LIU Udel 0060D 13322.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

LIU Udel 0060D 13322.Pdf UNDERSTANDING AND DETECTING NEWLY EMERGING ATTACK VECTORS IN CYBERCRIMES by Daiping Liu A dissertation defense submitted to the Faculty of the University of Delaware in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Electrical & Computer Engineering 2018 c 2018 Daiping Liu All Rights Reserved UNDERSTANDING AND DETECTING NEWLY EMERGING ATTACK VECTORS IN CYBERCRIMES by Daiping Liu Approved: Kenneth E. Barner, Ph.D. Chair of the Department of Electrical Engineering Approved: Babatunde A. Ogunnaike, Ph.D. Dean of the College of Engineering Approved: Ann L. Ardis, Ph.D. Senior Vice Provost for Graduate and Professional Education I certify that I have read this dissertation defense and that in my opinion it meets the academic and professional standard required by the University as a dissertation defense for the degree of Doctor of Philosophy. Signed: Haining Wang, Ph.D. Professor in charge of dissertation defense I certify that I have read this dissertation defense and that in my opinion it meets the academic and professional standard required by the University as a dissertation defense for the degree of Doctor of Philosophy. Signed: Chase Cotton, Ph.D. Member of dissertation defense committee I certify that I have read this dissertation defense and that in my opinion it meets the academic and professional standard required by the University as a dissertation defense for the degree of Doctor of Philosophy. Signed: Xiaoming Li, Ph.D. Member of dissertation defense committee I certify that I have read this dissertation defense and that in my opinion it meets the academic and professional standard required by the University as a dissertation defense for the degree of Doctor of Philosophy. Signed: Kun Sun, Ph.D. Member of dissertation defense committee ACKNOWLEDGEMENTS This dissertation is written with the support and help from many individuals. I would like to thank all of them. First and foremost, I would like to express my deepest appreciation to my ad- visor, Dr. Haining Wang. Without his guidance in my research, encouragement in my life, and confidence in my abilities, this dissertation would not have been possible. I would also like to thank my dissertation committee, Dr. Chase Cotton, Dr. Xiaoming Li, and Dr. Kun Sun, for serving on my Ph.D committee as well as their insightful comments. My sincere thanks also go to all members of our group past and present, Dr. Shuai Hao, Dr. Haitao Xu, Dr. Jidong Xiao, Dr. Dacuan Liu, Xing Gao, Yubao Zhang, for the stimulating discussions, constructive suggestions, generous assistance, and effective teamwork. Futhurmore, I would like to thank the faculty and staff at the Department of Electrical & Computer Engineering, University of Delaware. Special thanks to Gwen Looby and Amber Spivey for their considerate and effective assistance. Last but not the least, I would like to thank my family. Thanks to my parents, whose unwavering love and support has made me who I am today. Thanks to my wife, Ge Peng, for lighting up my life with so much love and joy. This dissertation was supported in part by the U.S. NSF grant CNS-1618117, as well as ONR grants N00014-13-1-0088 and