Check out the new USENIX Web site.
WORK-IN-PROGRESS REPORTS (WIPS)

Friday, August 10, 2:00 p.m.–3:30 p.m., Constitution Ballroom
Session Chair: Martin Casado, Stanford University

Accepted WiPs and Abstracts

VM-Based Malware Detection System
Yuhei Kawakoya, NTT Information Sharing Platform Laboratories

The development of malware has been very rapid. Malware has functions that attack security software such as antivirus software, personal firewalls, and host-based IDS. If a computer is attacked and infected by malware, security software does not work well, and finding malware has become a very difficult problem.

In this paper, a new architecture used in observing computer behavior and two techniques for implementing the architecture will be introduced. Generally, security software is installed within a computer that you want to protect. Our approach is to remove security software from within a computer and to place it outside of a computer using virtual machines. The outside of a guest OS is a safe place because malware in a guest OS is unable to access the host OS environment. There are two techniques to implement this architecture. The first technique is called Outside System Call Hooking. When privileged instructions like sysenter, syscall, and int 3, which are needed for invoking a system call, are executed in a guest OS, the host OS recognizes that event and investigates the status of the guest OS, such as System Call Number, Process ID, and Arguments of the System Call. The second technique is the Execution Cache Investigation. This technique compares the cache, which is used in translating the binary program of the guest OS to that of the host OS using the VMM, with the signatures, which are prepared for detecting malicious code by pattern matching. Using these two techniques, the malware detection system for finding malware activities in guest OS from outside of guest OS have been implemented. In experiments, actual malware, which is collected from the Internet, is used as sample malware. The results demonstrate the effectiveness of our proposals. Malware was detected in a guest OS from outside that guest OS. This architecture will be adopted in malware detection and other security software.


Controlled Reincarnation Attack to Subvert Digital Rights Management
F. John Krautheim and Dhananjay S. Phatak, University of Maryland, Baltimore County

Today's modern processors enable a virtual machine to operate at near "bare metal" speeds through virtualization technology built into the hardware. This high speed virtual environment allows a type of attack previously not available, malicious middleware through the use of a hypervisor. The malicious middleware allows an attacker to encapsulate an operating system such that activated software and encrypted content played within it (e.g. Blu-ray, HD-DVD, video rental downloads, etc.) can be replayed indefinitely without breaking the encryption.

It is conceptually easy to defeat a licensing mechanism based solely on local state (i.e. system time, processor identification number, etc.) by simply ensuring that the virtual machine starts at the same point every startup. This can be done by capturing the state of a pristine virtual machine immediately after activation of a license. The virtual machine could then be restarted from the pristine state at all future time, thus ensuring the indefinite use of the pirated software. Furthermore, since the virtual machine can be contained in a file, it can easily be distributed in the pristine state allowing multiple copies of the software to be used simultaneously. This attack is easily defeated by using an ongoing communication with an activation server to ensure that the license remains valid throughout the session and life of the product. However, an even more hideous attack would involve capturing those activation communications between the software and activation server and performing a replay attack. Normally, a replay attack would not be possible since two machines communicate through an encrypted channel. Enter the controlled reincarnation attack. Since the virtual machine is started in a known state, all communication with the outside world should be exactly the same every time, allowing the malicious middleware to fake the software into believing it is actually talking to a real activation server. Furthermore, a license server could also be virtualized and synced to the pristine virtual machine to ensure that the communications are genuine. We have demonstrated the above attacks and are currently testing defense mechanisms against them. The current approach is to build in a virtualization detection wizard into the licensed software to detect for the presence of virtualization technology and hypervisor that would disable the software in event the software is run in a virtual environment. The detection works by comparing a set of random instruction sequences' execution time against known times of the same sequence on a bare metal system with no virtualization. We propose to eventually develop a suite of detection mechanisms that can be used by software vendors to embed into their applications such that they are protected against not only the attacks presented here, but against other forms of malware including root kits, malicious hypervisors, malicious middleware, bots and spyware.


