Martín-Pérez, Miguel; Rodríguez, Ricardo J; Balzarotti, Davide Pre-processing Memory Dumps to Improve Similarity Score of Windows Modules Journal Article Computers & Security, 101 , pp. 102119, 2021, ISSN: 0167-4048. Abstract | Links | BibTeX | Tags: memory forensics, relocation, similarity digest algorithms, Windows @article{MRB-COSE-21, title = {Pre-processing Memory Dumps to Improve Similarity Score of Windows Modules}, author = {Miguel Martín-Pérez and Ricardo J Rodríguez and Davide Balzarotti}, url = {http://webdiis.unizar.es/~ricardo/files/papers/MRB-COSE-21.pdf}, doi = {10.1016/j.cose.2020.102119}, issn = {0167-4048}, year = {2021}, date = {2021-01-01}, journal = {Computers & Security}, volume = {101}, pages = {102119}, abstract = {Memory forensics is useful to provide a fast triage on running processes at the time of memory acquisition in order to avoid unnecessary forensic analysis. However, due to the effects of the execution of the process itself, traditional cryptographic hashes, normally used in disk forensics to identify files, are unsuitable in memory forensics. Similarity digest algorithms allow an analyst to compute a similarity score of inputs that can be slightly different. In this paper, we focus on the issues caused by relocation of Windows processes and system libraries when computing similarities between them. To overcome these issues, we introduce two methods (Guided De-relocation and Linear Sweep De-relocation) to pre-process a memory dump. The goal of both methods is to identify and undo the effect of relocation in every module contained in the dump, providing sanitized inputs to similarity digest algorithms that improve similarity scores between modules. Guided De-relocation relies on specific structures of the Windows PE format, while Linear Sweep De-relocation relies on a disassembling process to identify assembly instructions having memory operands that address to the memory range of the module. We have integrated both methods in a Volatility plugin and evaluated them in different scenarios. Our results demonstrate that pre-processing memory dumps with these methods significantly improves similarity scores between memory modules.}, keywords = {memory forensics, relocation, similarity digest algorithms, Windows}, pubstate = {published}, tppubtype = {article} } Memory forensics is useful to provide a fast triage on running processes at the time of memory acquisition in order to avoid unnecessary forensic analysis. However, due to the effects of the execution of the process itself, traditional cryptographic hashes, normally used in disk forensics to identify files, are unsuitable in memory forensics. Similarity digest algorithms allow an analyst to compute a similarity score of inputs that can be slightly different. In this paper, we focus on the issues caused by relocation of Windows processes and system libraries when computing similarities between them. To overcome these issues, we introduce two methods (Guided De-relocation and Linear Sweep De-relocation) to pre-process a memory dump. The goal of both methods is to identify and undo the effect of relocation in every module contained in the dump, providing sanitized inputs to similarity digest algorithms that improve similarity scores between modules. Guided De-relocation relies on specific structures of the Windows PE format, while Linear Sweep De-relocation relies on a disassembling process to identify assembly instructions having memory operands that address to the memory range of the module. We have integrated both methods in a Volatility plugin and evaluated them in different scenarios. Our results demonstrate that pre-processing memory dumps with these methods significantly improves similarity scores between memory modules. |
Martín-Pérez, Miguel; Rodríguez, Ricardo J; Breitinger, Frank Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest Algorithms Journal Article Forensic Science International: Digital Investigation, 36 , pp. 301120, 2021, ISSN: 2666-2817. Abstract | Links | BibTeX | Tags: Approximate matching, Bytewise, Classification scheme, Fuzzy hashing, Similarity digest algorithm, Similarity hashing @article{MRB-FSIDI-21, title = {Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest Algorithms}, author = {Miguel Martín-Pérez and Ricardo J Rodríguez and Frank Breitinger}, url = {http://webdiis.unizar.es/~ricardo/files/papers/MRB-FSIDI-21.pdf}, doi = {10.1016/j.fsidi.2021.301120}, issn = {2666-2817}, year = {2021}, date = {2021-01-01}, journal = {Forensic Science International: Digital Investigation}, volume = {36}, pages = {301120}, abstract = {Bytewise approximate matching algorithms (a.k.a.~fuzzy hashing or similarity hashing) convert digital artifacts into an intermediate representation to allow a faster comparison them. They gained a lot of popularity over the past decade with new algorithms being developed and released to the digital forensics community. When releasing algorithms (e.g., as part of a scientific article), they are frequently compared with other algorithms to outline the benefits and sometimes also the weaknesses of the proposed approach. However, given the wide variety of algorithms and approaches, it is impossible to provide direct comparisons with all existing algorithms. In this paper, we present the first classification of approximate matching algorithms which allows an easier description and comparisons. Therefore, we first reviewed existing literature to understand the techniques various algorithms use and to familiarize ourselves with the common terminology. Our findings allowed us to develop a categorization relying heavily on the terminology proposed by NIST SP 800-168. In addition to the categorization, this article also presents an abstract set of attacks against algorithms and why they are feasible. Lastly, we detail the characteristics needed to build robust algorithms to prevent attacks. We believe that this article helps newcomers, practitioners, and experts alike to better compare algorithms, understand their potential, as well as characteristics and implications they may have on forensic investigations.