logo EDITE Sujets de doctorat

Prevention and Analysis of Cyber-Attacks

Sujet proposé par
Directeur de thèse:
Doctorant: Fabio PAGANI
Unité de recherche UMR 7102 Laboratoire de recherche d'EURECOM

Domaine: Sciences et technologies de l'information et de la communication


Objective Despite the incredible effort and the enormous investments to increase security and fight cybercrime, the number of security incidents is rapidly increasing every year. Many forms of cyber attacks (such as botnets, spam, and phishing pages) are simply designed to target the largest number of users or devices. In contrast, when an attack is customized for, and targeted at, a small number of victims, its effectiveness is usually much higher. An important factor to take into account is that these types of targeted attacks often involve attackers with an abundance of available resources to evade current detection and analysis techniques. As a result, many sophisticated attacks remained undetected for long period of times (seven years for “Careto”, eight for the “Turla” group, and potentially even longer for some of the NSA backdoors) before the security community was finally able to detect their presence on the infected machines. In this challenging context, this dissertation will explore new techniques to prevent, detect, and analyze sophisticated cyber-attacks. The work will focus on operating system and host-based solutions as well as offline analysis approaches to analyze suspicious samples or compromised machines. As a result, the final goal is to explore several directions for advanced malware analysis, for OS protection and threat detection, and for improved memory analysis. In particular, memory analysis is today an active research fields that have rapidly evolved over the past decade and now represents a popular, complementary approach to support modern malware analysis and inspect potentially compromised machines. Therefore, it can be a powerful tool to cope with the increasing sophistication of cyber attacks and to advance the state of the art in the field.


Background and PreviousWork The work performed in this thesis builds upon two lines of research which are ongoing in our group at Eurecom. The first one focuses on attack prevention, with a focus on compile-time and hypervisor-based instrumentation techniques. In the first category is worth mentioning G-Free [11], the first practical compiler-based solution to prevent any possible form of return oriented programming (ROP). G-Free is able to eliminate all unaligned free-branch instructions inside a binary executable, and to protect the aligned free-branch instructions to prevent them from being misused by an attacker. The second category covers previous research efforts which focused on describing malware in terms of violations to an information-flow policy. Because it is not feasible for performance reasons to track system-wide information flows accurately, the focus shifted on better and better approximations of the information flow. Bruschi et al. [1] and Kruegel et al. [9] showed that some classes of obfuscations could be rendered innocuous 1 by modeling programs according to their instruction-level control flow, while Christodorescu et al. [3] and Kinder et al. [8] built obfuscation-resilient detectors based on instruction-level information flow. The idea of utilizing a virtual machine monitor to perform sophisticated run-time analyses, with the guarantee that the results cannot be tampered by a malicious attacker, has already been widely explored in the literature. Garfinkel et al. were the first to propose to use a VMM to perform OS-aware introspection [7]. Other researchers proposed to use a VMM for protecting the guest OS from attacks by monitoring its execution, with a software-based VMM [13] that leveraged on hardware support for virtualization [14]. Similar ideas were also proposed by other authors [12, 15]. Chen et al. [2] described a solution to protect applications’ data even in the presence of a compromised operating system. Building on these previous works, our group leveraged hardware-assisted virtualization technology to design a tamper-resistant and efficient detector that is able to take over the OS operations and verify a set of policies. The result, called AccessMiner [5], is a system-centric behavioral malware detector that models the general interactions between benign programs and the underlying operating system (OS). This allows AccessMiner to capture which, and how, OS resources are used by normal applications and detect in real-time anomalous behavior that is often associated to known and unknown malware infections. The second line of research focuses instead on the area of memory analysis, and in particular on possible evasions and on the improvement of its reliability. In this area, Stuttgen et al. and Vomel et al. [16, 17] pointed out the current limitations of memory acquisition tools (which rely on the operating system to select the memory pages to dump) and Zhang et al. [18] presented a way to evade all existing acquisition modules by manipulating the layout of the physical address space. Once the memory has been acquired, existing tools often rely on weak information to recognize the operating system and locate its key data structures. This led Lin et al. [10] to propose graph-based signatures and Gavitt et al. [4] to the definition and creation of Strong Signatures based on data invariants, i.e., based on fields whose value cannot be modified without crashing or destabilizing the system. A similar graph of kernel objects has being proposed by other researches [6] to label data structures for memory analysis.