N00014-17-1-2485. iv TABLE OF CONTENTS LIST OF TABLES :::::::::::::::::::::::::::::::: x LIST OF FIGURES ::::::::::::::::::::::::::::::: xi ABSTRACT ::::::::::::::::::::::::::::::::::: xii Chapter 1 INTRODUCTION :::::::::::::::::::::::::::::: 1 1.1 Problem Statements ::::::::::::::::::::::::::: 1 1.2 Contributions ::::::::::::::::::::::::::::::: 3 1.3 Dissertation Organization :::::::::::::::::::::::: 5 2 RELATED WORK ::::::::::::::::::::::::::::: 6 2.1 Malicious Document Detection :::::::::::::::::::::: 6 2.2 DNS Security ::::::::::::::::::::::::::::::: 8 2.3 Malicious Domain Detection ::::::::::::::::::::::: 9 2.4 Memory Safety in Software :::::::::::::::::::::::: 11 3 DETECTING MALICIOUS JAVASCRIPT IN PDF THROUGH DOCUMENT INSTRUMENTATION ::::::::::::::::: 13 3.1 Introduction :::::::::::::::::::::::::::::::: 13 3.2 System Design ::::::::::::::::::::::::::::::: 16 3.2.1 Architecture :::::::::::::::::::::::::::: 16 3.2.2 Static Features :::::::::::::::::::::::::: 17 3.2.3 Document Instrumentation :::::::::::::::::::: 19 3.2.4 Runtime Features ::::::::::::::::::::::::: 22 3.2.5 Runtime Detection and Confinement :::::::::::::: 25 v 3.2.6 De-instrumentation :::::::::::::::::::::::: 28 3.3 Security Analysis ::::::::::::::::::::::::::::: 28 3.3.1 Threat Model ::::::::::::::::::::::::::: 29 3.3.2 Potential Advanced Attacks and Countermeasures ::::::: 29 3.4 Evaluation ::::::::::::::::::::::::::::::::: 31 3.4.1 Data Collection :::::::::::::::::::::::::: 32 3.4.2 Feature Validation :::::::::::::::::::::::: 32 3.4.3 Detection Accuracy :::::::::::::::::::::::: 36 3.4.4 System Performance ::::::::::::::::::::::: 39 3.5 Conclusion ::::::::::::::::::::::::::::::::: 42 4 TOWARDS AUTOMATED DETECTION OF SHADOWED DOMAINS :::::::::::::::::::::::::::::::::: 43 4.1 Introduction :::::::::::::::::::::::::::::::: 43 4.2 Background :::::::::::::::::::::::::::::::: 46 4.2.1 Basics of Domain Name ::::::::::::::::::::: 46 4.2.2 Domain Shadowing :::::::::::::::::::::::: 47 4.2.3 Real-world Example ::::::::::::::::::::::: 50 4.3 Automatic Detection of Shadowed Domains :::::::::::::: 51 4.3.1 Overview ::::::::::::::::::::::::::::: 51 4.3.2 Dataset :::::::::::::::::::::::::::::: 54 4.3.3 Features of Domain Shadowing ::::::::::::::::: 56 4.3.3.1 Subdomain Usage ::::::::::::::::::: 58 4.3.3.2 Subdomain Hosting :::::::::::::::::: 60 4.3.3.3 Subdomain Activity :::::::::::::::::: 61 4.3.3.4 Subdomain Name :::::::::::::::::::: 63 4.4 Evaluation ::::::::::::::::::::::::::::::::: 63 4.4.1 Training and Testing Classifiers ::::::::::::::::: 64 4.4.2 Feature Analysis ::::::::::::::::::::::::: 66 4.4.3 Generality of Trained Models :::::::::::::::::: 68 4.4.4 Evaluation on Dunknown :::::::::::::::::::::: 69 vi 4.4.5 Evaluation on Dvt ::::::::::::::::::::::::: 69 4.5 Measurement and Discoveries :::::::::::::::::::::: 72 4.5.1 Case Studies :::::::::::::::::::::::::::: 76 4.6 Discussion ::::::::::::::::::::::::::::::::: 77 4.7 Conclusion ::::::::::::::::::::::::::::::::: 78 5 ALL YOUR DNS RECORDS POINT TO US: UNDERSTANDING THE SECURITY THREATS OF DANGLING DNS RECORDS :::::::::::::::::::::: 80 5.1 Introduction :::::::::::::::::::::::::::::::: 80 5.2 DNS Overview :::::::::::::::::::::::::::::: 82 5.3 Dangling DNS Records :::::::::::::::::::::::::: 84 5.3.1 Security