}, keywords = {Approximate matching, Bytewise, Classification scheme, Fuzzy hashing, Similarity digest algorithm, Similarity hashing}, pubstate = {published}, tppubtype = {article} } Bytewise approximate matching algorithms (a.k.a.~fuzzy hashing or similarity hashing) convert digital artifacts into an intermediate representation to allow a faster comparison them. They gained a lot of popularity over the past decade with new algorithms being developed and released to the digital forensics community. When releasing algorithms (e.g., as part of a scientific article), they are frequently compared with other algorithms to outline the benefits and sometimes also the weaknesses of the proposed approach. However, given the wide variety of algorithms and approaches, it is impossible to provide direct comparisons with all existing algorithms. In this paper, we present the first classification of approximate matching algorithms which allows an easier description and comparisons. Therefore, we first reviewed existing literature to understand the techniques various algorithms use and to familiarize ourselves with the common terminology. Our findings allowed us to develop a categorization relying heavily on the terminology proposed by NIST SP 800-168. In addition to the categorization, this article also presents an abstract set of attacks against algorithms and why they are feasible. Lastly, we detail the characteristics needed to build robust algorithms to prevent attacks. We believe that this article helps newcomers, practitioners, and experts alike to better compare algorithms, understand their potential, as well as characteristics and implications they may have on forensic investigations. |
Hernández-Bejarano, Miguel; Rodríguez, Ricardo J; Merseguer, José A Vision for Improving Business Continuity through Cyber-resilience Mechanisms and Frameworks Inproceedings Proceedings of the 16th Iberian Conference on Information Systems and Technologies (CISTI), 2021, (Accepted for publication. To appear.). Abstract | Links | BibTeX | Tags: @inproceedings{HRM-CISTI-21, title = {A Vision for Improving Business Continuity through Cyber-resilience Mechanisms and Frameworks}, author = {Miguel Hernández-Bejarano and Ricardo J Rodríguez and José Merseguer}, url = {http://webdiis.unizar.es/~ricardo/files/papers/HRM-CISTI-21.pdf}, year = {2021}, date = {2021-01-01}, booktitle = {Proceedings of the 16th Iberian Conference on Information Systems and Technologies (CISTI)}, abstract = {Nowadays, business organizations support daily operations using Information and Communication Technologies. They serve as a basis to have a con- trolled management of resources, services and business goals, aligned with the mission of the organization. In this paper, we review standards and frameworks for achieving cyber-resilience in organizations, such as the NIST framework, ENISA, or international standards as the ISO/IEC 27032. We then envision the need of a new cyber-resilience framework that leveraging machine learning techniques contributes to improve business continuity.}, note = {Accepted for publication. To appear.}, keywords = {}, pubstate = {published}, tppubtype = {inproceedings} } Nowadays, business organizations support daily operations using Information and Communication Technologies. They serve as a basis to have a con- trolled management of resources, services and business goals, aligned with the mission of the organization. In this paper, we review standards and frameworks for achieving cyber-resilience in organizations, such as the NIST framework, ENISA, or international standards as the ISO/IEC 27032. We then envision the need of a new cyber-resilience framework that leveraging machine learning techniques contributes to improve business continuity. |
Uroz, Daniel; Rodríguez, Ricardo J Evaluation of the Executional Power in Windows using Return Oriented Programming Inproceedings Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT), pp. 361–372, IEEE, 2021. Abstract | Links | BibTeX | Tags: automatic exploit, evaluation, ROP chain, Turing-completeness, Windows @inproceedings{UR-WOOT-21b, title = {Evaluation of the Executional Power in Windows using Return Oriented Programming}, author = {Daniel Uroz and Ricardo J. Rodríguez}, url = {http://webdiis.unizar.es/~ricardo/files/papers/UR-WOOT-21.pdf}, doi = {10.1109/SPW53761.2021.00056}, year = {2021}, date = {2021-01-01}, booktitle = {Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT)}, pages = {361--372}, publisher = {IEEE}, abstract = {Code-reuse techniques have emerged as a way to defeat the control-flow defenses that prevent the injection and execution of new code, as they allow an adversary to hijack the control flow of a victim program without injected code. A well-known code-reuse attack technique is Return-Oriented-Programming (ROP), which considers and links together (relatively short) code snippets, named ROP gadgets, already present in the victim's memory address space through a controlled use of the stack values of the victim program. Although ROP attacks are known to be Turing-complete, there are still open question such as the quantification of the executional power of an adversary, which is determined by whatever code exists in the memory of a victim program, and whether an adversary can build a ROP chain, made up of ROP gadgets, for any kind of algorithm. To fill these gaps, in this paper we first define a virtual language, dubbed ROPLang, that defines a set of operations (specifically, arithmetic, assignment, dereference, logical, and branching operations) which are mapped to ROP gadgets. We then use it to evaluate the executional power of an adversary in Windows 7 and Windows 10, in both 32- and 64-bit versions. In addition, we have developed rop3, a tool that accepts a set of program files and a ROP chain described with our language and returns the code snippets that make up the ROP chain. Our results show that there are enough ROP gadgets to simulate any virtual operation and that branching operations are the less frequent ones. As expected, our results also indicate that the larger a program file is, the more likely to find ROP gadgets within it for every virtual operation.