Semantic view re-creation for the secure monitoring of virtual machines

Carbone, Martim

28 June 2012

The insecurity of modern-day software has created the need for security monitoring applications. Two serious deficiencies are commonly found in these applications. First, the absence of isolation from the system being monitored allows malicious software to tamper with them. Second, the lack of secure and reliable monitoring primitives in the operating system makes them easy to be evaded. A technique known as Virtual Machine Introspection attempts to solve these problems by leveraging the isolation and mediation properties of full-system virtualization. A problem known as semantic gap, however, occurs as a result of the low-level separation enforced by the hypervisor. This thesis proposes and investigates novel techniques to overcome the semantic gap, advancing the state-of-the-art on the syntactic and semantic view re-creation for applications that conduct passive and active monitoring of virtual machines. First, we propose a new technique for reconstructing a syntactic view of the guest OS kernel's heap state by applying a combination of static code and dynamic memory analysis. Our key contribution is the accuracy and completeness of our analysis. We also propose a new technique that allows out-of-VM applications to invoke and securely execute API functions inside the monitored guest's kernel, eliminating the need for the application to know details of the guest's internals. Our key contribution is the ability to overcome the semantic gap in a robust and secure manner. Finally, we propose a new virtualization-based event monitoring technique based on the interception of kernel data modifications. Our key contribution is the ability to monitor operating system events in a general and secure fashion.

Semantic gap

Secure monitoring

Introspection

Systems security

Virtual machines

Virtualization

Computer networks Security measures

Virtual computer systems

Computer architecture

Studies on Employees’ Information Security Awareness

Häußinger, Felix

13 May 2015

No description available.

330

Information Security Awareness

Information Security Behahavior

Information Systems Security

Antecedents of Information Security

Endogenous Motivation

Wirtschaftswissenschaften (PPN621567140)

Robust digital watermarking of multimedia objects

Gupta, Gaurav

January 2008

Thesis (PhD)--Macquarie University, Division of Information and Communication Sciences, Department of Computing, 2008. / Bibliography: p. 144-153. / Introduction -- Background -- Overview of watermarking -- Natural language watermarking -- Software watermarking -- Semi-blind and reversible database watermarking -- Blind and reversible database watermarking -- Conclusion and future research -- Bibliography. / Digital watermarking has generated significant research and commercial interest in the past decade. The primary factors contributing to this surge are widespread use of the Internet with improved bandwidth and speed, regional copyright loopholes in terms of legislation; and seamless distribution of multimedia content due to peer-to-peer file-sharing applications. -- Digital watermarking addresses the issue of establishing ownership over mul-timedia content through embedding a watermark inside the object. Ideally, this watermark should be detectable and/or extractable, survive attacks such as digital reproduction and content-specific manipulations such as re-sizing in the case of images, and be invisible to the end-user so that the quality of the content is not degraded significantly. During detection or extraction, the only requirements should be the secret key and the watermarked multimedia object, and not the original un-marked object or the watermark inserted. Watermarking scheme that facilitate this requirement are categorized as blind. In recent times, reversibility of watermark has also become an important criterion. This is due to the fact that reversible watermarking schemes can provided security against secondary watermarking attacks by using backtracking algorithms to identify the rightful owner. A watermarking scheme is said to be reversible if the original unmarked object can be regenerated from the watermarked copy and the secret key. / This research covers three multimedia content types: natural language documents, software, and databases; and discusses the current watermarking scenario, challenges, and our contribution to the field. We have designed and implemented a natural language watermarking scheme that uses the redundancies in natural languages. As a result, it is robust against general attacks against text watermarks. It offers additional strength to the scheme by localizing the attack to the modified section and using error correction codes to detect the watermark. Our first contribution in software watermarking is identification and exploitation of weaknesses in branch-based software watermarking scheme proposed in [71] and the software watermarking algorithm we present is an improvised version of the existing watermarking schemes from [71]. Our scheme survives automated debugging attacks against which the current schemes are vulnerable, and is also secure against other software-specific attacks. We have proposed two database watermarking schemes that are both reversible and therefore resilient against secondary watermarking attacks. The first of these database watermarking schemes is semi-blind and requires the bits modified during the insertion algorithm to detect the watermark. The second scheme is an upgraded version that is blind and therefore does not require anything except a secret key and the watermarked relation. The watermark has a 89% probability of survival even when almost half of the data is manipulated. The watermarked data in this case is extremely useful from the users' perspective, since query results are preserved (i.e., the watermarked data gives the same results for a query as the nmarked data). -- The watermarking models we have proposed provide greater security against sophisticated attacks in different domains while providing sufficient watermark-carrying capacity at the same time. The false-positives are extremely low in all the models, thereby making accidental detection of watermark in a random object almost negligible. Reversibility has been facilitated in the later watermarking algorithms and is a solution to the secondary watermarking attacks. We shall address reversibility as a key issue in our future research, along with robustness, low false-positives and high capacity. / Mode of access: World Wide Web. / xxiv, 156 p. ill. (some col.)