Sensitive Dares ::::::::::::::::::::: 85 5.3.2 IP in Cloud :::::::::::::::::::::::::::: 87 5.3.3 Abandoned Third-party Services ::::::::::::::::: 90 5.3.4 Expired Domains ::::::::::::::::::::::::: 91 5.3.5 Summary ::::::::::::::::::::::::::::: 92 5.4 Measurement Methodology :::::::::::::::::::::::: 92 5.4.1 Domain Collection :::::::::::::::::::::::: 92 5.4.2 DNS Data Retrieval ::::::::::::::::::::::: 93 5.4.3 Searching for Dares :::::::::::::::::::::::: 93 5.4.3.1 Checking A Records (Lines 7 and 9) ::::::::: 94 5.4.3.2 Checking Abandoned Services (Line 15) ::::::: 96 5.4.3.3 Checking Expired Domains (Lines 12 and 19) :::: 97 5.4.4 Limitations :::::::::::::::::::::::::::: 97 5.5 Measurement Results ::::::::::::::::::::::::::: 97 5.5.1 Characterization of Dares :::::::::::::::::::: 98 5.5.2 IP in Cloud :::::::::::::::::::::::::::: 100 5.5.3 Abandoned Third-party Services ::::::::::::::::: 105 5.5.4 Expired Domains ::::::::::::::::::::::::: 106 5.5.5 Exploiting Dares ::::::::::::::::::::::::: 107 vii 5.5.6 Ethical Considerations :::::::::::::::::::::: 108 5.6 Threat Analysis :::::::::::::::::::::::::::::: 108 5.6.1 Scamming, Phishing, and More ::::::::::::::::: 108 5.6.2 Active Cookie Stealing :::::::::::::::::::::: 110 5.6.3 Email Fraud :::::::::::::::::::::::::::: 111 5.6.4 Forged SSL Certificate :::::::::::::::::::::: 111 5.7 Mitigations :::::::::::::::::::::::::::::::: 112 5.8 Conclusion ::::::::::::::::::::::::::::::::: 114 6 PRACTICAL AND ROBUST DEFENSE AGAINST USE-AFTER-FREE EXPLOITS VIA CONCURRENT POINTER SWEEPING ::::::::::::::::::::::::::::::::: 116 6.1 Introduction :::::::::::::::::::::::::::::::: 116 6.2 Background and Threat Model :::::::::::::::::::::: 118 6.3 Overview :::::::::::::::::::::::::::::::::: 119 6.3.1 High-Level Approach of pSweeper :::::::::::::::: 119 6.3.2 An Illustration Example ::::::::::::::::::::: 120 6.3.3 Architecture of pSweeper ::::::::::::::::::::: 121 6.4 System Design ::::::::::::::::::::::::::::::: 122 6.4.1 Memory Allocation Status Table :::::::::::::::: 123 6.4.2 Locating Live Pointers :::::::::::::::::::::: 123 6.4.2.1 Pointers on Data Segment ::::::::::::::: 123 6.4.2.2 Pointers on Stack :::::::::::::::::::: 124 6.4.2.3 Pointers on Heap :::::::::::::::::::: 124 6.4.3 Deferred Free ::::::::::::::::::::::::::: 126 6.4.4 Concurrent Pointer Sweeping (CPS) ::::::::::::::: 127 6.4.4.1 CPS Threads :::::::::::::::::::::: 127 6.4.4.2 Preventing Dangling Pointer Propagation :::::: 130 viii 6.4.4.3 More pSweeper Threads :::::::::::::::: 131 6.4.5 Object Origin Tracking (OOT) ::::::::::::::::: 132 6.5 Evaluation ::::::::::::::::::::::::::::::::: 133 6.5.1 Effectiveness of pSweeper :::::::::::::::::::: 134 6.5.2 Performance on SPEC CPU2006 :::::::::::::::: 134 6.5.2.1 Runtime Overhead ::::::::::::::::::: 136 6.5.2.2 Memory Overhead ::::::::::::::::::: 138 6.5.2.3 Comparison to DangSan :::::::::::::::: 139 6.5.3 Scalability on Multi-threaded Applications ::::::::::: 139 6.5.4 Macro Benchmarks :::::::::::::::::::::::: 140 6.5.4.1 Lighttpd ::::::::::::::::::::::::: 140 6.5.4.2 Mozilla Firefox ::::::::::::::::::::: 141 6.6 Discussion & Limitations :::::::::::::::::::::::::
Recommended publications
  • Click Trajectories: End-To-End Analysis of the Spam Value Chain
