Person has left EURECOM
- PAGANI Fabio
Thesis
Prevention and Analysis of Cyber-Attacks
Objective
Despite the incredible effort and the enormous investments to increase security and fight cybercrime,
the number of security incidents is rapidly increasing every year. Many forms of cyber
attacks (such as botnets, spam, and phishing pages) are simply designed to target the largest
number of users or devices. In contrast, when an attack is customized for, and targeted at, a
small number of victims, its effectiveness is usually much higher. An important factor to take
into account is that these types of targeted attacks often involve attackers with an abundance of
available resources to evade current detection and analysis techniques.
As a result, many sophisticated attacks remained undetected for long period of times (seven
years for "Careto", eight for the "Turla" group, and potentially even longer for some of the
NSA backdoors) before the security community was finally able to detect their presence on the
infected machines.
In this challenging context, this dissertation will explore new techniques to prevent, detect,
and analyze sophisticated cyber-attacks. The work will focus on operating system and
host-based solutions as well as offline analysis approaches to analyze suspicious samples or
compromised machines. As a result, the final goal is to explore several directions for advanced
malware analysis, for OS protection and threat detection, and for improved memory analysis.
In particular, memory analysis is today an active research fields that have rapidly evolved over
the past decade and now represents a popular, complementary approach to support modern malware
analysis and inspect potentially compromised machines. Therefore, it can be a powerful
tool to cope with the increasing sophistication of cyber attacks and to advance the state of the
art in the field.
Background and PreviousWork
The work performed in this thesis builds upon two lines of research which are ongoing in our
group at Eurecom. The first one focuses on attack prevention, with a focus on compile-time
and hypervisor-based instrumentation techniques. In the first category is worth mentioning
G-Free [11], the first practical compiler-based solution to prevent any possible form of return
oriented programming (ROP). G-Free is able to eliminate all unaligned free-branch instructions
inside a binary executable, and to protect the aligned free-branch instructions to prevent them
from being misused by an attacker. The second category covers previous research efforts which
focused on describing malware in terms of violations to an information-flow policy. Because
it is not feasible for performance reasons to track system-wide information flows accurately,
the focus shifted on better and better approximations of the information flow. Bruschi et al. [1]
and Kruegel et al. [9] showed that some classes of obfuscations could be rendered innocuous
1
by modeling programs according to their instruction-level control flow, while Christodorescu
et al. [3] and Kinder et al. [8] built obfuscation-resilient detectors based on instruction-level
information flow.
The idea of utilizing a virtual machine monitor to perform sophisticated run-time analyses,
with the guarantee that the results cannot be tampered by a malicious attacker, has already been
widely explored in the literature. Garfinkel et al. were the first to propose to use a VMM to
perform OS-aware introspection [7]. Other researchers proposed to use a VMM for protecting
the guest OS from attacks by monitoring its execution, with a software-based VMM [13] that
leveraged on hardware support for virtualization [14]. Similar ideas were also proposed by
other authors [12, 15]. Chen et al. [2] described a solution to protect applications' data even
in the presence of a compromised operating system. Building on these previous works, our
group leveraged hardware-assisted virtualization technology to design a tamper-resistant and
efficient detector that is able to take over the OS operations and verify a set of policies. The
result, called AccessMiner [5], is a system-centric behavioral malware detector that models the
general interactions between benign programs and the underlying operating system (OS). This
allows AccessMiner to capture which, and how, OS resources are used by normal applications
and detect in real-time anomalous behavior that is often associated to known and unknown
malware infections.
The second line of research focuses instead on the area of memory analysis, and in particular
on possible evasions and on the improvement of its reliability. In this area, Stuttgen et
al. and Vomel et al. [16, 17] pointed out the current limitations of memory acquisition tools
(which rely on the operating system to select the memory pages to dump) and Zhang et al. [18]
presented a way to evade all existing acquisition modules by manipulating the layout of the
physical address space. Once the memory has been acquired, existing tools often rely on weak
information to recognize the operating system and locate its key data structures. This led Lin
et al. [10] to propose graph-based signatures and Gavitt et al. [4] to the definition and creation
of Strong Signatures based on data invariants, i.e., based on fields whose value cannot be modified
without crashing or destabilizing the system. A similar graph of kernel objects has being
proposed by other researches [6] to label data structures for memory analysis.