}, keywords = {automatic exploit, evaluation, ROP chain, Turing-completeness, Windows}, pubstate = {published}, tppubtype = {inproceedings} } Code-reuse techniques have emerged as a way to defeat the control-flow defenses that prevent the injection and execution of new code, as they allow an adversary to hijack the control flow of a victim program without injected code. A well-known code-reuse attack technique is Return-Oriented-Programming (ROP), which considers and links together (relatively short) code snippets, named ROP gadgets, already present in the victim's memory address space through a controlled use of the stack values of the victim program. Although ROP attacks are known to be Turing-complete, there are still open question such as the quantification of the executional power of an adversary, which is determined by whatever code exists in the memory of a victim program, and whether an adversary can build a ROP chain, made up of ROP gadgets, for any kind of algorithm. To fill these gaps, in this paper we first define a virtual language, dubbed ROPLang, that defines a set of operations (specifically, arithmetic, assignment, dereference, logical, and branching operations) which are mapped to ROP gadgets. We then use it to evaluate the executional power of an adversary in Windows 7 and Windows 10, in both 32- and 64-bit versions. In addition, we have developed rop3, a tool that accepts a set of program files and a ROP chain described with our language and returns the code snippets that make up the ROP chain. Our results show that there are enough ROP gadgets to simulate any virtual operation and that branching operations are the less frequent ones. As expected, our results also indicate that the larger a program file is, the more likely to find ROP gadgets within it for every virtual operation. |
Filho, Ailton Santos; Rodríguez, Ricardo J; Feitosa, Eduardo L Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks Inproceedings Developments and Advances in Defense and Security, pp. 3–13, Springer Singapore, Singapore, 2020, ISBN: 978-981-13-9155-2. Abstract | Links | BibTeX | Tags: Analysis-aware malware, Anti-analysis, Anti-instrumentation, Dynamic binary instrumentation @inproceedings{SRF-MICRADS-19, title = {Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks}, author = {Ailton Santos Filho and Ricardo J Rodríguez and Eduardo L Feitosa}, url = {http://webdiis.unizar.es/~ricardo/files/papers/SRF-MICRADS-19.pdf}, doi = {10.1007/978-981-13-9155-2_1}, isbn = {978-981-13-9155-2}, year = {2020}, date = {2020-01-01}, booktitle = {Developments and Advances in Defense and Security}, volume = {152}, pages = {3--13}, publisher = {Springer Singapore}, address = {Singapore}, abstract = {Malicious applications pose as one of the most relevant issues in today's technology scenario, being considered the root of many Internet security threats. In part, this owes the ability of malware developers to promptly respond to the emergence of new security solutions by developing artifacts to detect and avoid them. In this work, we present three countermeasures to mitigate recent mechanisms used by malware to detect analysis environments. Among these techniques, this work focuses on those that enable a malware to detect dynamic binary instrumentation frameworks, thus increasing their attack surface. To ensure the effectiveness of the proposed countermeasures, proofs of concept were developed and tested in a controlled environment with a set of anti-instrumentation techniques. Finally, we evaluated the performance impact of using such countermeasures.}, keywords = {Analysis-aware malware, Anti-analysis, Anti-instrumentation, Dynamic binary instrumentation}, pubstate = {published}, tppubtype = {inproceedings} } Malicious applications pose as one of the most relevant issues in today's technology scenario, being considered the root of many Internet security threats. In part, this owes the ability of malware developers to promptly respond to the emergence of new security solutions by developing artifacts to detect and avoid them. In this work, we present three countermeasures to mitigate recent mechanisms used by malware to detect analysis environments. Among these techniques, this work focuses on those that enable a malware to detect dynamic binary instrumentation frameworks, thus increasing their attack surface. To ensure the effectiveness of the proposed countermeasures, proofs of concept were developed and tested in a controlled environment with a set of anti-instrumentation techniques. Finally, we evaluated the performance impact of using such countermeasures. |
Uroz, Daniel; Rodríguez, Ricardo J On Challenges in Verifying Trusted Executable Files in Memory Forensics Journal Article Digital Investigation, 2020, (Accepted for publication. To appear.). Abstract | Links | BibTeX | Tags: Authenticode, code signing, digital signature verification, memory forensics, Volatility @article{UR-DIIN-20, title = {On Challenges in Verifying Trusted Executable Files in Memory Forensics}, author = {Daniel Uroz and Ricardo J Rodríguez}, url = {http://webdiis.unizar.es/~ricardo/files/papers/UR-DIIN-20.pdf}, doi = {10.1016/j.fsidi.2020.300917}, year = {2020}, date = {2020-01-01}, journal = {Digital Investigation}, abstract = {Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. The memory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware are abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, a memory dump does not contain an exact copy of an executable file (the file as stored in disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes to the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and computes its digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time.}, note = {Accepted for publication. To appear.}, keywords = {Authenticode, code signing, digital signature verification, memory forensics, Volatility}, pubstate = {published}, tppubtype = {article} } Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. The memory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware are abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, a memory dump does not contain an exact copy of an executable file (the file as stored in disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes to the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and computes its digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time. |
