Current Projects

Detecting and Preventing Malicious Code Injection Attacks

Address Space Randomization (ASR) techniques randomize process layout to prevent attackers from locating target functions. Prior ASR techniques have considered single-target attacks, which succeed if the attacker can locate a single, powerful system library function. These techniques are not sufficient to defend against chained return-into-lib(c) attacks, each of which calls a sequence of system library functions in order. In this paper, we propose a new ASR technique, code islands, that randomizes not only the base pointers of memory mappings (mmap) but also the relative distances between functions, maximally and dynamically. Our technique can minimize the utility, for the later stages of a chained return-into-lib(c) attack, of the information gained in that attack's early probes. With a pre-defined rerandomization threshold, our code islands technique is not only exponentially more effective than any prior ASR technique in defending against brute-force searches for the locations of multiple targets, a key component of chained return-into-lib(c) attacks, but can also maintain high service availability even under attack. Our overhead measurements on some well-known GNU applications show that it takes less than 0.05 seconds to load/rerandomize a process with the necessary C system library functions using code islands, and that our technique introduces a 3-10% run-time overhead from inter-island control transfers. We conclude that the code island technique is well-suited to dedicated multi-threaded servers.

Protocol Steganography

Protocol steganography allows users who wish to communicate secretly to embed information within other messages and within the network control protocols used by common applications. This form of unobservable communication can be used as a means to enhance privacy and anonymity, as well as for many other purposes, ranging from entertainment to protected business communication or national defense. In this paper, we describe our approach to application-layer protocol steganography, describing how we can embed messages into a commonly used TCP/IP protocol. We also introduce the notions of syntax and semantics preservation, which ensure that messages still conform to the host protocol after embedding. Based on those concepts, we attempt to produce reasonably secure and robust stegosystems. To demonstrate the efficacy of our approach, we have implemented protocol steganography within the Secure Shell (SSH) protocol. Findings indicate that a protocol steganographic system is reasonably secure if the statistical profile of the cover messages and the statistical profile of their traffic match their counterparts after embedding.

Covert Channels in IPv6

A covert channel is a communication path that allows transferring information in a way that violates a system security policy. Because of their concealed nature, detecting and preventing covert channels are obligatory security practices. In this paper, we present an examination of network storage channels in the Internet Protocol version 6 (IPv6). We introduce and analyze 22 different covert channels. In the appendix, we define three types of active wardens: stateless, stateful, and network-aware, which differ in complexity and in their ability to block the analyzed covert channels.
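The following is an added example, not code from the project above, showing the difference between a stateless and a stateful active warden on the IPv6 fixed header. It assumes (as an illustration, not as the paper's list of 22 channels) that the traffic class, flow label and hop limit fields are the ones being used as storage channels: the stateless warden rewrites the first two on every packet without keeping any state, while the stateful warden remembers the hop limit it first saw for each (source, destination) pair and reports later packets that deviate from it. The packet sequence is constructed inline.

```python
"""Stateless and stateful active wardens for IPv6 header storage channels.
Constructed example; the fields treated as channels are an assumption."""
import ipaddress
import struct
from dataclasses import dataclass

IPV6_FIXED_HDR = "!IHBB16s16s"  # 40-byte fixed header: ver/tc/flow, plen, nh, hl, src, dst


@dataclass
class IPv6Header:
    traffic_class: int
    flow_label: int
    payload_len: int
    next_header: int
    hop_limit: int
    src: bytes
    dst: bytes

    @classmethod
    def parse(cls, raw: bytes) -> "IPv6Header":
        first, plen, nh, hl, src, dst = struct.unpack(IPV6_FIXED_HDR, raw[:40])
        if first >> 28 != 6:
            raise ValueError("not an IPv6 header")
        return cls((first >> 20) & 0xFF, first & 0xFFFFF, plen, nh, hl, src, dst)

    def build(self) -> bytes:
        first = (6 << 28) | (self.traffic_class << 20) | self.flow_label
        return struct.pack(IPV6_FIXED_HDR, first, self.payload_len,
                           self.next_header, self.hop_limit, self.src, self.dst)


def stateless_warden(raw: bytes) -> bytes:
    """Per-packet normalization: overwrite header fields the receiver does not
    depend on, so their value cannot carry hidden bits. The hop limit is left
    alone here because rewriting it would break path-length semantics."""
    h = IPv6Header.parse(raw)
    h.traffic_class = 0  # assumption: this network enforces no DSCP/ECN marking
    h.flow_label = 0     # zero means "no flow label" and is always valid
    return h.build() + raw[40:]


class StatefulWarden:
    """Keeps per-(src, dst) state: a sender's hop limit should not vary between
    packets of the same flow on a stable path, so a change is reported."""

    def __init__(self):
        self.hop_limit_seen = {}

    def inspect(self, raw: bytes):
        h = IPv6Header.parse(raw)
        first = self.hop_limit_seen.setdefault((h.src, h.dst), h.hop_limit)
        if h.hop_limit != first:
            return (f"hop limit changed {first} -> {h.hop_limit} "
                    f"from {ipaddress.IPv6Address(h.src)}")
        return None


def sample_packets():
    """Constructed traffic in which flow label and hop limit vary per packet."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    payload = b"\x00" * 8
    pkts = []
    for flow_label, hop_limit in ((0x4D2C1, 64), (0x0A0A0, 63), (0xFFFFF, 64), (0x00001, 62)):
        h = IPv6Header(0, flow_label, len(payload), 59, hop_limit, src, dst)  # 59: No Next Header
        pkts.append(h.build() + payload)
    return pkts


def run_wardens(pkts):
    """Return (normalized packets, stateful alerts) for a packet sequence."""
    stateful = StatefulWarden()
    normalized = [stateless_warden(p) for p in pkts]
    alerts = [a for a in (stateful.inspect(p) for p in pkts) if a]
    return normalized, alerts


if __name__ == "__main__":
    normalized, alerts = run_wardens(sample_packets())
    for p in normalized:
        print(IPv6Header.parse(p))
    print("\n".join(alerts))
```

The stateless warden closes the flow-label and traffic-class channels outright but can say nothing about the hop limit, because judging it requires remembering earlier packets of the same flow; the stateful warden can raise that alert, at the cost of per-flow memory and of false positives when a route genuinely changes. Neither handles channels that are only visible across several hosts, which is where the paper's network-aware warden comes in.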

Reducing False Positive Rates for Digital Forensics

The process of reconstructing the sequence of events leading to a system compromise has been improved by tools such as Backtracker and Forensix. These systems are based on gathering potential evidence at runtime by monitoring ongoing events and objects at the system call level. The reconstruction process starts with a detection point, such as a suspicious process flagged by an Intrusion Detection System (IDS). Then, a dependency chain from that detection point back to the origin of the attack is built, showing all the processes and files that may have been involved in the attacker's modus operandi. Monitoring at the system call level suffers from the inability to gather potential evidence of those events where memory address space manipulation is involved. This limitation arises because, once memory is mapped into the address space of the processes that are sharing the memory region, no system calls occur to pass data among them. Shared memory is widely used for interprocess communication, disk-based file memory-mapping, and threading. We present a runtime monitor mechanism to trace fetch and store operations for these three applications of shared memory. Being implemented in the kernel's memory management subsystem, our monitor does not require access to the source code of the running processes. Our implementation also guarantees the correct ordering of shared-memory access events to determine true page-level dependencies between processes, and provides finer granularity for monitoring shared-memory objects. Current reconstruction systems will benefit from our monitor, which adds the accuracy needed to eliminate a number of false dependencies that arise from the different uses of shared memory.
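The following is an added example, not the project's monitor or the code of Backtracker or Forensix, illustrating why page-level, correctly ordered shared-memory events remove false dependencies. It assumes a simplified Backtracker-style rule: an object is an ancestor of the detection point if data could have flowed from it into an already-implicated object no later than the time that object mattered. With system-call tracing alone, mmap() is the last event seen, so the analysis must assume data can move between a process and the region at any later instant (an open-ended interval); with page-level fetch/store events each flow has an exact time and page, so a process that read a page before the attacker wrote it is no longer implicated. All events, process names and times are constructed.

```python
"""Backward dependency reconstruction with and without page-level
shared-memory events. Constructed example, not the paper's monitor."""
INF = float("inf")


def flow(src, dst, t_from, t_to=None):
    """A flow: data may move from src to dst at any instant in [t_from, t_to]."""
    return (src, dst, t_from, t_from if t_to is None else t_to)


def backtrack(flows, detection, t_detect):
    """Return {object: latest relevant time} for every object that could have
    contributed to `detection` as it existed at t_detect (Backtracker-style)."""
    bound = {detection: t_detect}
    work = [detection]
    while work:
        obj = work.pop()
        t_max = bound[obj]
        for src, dst, t_from, t_to in flows:
            if dst != obj or t_from > t_max:
                continue  # flow into a different object, or only after it mattered
            t_src = min(t_to, t_max)  # latest moment src's state could have reached obj
            if bound.get(src, -1) < t_src:
                bound[src] = t_src    # (re)visit src with a later bound
                work.append(src)
    return bound


def syscall_level_log():
    """What a system-call tracer sees: each process maps the segment once and
    nothing afterwards, so every mapping is an open-ended two-way flow."""
    ev = []
    for proc, t_mmap in (("worker1", 1), ("worker2", 2), ("worker3", 3), ("sh", 6)):
        ev.append(flow("shm", proc, t_mmap, INF))
        ev.append(flow(proc, "shm", t_mmap, INF))
    ev.append(flow("worker2", "file:index.html", 12))  # write() syscall, the IDS detection point
    return ev


def page_level_log():
    """What the in-kernel monitor records: ordered fetch/store events per page."""
    return [
        flow("shm:page1", "worker1", 5),   # worker1 fetches page 1 before sh stores to it
        flow("sh", "shm:page0", 7),        # sh stores to page 0
        flow("sh", "shm:page1", 8),        # sh stores to page 1
        flow("shm:page1", "worker2", 9),   # worker2 fetches page 1 after sh's store
        flow("shm:page0", "worker3", 10),  # worker3 fetches page 0 (unrelated to the detection)
        flow("worker2", "file:index.html", 12),
    ]


def implicated_processes(flows, detection="file:index.html", t_detect=12):
    """Processes (non-memory objects) that end up in the dependency chain."""
    chain = backtrack(flows, detection, t_detect)
    return {o for o in chain if not o.startswith(("shm", "file:"))}


if __name__ == "__main__":
    print("syscall-level chain :", sorted(implicated_processes(syscall_level_log())))
    print("page-level chain    :", sorted(implicated_processes(page_level_log())))
```

With the system-call view, every process that ever mapped the segment lands in the chain; with ordered page-level events only the path sh, page 1, worker2, file survives. The ordering guarantee matters in the worker1 case: its fetch at time 5 precedes the store at time 8, so without a reliable order the analysis would have to keep it as a suspect.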

Accountable Digital Pseudonyms

We are developing accountable digital pseudonyms (ADP). ADPs would balance the privacy of users with the right of merchants and society to protection from abuse and fraud. In digital identity management (DIM), pseudonyms (or nyms) protect user privacy by issuing a different "name" for each relationship of a user with a merchant. Anonymous credential systems enable a user to prove some attribute based on his relationship with one merchant to another merchant without releasing any information about the user's real identity.