Figure 1 - uploaded by Karthik Pattabiraman
Attack scenario of an insider attack

Source publication
Conference Paper
This paper presents a technique to systematically discover insider attacks in applications. An attack model where the insider is in the same address space as the process and can corrupt arbitrary data is assumed. A formal technique based on symbolic execution and model-checking is developed to comprehensively enumerate all possible insider attack...

Context in source publication

Context 1
... section describes the attack model for insider attacks and an example scenario for an insider attack.

Capabilities: The insider is a part of the application and has unfettered access to the program's address space. This includes the ability to both read and write the program's memory and registers. However, we assume that the insider cannot modify the program's code, which is reasonable since in most programs the code segment is marked read-only after the program is loaded. An attacker may get into the application (and become an insider) in one or more of the following ways:

1. By a logical loophole in the application planted by a disgruntled or malicious programmer,
2. Through a malicious (or buggy) third-party library loaded into the address space of the application,
3. By exploiting known security loopholes such as buffer overflow attacks and planting the attack code,
4. By overwriting the process's registers or memory from another process (with higher privilege) or debugger,
5. Through a security vulnerability in the operating system or virtual machine (if present).

In each of the above scenarios, the insider can corrupt the values of either memory locations or registers while the application is executing. The first three scenarios only require the insider to have the same privileges as the application, while the last two require higher privileges.

Goal: The attacker's goal is to subvert the application to perform malicious functions on behalf of the attacker. However, the attacker wants to elude detection or culpability (as far as possible), so the attacker's code may not directly carry out the attack, but may instead overwrite elements of the program's data or control in order to achieve the attacker's aims. From an external perspective, it will appear as though the attack originated due to an application malfunction, and hence the attack code will not be blamed.

Therefore, the attacker can execute code to overwrite crucial elements of the program's data or control elements. It is assumed that the attacker does not want to crash the application, but wants to subvert its execution for some malicious purpose. The attack is typically launched only under a specific set of inputs to the program (known to the attacker), and the input sequence that launches the attack is indistinguishable from a legitimate input for the program. Even if the insider is unable to launch the attack by himself/herself, he/she may have a colluding user who supplies the required inputs to launch the attack. Note that the colluding user does not need to have the same privileges as the insider in order to launch the attack. Figure 1 shows an example attack scenario where the insider has planted a "logic bomb" in the application which is triggered under a specific set of inputs. Normal users are unlikely to accidentally supply the trigger sequence and will be able to use the application without any problems. However, a colluding user knows about ...

Similar publications

Conference Paper
A transient hardware fault occurs when an energetic particle strikes a transistor, causing it to change state. Although transient faults do not permanently damage the hardware, they may corrupt computations by altering stored values and signal transfers. In this paper, we propose a new scheme for provably safe and reliable computing in the presence...