Shi, Yu; Chang, Xiaolin; Rodríguez, Ricardo J; Zhang, Zhenjiang; Trivedi, Kishor S Quantitative security analysis of a dynamic network system under lateral movement-based attacks Journal Article Reliability Engineering & System Safety, 183 , pp. 213–225, 2019, ISSN: 0951-8320. Abstract | Links | BibTeX | Tags: Dynamic transient analysis, Lateral movement-based attack, Non-homogeneous continuous-time Markov chain, Piecewise constant approximation @article{SCRZT-RESS-19, title = {Quantitative security analysis of a dynamic network system under lateral movement-based attacks}, author = {Yu Shi and Xiaolin Chang and Ricardo J Rodríguez and Zhenjiang Zhang and Kishor S Trivedi}, url = {http://webdiis.unizar.es/~ricardo/files/papers/SCRZT-RESS-19.pdf}, doi = {10.1016/j.ress.2018.11.022}, issn = {0951-8320}, year = {2019}, date = {2019-01-01}, journal = {Reliability Engineering & System Safety}, volume = {183}, pages = {213--225}, abstract = {Malicious lateral movement-based attacks have become a potential risk for many systems, bringing highly likely threats to critical infrastructures and national security. When launching this kind of attacks, adversaries first compromise a fraction of the targeted system and then move laterally to the rest of the system until the whole system is infected. Various approaches were proposed to study and/or defend against lateral movement-based attacks. However, few of them studied transient behaviors of dynamic attacking and dynamic targeted systems. This paper aims to analyze the transient security of a dynamic network system under lateral movement-based attacks from the time that attack-related abnormity in the system is detected until mechanisms are designed and deployed to defend against attacks. We explore state-space modeling techniques to construct a survivability model for quantitative analysis. A phased piecewise constant approximation approach is also proposed to derive the formulas for calculating model state transient probabilities, with which we derive formulas for calculating metrics of interest. The proposed approach allows both model state transition rates and the number of model states to be time-varying during the system recovery. Numerical analysis is carried out for investigating the impact of various dynamic system parameters on system security.}, keywords = {Dynamic transient analysis, Lateral movement-based attack, Non-homogeneous continuous-time Markov chain, Piecewise constant approximation}, pubstate = {published}, tppubtype = {article} } Malicious lateral movement-based attacks have become a potential risk for many systems, bringing highly likely threats to critical infrastructures and national security. When launching this kind of attacks, adversaries first compromise a fraction of the targeted system and then move laterally to the rest of the system until the whole system is infected. Various approaches were proposed to study and/or defend against lateral movement-based attacks. However, few of them studied transient behaviors of dynamic attacking and dynamic targeted systems. This paper aims to analyze the transient security of a dynamic network system under lateral movement-based attacks from the time that attack-related abnormity in the system is detected until mechanisms are designed and deployed to defend against attacks. We explore state-space modeling techniques to construct a survivability model for quantitative analysis. A phased piecewise constant approximation approach is also proposed to derive the formulas for calculating model state transient probabilities, with which we derive formulas for calculating metrics of interest. The proposed approach allows both model state transition rates and the number of model states to be time-varying during the system recovery. Numerical analysis is carried out for investigating the impact of various dynamic system parameters on system security. |
Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio Detection of Algorithmically Generated Malicious Domain Names using Masked N-Grams Journal Article Expert Systems with Applications, 124 , pp. 156–163, 2019, ISSN: 0957-4174. Abstract | Links | BibTeX | Tags: Domain-generated algorithms, malware, Random Forest @article{SRS-ESWA-19, title = {Detection of Algorithmically Generated Malicious Domain Names using Masked N-Grams}, author = {Jose Selvi and Ricardo J Rodríguez and Emilio Soria-Olivas}, url = {http://webdiis.unizar.es/~ricardo/files/papers/SRS-ESWA-19.pdf}, doi = {10.1016/j.eswa.2019.01.050}, issn = {0957-4174}, year = {2019}, date = {2019-01-01}, journal = {Expert Systems with Applications}, volume = {124}, pages = {156--163}, abstract = {Malware detection is a challenge that has increased in complexity in the last few years. A widely adopted strategy is to detect malware by means of analyzing network traffic, capturing the communications with their command and control (C&C) servers. However, some malware families have shifted to a stealthier communication strategy, since anti-malware companies maintain blacklists of known malicious locations. Instead of using static IP addresses or domain names, they algorithmically generate domain names that may host their C&C servers. Hence, blacklist approaches become ineffective since the number of domain names to block is large and varies from time to time. In this paper, we introduce a machine learning approach using Random Forest that relies on purely lexical features of the domain names to detect algorithmically generated domains. In particular, we propose using masked N-grams, together with other statistics obtained from the domain name. Furthermore, we provide a dataset built for experimentation that contains regular and algorithmically generated domain names, coming from different malware families. We also classify these families according to their type of domain generation algorithm. Our findings show that masked N-grams provide detection accuracy that is comparable to that of other existing techniques, but with much better performance.