Now showing 1 - 10 of 25
  • Publication
  • Publication
    Empowering convolutional networks for malware classification and analysis
    ( 2017)
    Kolosnjaji, B.
    ;
    Eraisha, G.
    ;
    Webster, G.
    ;
    Zarras, A.
    ;
    Eckert, C.
    Performing large-scale malware classification is increasingly becoming a critical step in malware analytics as the number and variety of malware samples is rapidly growing. Statistical machine learning constitutes an appealing method to cope with this increase as it can use mathematical tools to extract information out of large-scale datasets and produce interpretable models. This has motivated a surge of scientific work in developing machine learning methods for detection and classification of malicious executables. However, an optimal method for extracting the most informative features for different malware families, with the final goal of malware classification, is yet to be found. Fortunately, neural networks have evolved to the state that they can surpass the limitations of other methods in terms of hierarchical feature extraction. Consequently, neural networks can now offer superior classification accuracy in many domains such as computer vision and natural language processing. In this paper, we transfer the performance improvements achieved in the area of neural networks to model the execution sequences of disassembled malicious binaries. We implement a neural network that consists of convolutional and feedforward neural constructs. This architecture embodies a hierarchical feature extraction approach that combines convolution of n-grams of instructions with plain vectorization of features derived from the headers of the Portable Executable (PE) files. Our evaluation results demonstrate that our approach outperforms baseline methods, such as simple Feedforward Neural Networks and Support Vector Machines, as we achieve 93% on precision and recall, even in case of obfuscations in the data.
  • Publication
    Combating control flow linearization
    ( 2017)
    Kirsch, J.
    ;
    Jonischkeit, C.
    ;
    Kittel, T.
    ;
    Zarras, A.
    ;
    Eckert, C.
    Piracy is a persistent headache for software companies that try to protect their assets by investing both time and money. Program code obfuscation as a sub-field of software protection is a mechanism widely used toward this direction. However, effectively protecting a program against reverse-engineering and tampering turned out to be a highly non-trivial task that still is subject to ongoing research. Recently, a novel obfuscation technique called Control Flow Linearization (CFL) is gaining ground. While existing approaches try to complicate analysis by artificially increasing the control flow of a protected program, CFL takes the exact opposite direction: instead of increasing the complexity of the corresponding Control Flow Graph (CFG), the discussed obfuscation technique decreases the amount of nodes and edges in the CFG. In an extreme case, this means that the obfuscated program degenerates to one singular basic block, while still preserving its original semantics. In this paper, we present the DeMovfuscator, a system that is able to accurately break CFL obfuscation. DeMovfuscator can reconstruct the control flow, making only marginal assumptions about the execution environment of the obfuscated code. We evaluate both the performance and size overhead of CFL as well as the feasibility of our approach to deobfuscation. Overall, we show that even though CFL sounds like an ideal solution that can evade the state of the art deobfuscation approaches, it comes with its own limitations.
  • Publication
    Dynamic loader oriented programming on Linux
    ( 2017)
    Kirsch, J.
    ;
    Bierbaumer, B.
    ;
    Kittel, T.
    ;
    Eckert, C.
    Memory corruptions are still the most prominent venue to attack otherwise secure programs. In order to make exploitation of software bugs more difficult, defenders introduced a vast number of post corruption security mitigations, such as w⊕x memory, Stack Canaries, and Address Space Layout Randomization (ASLR), to only name a few. In the following, we describe the Wiedergänger1-Attack, a new attack vector that reliably allows to escalate unbounded array access vulnerabilities occurring in specifically allocated memory regions to full code execution on programs running on i386/x86_64 Linux. Wiedergänger-attacks abuse determinism in Linux ASLR implementation combined with the fact that (even with protection mechanisms such as relro and glibc's pointer mangling enabled) there exist easy-to-hijack, writable (function) pointers in application memory. To discover such pointers, we use taint analysis and backwards slicing at the binary level and calculate an over-approximation of vulnerable instruction sequences. To show the relevance of Wiedergänger, we exploit one of the discovered instruction sequences to perform an attack on Debian 10 (Buster) by overwriting structures used by the dynamic loader (dl) that are present in any application with glibc and the dynamic loader as dependency. In order to show generality, we solely focus on data structures dispatched at program shutdown, as this is a point that arguably all applications eventually have to reach. This results in a reliable compromise that effectively bypasses all protection mechanisms deployed on x86_64/i386 Linux to date. We believe Wiedergänger to be part of an under-researched type of control flow hijacking attacks targeting internal control structures of the dynamic loader for which we propose to use the terminology Loader Oriented Programming (LOP).