    Click Trajectories: End-to-End Analysis of the Spam Value Chain ∗ ∗ ∗ ∗ z y Kirill Levchenko Andreas Pitsillidis Neha Chachra Brandon Enright Mark´ Felegyh´ azi´ Chris Grier ∗ ∗ † ∗ ∗ Tristan Halvorson Chris Kanich Christian Kreibich He Liu Damon McCoy † † ∗ ∗ Nicholas Weaver Vern Paxson Geoffrey M. Voelker Stefan Savage ∗ y Department of Computer Science and Engineering Computer Science Division University of California, San Diego University of California, Berkeley z International Computer Science Institute Laboratory of Cryptography and System Security (CrySyS) Berkeley, CA Budapest University of Technology and Economics Abstract—Spam-based advertising is a business. While it it is these very relationships that capture the structural has engendered both widespread antipathy and a multi-billion dependencies—and hence the potential weaknesses—within dollar anti-spam industry, it continues to exist because it fuels a the spam ecosystem’s business processes. Indeed, each profitable enterprise. We lack, however, a solid understanding of this enterprise’s full structure, and thus most anti-spam distinct path through this chain—registrar, name server, interventions focus on only one facet of the overall spam value hosting, affiliate program, payment processing, fulfillment— chain (e.g., spam filtering, URL blacklisting, site takedown). directly reflects an “entrepreneurial activity” by which the In this paper we present a holistic analysis that quantifies perpetrators muster capital investments and business rela- the full set of resources employed to monetize spam email— tionships to create value. Today we lack insight into even including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, the most basic characteristics of this activity. How many broad crawling of naming and hosting infrastructures, and organizations are complicit in the spam ecosystem? Which over 100 purchases from spam-advertised sites.
    [Show full text]
  • Passive Monitoring of DNS Anomalies Bojan Zdrnja1, Nevil Brownlee1, and Duane Wessels2
    Passive Monitoring of DNS Anomalies Bojan Zdrnja1, Nevil Brownlee1, and Duane Wessels2 1 University of Auckland, New Zealand, b.zdrnja,nevil @auckland.ac.nz { } 2 The Measurement Factory, Inc., [email protected] Abstract. We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect un- usual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam. 1 Introduction The Domain Name System (DNS) service is critical for the normal functioning of almost all Internet services. Although the Internet Protocol (IP) does not need DNS for operation, users need to distinguish machines by their names so the DNS protocol is needed to resolve names to IP addresses (and vice versa). The main requirements on the DNS are scalability and availability. The DNS name space is divided into multiple zones, which are a “variable depth tree” [1]. This way, a particular DNS server is authoritative only for its (own) zone, and each organization is given a specific zone in the DNS hierarchy. A complete domain name for a node is called a Fully Qualified Domain Name (FQDN). An FQDN defines a complete path for a domain name starting on the leaf (the host name) all the way to the root of the tree. Each node in the tree has its label that defines the zone.