}, keywords = {Domain-generated algorithms, malware, Random Forest}, pubstate = {published}, tppubtype = {article} } Malware detection is a challenge that has increased in complexity in the last few years. A widely adopted strategy is to detect malware by means of analyzing network traffic, capturing the communications with their command and control (C&C) servers. However, some malware families have shifted to a stealthier communication strategy, since anti-malware companies maintain blacklists of known malicious locations. Instead of using static IP addresses or domain names, they algorithmically generate domain names that may host their C&C servers. Hence, blacklist approaches become ineffective since the number of domain names to block is large and varies from time to time. In this paper, we introduce a machine learning approach using Random Forest that relies on purely lexical features of the domain names to detect algorithmically generated domains. In particular, we propose using masked N-grams, together with other statistics obtained from the domain name. Furthermore, we provide a dataset built for experimentation that contains regular and algorithmically generated domain names, coming from different malware families. We also classify these families according to their type of domain generation algorithm. Our findings show that masked N-grams provide detection accuracy that is comparable to that of other existing techniques, but with much better performance. |
Uroz, Daniel; Rodríguez, Ricardo J Characteristics and Detectability of Windows Auto-Start Extensibility Points in Memory Forensics Journal Article Digital Investigation, 28 , pp. S95–S104, 2019, ISSN: 1742-2876. Abstract | Links | BibTeX | Tags: Auto-start extensibility points, malware, memory forensics, System persistence, Volatility, Windows registry @article{UR-DIIN-19, title = {Characteristics and Detectability of Windows Auto-Start Extensibility Points in Memory Forensics}, author = {Daniel Uroz and Ricardo J Rodríguez}, url = {http://webdiis.unizar.es/~ricardo/files/papers/UR-DIIN-19.pdf}, doi = {10.1016/j.diin.2019.01.026}, issn = {1742-2876}, year = {2019}, date = {2019-01-01}, journal = {Digital Investigation}, volume = {28}, pages = {S95--S104}, abstract = {Computer forensics is performed during a security incident response process on disk devices or on the memory of the compromised system. The latter case, known as memory forensics, consists in dumping the memory to a file and analyzing it with the appropriate tools. Many security incidents are caused by malware that targets and persists as long as possible in a Windows system within an organization. The persistence is achieved using Auto-Start Extensibility Points (ASEPs), the subset of OS and application extensibility points that allow a program to auto-start without any explicit user invocation. In this paper, we propose a taxonomy of the Windows ASEPs, considering the features that are used or abused by malware to achieve persistence. This taxonomy splits into four categories: system persistence mechanisms, program loader abuse, application abuse, and system behavior abuse. We detail the characteristics of each extensibility point (namely, write permissions, execution privileges, detectability in memory forensics, freshness of system requirements, and execution and configuration scopes). Many of these ASEPs rely on the Windows Registry. We also introduce the tool Winesap, a Volatility plugin that analyzes the registry-based Windows ASEPs in a memory dump. Furthermore, we state the order of execution of some of these registry-based extensibility points and evaluate the effectiveness of our tool in memory dumps taken from a Windows OS where extensibility points were used. Winesap was successful in marking all the registry-based Windows ASEPs as suspicious registry keys.}, keywords = {Auto-start extensibility points, malware, memory forensics, System persistence, Volatility, Windows registry}, pubstate = {published}, tppubtype = {article} } Computer forensics is performed during a security incident response process on disk devices or on the memory of the compromised system. The latter case, known as memory forensics, consists in dumping the memory to a file and analyzing it with the appropriate tools. Many security incidents are caused by malware that targets and persists as long as possible in a Windows system within an organization. The persistence is achieved using Auto-Start Extensibility Points (ASEPs), the subset of OS and application extensibility points that allow a program to auto-start without any explicit user invocation. In this paper, we propose a taxonomy of the Windows ASEPs, considering the features that are used or abused by malware to achieve persistence. This taxonomy splits into four categories: system persistence mechanisms, program loader abuse, application abuse, and system behavior abuse. We detail the characteristics of each extensibility point (namely, write permissions, execution privileges, detectability in memory forensics, freshness of system requirements, and execution and configuration scopes). Many of these ASEPs rely on the Windows Registry. We also introduce the tool Winesap, a Volatility plugin that analyzes the registry-based Windows ASEPs in a memory dump. Furthermore, we state the order of execution of some of these registry-based extensibility points and evaluate the effectiveness of our tool in memory dumps taken from a Windows OS where extensibility points were used. Winesap was successful in marking all the registry-based Windows ASEPs as suspicious registry keys. |