The Performance of Public Key-based Authentication Protocols

Kerberos has revolved over the past 15 years and rapidly since 1999. Among them, there have been numerous proposals to integrate public key cryptography into Kerberos. Public-Key Cross Realm Authentication in Kerberos (PKCROSS) has been proposed to simplify the administrative burden of maintaining cross-realm keys so that it improves the scalability of Kerberos in large multi-realm networks. Public Key Utilizing Tickets for Application Servers (PKTAPP) has been suggested to improve the scalability issue of PKCROSS. Performance evaluation is a fundamental consideration in the design of security protocols. But, performance associated with most of these two protocols has been poorly understood in a large-scale network.

In this research, we present an efficient way to study the performance of PKCROSS and PKTAPP. Our thorough performance analysis of these two techniques shows that PKTAPP does not scale better than PKCROSS. In this talk, we will briefly report our recent results of when PKCROSS still outperforms than PKTAPP in multiple remote realms.


Automatic Vulnerability Management based on Platform Integrity
Megumi Nakamura, Seiji Munetoh, Michiharu Kudo, IBM, Tokyo Research Laboratory

To compose and maintain a secure platform against various kinds of security attacks, the administrator must continually do many things. Automatic vulnerability checking aims to reduce the work for maintenance while making the platform more secure. Adapting an XML format to the vulnerability management for automatic management has appeared in some previous research. The National Vulnerability Database recently described a method for using CVE, OVAL, and XCCDF, which enables automatic vulnerability assessment, management, and policy compliance evaluation. We use these same descriptions because CVE is broadly used to describe vulnerabilities.

Security tools to check and manage vulnerabilities have various features. We seek to use those tools together to broaden their effective scope. However they have shared defects, too, in the security vulnerabilities of the tools themselves. To detect vulnerable tools being used for security inspections, we use TCG technology to make and verify integrity measurements that are recorded in the security chip. These measurements are the digest values of the components running on the platform. The integrity data and the vulnerability information are linked in our system, so we can check the integrity of the components and detect the existence of vulnerabilities. We describe the evaluation tests for a security guideline using XCCDF and OVAL, and then inspect the platform based on the test. The tool for testing was also tested using the trust-chain from the starting time and its integrity is assured. In our system, the data and tools used in vulnerability checking are based on hardware security, which is more secure than software-only testing.


Attacking the Kad Network
P. Wang, J. Tyra, T. Malchow, Y. Kim, N. Hopper, D. Foo Kune, E. Chan-Tin, University of Minnesota

The Kad network, an implementation of the Kademlia protocol, supports the popular eDonkey peer-to-peer file sharing network and has over 1.5 million concurrent nodes. By exploiting critical implementation weaknesses, we successfully launch an attack on Kad that prevents completion of a significant fraction of all Kad keyword searches, with reasonable costs in terms of communication and computational resources—for example, experiments suggest that a single node with a 100Mbps link could stop 65% of all Kad searches. Experimental results show that our attack is effective against eMule and aMule, the most popular Kad clients. We briefly explain other consequences of these weaknesses, including low-cost disruption of targeted keyword searches and the use of the Kad network to mount distributed denial of service attacks.


Virtual Machine Introspection for Cognitive Immunity (VICI)
Timothy Fraser, Komoku, Inc.

The VICI project combines Virtual Machine Introspection, a variety of repair techniques adapted from Nooks, Microreboot, and other sources, and a little AI to monitor the integrity of operating system kernels. The VICI prototype observes GNU/Linux kernels running in Xen virtual machines, detects tampering caused by kernel-modifying rootkits, and automatically repairs this tampering to thwart the rootkit and restore the system to health. Current development focuses on a control system derived from the Brooks Subsumption architecture for autonomous robots. This control system will choose repair strategies based on diagnoses and will (hopefully) learn to make better choices over time.


Polymorphic Shellcode Detection Using Emulation
Michalis Polychronakis, Foundation for Research & Technology—Hellas (FORTH)

In this talk I will present our recent work on network-level shellcode detection using code emulation. The approach is based on a NIDS-embedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of certain shellcode classes, such as self-decrypting polymorphic shellcode. Network-level emulation does not rely on any exploit or vulnerability specific signatures, which allows the detection of previously unknown attacks. At the same time, the actual execution of the attack code, e.g., in contrast to static analysis, makes the detector robust to evasion techniques such as self-modifying code. Furthermore, each input is inspected autonomously, which makes the approach effective against targeted attacks. I will also present recent attack statistics from long-term real-world deployments of our prototype implementation, as well as our ongoing and future work on improving network-level emulation.


