ForSE 2017 Abstracts


Full Papers
Paper Nr: 1
Title: Hacking of the AES with Boolean Functions
Authors: Michel Dubois and Eric Filiol
Abstract: One of the major issues of cryptography is the cryptanalysis of cipher algorithms. Some mechanisms for breaking codes include differential cryptanalysis, advanced statistics and brute force. Recent works also attempt to use algebraic tools to reduce the cryptanalysis of a block cipher algorithm to the resolution of a system of quadratic equations describing the ciphering structure. In our study, we will also use algebraic tools but in a new way: by using Boolean functions and their properties. A Boolean function is a function from $\mathbb{F}_2^n \to \mathbb{F}_2$ with n > 1. The arguments of Boolean functions are binary words of length n. Any Boolean function can be represented, uniquely, by its algebraic normal form, which is an equation that only contains additions modulo 2—the XOR function—and multiplications modulo 2—the AND function. Our aim is to describe the AES algorithm as a set of Boolean functions and then calculate their algebraic normal forms by using the Moebius transforms. Afterwards, we use a specific representation for these equations to facilitate their analysis and particularly to try a combinatorial analysis. Through this approach we obtain a new kind of equation system.

Paper Nr: 2
Title: Glassbox: Dynamic Analysis Platform for Malware Android Applications on Real Devices
Authors: Paul Irolla and Eric Filiol
Abstract: Android is the most widely used smartphone OS, with an 82.8% market share in 2015 (IDC, 2015). It is therefore the system most widely targeted by malware authors. Researchers rely on dynamic analysis to extract malware behaviors and often use emulators to do so. However, using emulators leads to new issues. Malware may detect emulation and, as a result, not execute its payload in order to prevent analysis. Dealing with virtual device evasion is a never-ending war and comes with a non-negligible computation cost (Lindorfer et al., 2014). To overcome this state of affairs, we propose a system that does not use virtual devices for analysing malware behavior. Glassbox is a functional prototype for the dynamic analysis of malware applications. It executes applications on real devices in a monitored and controlled environment. It is a fully automated system that installs, tests and extracts features from the application for further analysis. We present the architecture of the platform and compare it with existing Android dynamic analysis platforms. Lastly, we evaluate the capacity of Glassbox to trigger application behaviors by measuring the average coverage of basic blocks on the AndroCoverage dataset (AndroCoverage, 2016). We show that it executes on average 13.52% more basic blocks than the Monkey program.

Paper Nr: 3
Title: Mathematical Backdoors in Symmetric Encryption Systems - Proposal for a Backdoored AES-like Block Cipher
Authors: Arnaud Bannier and Eric Filiol
Abstract: Recent years have shown that, more than ever, governments and intelligence agencies try to control and bypass the cryptographic means used for the protection of data. Backdooring encryption algorithms is considered the best way to enforce cryptographic control. Until now, only implementation backdoors (at the protocol/implementation/management level) have generally been considered. In this paper we propose to address the most critical issue of backdoors: mathematical backdoors or by-design backdoors, which are put directly into the mathematical design of the encryption algorithm. While the algorithm may be totally public, proving that there is a backdoor, identifying it and exploiting it may be an intractable problem. We intend to explain that it is probably possible to design and insert such backdoors. Considering a particular family (among all the possible ones), we present BEA-1, a block cipher algorithm which is similar to the AES and which contains a mathematical backdoor enabling an operational and effective cryptanalysis. The BEA-1 algorithm (80-bit block size, 120-bit key, 11 rounds) is designed to resist linear and differential cryptanalysis. A challenge will be proposed to the cryptography community soon. Its aim is to assess whether our backdoor is easily detectable and exploitable or not.