Botas, Álvaro; Rodríguez, Ricardo J; Matellan, Vicente; Garcia, Juan F; Trobajo, M T; Carriegos, Miguel V On Fingerprinting of Public Malware Analysis Services Journal Article Logic Journal of the IGPL, 2019, ISSN: 1367-0751. Abstract | Links | BibTeX | Tags: Analysis-aware malware, characterization, Malware analysis service, sandbox, unlikeability @article{BRMGTC-IGPL-19, title = {On Fingerprinting of Public Malware Analysis Services}, author = {Álvaro Botas and Ricardo J Rodríguez and Vicente Matellan and Juan F Garcia and M T Trobajo and Miguel V Carriegos}, url = {http://webdiis.unizar.es/~ricardo/files/papers/BRMGTC-IGPL-19.pdf}, doi = {10.1093/jigpal/jzz050}, issn = {1367-0751}, year = {2019}, date = {2019-01-01}, journal = {Logic Journal of the IGPL}, abstract = {Automatic Public Malware Analysis Services (PMAS, e.g. VirusTotal, Jotti, or ClamAV, to name a few) provide controlled, isolated, and virtual environments to analyse malicious software (malware) samples. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment; when an analysis environment is detected, malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services, considering 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments; the lower the unlikeability of these features, the easier for us (and thus for malware) to fingerprint the analysis service they belong to. Finally, we propose a method for these analysis services to counter or at least mitigate our proposal.}, keywords = {Analysis-aware malware, characterization, Malware analysis service, sandbox, unlikeability}, pubstate = {published}, tppubtype = {article} } Automatic Public Malware Analysis Services (PMAS, e.g. VirusTotal, Jotti, or ClamAV, to name a few) provide controlled, isolated, and virtual environments to analyse malicious software (malware) samples. Unfortunately, malware is currently incorporating techniques to recognize execution onto a virtual or sandbox environment; when an analysis environment is detected, malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services, considering 26 different services. We also show a set of features that allow to easily fingerprint these services as analysis environments; the lower the unlikeability of these features, the easier for us (and thus for malware) to fingerprint the analysis service they belong to. Finally, we propose a method for these analysis services to counter or at least mitigate our proposal. |
Rodríguez, Ricardo J; Martín-Pérez, Miguel; Abadía, Iñaki A Tool to Compute Approximation Matching between Windows Processes Inproceedings Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS), pp. 313–318, 2018. Abstract | Links | BibTeX | Tags: bytewise approximate matching, forensic memory analysis, Volatility, Windows @inproceedings{RMA-ISDFS-18, title = {A Tool to Compute Approximation Matching between Windows Processes}, author = {Ricardo J Rodríguez and Miguel Martín-Pérez and Iñaki Abadía}, url = {http://webdiis.unizar.es/~ricardo/files/papers/RMA-ISDFS-18.pdf}, doi = {10.1109/ISDFS.2018.8355372}, year = {2018}, date = {2018-01-01}, booktitle = {Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS)}, pages = {313--318}, abstract = {Finding identical digital objects (or artifacts) during a forensic analysis is commonly achieved by means of cryptographic hashing functions, such as MD5, SHA1, or SHA-256, to name a few. However, these functions suffer from the em avalanche effect property, which guarantees that if an input is changed slightly the output changes significantly. Hence, these functions are unsuitable for typical digital forensics scenarios where a forensics memory image from a likely compromised machine shall be analyzed. This memory image file contains a snapshot of processes (instances of executable files) which were up on execution when the dumping process was done. However, processes are relocated at memory and contain dynamic data that depend on the current execution and environmental conditions. Therefore, the comparison of cryptographic hash values of different processes from the same executable file will be negative. Bytewise approximation matching algorithms may help in these scenarios, since they provide a similarity measurement in the range $[0,1]$ between similar inputs instead of a yes/no answer (in the range $0,1$). In this paper, we introduce ProcessFuzzyHash, a Volatility plugin that enables us to compute approximation hash values of processes contained in a Windows memory dump.}, keywords = {bytewise approximate matching, forensic memory analysis, Volatility, Windows}, pubstate = {published}, tppubtype = {inproceedings} } Finding identical digital objects (or artifacts) during a forensic analysis is commonly achieved by means of cryptographic hashing functions, such as MD5, SHA1, or SHA-256, to name a few. However, these functions suffer from the em avalanche effect property, which guarantees that if an input is changed slightly the output changes significantly. Hence, these functions are unsuitable for typical digital forensics scenarios where a forensics memory image from a likely compromised machine shall be analyzed. This memory image file contains a snapshot of processes (instances of executable files) which were up on execution when the dumping process was done. However, processes are relocated at memory and contain dynamic data that depend on the current execution and environmental conditions. Therefore, the comparison of cryptographic hash values of different processes from the same executable file will be negative. Bytewise approximation matching algorithms may help in these scenarios, since they provide a similarity measurement in the range $[0,1]$ between similar inputs instead of a yes/no answer (in the range $0,1$). In this paper, we introduce ProcessFuzzyHash, a Volatility plugin that enables us to compute approximation hash values of processes contained in a Windows memory dump. |