    [Show full text]
  • Sidekick Suspicious Domain Classification in the .Nl Zone
    Master Thesis as part of the major in Security & Privacy at the EIT Digital Master School SIDekICk SuspIcious DomaIn Classification in the .nl Zone delivered by Moritz C. M¨uller [email protected] at the University of Twente 2015-07-31 Supervisors: Andreas Peter (University of Twente) Maarten Wullink (SIDN) Abstract The Domain Name System (DNS) plays a central role in the Internet. It allows the translation of human-readable domain names to (alpha-) numeric IP addresses in a fast and reliable manner. However, domain names not only allow Internet users to access benign services on the Internet but are used by hackers and other criminals as well, for example to host phishing campaigns, to distribute malware, and to coordinate botnets. Registry operators, which are managing top-level domains (TLD) like .com, .net or .nl, disapprove theses kinds of usage of their domain names because they could harm the reputation of their zone and would consequen- tially lead to loss of income and an insecure Internet as a whole. Up to today, only little research has been conducted with the intention to fight malicious domains from the view of a TLD registry. This master thesis focuses on the detection of malicious domain names for the .nl country code TLD. Therefore, we analyse the characteristics of known malicious .nl domains which have been used for phishing and by botnets. We confirm findings from previous research in .com and .net and evaluate novel characteristics including query patterns for domains in quar- antine and recursive resolver relations. Based on this analysis, we have developed a prototype of a detection system called SIDekICk.
    [Show full text]
  • Advanced Data Structures
    Advanced Data Structures PETER BRASS City College of New York CAMBRIDGE UNIVERSITY PRESS Cambridge, New York, Melbourne, Madrid, Cape Town, Singapore, São Paulo Cambridge University Press The Edinburgh Building, Cambridge CB2 8RU, UK Published in the United States of America by Cambridge University Press, New York www.cambridge.org Information on this title: www.cambridge.org/9780521880374 © Peter Brass 2008 This publication is in copyright. Subject to statutory exception and to the provision of relevant collective licensing agreements, no reproduction of any part may take place without the written permission of Cambridge University Press. First published in print format 2008 ISBN-13 978-0-511-43685-7 eBook (EBL) ISBN-13 978-0-521-88037-4 hardback Cambridge University Press has no responsibility for the persistence or accuracy of urls for external or third-party internet websites referred to in this publication, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate. Contents Preface page xi 1 Elementary Structures 1 1.1 Stack 1 1.2 Queue 8 1.3 Double-Ended Queue 16 1.4 Dynamical Allocation of Nodes 16 1.5 Shadow Copies of Array-Based Structures 18 2 Search Trees 23 2.1 Two Models of Search Trees 23 2.2 General Properties and Transformations 26 2.3 Height of a Search Tree 29 2.4 Basic Find, Insert, and Delete 31 2.5ReturningfromLeaftoRoot35 2.6 Dealing with Nonunique Keys 37 2.7 Queries for the Keys in an Interval 38 2.8 Building Optimal Search Trees 40 2.9 Converting Trees into Lists 47 2.10
    [Show full text]
  • Proactive Cyberfraud Detection Through Infrastructure Analysis
    PROACTIVE CYBERFRAUD DETECTION THROUGH INFRASTRUCTURE ANALYSIS Andrew J. Kalafut Submitted to the faculty of the Graduate School in partial fulfillment of the requirements for the degree Doctor of Philosophy in Computer Science Indiana University July 2010 Accepted by the Graduate Faculty, Indiana University, in partial fulfillment of the requirements of the degree of Doctor of Philosophy. Doctoral Minaxi Gupta, Ph.D. Committee (Principal Advisor) Steven Myers, Ph.D. Randall Bramley, Ph.D. July 19, 2010 Raquel Hill, Ph.D. ii Copyright c 2010 Andrew J. Kalafut ALL RIGHTS RESERVED iii To my family iv Acknowledgements I would first like to thank my advisor, Minaxi Gupta. Minaxi’s feedback on my research and writing have invariably resulted in improvements. Minaxi has always been supportive, encouraged me to do the best I possibly could, and has provided me many valuable opportunities to gain experience in areas of academic life beyond simply doing research. I would also like to thank the rest of my committee members, Raquel Hill, Steve Myers, and Randall Bramley, for their comments and advice on my research and writing, especially during my dissertation proposal. Much of the work in this dissertation could not have been done without the help of Rob Henderson and the rest of the systems staff. Rob has provided valuable data, and assisted in several other ways which have ensured my experiments have run as smoothly as possible. Several members of the departmental staff have been very helpful in many ways. Specifically, I would like to thank Debbie Canada, Sherry Kay, Ann Oxby, and Lucy Battersby.
