VBBs.


Workshop on Information Security Applications | 2011

A map-layer-based access control model

Yingjun Zhang; Yang Zhang; Kai Chen

Access control is very important for database management systems. Although several access control models have been proposed for geographical maps, most of them are based on the concept of authorization window. If there are many complex authorizations, we have to define many windows and the processing of evaluation will be time-consuming. This paper presents a new access control model, which supports authorization on map layers. This model also supports both positive and negative authorizations, time constraint and so on. In order to compose a role's authorizations in several layers, Multicolor Combination Theory is defined here. Then we can overlay the authorization layers to map layers in authorization evaluation, which is more efficient. At last some propagation rules are defined to make authorization simpler and more flexible.


International Conference on Security and Privacy in Communication Systems | 2014

Timing-Based Clone Detection on Android Markets

Yingjun Zhang; Kezhen Huang; Yuling Liu; Kai Chen; Liang Huang; Yifeng Lian

With the growth of smartphone users, mobile phone applications increase exponentially. But a lot of apps are cloned. We design a timing-based clone detection method. By choosing several lists of inputs, we can get the corresponding CPU time usage, which composes a CPU time usage tuple. After comparing these tuples, we can find the clone apps. At last, we do some experiments to verify our methods.


International Conference on Information Security | 2013

Optimal Defense Strategies for DDoS Defender Using Bayesian Game Model

Yuling Liu; Dengguo Feng; Yifeng Lian; Kai Chen; Yingjun Zhang

In a typical DDoS attack and defense scenario, both the attacker and the defender will take actions to maximize their utilities. However, each player does not know his opponent’s investment and cannot adopt the optimal strategies. We formalize a Bayesian game model to handle these uncertainties and specify two problems usually faced by the defender when choosing defense measures. A nonlinear programming method is proposed to handle policies’ permutation in order to maximize the defender’s utility. Following the Nash equilibrium, security administrators can take optimal strategies. Finally, the practicality and effectiveness of the model and method are illustrated by an example.


IEEE Transactions on Mobile Computing | 2018

Leveraging Information Asymmetry to Transform Android Apps into Self-Defending Code Against Repackaging Attacks

Kai Chen; Yingjun Zhang; Peng Liu

By simply adding malicious code or advertisements in legitimate smartphone apps, attackers could benefit a lot from repackaging. The existing license protection mechanisms can be easily subverted by repackaged apps. A major defense is to detect. However, detection requires finding at least two “similar” apps simultaneously. We propose a self-defending approach: let a repackaged app automatically expose itself. However, it is very challenging to achieve this goal. If developers and smartphones/users do not share any secret, attackers’ app repackaging studio would be able to do whatever legitimate smartphones/users are able to do. We find that there exists a unique information asymmetry between developers and attackers. Leveraging this asymmetry, our new self-defending code (SDC) approach encrypts parts of the app code at compile time and dynamically decrypts the ciphertext code at run-time. Different from previous work, the key is derived from both the information asymmetry and the app’s checksum. Once the app is repackaged, the changed checksum will let the app run abnormally, further exposing the repackaging. The information asymmetry protects the key from being attacked. We build a smartphone anti-repackaging system prototype. To the best of our knowledge, this is the first work that lets repackaged apps automatically malfunction while having no effect on a benign app’s function.

Collaboration

Top Co-Authors

Kai Chen, Chinese Academy of Sciences

Yifeng Lian, Chinese Academy of Sciences

Dengguo Feng, Chinese Academy of Sciences

Bo Yang, Chinese Academy of Sciences

Yu Qin, Chinese Academy of Sciences

Yuling Liu, Chinese Academy of Sciences

Weijin Wang, Chinese Academy of Sciences

Peng Liu, Pennsylvania State University

Purui Su, Chinese Academy of Sciences

Aohui Wang, Chinese Academy of Sciences