Chang, Xiaolin; Lv, Shaohua; Rodríguez, Ricardo J; Trivedi, Kishor Survivability Model for Security and Dependability Analysis of a Vulnerable Critical System Inproceedings Proceedings of the 2018 27th International Conference on Computer Communication and Networks (ICCCN), pp. 1–6, 2018, ISSN: 1095-2055. Abstract | Links | BibTeX | Tags: Quantitative analysis, Reactive defense strategy, Security, Stochastic reward nets, Survivability @inproceedings{CLRT-ICCCN-18, title = {Survivability Model for Security and Dependability Analysis of a Vulnerable Critical System}, author = {Xiaolin Chang and Shaohua Lv and Ricardo J Rodríguez and Kishor Trivedi}, url = {http://webdiis.unizar.es/~ricardo/files/papers/CLRT-ICCCN-18.pdf}, doi = {10.1109/ICCCN.2018.8487446}, issn = {1095-2055}, year = {2018}, date = {2018-01-01}, booktitle = {Proceedings of the 2018 27th International Conference on Computer Communication and Networks (ICCCN)}, pages = {1--6}, abstract = {This paper aims to analyze transient security and dependability of a vulnerable critical system, under vulnerability-related attack and two reactive defensestrategies, from a severe vulnerability announcement untilthe vulnerability is fully removed from the system. By severe, we mean that the vulnerability-based malware could causesignificant damage to the infected system in terms ofsecurity and dependability while infecting more and morenew vulnerable computer systems. We propose a Markov chain-based survivability model for capturing thevulnerable critical system behaviors during the vulnerability elimination process. A high-level formalism based on Stochastic Reward Nets is applied to automaticallygenerate and solve the survivability model. Survivabilitymetrics are defined to quantify system attributes. The proposed model and metrics not only enable us toquantitatively assess the system survivability in terms ofsecurity risk and dependability, but also provide insights onthe system investment decision. Numerical experiments areconstructed to study the impact of key parameters on systemsecurity, dependability and profit.}, keywords = {Quantitative analysis, Reactive defense strategy, Security, Stochastic reward nets, Survivability}, pubstate = {published}, tppubtype = {inproceedings} } This paper aims to analyze transient security and dependability of a vulnerable critical system, under vulnerability-related attack and two reactive defensestrategies, from a severe vulnerability announcement untilthe vulnerability is fully removed from the system. By severe, we mean that the vulnerability-based malware could causesignificant damage to the infected system in terms ofsecurity and dependability while infecting more and morenew vulnerable computer systems. We propose a Markov chain-based survivability model for capturing thevulnerable critical system behaviors during the vulnerability elimination process. A high-level formalism based on Stochastic Reward Nets is applied to automaticallygenerate and solve the survivability model. Survivabilitymetrics are defined to quantify system attributes. The proposed model and metrics not only enable us toquantitatively assess the system survivability in terms ofsecurity risk and dependability, but also provide insights onthe system investment decision. Numerical experiments areconstructed to study the impact of key parameters on systemsecurity, dependability and profit. |
Rodríguez, Ricardo J; de Quirós, Jorge García Desanonimización y categorización de servicios ocultos de la red Tor Inproceedings Actas del VI Congreso Nacional de i+d en Defensa y Seguridad (DESEi+d 2018), 2018, (Accepted for publication. To appear.). Links | BibTeX | Tags: deanonymization, hidden services, privacy, Tor @inproceedings{RG-DESEid-18, title = {Desanonimización y categorización de servicios ocultos de la red Tor}, author = {Ricardo J Rodríguez and Jorge García de Quirós}, url = {http://webdiis.unizar.es/~ricardo/files/papers/RG-DESEid-18.pdf}, year = {2018}, date = {2018-01-01}, booktitle = {Actas del VI Congreso Nacional de i+d en Defensa y Seguridad (DESEi+d 2018)}, note = {Accepted for publication. To appear.}, keywords = {deanonymization, hidden services, privacy, Tor}, pubstate = {published}, tppubtype = {inproceedings} } |
Rodríguez, Ricardo J Evolution and Characterization of Point-of-Sale RAM Scraping Malware Journal Article Journal in Computer Virology and Hacking Techniques, 13 (3), pp. 179–192, 2017, ISSN: 2263-8733. Abstract | Links | BibTeX | Tags: Evolution, malware, POS RAM scraping, Software security, Taxonomy @article{R-CVHT-17, title = {Evolution and Characterization of Point-of-Sale RAM Scraping Malware}, author = {Ricardo J Rodríguez}, url = {http://webdiis.unizar.es/~ricardo/files/papers/R-CVHT-17.pdf}, doi = {10.1007/s11416-016-0280-4}, issn = {2263-8733}, year = {2017}, date = {2017-01-01}, journal = {Journal in Computer Virology and Hacking Techniques}, volume = {13}, number = {3}, pages = {179--192}, abstract = {Credit and debit cards are becoming the primary payment method for purchases. These payments are normally performed in merchant's in-store systems as known as Point-of-Sale (POS) systems. Since these systems handle payment card data while processing the customer transactions, they are becoming a primary target for cybercriminals. These data, when remain at memory, are scraped and exfiltrated by specially crafted malicious software named POS RAM scraping malware. In recent years, large data breaches occurred in well-known US retail companies were caused by this kind of malware. In this paper, we study the features of these malware based on their behavior on different stages: infection and persistence, process and data of interest search, and exfiltration. Then, we classify samples of 22 known POS RAM scraping malware families from 2009 to 2015 according to these features. Our findings show these malware are still immature and use well-defined behavioral patterns for data acquirement and exfiltration, which may make their malicious activity easily detectable by process and network monitoring tools.