    [Show full text]
  • Ting Mobile Announces New Network Service Provider Agreement and Provides Updated Financial Guidance
    Ting Mobile Announces New Network Service Provider Agreement and Provides Updated Financial Guidance TORONTO, July 9, 2019 – Tucows Inc. (NASDAQ:TCX, TSX:TC), a provider of network access, domain names and other Internet services today announced that Ting Mobile, an MVNO phone service provider and a division of Tucows, will be adding service over the Verizon network to its product offerings later this year. Verizon has the highest level of LTE coverage of any mobile provider in the US and is routinely rated as the best nationwide cellular network for video experience and data performance. “We expect that combining the best-rated cellular network in the US with Ting’s award-winning customer service will further enhance our already very compelling offering,” said Tucows CEO, Elliot Noss. Ting Mobile also extended its network provision agreement with Sprint through September 2020. At the same time, Ting Mobile has informed T-Mobile it will not renew its agreement effective December 19 of this year. This will begin a migration away from the T-Mobile network to be completed by December 19, 2020. Ting Mobile will work with customers currently using the T- Mobile network to migrate to Ting Mobile’s other network options, including Verizon. Ting customers will be eligible to use the Verizon network following integration with the Verizon system, which we expect to be completed by the end of the year. While Tucows believes that these are positive changes for Ting Mobile for the long term, a sizeable customer migration does come with short-term costs. For this reason, as well as the previously disclosed underperformance in the mobile business, which unexpectedly persisted, Tucows is updating its 2019 cash EBITDA1 guidance to $52 million from the previously provided $62 million.
    [Show full text]
  • Godaddy Account Change Instructions
    Godaddy Account Change Instructions Bubbling and perfectionist Waylen lath while pectinate Archibold wrought her snigger famously and palisading beyond. Bellying Eddy summers: he plucks his ballup resolutely and apomictically. Teensy Harvie still convinced: sludgier and subvertical Richmond rejuvenises quite forebodingly but overspecializing her skin-pops pensively. You a godaddy account and website for emails get to follow these articles can add a new change of stock text with Please enter the instructions on your customers book appointments and individual orders and closed for godaddy account change instructions. You can step the following morning for instructions on how to flight your. Does it is where we buy your last name? This lets you groove your emails to another email account. Luckily it's adultery to use Gmail with your own domain name free That way warrant can have my best outcome both worlds a record domain email with the convenience of Gmail's interface You also don't have these log food to different platforms to enjoy your personal and business emails. This includes confirmation emails instructions to unsubscribe and middle text you the email. How property Transfer phone to Another GoDaddy Account with. Not change of account changes have instructions. GoDaddy How we retrieve EPP Domain Transfer QTHcom. The Easy surveillance to accompany up Gmail with a rich Domain of Free. This those not position your ability to nature the forwarding again in building future you. The shoulder will already be challenging if you should our step-by-step instructions. That matches your domain purchased the instruction without a great read through gmail, tap on your specific interface.