  • Publication
    DeepFuzz: Triggering vulnerabilities deeply hidden in binaries
    ( 2016)
    Böttinger, K.
    ;
    Eckert, C.
    We introduce a new method for triggering vulnerabilities in deep layers of binary executables and facilitate their exploitation. In our approach we combine dynamic symbolic execution with fuzzing techniques. To maximize both the execution path depth and the degree of freedom in input parameters for exploitation, we define a novel method to assign probabilities to program paths. Based on this probability distribution we apply new path exploration strategies. This facilitates payload generation and therefore vulnerability exploitation.
  • Publication
    Policy-based implicit attestation for microkernel-based virtualized systems
    ( 2016)
    Wagner, S.
    ;
    Eckert, C.
    We present an attestation mechanism that enables a remote verifier to implicitly evaluate the trustworthiness of the prover's system through policies. Those policies are verified and enforced by a TPM 2.0, when the attestor interacts with a virtualized hardware component of the prover's system. For instance, when the verifier reads a virtualized sensor device and requests integrity-protected sensor data, such as the average temperature, a heartbeat value, or an anomaly detection score, the prover's TPM, which acts as a trust anchor, checks and enforces the policies specified by the verifier. The prover, in turn, is also able to define policies, which can limit access to certain hardware components and are also enforced by the TPM. As a result, both parties have to cooperate for a successful attestation, which implicitly creates verifiable proof of the prover's trustworthiness using mainly symmetric instead of expensive asymmetric cryptographic operations like digital signatures.
  • Publication
    Novel weaknesses in IEC 62351 protected Smart Grid control systems
    ( 2016)
    Strobel, M.
    ;
    Wiedermann, N.
    ;
    Eckert, C.
    Smart Grids are characterized by a high level of interconnectedness and interdependency between their sub-components. As this increases the surface for potential cyber attacks, the control system communication needs to be protected. IEC 61850 is about to become the most prevalent communication standard in the process related parts of Smart Grid control systems, but it was not designed with security in mind. IEC 62351 extends IEC 61850 by comprehensive security measures. By analyzing the IEC 61850 and IEC 62351 specifications, three novel weaknesses in the IEC 62351 standard were discovered which will be presented in this paper. Two weaknesses allow for replay of GOOSE and Sampled Values messages and one weakness in the protocol used for time exchange (SNTP) leaves the system vulnerable to a variety of attacks.
  • Publication
    Interactive function identification decreasing the effort of reverse engineering
    ( 2016)
    Kilic, F.
    ;
    Laner, H.
    ;
    Eckert, C.
    Today's software is growing in size and complexity. Consequently analysing closed-source binaries becomes time-consuming and labour-intensive. In the common use case, the analyst is only interested in specific functions of the given application. Identifying the relevant functions is difficult since no related meta information is given. In this paper we present a framework which speeds up the reverse-engineering process using interactive function identification. We use the benefits of Dynamic Binary Instrumentation as base to collect the executed function calls. We support the analyst in filtering the relevant functions for specific functionality. Our approach is divided into three process steps. Real-time data gathering, user defined information processing/filtering and graphical representation. We show a significant speed up in the reverse engineering process using our framework. We reduce the number of executed functions to be viewed by the analyst more than 90 % and due to visual components we help the analyst pre-selecting the functions on an abstract level.
  • Publication
    Lightweight attestation and secure code update for multiple separated microkernel tasks
    ( 2015)
    Wagner, S.
    ;
    Krauß, C.
    ;
    Eckert, C.
    By implementing all non-essential operating system services as user space tasks and strictly separating those tasks, a microkernel can effectively increase system security. However, the isolation of tasks does not necessarily imply their trustworthiness. In this paper, we propose a microkernel-based system architecture enhanced with a multi-context hardware security module (HSM) that enables an integrity verification, anomaly detection, and efficient lightweight attestation of multiple separated tasks. Our attestation protocol, which we formally verified using the automated reasoning tool ProVerif, implicitly proves the integrity of multiple tasks, efficiently communicates the result to a remote verifier, and enables a secure update protocol without the need for digital signatures that require computationally expensive operations.