Filho, Ailton Santos; Rodríguez, Ricardo J; Feitosa, Eduardo L
Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks Journal Article
In: Digital Threats: Research and Practice, vol. 3, no. 2, pp. 28, 2022.
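@comment{SRF-DTRAP-22: names are stored in "Last, First" form so the parser cannot mis-split them. The value in pages looks like an article number rather than a page range; verify against the DOI record before relying on a style that prints "pp.". The url now uses https, the same host is already referenced over https elsewhere in this file. The year/date pair is kept as exported by the publication tool; date appears to be a placeholder day.}
@article{SRF-DTRAP-22,
  author    = {Filho, Ailton Santos and Rodríguez, Ricardo J. and Feitosa, Eduardo L.},
  title     = {Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation Frameworks},
  journal   = {Digital Threats: Research and Practice},
  year      = {2022},
  date      = {2022-01-01},
  volume    = {3},
  number    = {2},
  pages     = {28},
  doi       = {10.1145/3480463},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/SRF-DTRAP-21.pdf},
  abstract  = {Dynamic Binary Instrumentation (DBI) is a dynamic analysis technique that allows arbitrary code to be executed when a program is running. DBI frameworks have started to be used to analyze malicious applications. As a result, different approaches have merged to detect and avoid them. Commonly referred to as split personality malware or evasive malware are pieces of malicious software that incorporate snippets of code to detect when they are under DBI framework analysis and thus mimic benign behavior. Recent studies have questioned the use of DBI in malware analysis, arguing that it increases the attack surface. In this paper, we examine the anti-instrumentation techniques that abuse desktop-based DBI frameworks and existing countermeasures to determine if it is possible to reduce the exploitable attack surface introduced by these DBI frameworks. In particular, we review the related literature to identify (i) the existing set of DBI framework evasion techniques and (ii) the existing set of countermeasures to avoid them. We also analyze and compare the taxonomies introduced in the literature, and propose a new taxonomy that expands and completes the previous taxonomies. Our findings demonstrate that despite advances in DBI framework protections that make them quite suitable for system security purposes, more efforts are needed to reduce the attack surface that they add during application analysis. Only 12 of the 26 evasion techniques covered in this document have countermeasures, threatening the transparency of DBI frameworks. Furthermore, the impact in terms of performance overhead and effectiveness of these countermeasures in real-world situations is unknown. Finally, there are only proofs of concept for 9 of these 26 techniques, which makes it difficult to validate and study how they evade the analysis in order to counter them.
We also point out some relevant issues in this context and outline ways of future research directions in the use of DBI frameworks for system security purposes.},
  keywords  = {analysis evasion, Analysis-aware malware, Dynamic binary instrumentation},
  pubstate  = {published},
  tppubtype = {article},
}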
Fernández-Álvarez, Pedro; Rodríguez, Ricardo J
Extraction and Analysis of Retrievable Memory Artifacts from Windows Telegram Desktop Application Journal Article
In: Forensic Science International: Digital Investigation, vol. 40, pp. 301342, 2022, ISSN: 2666-2817.
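@comment{FR-FSIDI-22: the serial number 2666-2817 is an ISSN (the other entry for this journal in this file stores it as issn), so it is moved out of the isbn field. Trailing whitespace after the second author is removed, names are in "Last, First" form, and the proper nouns Windows and Telegram Desktop are brace-protected against style recasing. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@article{FR-FSIDI-22,
  author    = {Fernández-Álvarez, Pedro and Rodríguez, Ricardo J.},
  title     = {Extraction and Analysis of Retrievable Memory Artifacts from {Windows} {Telegram Desktop} Application},
  journal   = {Forensic Science International: Digital Investigation},
  year      = {2022},
  date      = {2022-01-01},
  volume    = {40},
  pages     = {301342},
  doi       = {10.1016/j.fsidi.2022.301342},
  issn      = {2666-2817},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/FR-FSIDI-22.pdf},
  abstract  = {Instant messaging applications have become a very common way of communicating, and today there are many applications of this type. The forensic analysis of these applications can help provide essential clues to solve or clarify a possible crime. This type of applications generally store their data in a secure way or transmit it through encrypted channels and thus, the forensic analysis of memory takes on special relevance to analyze them. Following a three-phase forensic analysis methodology, this work has developed a forensic analysis environment for instant messaging applications composed of two tools. One of the tools is responsible for extracting the content of a process that runs on a Windows system, while the other focuses on studying the information present in the process memory of an instant messaging application. This second tool can be easily adapted and extended to provide analysis support for any instant messaging application. As a case study, we focus on the Telegram application for Windows systems called Telegram Desktop. Adapting these tools to this application, their joint use allows obtaining forensic artifacts of interest for an investigation, such as user contacts or the content of conversations that have taken place, among others, even when the application is blocked. Obtaining these data is of great help for a forensic analyst, since the analysis of these data can be vital to clarify the events that occurred in some type of criminal act. Both tools are open source under the GNU/GPLv3 license to promote their use and extensibility to applications of other instant messaging services.},
  keywords  = {digital forensics, instant messaging, memory forensics, Telegram Desktop, Windows},
  pubstate  = {published},
  tppubtype = {article},
}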
Uroz, Daniel; Rodríguez, Ricardo J
Characterization and Evaluation of IoT Protocols for Data Exfiltration Journal Article
In: IEEE Internet of Things Journal, vol. PP, pp. PP, 2022, (Accepted for publication. To appear in press.).
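@comment{UR-IOTJ-22: the exported entry carried the IEEE early-access placeholder "PP" in both volume and pages, which a style would print literally as "vol. PP, pp. PP". Those two fields are dropped; the in-press status is already recorded in note. Fill in volume and pages once the issue assignment is known. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@article{UR-IOTJ-22,
  author    = {Uroz, Daniel and Rodríguez, Ricardo J.},
  title     = {Characterization and Evaluation of {IoT} Protocols for Data Exfiltration},
  journal   = {IEEE Internet of Things Journal},
  year      = {2022},
  date      = {2022-01-01},
  doi       = {10.1109/JIOT.2022.3163469},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/UR-IOTJ-22.pdf},
  abstract  = {Data exfiltration relies primarily on network protocols for unauthorized data transfers from information systems. In addition to well-established Internet protocols (such as DNS, ICMP, or NTP, among others), adversaries can use newer protocols such as Internet of Things (IoT) protocols to inadvertently exfiltrate data. These IoT protocols are specifically designed to meet the limitations of IoT devices and networks, where minimal bandwidth usage and low power consumption are desirable. In this paper, we review the suitability of IoT protocols for exfiltrating data. In particular, we focus on the Constrained Application Protocol (CoAP; version 1.0), the Message Queuing Telemetry Transport protocol (MQTT; in its versions 3.1.1 and 5.0), and Advanced Message Queuing Protocol (AMQP; version 1.0). For each protocol, we review its specification and calculate the overhead and available space to exfiltrate data in each protocol packet. In addition, we empirically measure the elapsed time to exfiltrate different amounts of data. In this regard, we develop a software tool (dubbed chiton) to encapsulate and exfiltrate data within the IoT protocol packets. Our results show that both MQTT and AMQP outperform CoAP. Additionally, MQTT and AMQP protocols are best suited for exfiltrating data, as both are commonly used to connect to IoT cloud providers through IoT gateways and are therefore more likely to be allowed in business networks. Finally, we also provide suggestions and recommendations to detect data exfiltration in IoT protocols.},
  note      = {Accepted for publication. To appear in press.},
  keywords  = {AMQP 1.0, CoAP 1.0, Data Exfiltration, IoT Protocols, MQTT 3.1.1, MQTT 5.0},
  pubstate  = {published},
  tppubtype = {article},
}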
Raducu, Razvan; Rodríguez, Ricardo J; Alvarez, Pedro
Defense and Attack Techniques against File-based TOCTOU Vulnerabilities: a Systematic Review Journal Article
In: IEEE Access, vol. 10, pp. 21742–21758, 2022.
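@comment{RRA-ACCESS-22: names are in "Last, First" form and the acronym TOCTOU is brace-protected so sentence-casing styles keep it upper case. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@article{RRA-ACCESS-22,
  author    = {Raducu, Razvan and Rodríguez, Ricardo J. and Alvarez, Pedro},
  title     = {Defense and Attack Techniques against File-based {TOCTOU} Vulnerabilities: a Systematic Review},
  journal   = {IEEE Access},
  year      = {2022},
  date      = {2022-01-01},
  volume    = {10},
  pages     = {21742--21758},
  doi       = {10.1109/ACCESS.2022.3153064},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/RRA-ACCESS-22.pdf},
  abstract  = {File-based Time-of-Check to Time-of-Use (TOCTOU) race conditions are a well-known type of security vulnerability. A wide variety of techniques have been proposed to detect, mitigate, avoid, and exploit these vulnerabilities over the past 35 years. However, despite these research efforts, TOCTOU vulnerabilities remain unsolved due to their non-deterministic nature and the particularities of the different filesystems involved in running vulnerable programs, especially in Unix-like operating system environments. In this paper, we present a systematic literature review on defense and attack techniques related to the file-based TOCTOU vulnerability. We apply a reproducible methodology to search, filter, and analyze the most relevant research proposals to define a global and understandable vision of existing solutions. The results of this analysis are finally used to discuss future research directions that can be explored to move towards a universal solution to this type of vulnerability.},
  keywords  = {avoidance techniques, file-based race condition, TOCTOU vulnerability},
  pubstate  = {published},
  tppubtype = {article},
}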
Martín-Pérez, Miguel; Rodríguez, Ricardo J; Balzarotti, Davide
Pre-processing Memory Dumps to Improve Similarity Score of Windows Modules Journal Article
In: Computers & Security, vol. 101, pp. 102119, 2021, ISSN: 0167-4048.
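@comment{MRB-COSE-21: the bare ampersand in the journal name is escaped as a LaTeX special character; unescaped it makes LaTeX fail with a misplaced alignment tab when the bibliography is typeset. Names are in "Last, First" form and Windows is brace-protected. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@article{MRB-COSE-21,
  author    = {Martín-Pérez, Miguel and Rodríguez, Ricardo J. and Balzarotti, Davide},
  title     = {Pre-processing Memory Dumps to Improve Similarity Score of {Windows} Modules},
  journal   = {Computers \& Security},
  year      = {2021},
  date      = {2021-01-01},
  volume    = {101},
  pages     = {102119},
  doi       = {10.1016/j.cose.2020.102119},
  issn      = {0167-4048},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/MRB-COSE-21.pdf},
  abstract  = {Memory forensics is useful to provide a fast triage on running processes at the time of memory acquisition in order to avoid unnecessary forensic analysis. However, due to the effects of the execution of the process itself, traditional cryptographic hashes, normally used in disk forensics to identify files, are unsuitable in memory forensics. Similarity digest algorithms allow an analyst to compute a similarity score of inputs that can be slightly different. In this paper, we focus on the issues caused by relocation of Windows processes and system libraries when computing similarities between them. To overcome these issues, we introduce two methods (Guided De-relocation and Linear Sweep De-relocation) to pre-process a memory dump. The goal of both methods is to identify and undo the effect of relocation in every module contained in the dump, providing sanitized inputs to similarity digest algorithms that improve similarity scores between modules. Guided De-relocation relies on specific structures of the Windows PE format, while Linear Sweep De-relocation relies on a disassembling process to identify assembly instructions having memory operands that address to the memory range of the module. We have integrated both methods in a Volatility plugin and evaluated them in different scenarios. Our results demonstrate that pre-processing memory dumps with these methods significantly improves similarity scores between memory modules.},
  keywords  = {memory forensics, relocation, similarity digest algorithms, Windows},
  pubstate  = {published},
  tppubtype = {article},
}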
Martín-Pérez, Miguel; Rodríguez, Ricardo J; Breitinger, Frank
Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest Algorithms Journal Article
In: Forensic Science International: Digital Investigation, vol. 36, pp. 301120, 2021, ISSN: 2666-2817.
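@comment{MRB-FSIDI-21: names are in "Last, First" form; the abstract is kept verbatim, including its internal line breaks, which are harmless inside a braced field. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@article{MRB-FSIDI-21,
  author    = {Martín-Pérez, Miguel and Rodríguez, Ricardo J. and Breitinger, Frank},
  title     = {Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest Algorithms},
  journal   = {Forensic Science International: Digital Investigation},
  year      = {2021},
  date      = {2021-01-01},
  volume    = {36},
  pages     = {301120},
  doi       = {10.1016/j.fsidi.2021.301120},
  issn      = {2666-2817},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/MRB-FSIDI-21.pdf},
  abstract  = {Bytewise approximate matching algorithms (a.k.a.~fuzzy hashing or similarity hashing) convert digital artifacts into an intermediate representation to allow a faster comparison them. They gained a lot of popularity over the past decade with new algorithms being developed and released to the digital forensics community. When releasing algorithms (e.g., as part of a scientific article), they are frequently compared with other algorithms to outline the benefits and sometimes also the weaknesses of the proposed approach. However, given the wide variety of algorithms and approaches, it is impossible to provide direct comparisons with all existing algorithms.
In this paper, we present the first classification of approximate matching algorithms which allows an easier description and comparisons.
Therefore, we first reviewed existing literature to understand the techniques various algorithms use and to familiarize ourselves with the common terminology. Our findings allowed us to develop a categorization relying heavily on the terminology proposed by NIST SP 800-168. In addition to the categorization, this article also presents an abstract set of attacks against algorithms and why they are feasible. Lastly, we detail the characteristics needed to build robust algorithms to prevent attacks. We believe that this article helps newcomers, practitioners, and experts alike to better compare algorithms, understand their potential, as well as characteristics and implications they may have on forensic investigations.},
  keywords  = {Approximate matching, Bytewise, Classification scheme, Fuzzy hashing, Similarity digest algorithm, Similarity hashing},
  pubstate  = {published},
  tppubtype = {article},
}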
In this paper, we present the first classification of approximate matching algorithms which allows an easier description and comparisons.
Therefore, we first reviewed existing literature to understand the techniques various algorithms use and to familiarize ourselves with the common terminology. Our findings allowed us to develop a categorization relying heavily on the terminology proposed by NIST SP 800-168. In addition to the categorization, this article also presents an abstract set of attacks against algorithms and why they are feasible. Lastly, we detail the characteristics needed to build robust algorithms to prevent attacks. We believe that this article helps newcomers, practitioners, and experts alike to better compare algorithms, understand their potential, as well as characteristics and implications they may have on forensic investigations.
Hernández-Bejarano, Miguel; Rodríguez, Ricardo J; Merseguer, José
A Vision for Improving Business Continuity through Cyber-resilience Mechanisms and Frameworks Inproceedings
In: Proceedings of the 16th Iberian Conference on Information Systems and Technologies (CISTI), pp. 1–5, 2021.
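@comment{HRM-CISTI-21: the abstract contained the copy-paste hyphenation artifact "con- trolled", which is joined back to "controlled". Names are in "Last, First" form. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@inproceedings{HRM-CISTI-21,
  author    = {Hernández-Bejarano, Miguel and Rodríguez, Ricardo J. and Merseguer, José},
  title     = {A Vision for Improving Business Continuity through Cyber-resilience Mechanisms and Frameworks},
  booktitle = {Proceedings of the 16th Iberian Conference on Information Systems and Technologies (CISTI)},
  year      = {2021},
  date      = {2021-01-01},
  pages     = {1--5},
  doi       = {10.23919/CISTI52073.2021.9476324},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/HRM-CISTI-21.pdf},
  abstract  = {Nowadays, business organizations support daily operations using Information and Communication Technologies. They serve as a basis to have a controlled management of resources, services and business goals, aligned with the mission of the organization. In this paper, we review standards and frameworks for achieving cyber-resilience in organizations, such as the NIST framework, ENISA, or international standards as the ISO/IEC 27032. We then envision the need of a new cyber-resilience framework that leveraging machine learning techniques contributes to improve business continuity.},
  keywords  = {cyber-attacks, cybersecurity, menaces, resilience, vulnerabilities},
  pubstate  = {published},
  tppubtype = {inproceedings},
}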
Uroz, Daniel; Rodríguez, Ricardo J
Evaluation of the Executional Power in Windows using Return Oriented Programming Inproceedings
In: Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT), pp. 361–372, IEEE, 2021.
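@comment{UR-WOOT-21b: names are in "Last, First" form; Windows and the technique name Return Oriented Programming are brace-protected against recasing. Note that the key carries a "b" suffix while the linked file is UR-WOOT-21.pdf; check that no sibling entry with key UR-WOOT-21 or UR-WOOT-21a is expected. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@inproceedings{UR-WOOT-21b,
  author    = {Uroz, Daniel and Rodríguez, Ricardo J.},
  title     = {Evaluation of the Executional Power in {Windows} using {Return Oriented Programming}},
  booktitle = {Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT)},
  year      = {2021},
  date      = {2021-01-01},
  pages     = {361--372},
  publisher = {IEEE},
  doi       = {10.1109/SPW53761.2021.00056},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/UR-WOOT-21.pdf},
  abstract  = {Code-reuse techniques have emerged as a way to defeat the control-flow defenses that prevent the injection and execution of new code, as they allow an adversary to hijack the control flow of a victim program without injected code. A well-known code-reuse attack technique is Return-Oriented-Programming (ROP), which considers and links together (relatively short) code snippets, named ROP gadgets, already present in the victim's memory address space through a controlled use of the stack values of the victim program. Although ROP attacks are known to be Turing-complete, there are still open question such as the quantification of the executional power of an adversary, which is determined by whatever code exists in the memory of a victim program, and whether an adversary can build a ROP chain, made up of ROP gadgets, for any kind of algorithm. To fill these gaps, in this paper we first define a virtual language, dubbed ROPLang, that defines a set of operations (specifically, arithmetic, assignment, dereference, logical, and branching operations) which are mapped to ROP gadgets. We then use it to evaluate the executional power of an adversary in Windows 7 and Windows 10, in both 32- and 64-bit versions. In addition, we have developed rop3, a tool that accepts a set of program files and a ROP chain described with our language and returns the code snippets that make up the ROP chain. Our results show that there are enough ROP gadgets to simulate any virtual operation and that branching operations are the less frequent ones. As expected, our results also indicate that the larger a program file is, the more likely to find ROP gadgets within it for every virtual operation.},
  keywords  = {automatic exploit, evaluation, ROP chain, Turing-completeness, Windows},
  pubstate  = {published},
  tppubtype = {inproceedings},
}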
Martín-Pérez, Miguel; Rodríguez, Ricardo J
Quantifying Paging on Recoverable Data from Windows User-Space Modules Inproceedings
In: Proceedings of the 12th EAI International Conference on Digital Forensics & Cyber Crime, Springer, 2021, (Accepted for publication. To appear).
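@comment{MR-ICDF2C-21: the bare ampersand in booktitle is escaped; unescaped it breaks LaTeX typesetting of the bibliography. The abstract still reads "dubbed pluginName", which looks like a placeholder left in the source text rather than the plugin's real name; replace it with the actual name when known. No doi is present because the entry was exported while the paper was still in press; add one when assigned.}
@inproceedings{MR-ICDF2C-21,
  author    = {Martín-Pérez, Miguel and Rodríguez, Ricardo J.},
  title     = {Quantifying Paging on Recoverable Data from {Windows} User-Space Modules},
  booktitle = {Proceedings of the 12th EAI International Conference on Digital Forensics \& Cyber Crime},
  year      = {2021},
  date      = {2021-01-01},
  publisher = {Springer},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/MR-ICDF2C-21.pdf},
  abstract  = {Memory forensic analysis enables a forensic examiner to retrieve evidence of a security incident, such as encryption keys, or analyze malware that resides solely in memory. During this process, the current state of system memory is acquired and saved to a file denoted as memory dump, which is then analyzed with dedicated software for evidence. Although a memory dump contains large amounts of data for analysis, its content can be inaccurate and incomplete due to how an operating system's memory management subsystem works: page swapping, on-demand paging, or page smearing are some of the problems that can affect the data that resides in memory. In this paper, we evaluate how these issues affect user-mode modules by measuring the ratio of modules that reside in memory on a Windows 10 system under different memory workloads. On Windows, a module represents an image (that is, an executable, shared dynamic library, or driver) that was loaded as part of the kernel or a user-mode process. We show that this ratio is particularly low in shared dynamic library modules, as opposed to executable modules. We also discuss the issues of memory forensics that can affect scanning for malicious evidences in particular. Additionally, we have developed a Volatility plugin, dubbed pluginName, which helps forensic analysts obtain paging information from a memory dump for each process running at the time of acquisition, providing them with information on the amount of data that cannot be properly analyzed.},
  note      = {Accepted for publication. To appear},
  keywords  = {digital forensics, malware, memory forensics, paging, Windows modules},
  pubstate  = {published},
  tppubtype = {inproceedings},
}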
Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio
Towards Optimal LSTM Neural Networks for Detecting Algorithmically Generated Domain Names Journal Article
In: IEEE Access, vol. 9, pp. 126446–126456, 2021.
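@comment{SRS-ACCESS-21: the empty keywords field is dropped, since an empty field only produces a warning and no output. Names are in "Last, First" form and the acronym LSTM is brace-protected. The url now uses https; the same host is already referenced over https elsewhere in this file. This entry has no abstract in the source.}
@article{SRS-ACCESS-21,
  author    = {Selvi, Jose and Rodríguez, Ricardo J. and Soria-Olivas, Emilio},
  title     = {Towards Optimal {LSTM} Neural Networks for Detecting Algorithmically Generated Domain Names},
  journal   = {IEEE Access},
  year      = {2021},
  date      = {2021-01-01},
  volume    = {9},
  pages     = {126446--126456},
  doi       = {10.1109/ACCESS.2021.3111307},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/SRS-ACCESS-21.pdf},
  pubstate  = {published},
  tppubtype = {article},
}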
Wang, Jianhua; Chang, Xiaolin; Wang, Yixiang; Rodríguez, Ricardo J; Zhang, Jianan
LSGAN-AT: Enhancing Malware Detector Robustness against Adversarial Examples Journal Article
In: Cybersecurity, vol. 4:38, no. 1, pp. 15, 2021, ISSN: 2523-3246.
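@comment{WCWRZ-CYSE-21: volume is stored as "4:38", which looks like a volume and article number fused into one field, and pages looks like a page count rather than a range; verify both against the DOI record and split them into volume, eid (or pages) once confirmed. Names are in "Last, First" form and the method name LSGAN-AT is brace-protected. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@article{WCWRZ-CYSE-21,
  author    = {Wang, Jianhua and Chang, Xiaolin and Wang, Yixiang and Rodríguez, Ricardo J. and Zhang, Jianan},
  title     = {{LSGAN-AT}: Enhancing Malware Detector Robustness against Adversarial Examples},
  journal   = {Cybersecurity},
  year      = {2021},
  date      = {2021-01-01},
  volume    = {4:38},
  number    = {1},
  pages     = {15},
  doi       = {10.1186/s42400-021-00102-9},
  issn      = {2523-3246},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/WCWRZ-CYSE-21.pdf},
  abstract  = {Adversarial Malware Example (AME)-based adversarial training can effectively enhance the robustness of Machine Learning (ML)-based malware detectors against AME. AME quality is a key factor to the robustness enhancement. Generative Adversarial Network (GAN) is a kind of AME generation method, but the existing GAN-based AME generation methods have the issues of inadequate optimization, mode collapse and training instability. In this paper, we propose a novel approach (denote as LSGAN-AT) to enhance ML-based malware detector robustness against Adversarial Examples, which includes LSGAN module and AT module. LSGAN module can generate more effective and smoother AME by utilizing brand-new network structures and Least Square (LS) loss to optimize boundary samples. AT module makes adversarial training using AME generated by LSGAN to generate ML-based Robust Malware Detector (RMD). Extensive experiment results validate the better transferability of AME in terms of attacking 6 ML detectors and the RMD transferability in terms of resisting the MalGAN black-box attack. The results also verify the performance of the generated RMD in the recognition rate of AME.},
  keywords  = {Adversarial malware example, Generative adversarial network, Machine learning, Malware detector, Transferability},
  pubstate  = {published},
  tppubtype = {article},
}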
Filho, Ailton Santos; Rodríguez, Ricardo J; Feitosa, Eduardo L
Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks Inproceedings
In: Developments and Advances in Defense and Security, pp. 3–13, Springer Singapore, Singapore, 2020, ISBN: 978-981-13-9155-2.
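@comment{SRF-MICRADS-19: the isbn here is a genuine book ISBN (the booktitle is an edited volume), so it stays in isbn. The bare volume number 152 has no accompanying series field; if it is the series volume, add the series name so the number is printed in context. Names are in "Last, First" form. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@inproceedings{SRF-MICRADS-19,
  author    = {Filho, Ailton Santos and Rodríguez, Ricardo J. and Feitosa, Eduardo L.},
  title     = {Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks},
  booktitle = {Developments and Advances in Defense and Security},
  year      = {2020},
  date      = {2020-01-01},
  volume    = {152},
  pages     = {3--13},
  publisher = {Springer Singapore},
  address   = {Singapore},
  doi       = {10.1007/978-981-13-9155-2_1},
  isbn      = {978-981-13-9155-2},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/SRF-MICRADS-19.pdf},
  abstract  = {Malicious applications pose as one of the most relevant issues in today's technology scenario, being considered the root of many Internet security threats. In part, this owes the ability of malware developers to promptly respond to the emergence of new security solutions by developing artifacts to detect and avoid them. In this work, we present three countermeasures to mitigate recent mechanisms used by malware to detect analysis environments. Among these techniques, this work focuses on those that enable a malware to detect dynamic binary instrumentation frameworks, thus increasing their attack surface. To ensure the effectiveness of the proposed countermeasures, proofs of concept were developed and tested in a controlled environment with a set of anti-instrumentation techniques. Finally, we evaluated the performance impact of using such countermeasures.},
  keywords  = {Analysis-aware malware, Anti-analysis, Anti-instrumentation, Dynamic binary instrumentation},
  pubstate  = {published},
  tppubtype = {inproceedings},
}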
Uroz, Daniel; Rodríguez, Ricardo J
On Challenges in Verifying Trusted Executable Files in Memory Forensics Journal Article
In: Forensic Science International: Digital Investigation, vol. 32, pp. 300917, 2020.
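@comment{UR-FSIDI-20: the empty keywords field is dropped (it only triggers an empty-field warning). This journal's ISSN is recorded in the other FSIDI entries of this file; consider adding it here for consistency. Names are in "Last, First" form. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@article{UR-FSIDI-20,
  author    = {Uroz, Daniel and Rodríguez, Ricardo J.},
  title     = {On Challenges in Verifying Trusted Executable Files in Memory Forensics},
  journal   = {Forensic Science International: Digital Investigation},
  year      = {2020},
  date      = {2020-01-01},
  volume    = {32},
  pages     = {300917},
  doi       = {10.1016/j.fsidi.2020.300917},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/UR-FSIDI-20.pdf},
  abstract  = {Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. The memory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware are abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, a memory dump does not contain an exact copy of an executable file (the file as stored in disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes to the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and computes its digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time.},
  pubstate  = {published},
  tppubtype = {article},
}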
Shi, Yu; Chang, Xiaolin; Rodríguez, Ricardo J; Zhang, Zhenjiang; Trivedi, Kishor S
Quantitative security analysis of a dynamic network system under lateral movement-based attacks Journal Article
In: Reliability Engineering & System Safety, vol. 183, pp. 213–225, 2019, ISSN: 0951-8320.
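@comment{SCRZT-RESS-19: the bare ampersand in the journal name is escaped; unescaped it breaks LaTeX typesetting of the bibliography. Names are in "Last, First" form. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@article{SCRZT-RESS-19,
  author    = {Shi, Yu and Chang, Xiaolin and Rodríguez, Ricardo J. and Zhang, Zhenjiang and Trivedi, Kishor S.},
  title     = {Quantitative security analysis of a dynamic network system under lateral movement-based attacks},
  journal   = {Reliability Engineering \& System Safety},
  year      = {2019},
  date      = {2019-01-01},
  volume    = {183},
  pages     = {213--225},
  doi       = {10.1016/j.ress.2018.11.022},
  issn      = {0951-8320},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/SCRZT-RESS-19.pdf},
  abstract  = {Malicious lateral movement-based attacks have become a potential risk for many systems, bringing highly likely threats to critical infrastructures and national security. When launching this kind of attacks, adversaries first compromise a fraction of the targeted system and then move laterally to the rest of the system until the whole system is infected. Various approaches were proposed to study and/or defend against lateral movement-based attacks. However, few of them studied transient behaviors of dynamic attacking and dynamic targeted systems. This paper aims to analyze the transient security of a dynamic network system under lateral movement-based attacks from the time that attack-related abnormity in the system is detected until mechanisms are designed and deployed to defend against attacks. We explore state-space modeling techniques to construct a survivability model for quantitative analysis. A phased piecewise constant approximation approach is also proposed to derive the formulas for calculating model state transient probabilities, with which we derive formulas for calculating metrics of interest. The proposed approach allows both model state transition rates and the number of model states to be time-varying during the system recovery. Numerical analysis is carried out for investigating the impact of various dynamic system parameters on system security.},
  keywords  = {Dynamic transient analysis, Lateral movement-based attack, Non-homogeneous continuous-time Markov chain, Piecewise constant approximation},
  pubstate  = {published},
  tppubtype = {article},
}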
Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio
Detection of Algorithmically Generated Malicious Domain Names using Masked N-Grams Journal Article
In: Expert Systems with Applications, vol. 124, pp. 156–163, 2019, ISSN: 0957-4174.
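@comment{SRS-ESWA-19: the abstract contained a bare ampersand in "(C&C)", now escaped so a style that prints abstracts does not break LaTeX. Names are in "Last, First" form and the N in N-Grams is brace-protected so sentence-casing keeps it upper case. The url now uses https; the same host is already referenced over https elsewhere in this file.}
@article{SRS-ESWA-19,
  author    = {Selvi, Jose and Rodríguez, Ricardo J. and Soria-Olivas, Emilio},
  title     = {Detection of Algorithmically Generated Malicious Domain Names using Masked {N-Grams}},
  journal   = {Expert Systems with Applications},
  year      = {2019},
  date      = {2019-01-01},
  volume    = {124},
  pages     = {156--163},
  doi       = {10.1016/j.eswa.2019.01.050},
  issn      = {0957-4174},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/SRS-ESWA-19.pdf},
  abstract  = {Malware detection is a challenge that has increased in complexity in the last few years. A widely adopted strategy is to detect malware by means of analyzing network traffic, capturing the communications with their command and control (C\&C) servers. However, some malware families have shifted to a stealthier communication strategy, since anti-malware companies maintain blacklists of known malicious locations. Instead of using static IP addresses or domain names, they algorithmically generate domain names that may host their C\&C servers. Hence, blacklist approaches become ineffective since the number of domain names to block is large and varies from time to time. In this paper, we introduce a machine learning approach using Random Forest that relies on purely lexical features of the domain names to detect algorithmically generated domains. In particular, we propose using masked N-grams, together with other statistics obtained from the domain name. Furthermore, we provide a dataset built for experimentation that contains regular and algorithmically generated domain names, coming from different malware families. We also classify these families according to their type of domain generation algorithm. Our findings show that masked N-grams provide detection accuracy that is comparable to that of other existing techniques, but with much better performance.},
  keywords  = {Domain-generated algorithms, malware, Random Forest},
  pubstate  = {published},
  tppubtype = {article},
}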