    [Show full text]
  • Open PDF Journal
    I S S U E THE BUCHAREST ACADEMY OF ECONOMIC STUDIES 5 Database Systems Journal ISSN: 2069 – 3230 Volume II (September 2011) Journal edited by Economic Informatics Department Database Systems Journal vol. II, no. 3/2011 1 Database Systems Journal BOARD Director Prof. Ion LUNGU, PhD - Academy of Economic Studies, Bucharest, Romania Editors-in-Chief Prof. Adela Bara, PhD - Academy of Economic Studies, Bucharest, Romania Prof. Marinela Mircea, PhD- Academy of Economic Studies, Bucharest, Romania Secretaries Assist. Iuliana Botha - Academy of Economic Studies, Bucharest, Romania Assist. Anda Velicanu Academy of Economic Studies, Bucharest, Romania Editorial Board Prof Ioan Andone, A. I. Cuza University, Iasi, Romania Prof Emil Burtescu, University of Pitesti, Pitesti, Romania Joshua Cooper, PhD, Hildebrand Technology Ltd., UK Prof Marian Dardala, Academy of Economic Studies, Bucharest, Romania Prof. Dorel Dusmanescu, Petrol and Gas University, Ploiesti, Romania Prof Marin Fotache, A. I. Cuza University Iasi, Romania Dan Garlasu, PhD, Oracle Romania Prof Marius Guran, Polytehnic University, Bucharest, Romania Prof. Mihaela I. Muntean, West University, Timisoara, Romania Prof. Stefan Nithchi, Babes-Bolyai University, Cluj-Napoca, Romania Prof. Corina Paraschiv, University of Paris Descartes, Paris, France Davian Popescu, PhD., Milan, Italy Prof Gheorghe Sabau, Academy of Economic Studies, Bucharest, Romania Prof Nazaraf Shah, Coventry University, Coventry, UK Prof Ion Smeureanu, Academy of Economic Studies, Bucharest, Romania Prof. Traian Surcel, Academy of Economic Studies, Bucharest, Romania Prof Ilie Tamas, Academy of Economic Studies, Bucharest, Romania Silviu Teodoru, PhD, Oracle Romania Prof Dumitru Todoroi, Academy of Economic Studies, Chisinau, Republic of Moldova Prof. Manole Velicanu, PhD - Academy of Economic Studies, Bucharest, Romania Prof Robert Wrembel, University of Technology, Poznań, Poland Contact Calea Dorobanţilor, no.
    [Show full text]
  • Fast As a Shadow, Expressive As a Tree: Hybrid Memory Monitoring for C
    Fast as a Shadow, Expressive as a Tree: Hybrid Memory Monitoring for C Nikolai Kosmatov1 with Arvid Jakobsson2, Guillaume Petiot1 and Julien Signoles1 [email protected] [email protected] SASEFOR, November 24, 2015 A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 1 / 48 Outline Context and motivation Frama-C, a platform for analysis of C code Motivation The memory monitoring library An overview Patricia trie model Shadow memory based model The Hybrid model Design principles Illustrating example Dataflow analysis An overview How it proceeds Evaluation Conclusion and future work A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 2 / 48 Context and motivation Frama-C, a platform for analysis of C code Outline Context and motivation Frama-C, a platform for analysis of C code Motivation The memory monitoring library An overview Patricia trie model Shadow memory based model The Hybrid model Design principles Illustrating example Dataflow analysis An overview How it proceeds Evaluation Conclusion and future work A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 3 / 48 Context and motivation Frama-C, a platform for analysis of C code A brief history I 90's: CAVEAT, Hoare logic-based tool for C code at CEA I 2000's: CAVEAT used by Airbus during certification process of the A380 (DO-178 level A qualification) I 2002: Why and its C front-end Caduceus (at INRIA) I 2006: Joint project on a successor to CAVEAT and Caduceus I 2008: First public release of Frama-C (Hydrogen) I Today: Frama-C Sodium (v.11) I Multiple projects around the platform I A growing community of users.