Digital watermarking

Computer security

Data protection

Intellectual property

Multimedia systems -- Security measures

watermarking

copyright protection

information security

The Chief Security Officer Problem

Tanga, Vikas Reddy

12 1900

The Chief Security Officer Problem (CSO) consists of a CSO, a group of agents trying to communicate with the CSO and a group of eavesdroppers trying to listen to the conversations between the CSO and its agents. Through Lemmas and Theorems, several Information Theoretic questions are answered.

Secrecy

CSO model

Pairing strategies

Secrecy efficiency

Optimality

Power allocation

Computer security.

Cyber-Physical Analysis and Hardening of Robotic Aerial Vehicle Controllers

Taegyu Kim (10716420)

06 May 2021

Robotic aerial vehicles (RAVs) have been increasingly deployed in various areas (e.g., commercial, military, scientific, and entertainment). However, RAVs’ security and safety issues could not only arise from either of the “cyber” domain (e.g., control software) and “physical” domain (e.g., vehicle control model) but also stem in their interplay. Unfortunately, existing work had focused mainly on either the “cyber-centric” or “control-centric” approaches. However, such a single-domain focus could overlook the security threats caused by the interplay between the cyber and physical domains. <br>In this thesis, we present cyber-physical analysis and hardening to secure RAV controllers. Through a combination of program analysis and vehicle control modeling, we first developed novel techniques to (1) connect both cyber and physical domains and then (2) analyze individual domains and their interplay. Specifically, we describe how to detect bugs after RAV accidents using provenance (Mayday), how to proactively find bugs using fuzzing (RVFuzzer), and how to patch vulnerable firmware using binary patching (DisPatch). As a result, we have found 91 new bugs in modern RAV control programs, and their developers confirmed 32 cases and patch 11 cases.

Computer System Security

Computer Systems Security

Drone

Embedded Systems

Program Analysis

Binary Analysis

Forensic Analysis

Fuzzing Testing

Binary Rewriting

REHOSTING EMBEDDED APPLICATIONS AS LINUX APPLICATIONS FOR DYNAMIC ANALYSIS

Jayashree Srinivasan (17683698)

20 December 2023

<p dir="ltr">Dynamic analysis of embedded firmware is a necessary capability for many security tasks, e.g., vulnerability detection. Rehosting is a technique that enables dynamic analysis by facilitating the execution of firmware in a host environment decoupled from the actual hardware. Current rehosting techniques focus on high-fidelity execution of the entire firmware. Consequently, these techniques try to execute firmware in an emulated environment, with precise models of hardware (i.e., peripheral) interactions. However, these techniques are hard to scale and have various drawbacks. </p><p dir="ltr">Therefore, a novel take on rehosting is proposed by focusing on the application components and their interactions with the firmware without the need to model hardware dependencies. This is achieved by rehosting the embedded application as a Linux application. In addition to avoiding precise peripheral modeling, such a rehosting technique enables the use of existing dynamic analysis techniques on these embedded applications. The feasibility of this approach is demonstrated first by manually performing the rehosting on real-world embedded applications. The challenges in each of the phases – retargeting to x86-64, peripheral handling, and fuzzing the rehosted applications are elaborated. Furthermore, automated steps for retargeting to the x86-64 and peripheral handling are developed. The peripheral handling achieves 89% accuracy if reserved regions are also considered. The testing of these rehosted applications found 2 previously unknown defects in driver components.</p>

Software and application security

System and network security

Cybersecurity

Firmware

Rehosting

Real-Time Systems

RTOS

Dynamic Analysis

Embedded Systems

Embedded Systems Security

Architectural Enhancements to Increase Trust in Cyber-Physical Systems Containing Untrusted Software and Hardware

