application level reconnaissance timing channel attacks
play

Application-Level Reconnaissance: Timing Channel Attacks Against - PowerPoint PPT Presentation

Jan 22, 2024 •423 likes •705 views

Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I. Al-Saleh and Jedidiah R. Crandall Server Reconnaissance OS & Services ports Client Server Client Reconnaissance Hmmm, what can I get about

  1. Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I. Al-Saleh and Jedidiah R. Crandall

  2. Server Reconnaissance OS & Services ports Client Server

  3. Client Reconnaissance Hmmm, what can I get about you?!! Client Server

  4. Client Reconnaissance • Browser identification – https://panopticlick.eff.org/ • AV related info – AV fingerprinting – Up-to-date? • Timing channels – AV performance tradeoff – Make the common case fast – Updated?

  5. Threat Model Measure scanning time Updated?? Client Server

  6. Basic Idea • Antivirus (AV) scans data against sigs • Sigs are stored somehow in AV’s data structures • Scanning time – Based on scanning path • Hitting the newly added sigs

  7. ClamAV • ClamAV – http://www.clamav.net – http://www.clamxav.com/ – http://www.clamwin.com/ • Scanning steps: – File type filtering – Filtering step – Boyer-Moore algorithm – Aho-Corasick algorithm

  8. File Type Filtering File to scan Type Roots File Type Filtering Type

  9. Filtering Step Input Yes/No Filter

  10. Boyer-Moore Sig Array of LLs chars HASH Sig

  11. Aho-Corasick

  12. Methodology • Question #1 : Is there a timing channel in the way ClamAV scans data? • Question #2 : If the first question is confirmed, how could the attacker create the timing channel?

  13. Methodology/Q1 • Collect viruses in (name,date) pairs and remove their sigs from current DB

  14. Two Kinds of Experiments • Whole-day sig experiment • Single sig experiment

  15. Whole-Day Sigs of DateX Becomes DB before DateX DB after DateX Old New Scan

  16. content BuffSize = 256 KB ( ( (ahochars|boyerchars)^n . filterchars)^m) File Size

  17. Single Signature One Sig Becomes DB before SigX DB after SigX Old New Scan

  18. Whole-Day Frequency Time Difference (seconds) )

  19. Single Frequency Time Difference (seconds) )

  20. Methodology/Q2

  21. Methodology/Q2 Time Start CPU Time Determine CPU Create file Close the file Busy Time Sampling

  22. Scanning Time (seconds) Min ActiveX Max

  23. Possible Timing Channels in Modern AVs • Pattern matching • Algorithmic scanning – Zmist virus needs to execute at least 2 million p- code-based iterations • Code emulation – Significantly slows scanning • Heuristics – Extra work when triggered

  24. Related Work • Network discovery – Port scanning • Timing channel attacks – Secret keys in cryptographic systems – Virtual machines detection – Others • Antivirus research – Signature extraction – Detection evasion

  25. Conclusion and Future Work • Application-level reconnaissance through timing channels • Running example: ClamAV • Currently, we are exploring performance issues in commercial antiviruses

  26. Acknowledgements • Török Edwin • LEET reviewers • U.S. National Science Foundation (CNS- 0905177)

  27. Thanks

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen, Nick Nikiforakis Background: Timing attacks Introduced by Felten et al. in 2000. A side-channel attack analyzing the time that it takes to a

642 views • 21 slides
Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://dedis.cs.yale.edu/ USENIX HotCloud, June 13, 2012 The Long History of Timing Attacks Cooperative attacks apply to: Mandatory Access

359 views • 21 slides
Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and

Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and

Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and Shaolei Ren UC Riverside Acknowledgement: This work was supported in part by the U.S. NSF under grants CNS-1551661 and ECCS-1610471. Cloud data

1.15k views • 75 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side

Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side

Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side Channel Mohammad A. Islam, Luting Yang, Kiran Ranganath, and Shaolei Ren Acknowledgement: This work was supported in part by NSF under grants

445 views • 31 slides
Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Open Source Enclave Workshop 2019 Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer Science & Engineering The Ohio State University Userland TEEs on Commodity Processors Application VM VM

154 views • 14 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web Storage Crypto on the Web Motivations Formal analysis of cryptographic web

1.19k views • 106 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 5 Viruses & Worms, Botnets, Todays Threats Viruses & Worms Viruses Program

693 views • 31 slides
Cryptography and Network Security Chapter 21 What is the concept of defense: The parrying of a

Cryptography and Network Security Chapter 21 What is the concept of defense: The parrying of a

4/19/2010 Chapter 21 Malicious Software Cryptography and Network Security Chapter 21 What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow Awaiting the blow. Fifth Edition On War,

352 views • 6 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
Malware and Exploit Enabling Code Information Assurance CS461/ECE422 Fall 2009 Reading

Malware and Exploit Enabling Code Information Assurance CS461/ECE422 Fall 2009 Reading

Malware and Exploit Enabling Code Information Assurance CS461/ECE422 Fall 2009 Reading Material CS Chapter 22 Ken Thompson and Trojans http://cm.bell-labs.com/who/ken/trust.html Worm Anatomy and Model

744 views • 63 slides
Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

648 views • 34 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recent Security Incidents Garmin Ransomware -- $10 million Sync servers down for many days

506 views • 21 slides
AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

Table of Contents AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot) Architecture Paul Barford and Vinod Yagneswaran Remote Control Mechanisms Host Control Propagation Exploits and

158 views • 4 slides

More recommend