CANDID : Preventing SQL Code Injection Attacks
Prithvi Bisht, University of Illinois, Chicago

SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks.

A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and to detect attacks by comparing them against the intended query structure. The mechanism of mining programmer intended queries relies on a simple and novel idea that evaluates runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic queries computed on a program run. Our approach has been implemented in a tool called Candid that retrofits Web applications written in Java to defend them against SQL injection attacks. We report extensive experimental results that show that our approach performs remarkably well in practice.


Protecting User Files by Reducing Application Access
William Enck, Patrick McDaniel, and Trent Jaeger, SIIS Lab, Pennsylvania State University

Traditional discretionary access control mechanisms do not differentiate between a user's running applications--hence they provide no means of preventing one application from exploiting another's data. Commercial mandatory access control mechanisms, such as SELinux and AppArmor aim to protect system files, but do little to prevent similar misuse of user data. We propose the PinUP access control overlay. PinUP extends filesystem protections to explicitly identify the set of applications that may access each user's files. This reflects users' intuition about access: that files should only be accessed by the applications that own them. This approach reduces the often esoteric task of access control policy specification to a significantly simpler declaration of the relationship between user files and applications. In so doing, we reduce the significant gap between existing access control and least privilege frequently exploited by malware such as viruses, worms, and spyware.


Securing Web Browsers Against Malicious Plug-Ins
Mike Ter Louw, University of Illinois at Chicago

We are examining the security issues in functionality extension mechanisms supported by web browsers. Extensions (or "plug-ins") within modern web browsers enjoy unlimited power and thus are attractive vectors for malware. To solidify the claim, we have assumed the role of malware writers looking to take control of a user's browser. We have taken advantage of the lack of security mechanisms for browser extensions and implemented a malware application for the popular Firefox web browser, which we call BrowserSpy, that requires no special privileges to be installed. We also play the role of defenders to develop defense strategies against such malware. Our previous contribution is a mechanism that uses code integrity checking techniques to control the extension installation and loading process. As part of our ongoing research, we are exploring techniques for runtime monitoring of extension behavior to defend against threats due to installed extensions.

This talk contains a summary of the work (Extensible Web Browser Security) we published at the Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA) conference in Lucerne, Switzerland on July 12, 2007. Furthermore, I will discuss the progress of our ongoing work in this topic and our goals for the future.


Detecting ISP-Injected Ads with Web Tripwires
Charles Reis, Steven D. Gribble, and Tadayoshi Kohno, University of Washington; Nicholas C. Weaver, ICSI

Some Web users have recently noticed a new practice by certain ISPs: injecting advertisements into the web pages requested by their clients. To detect how widespread this practice is and study the injected content, our group has developed a "web tripwire" to detect and study such modifications. In this talk, we will share a few of our preliminary results after tens of thousands of Slashdot and Digg readers visited our tool. We will describe a few of the interesting cases of injections, some reactions by ISPs, and our plans to build on what we have observed.

Further information and the tool itself are available online at http://vancouver.cs.washington.edu.


Leveraging Non-Volatile Memory for Advanced Storage Security
Kevin Butler, Pennsylvania State University

As computing models change, so too do the demands on storage. Distributed and virtualized systems introduce new vulnerabilities, assumptions, and performance requirements on disks. However, traditional storage systems have very limited capacity to implement needed ``advanced storage'' features such as integrity and data isolation. This is largely due to the simple interfaces and limited computing resources provided by commodity hard-drives.

A new generation of storage devices affords better opportunities to meet these new models, but little is known about how to exploit them. We show that the recently introduced fast-access non-volatile RAM-enhanced hybrid (HHD) disk architectures can be used to implement a range of valuable storage-security services, such as authenticated encryption and labelled information flow at the disk access layer. We introduce systems that place a security perimeter at the disk interface, and deal with the parent operating system only as a largely untrusted entity.

?Need help? Use our Contacts page.

Last changed: 14 Nov. 2007 jel