Zhongshu Gu
Purdue University
Publication
Featured research published by Zhongshu Gu.
dependable systems and networks | 2015
Zhongshu Gu; Kexin Pei; Qifan Wang; Luo Si; Xiangyu Zhang; Dongyan Xu
Currently cyber infrastructures are facing increasingly stealthy attacks that implant malicious payloads under the cover of benign programs. Existing attack detection approaches based on statistical learning methods may generate misleading decision boundaries when processing noisy data with such a mixture of benign and malicious behaviors. On the other hand, attack detection based on formal program analysis may lack completeness or adaptivity when modelling attack behaviors. In light of these limitations, we have developed LEAPS, an attack detection system based on supervised statistical learning to classify benign and malicious system events. Furthermore, we leverage control flow graphs inferred from the system event logs to enable automatic pruning of the training data, which leads to a more accurate classification model when applied to the testing data. Our extensive evaluation shows that, compared with pure statistical learning models, LEAPS achieves consistently higher accuracy when detecting real-world camouflaged attacks with benign program cover-up.
computer and communications security | 2015
Brendan Saltaformaggio; Rohit Bhatia; Zhongshu Gu; Xiangyu Zhang; Dongyan Xu
The ubiquity of modern smartphones means that nearly everyone has easy access to a camera at all times. In the event of a crime, the photographic evidence that these cameras leave in a smartphone's memory becomes a vital piece of digital evidence, and forensic investigators are tasked with recovering and analyzing this evidence. Unfortunately, few existing forensics tools are capable of systematically recovering and inspecting such in-memory photographic evidence produced by smartphone cameras. In this paper, we present VCR, a memory forensics technique which aims to fill this void by enabling the recovery of all photographic evidence produced by an Android device's cameras. By leveraging key aspects of the Android framework, VCR extends existing memory forensics techniques to improve vendor-customized Android memory image analysis. Based on this, VCR targets application-generic artifacts in an input memory image which allow photographic evidence to be collected no matter which application produced it. Further, VCR builds upon the Android framework's existing image decoding logic to both automatically recover and render any located evidence. Our evaluation with commercially available smartphones shows that VCR is highly effective at recovering all forms of photographic evidence produced by a variety of applications across several different Android platforms.
dependable systems and networks | 2014
Zhongshu Gu; Brendan Saltaformaggio; Xiangyu Zhang; Dongyan Xu
Kernel minimization has already been established as a practical approach to reducing the trusted computing base. Existing solutions have largely focused on whole-system profiling, generating a globally minimum kernel image that is shared by all applications. However, since different applications use only part of the kernel's code base, the minimized kernel still includes an unnecessarily large attack surface. Furthermore, once the static minimized kernel is generated, it is not flexible enough to adapt to an altered execution environment (e.g., a new workload). FACE-CHANGE is a virtualization-based system to facilitate dynamic switching at runtime among multiple minimized kernels, each customized for an individual application. Based on prior profiling results, FACE-CHANGE transparently presents a customized kernel view to each application to confine its reachability of kernel code. In the event that the application exceeds this boundary, FACE-CHANGE is able to recover the missing code and backtrace its attack/exception provenance to analyze the anomalous behavior.
dependable systems and networks | 2013
Zhongshu Gu; William N. Sumner; Zhui Deng; Xiangyu Zhang; Dongyan Xu
Kernel drivers are usually provided in the form of loadable kernel extensions, which can be loaded/unloaded dynamically at runtime and execute with the same privilege as the core operating system kernel. The unrestricted security access from the drivers to the kernel is nevertheless a double-edged sword that makes them susceptible targets of trojan attacks. Given a benign driver, it is now easy to implant malicious logic with existing hacking tools. Once implanted, such malicious logic is difficult to detect. In this paper we propose DRIP, a framework for detecting and eliminating malicious logic embedded in a kernel driver through iteratively eliminating unnecessary kernel API invocations from the driver. When provided with the binary of a trojaned driver, DRIP generates a purified driver with benign functionalities preserved and malicious ones eliminated. Our evaluation shows that DRIP successfully eliminates malicious effects of trojaned drivers in the system, with the purified drivers maintaining or even improving their performance over the trojaned drivers.
Computers & Security | 2018
Zhongshu Gu; Brendan Saltaformaggio; Xiangyu Zhang; Dongyan Xu
Data safety has become a critical problem in the face of various cyber-attacks aiming at stealing or divulging sensitive information. In the event that adversaries have gained access to a system storing classified data, such crucial systems should actively protect the integrity of this data. To purposely deceive an attacker, we propose that accesses to sensitive data can be dynamically partitioned to prevent malicious tampering. In this paper, we present Gemini, a virtualization-based system to transparently redirect accesses to classified files based on the context of the access (e.g., process, user, time-of-day, etc.). If an access violates preconfigured data-use policies, then it will be rerouted to a honey version of the file, specifically crafted to be manipulated by the adversary. Thus, Gemini transforms static, sensitive files into moving targets and provides strong transparency and tamper-resistance as it is located at the hypervisor level. Our evaluation shows that Gemini effectively neutralizes several real-world attacks on various sensitive files and can be integrated seamlessly into current cloud environments.
symposium on reliable distributed systems | 2016
Cheng Cheng; Zhui Deng; Zhongshu Gu; Dongyan Xu
Current IaaS cloud providers typically adopt different underlying cloud infrastructures and are reluctant to provide consistent interfaces to facilitate cross-cloud interoperability. This status quo significantly complicates inter-cloud virtual machine relocation and impedes the adoption of cloud services by more enterprises and individual users. In this paper, we propose vMocity, a middleware framework enabling VM relocation across heterogeneous IaaS clouds. vMocity extends the principles of cold migration and decouples VMs' storage stack from their underlying virtualization platforms, which presents a homogeneous view of storage to cloud users. We deploy our prototype system across three representative commercial cloud platforms: Amazon EC2, Google Compute Engine, and a VMware vSphere-based private cloud. Compared to existing approaches on both synthetic and real-world workloads, vMocity can significantly reduce the disruption time of relocated services, up to 27 times shorter, and boost the recovery time to the pre-relocation performance level, up to 1.8 times faster. Our results demonstrate that vMocity is efficient and convenient for relocating VMs across clouds, offering freedom of choice to customers when facing a market of IaaS clouds to align with business objectives (cost, performance, service availability, etc.).
symposium on reliable distributed systems | 2011
Zhongshu Gu; Zhui Deng; Dongyan Xu; Xuxian Jiang
annual information security symposium | 2012
Zhongshu Gu; Zhui Deng; Dongyan Xu; Xuxian Jiang
usenix security symposium | 2014
Brendan Saltaformaggio; Zhongshu Gu; Xiangyu Zhang; Dongyan Xu