Paper Nr: 4
Title: Sequitur-based Inference and Analysis Framework for Malicious System Behavior
Authors: Robert Luh, Gregor Schramm, Markus Wagner and Sebastian Schrittwieser
Abstract: Targeted attacks on IT systems are a rising threat to the confidentiality of sensitive data and the availability of critical systems. With the emergence of Advanced Persistent Threats (APTs), it has become more important than ever to fully understand the particulars of such attacks. Grammar inference offers a powerful foundation for the automated extraction of behavioral patterns from sequential system traces. In order to facilitate the interpretation and analysis of APTs, we present a grammar inference system based on Sequitur, a greedy compression algorithm that constructs a context-free grammar (CFG) from string-based input data. In addition to recursive rule extraction, we expanded the procedure with automated assessment routines capable of dealing with multiple input sources and types. This enables the identification of relevant patterns in sequential corpora of arbitrary quantity and size. On the formal side, we extended the CFG with attributes that help depict the extracted (malicious) actions in a comprehensive fashion. The tool’s output is automatically mapped to the grammar for further parsing and discovery-focused pattern visualization.

Paper Nr: 5
Title: Localization and Inhibition of Malicious Behaviors through a Model Checking based Methodology
Authors: Mario Giovanni C. A. Cimino and Gigliola Vaglini
Abstract: Mobile malware is increasing more and more in complexity; current signature-based antimalware mechanisms are not able to detect attacks, since trivial code transformations may evade detection. Furthermore, antimalware tools, when they correctly label an application as malicious, are able to quarantine or delete the application, but not to allow the user to install and safely use it. Here we present a model checking based approach to locate and inhibit malicious behaviors: we assume the specification of programs in terms of the process algebra language LOTOS, malicious behaviors specified by temporal logic formulae, and define a method to retrieve, from the specifications, the description of the infected part of the program. We refer, as an example, to some Android malware and derive the LOTOS specification automatically from the Java bytecode corresponding to the Android app. The method consists of a set of rules building the LOTOS processes mirroring the behavior of the malware possibly contained in the app; besides the description of the infected part of the code, we also give a way to block the malware attack, laying the basis to disinfect the application. The method can be applied at any level of complexity, thus allowing the precise location of malicious behaviors.

Paper Nr: 7
Title: Static and Dynamic Analysis of Android Malware
Authors: Ankita Kapratwar, Fabio Di Troia and Mark Stamp
Abstract: Static analysis relies on features extracted without executing code, while dynamic analysis extracts features based on execution (or emulation). In general, static analysis is more efficient, while dynamic analysis can be more informative, particularly in cases where the code is obfuscated. Static analysis of an Android application can, for example, rely on features extracted from the manifest file or the Java bytecode, while dynamic analysis of such applications might deal with features involving dynamic code loading and system calls. In this research, we apply machine learning techniques to analyze the relative effectiveness of particular static and dynamic features for detecting Android malware. We also carefully analyze the robustness of the scoring techniques under consideration.

Paper Nr: 10
Title: “Mirror, Mirror on the Wall, Who is the Fairest One of All?” - Machine Learning versus Model Checking: A Comparison between Two Static Techniques for Malware Family Identification
Authors: Vittoria Nardone and Corrado Aaron Visaggio
Abstract: Malware targeting Android platforms is growing in number and complexity. Huge volumes of new variants emerge every month, and this creates the need to recognize specific variants in a timely manner when they are encountered. Several approaches have been developed for malware detection. Recently, the research community has been developing approaches able to detect malware variants. Among all of them, two approaches have demonstrated high performance in detecting malware and assigning the family it belongs to: one based on machine learning and one on formal methods. In this paper we compare the results achieved by the two methods in terms of Precision, Recall and Accuracy. We highlight the points of strength and weakness of the two methods.