}, keywords = {Evolution, malware, POS RAM scraping, Software security, Taxonomy}, pubstate = {published}, tppubtype = {article} } Credit and debit cards are becoming the primary payment method for purchases. These payments are normally performed in merchant's in-store systems as known as Point-of-Sale (POS) systems. Since these systems handle payment card data while processing the customer transactions, they are becoming a primary target for cybercriminals. These data, when remain at memory, are scraped and exfiltrated by specially crafted malicious software named POS RAM scraping malware. In recent years, large data breaches occurred in well-known US retail companies were caused by this kind of malware. In this paper, we study the features of these malware based on their behavior on different stages: infection and persistence, process and data of interest search, and exfiltration. Then, we classify samples of 22 known POS RAM scraping malware families from 2009 to 2015 according to these features. Our findings show these malware are still immature and use well-defined behavioral patterns for data acquirement and exfiltration, which may make their malicious activity easily detectable by process and network monitoring tools. |
Rodríguez, Ricardo J; Garcia-Escartin, Juan Carlos Security Assessment of the Spanish Contactless Identity Card Journal Article IET Information Security, 11 (6), pp. 386–393(7), 2017, ISSN: 1751-8709. Abstract | Links | BibTeX | Tags: contactless cards, identity cards, NFC, Security @article{RG-IFS-17, title = {Security Assessment of the Spanish Contactless Identity Card}, author = {Ricardo J Rodríguez and Juan Carlos Garcia-Escartin}, url = {http://webdiis.unizar.es/~ricardo/files/papers/RG-IFS-17.pdf}, doi = {10.1049/iet-ifs.2017.0299}, issn = {1751-8709}, year = {2017}, date = {2017-01-01}, journal = {IET Information Security}, volume = {11}, number = {6}, pages = {386--393(7)}, publisher = {Institution of Engineering and Technology}, abstract = {The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to hire on-line products such as mortgages or loans, was updated to incorporate a Near Field Communication (NFC) chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the RFID communication to virtually steal personal information. In this paper, we consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, we evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defenses against on-line brute-force attacks were incorporated. We then suggest two countermeasures to protect against these attacks. Furthermore, we also analyzed the pseudo-random number generator within the card, which passed all the performed tests with good results.}, keywords = {contactless cards, identity cards, NFC, Security}, pubstate = {published}, tppubtype = {article} } The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to hire on-line products such as mortgages or loans, was updated to incorporate a Near Field Communication (NFC) chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the RFID communication to virtually steal personal information. In this paper, we consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, we evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defenses against on-line brute-force attacks were incorporated. We then suggest two countermeasures to protect against these attacks. Furthermore, we also analyzed the pseudo-random number generator within the card, which passed all the performed tests with good results. |
Publications
Reading Time: < 1 minute
Pre-processing Memory Dumps to Improve Similarity Score of Windows Modules Journal Article Computers & Security, 101 , pp. 102119, 2021, ISSN: 0167-4048. |
Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest Algorithms Journal Article Forensic Science International: Digital Investigation, 36 , pp. 301120, 2021, ISSN: 2666-2817. |
A Vision for Improving Business Continuity through Cyber-resilience Mechanisms and Frameworks Inproceedings Proceedings of the 16th Iberian Conference on Information Systems and Technologies (CISTI), 2021, (Accepted for publication. To appear.). |
Evaluation of the Executional Power in Windows using Return Oriented Programming Inproceedings Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT), pp. 361–372, IEEE, 2021. |
Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks Inproceedings Developments and Advances in Defense and Security, pp. 3–13, Springer Singapore, Singapore, 2020, ISBN: 978-981-13-9155-2. |
On Challenges in Verifying Trusted Executable Files in Memory Forensics Journal Article Digital Investigation, 2020, (Accepted for publication. To appear.). |
Quantitative security analysis of a dynamic network system under lateral movement-based attacks Journal Article Reliability Engineering & System Safety, 183 , pp. 213–225, 2019, ISSN: 0951-8320. |
Detection of Algorithmically Generated Malicious Domain Names using Masked N-Grams Journal Article Expert Systems with Applications, 124 , pp. 156–163, 2019, ISSN: 0957-4174. |
Characteristics and Detectability of Windows Auto-Start Extensibility Points in Memory Forensics Journal Article Digital Investigation, 28 , pp. S95–S104, 2019, ISSN: 1742-2876. |
On Fingerprinting of Public Malware Analysis Services Journal Article Logic Journal of the IGPL, 2019, ISSN: 1367-0751. |
A Tool to Compute Approximation Matching between Windows Processes Inproceedings Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS), pp. 313–318, 2018. |
Survivability Model for Security and Dependability Analysis of a Vulnerable Critical System Inproceedings Proceedings of the 2018 27th International Conference on Computer Communication and Networks (ICCCN), pp. 1–6, 2018, ISSN: 1095-2055. |
Desanonimización y categorización de servicios ocultos de la red Tor Inproceedings Actas del VI Congreso Nacional de i+d en Defensa y Seguridad (DESEi+d 2018), 2018, (Accepted for publication. To appear.). |
Evolution and Characterization of Point-of-Sale RAM Scraping Malware Journal Article Journal in Computer Virology and Hacking Techniques, 13 (3), pp. 179–192, 2017, ISSN: 2263-8733. |
Security Assessment of the Spanish Contactless Identity Card Journal Article IET Information Security, 11 (6), pp. 386–393(7), 2017, ISSN: 1751-8709. |