Citations

... We are interested in the differences that may exist between our method and those based on symbolic analysis. Three approaches meet these criteria [PNKI09,Jaf19,PMPD14], all presented in Section 3.3. We consider comparison criteria that seem relevant to us given what we have presented in this chapter. ...
... LLBMC unrolls loops a certain number of times according to a default value, or to a value given to the tool to bound the unrolling depth. Likewise, we could not find any information on the completeness of the approach proposed in SymPLAID [PNKI09]. However, the authors state in [PNKI08], which presents the tool on which SymPLAID is based, that the approach presented there finds all "error manifestations", which suggests its completeness. ...
Thesis
Embedded systems process and manipulate more and more sensitive data. The security of these systems is a primary concern for those who design them. Fault attacks aim to disrupt program execution by manipulating physical quantities in the system's environment. Software countermeasures are deployed to address this threat. Various analyses are currently used to evaluate the effectiveness of countermeasures once deployed, but they are little or not at all automated, costly, and limited in their coverage of possible behaviours and in the types of faults that can be analysed. We propose a robustness analysis method for binary code combining formal methods and symbolic execution. Analysis at the binary-code level not only allows the analysis to take place after compilation, which may alter the countermeasures, but also takes into account elements of the binary code that are invisible at higher levels. Formal methods, which are capable of exhaustiveness, allow the analysis to consider all configurations of the input parameters. The analysis is nevertheless performed with respect to a symbolic context, extracted by symbolic execution, which restricts it to realistic input parameters and thus limits false positives. We have implemented this method in a tool, named RobustB, automated from the source code. We propose three metrics to summarise the analysis results and to help the countermeasure designer assess the overall sensitivity of the code as well as at the level of each instruction.
... These complexities and uncertainties led to a new set of control flow analysis techniques that avoid translating the program code to a formal model. For example, insider attack detection based on symbolic execution and model-checking of assembly code was proposed in [25]. In this work, we propose a novel approach for control flow similarity check for attack detection that totally discards the idea of building CFGs. ...
Article
In big data systems, the infrastructure is such that large amounts of data are hosted away from the users. In such a system information security is considered as a major challenge. From a customer perspective, one of the big risks in adopting big data systems is in trusting the provider who designs and owns the infrastructure from accessing user data. Yet there does not exist much in the literature on detection of insider attacks. In this work, we propose a new system architecture in which insider attacks can be detected by utilizing the replication of data on various nodes in the system. The proposed system uses a two-step attack detection algorithm and a secure communication protocol to analyze processes executing in the system. The first step involves the construction of control instruction sequences for each process in the system. The second step involves the matching of these instruction sequences among the replica nodes. Initial experiments on real-world hadoop and spark tests show that the proposed system needs to consider only 20% of the code to analyze a program and incurs 3.28% time overhead. The proposed security system can be implemented and built for any big data system due to its extrinsic workflow.
... In order to assist both the development and certification processes, several tools have been developed, either to analyze the robustness of applications against fault injection [10,5,4,14,8,7,11,13], or to harden applications by adding software countermeasures [15,9,12]. All these tools are dedicated to particular fault models and code levels. ...
Conference Paper
Applications in secure components (such as smartcards, mobile phones or secure dongles) must be hardened against fault injection to guarantee security even in the presence of a malicious fault. Crafting applications robust against fault injection is an open problem for all actors of the secure application development life cycle, which prompted the development of many simulation tools. A major difficulty for these tools is the absence of representative codes, criteria and metrics to evaluate or compare obtained results. We present FISSC, the first public code collection dedicated to the analysis of code robustness against fault injection attacks. FISSC provides a framework of various robust code implementations and an approach for comparing tools based on predefined attack scenarios.
... The topic of application level insider attacks, where a malicious insider tries to overwrite one or more data items in an application, has been systematically studied by Pattabiraman et al. in [380]. The application code is modeled at the assembly level by defining the rewriting logic semantics of assembly code. ...
Conference Paper
Rewriting logic is a simple computational logic that can naturally express both concurrent computation and logical deduction with great generality. This paper provides a gentle, intuitive introduction to its main ideas, as well as a survey of the work that many researchers have carried out over the last twenty years in advancing: (i) its foundations; (ii) its semantic framework and logical framework uses; (iii) its language implementations and its formal tools; and (iv) its many applications to automated deduction, software and hardware specification and verification, security, real-time and cyber-physical systems, probabilistic systems, bioinformatics and chemical systems.
... Pattabiraman et al. presented using symbolic execution to enumerate all possible application level "insider" attacks [26]. More recently, Caballero et al. [11] independently proposed a binary code extraction technique, BCR, by combining dynamic and static analysis, to extract the malware encryption and decryption functions and reuse them in a network proxy (to decrypt the encrypted traffic). ...
Conference Paper
We introduce a reuse-oriented camouflaging attack - a new threat to legal software binaries. To perform a malicious action, such an attack will identify and reuse an existing function in a legal binary program instead of implementing the function itself. Furthermore, the attack is stealthy in that the malicious invocation of a targeted function usually takes place in a location where it is legal to do so, closely mimicking a legal invocation. At the network level, the victim binary can still follow its communication protocol without exhibiting any anomalous behavior. Meanwhile, many close-source shareware binaries are rich in functions that can be maliciously "reused", making them attractive targets of this type of attack. In this paper, we present a framework to determine if a given binary program is vulnerable to this attack and to construct a concrete attack if so. Our experiments with a number of real-world software binaries demonstrate that the reuse-oriented camouflaging attacks are real and vulnerabilities in the binaries can be effectively revealed and confirmed.
Chapter
This chapter is about the author’s time at the University of Illinois as a PhD student in Ravi’s group working on the Trusted Illiac project at the University of Illinois (UIUC) from 2004 to 2009. The author starts by narrating his initial involvement in the project, and how it grew as time progressed. He then reflects on the lessons he learned from the project, and how the project has influenced his subsequent research career.
Conference Paper
Fault attacks are a major threat requiring to protect applications. We present a method and a set of metrics, implemented in a framework combining formal methods, dynamic and static analyses to evaluate the robustness of a binary code against fault attacks. The framework models the vulnerabilities detection as formal equivalence-checking problems that are solved by a SMT solver. It can support transient fault models targeting both data and code. Its application to programs hardened at source level shows its benefits for comparing different hardened versions, compilers and their optimizations, and for analyzing the sources of vulnerability.
Article
This bibliography compiles, to the best of our knowledge, all the papers on rewriting logic and its applications which have been written during the more than 20 years that have passed since the introduction of rewriting logic in 1990. The papers are classified according to five main areas: foundations, logical and semantic framework, languages, tools, and applications.