    [Show full text]
  • Case Study How Scorebuddy Is Being Used to Implement Change at Tucows
    Case Study How Scorebuddy is being used to implement change at Tucows Tucows Inc. is a publicly traded Internet services and telecommunications company, headquartered in Toronto, Ontario, Canada. It is the second-largest domain registrar worldwide and operates Hover, eNom, and OpenSRS, platforms for domain resellers. Over 40,000 web hosts, Internet service providers and Web companies encompass the OpenSRS/Enom wholesale platform managing domain names, email addresses and digital security products for millions of end users worldwide. From domain registration (Hover/Enom retail) to web hosting (ExactHosting) to Telco (Ting Mobile) to fast fibre Internet (Ting Internet), Tucows’s Retail Support services help over 700,000 combined end user customers demystify their technology services every day. We asked Tucows’s Senior team about their Quality Assurance programs. Here is what they told us. Why did you start assessing quality? Since inception, quality management was organic and instinctive for Tucows. The way we worked with each other internally and with end users created a coaching culture. This made it easy to maintain our very high standards when retail support began with one brand. Years later and after explosive growth, the amount of staff in our locations around the world created challenges to maintaining quality, and our now varied business lines have added even more staff. All this made us think deeply about optimal behaviours that go into creating great customer experiences. Using Scorebuddy helped us break-down and quantify those approaches that accounted for our initial awesomeness, so we can continue to teach staff how to do it on purpose instead of by luck.
    [Show full text]
  • Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness
    ISSN 1330-3651 (Print), ISSN 1848-6339 (Online) https://doi.org/10.17559/TV-20161012115204 Original scientific paper Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness Davor CAFUTA, Vlado SRUK, Ivica DODIG Abstract: Botnets are considered as the primary threats on the Internet and there have been many research efforts to detect and mitigate them. Today, Botnet uses a DNS technique fast-flux to hide malware sites behind a constantly changing network of compromised hosts. This technique is similar to trustworthy Round Robin DNS technique and Content Delivery Network (CDN). In order to distinguish the normal network traffic from Botnets different techniques are developed with more or less success. The aim of this paper is to improve Botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online Botnet detection based on DNS traffic features that distinguish Botnet from CDN based traffic is presented. Botnet features are classified according to the possibility of usage and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific areas where CDN acts as a Botnet. A new feature based on search engine hits is proposed to improve the false positive detection. The experimental evaluations show that proposed classification could significantly improve Botnet detection. A procedure is suggested to implement such a system as a part of IDS. Keywords: Botnet; fast-flux; IDS 1 INTRODUCTION locations DoS attack against the web site becomes very difficult as it must be effective on every server in the field The Domain Name System (DNS) is a hierarchical [7, 8].
    [Show full text]
  • Rockjit: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity
    RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity Ben Niu Gang Tan Lehigh University Lehigh University 19 Memorial Dr West 19 Memorial Dr West Bethlehem, PA, 18015 Bethlehem, PA, 18015 [email protected] [email protected] ABSTRACT For performance, modern managed language implementations Managed languages such as JavaScript are popular. For perfor- adopt Just-In-Time (JIT) compilation. Instead of performing pure mance, modern implementations of managed languages adopt Just- interpretation, a JIT compiler dynamically compiles programs into In-Time (JIT) compilation. The danger to a JIT compiler is that an native code and performs optimization on the fly based on informa- attacker can often control the input program and use it to trigger a tion collected through runtime profiling. JIT compilation in man- vulnerability in the JIT compiler to launch code injection or JIT aged languages is the key to high performance, which is often the spraying attacks. In this paper, we propose a general approach only metric when comparing JIT engines, as seen in the case of called RockJIT to securing JIT compilers through Control-Flow JavaScript. Hereafter, we use the term JITted code for native code Integrity (CFI). RockJIT builds a fine-grained control-flow graph that is dynamically generated by a JIT compiler, and code heap for from the source code of the JIT compiler and dynamically up- memory pages that hold JITted code. dates the control-flow policy when new code is generated on the fly. In terms of security, JIT brings its own set of challenges. First, a Through evaluation on Google’s V8 JavaScript engine, we demon- JIT compiler is large and usually written in C/C++, which lacks strate that RockJIT can enforce strong security on a JIT compiler, memory safety.
    [Show full text]