This project is based on the premise that there exists a class of security threats which defy conventional means of defense and that countering these emerging threats requires fundamentally new approaches which may utilize heuristic or otherwise unconventional techniques. To better understand these emerging threats we study a variety of attacks and defenses including:
This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from ``hacking for fun'' to ``hacking for profit'' has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.
Motivated by the proliferation of wireless-enabled devices
and the suspect nature of device driver code, we develop a
passive fingerprinting technique that identifies the
wireless device driver running on an IEEE 802.11 compliant
device. This technique is valuable to an attacker wishing
to conduct reconnaissance against a potential target so
that he may launch a driver-specific exploit.
In particular, we develop a unique fingerprinting technique that accurately and efficiently identifies the wireless driver without modification to or cooperation from a wireless device. We perform an evaluation of this fingerprinting technique that shows it both quickly and accurately fingerprints wireless device drivers in real world wireless network conditions. Finally, we discuss ways to prevent fingerprinting that will aid in improving the security of wireless communication for devices that employ 802.11 networking.
We study the remote detection of virtual machine monitors (VMMs) across the Internet, and devise fuzzy benchmarking as an approach that can successfully detect the presence or absence of a VMM on a remote system. Fuzzy benchmarking works by making timing measurements of the execution time of particular code sequences executing on the remote system. The fuzziness comes from heuristics which we employ to learn characteristics of the remote system's hardware and VMM configuration. Our techniques are successful despite uncertainty about the remote machine's hardware configuration.
We design, implement, and evaluate a practical timing-based approach to detect virtual machine monitors (VMMs) without relying on VMM implementation details. The algorithms developed in this paper are based on fundamental properties of virtual machine monitors rather than easily modified software artifacts. We evaluate our approach against two common VMM implementations on machines with and without hardware support for virtualization in a number of remote and local experiments. We successfully distinguish between virtual and real machines in all cases even with incomplete information regarding the VMM implementation and hardware configuration of the targeted machine.
Today's computer users receive few assurances that their software
executes as expected. The problem is that legacy devices do not
enable personal verification of code execution. In addition, legacy
devices lack trusted paths for secure user I/O making it difficult to
ensure the privacy of data.
We present PRISM, a software-only human-verifiable code execution system that temporally separates a legacy computer system into a trusted component and an untrusted component. PRISM enables a user to securely interact with applications by establishing a trusted path and enables personal verification of untampered application execution.
PRISM enables the development of a new class of applications which we term personally verifiable applications (PVAs). PVAs have the property that a user can both securely interact with and execute these applications even in the face of a kernel-level compromise. We develop a personally verifiable digital signature application that assures the user that the password-protected private key is not misused and that neither the private key nor the password are disclosed to malware on the device. We describe an implementation of this application on a personal device, and evaluate the usability of our approach with a user study.
Tamper-evident software has the property that a verifier can detect
a violation of program integrity during execution. In this paper, we
study programs that through their own execution provide sufficient
information in the form of responses and timing to detect
tampering. We refer to such programs as timed tamper-evident
We formalize the notation of a timed tamper-evident program, model a micro-controller under this formalization, and prove the existence of a timed tamper-evident program for this model when used with synchronous communication. We develop timed tamper-evident programs which verify both control and data integrity. We discuss the existence of timed tamper-evident functions in an asynchronous system.