Paper Nr: 12
Title: Identifying Mobile Repackaged Applications through Formal Methods
Authors: Fabio Martinelli, Francesco Mercaldo, Vittoria Nardone, Antonella Santone and Corrado Aaron Visaggio
Abstract: Smartphones and tablets are rapidly becoming indispensable in everyday activities. Android has become the most popular operating system for mobile environments in the world. These devices, owing to the open nature of Android, are continuously exposed to attacks, mostly to data exfiltration and monetary fraud. There are many techniques to embed bad code, i.e. the instructions able to perform a malicious behaviour, into a legitimate application: the most widespread one is so-called repackaging, which consists of reverse engineering the application in order to embed the malicious code and then (re)distributing it in the official and/or third party markets. In this paper we propose a technique to localize the malicious payload of the GinMaster family, one of the most representative repackaged trojans in the Android environment. We obtain encouraging results, achieving an accuracy equal to 0.9.

Paper Nr: 13
Title: On the Detection of Replay Attacks in Industrial Automation Networks Operated with Profinet IO
Authors: Steffen Pfrang and David Meier
Abstract: Modern industrial facilities consist of controllers, actuators and sensors that are connected via traditional IT equipment. The ongoing integration of these systems into the communication network leads to new threats and attack possibilities. In industrial networks, distinct communication protocols like Profinet IO (PNIO) are often used. These protocols are often not supported by typical network security tools. In this paper, we present two attack techniques that allow an attacker to take over control of a PNIO device, enabling the replay of formerly recorded traffic. We model attack detection rules and propose an intrusion detection system (IDS) for industrial networks which is capable of detecting those replay attacks by correlating alerts from traditional IT IDSs with specific PNIO alarms. Thereafter, we evaluate our IDS in a physical demonstrator and compare it with another IDS dedicated to securing PNIO networks.

Paper Nr: 14
Title: Internal Network Monitoring and Anomaly Detection through Host Clustering
Authors: W. J. B. Beukema, T. Attema and H. A. Schotanus
Abstract: Internal network traffic is an undervalued source of information for detecting targeted attacks. Whereas most systems focus on the external border of the network, we observe that targeted attack campaigns often involve internal network activity. To this end, we have developed techniques capable of detecting anomalous internal network behaviour. As a second contribution, we propose an additional step in model-based anomaly detection involving host clustering. Through host clustering, individual hosts are grouped together on the basis of their internal network behaviour. We argue that a behavioural model for each cluster, compared to a model for each host or a single model for all hosts, performs better in terms of detecting potentially malicious behaviour. We show that by applying this concept to internal network traffic, the detection performance for identifying malicious flows and hosts increases.

Paper Nr: 15
Title: Verifying Data Secure Flow in AUTOSAR Models by Static Analysis
Authors: Cinzia Bernardeschi, Marco Di Natale, Gianluca Dini and Maurizio Palmieri
Abstract: This paper presents a method to check data secure flow in security annotated AUTOSAR models. The approach is based on information flow analysis and abstract interpretation. The analysis computes the lowest security level of data sent on a communication, according to the annotations in the model and the code of runnables. An abstract interpreter executes runnables on abstract domains that abstract from real values and consider only data dependency levels. Data secure flow is verified if data sent on a communication always satisfy the security annotation in the model. The work has been developed in the EU project Safure, where modeling extensions to AUTOSAR have been proposed to improve security in automotive communications.

Paper Nr: 16
Title: Extracting Android Malicious Behaviors
Authors: Khanh-Huu-The Dam and Tayssir Touili
Abstract: The number of Android malware samples is increasing quickly. That makes Android devices more vulnerable, as they are the target of malware writers. Thus, the challenge nowadays is to detect malicious Android applications. To this aim, we need to know what malicious behaviors Android malware exhibits. In this paper, we introduce a method to automatically extract the malicious behaviors for Android malware detection. We represent the behaviors of an Android application by an API call graph and we use a malicious API graph to represent the malicious behaviors. Then, given a set of malicious and benign applications, we compute the malicious behaviors by extracting from the API call graphs the subgraphs that are relevant to the malicious API call graphs but not relevant to the benign ones. This relevance is measured by applying the TFIDF weighting scheme widely used in the Information Retrieval community. These malicious API graphs are applied to detect malicious applications. We obtained encouraging results with a recall rate of 92% and a precision of 98%.