Farag, Mohammed Morsy Naeem

25 October 2012

Embedded electronics are widely employed in cyber-physical systems (CPSes), which tightly integrate and coordinate computational and physical elements. CPSes are extensively deployed in security-critical applications and nationwide infrastructure. Perimeter security approaches to preventing malware infiltration of CPSes are challenged by the complexity of modern embedded systems incorporating numerous heterogeneous and updatable components. Global supply chains and third-party hardware components, tools, and software limit the reach of design verification techniques and introduce security concerns about deliberate Trojan inclusions. As a consequence, skilled attacks against CPSes have demonstrated that these systems can be surreptitiously compromised. Existing run-time security approaches are not adequate to counter such threats because of either the impact on performance and cost, lack of scalability and generality, trust needed in global third parties, or significant changes required to the design flow. We present a protection scheme called Run-time Enhancement of Trusted Computing (RETC) to enhance trust in CPSes containing untrusted software and hardware. RETC is complementary to design-time verification approaches and serves as a last line of defense against the rising number of inexorable threats against CPSes. We target systems built using reconfigurable hardware to meet the flexibility and high-performance requirements of modern security protections. Security policies are derived from the system physical characteristics and component operational specifications and translated into synthesizable hardware integrated into specific interfaces on a per-module or per-function basis. The policy-based approach addresses many security challenges by decoupling policies from system-specific implementations and optimizations, and minimizes changes required to the design flow. Interface guards enable in-line monitoring and enforcement of critical system computations at run-time. Trust is only required in a small set of simple, self-contained, and verifiable guard components. Hardware trust anchors simultaneously addresses the performance, flexibility, developer productivity, and security requirements of contemporary CPSes. We apply RETC to several CPSes having common security challenges including: secure reconfiguration control in reconfigurable cognitive radio platforms, tolerating hardware Trojan threats in third-party IP cores, and preserving stability in process control systems. High-level architectures demonstrated with prototypes are presented for the selected applications. Implementation results illustrate the RETC efficiency in terms of the performance and overheads of the hardware trust anchors. Testbenches associated with the addressed threat models are generated and experimentally validated on reconfigurable platform to establish the protection scheme efficacy in thwarting the selected threats. This new approach significantly enhances trust in CPSes containing untrusted components without sacrificing cost and performance. / Ph. D.

Hardware Trojans

Reconfigurable Hardware

Embedded Systems Security

Cognitive radio networks

Trusted Computing

Cyber-Physical Systems

Process Control Systems

Security of Critical Cyber-Physical Systems: Fundamentals and Optimization

Eldosouky Mahmoud Salama, Abdelrahman A.

18 June 2019

Cyber-physical systems (CPSs) are systems that integrate physical elements with a cyber layer that enables sensing, monitoring, and processing the data from the physical components. Examples of CPSs include autonomous vehicles, unmanned aerial vehicles (UAVs), smart grids, and the Internet of Things (IoT). In particular, many critical infrastructure (CI) that are vital to our modern day cities and communities, are CPSs. This wide range of CPSs domains represents a cornerstone of smart cities in which various CPSs are connected to provide efficient services. However, this level of connectivity has brought forward new security challenges and has left CPSs vulnerable to many cyber-physical attacks and disruptive events that can utilize the cyber layer to cause damage to both cyber and physical components. Addressing these security and operation challenges requires developing new security solutions to prevent and mitigate the effects of cyber and physical attacks as well as improving the CPSs response in face of disruptive events, which is known as the CPS resilience. To this end, the primary goal of this dissertation is to develop novel analytical tools that can be used to study, analyze, and optimize the resilience and security of critical CPSs. In particular, this dissertation presents a number of key contributions that pertain to the security and the resilience of multiple CPSs that include power systems, the Internet of Things (IoT), UAVs, and transportation networks. First, a mathematical framework is proposed to analyze and mitigate the effects of GPS spoofing attacks against UAVs. The proposed framework uses system dynamics to model the optimal routes which UAVs can follow in normal operations and under GPS spoofing attacks. A countermeasure mechanism, built on the premise of cooperative localization, is then developed to mitigate the effects of these GPS spoofing attacks. To practically deploy the proposed defense mechanism, a dynamic Stackelberg game is formulated to model the interactions between a GPS spoofer and a drone operator. The equilibrium strategies of the game are analytically characterized and studied through a novel, computationally efficient algorithm. Simulation results show that, when combined with the Stackelberg strategies, the proposed defense mechanism will outperform baseline strategy selection techniques in terms of reducing the possibility of UAV capture. Next, a game-theoretic framework is developed to model a novel moving target defense (MTD) mechanism that enables CPSs to randomize their configurations to proactive deter impending attacks. By adopting an MTD approach, a CPS can enhance its security against potential attacks by increasing the uncertainty on the attacker. The equilibrium of the developed single-controller, stochastic MTD game is then analyzed. Simulation results show that the proposed framework can significantly improve the overall utility of the defender. Third, the concept of MTD is coupled with new cryptographic algorithms for enhancing the security of an mHealth Internet of Things (IoT) system. In particular, using a combination of theory and implementation, a framework is introduced to enable the IoT devices to update their cryptographic keys locally to eliminate the risk of being revealed while they are shared. Considering the resilience of CPSs, a novel framework for analyzing the component- and system-level resilience of CIs is proposed. This framework brings together new ideas from Bayesian networks and contract theory – a Nobel prize winning theory – to define a concrete system-level resilience index for CIs and to optimize the allocation of resources, such as redundant components, monitoring devices, or UAVs to help those CIs improve their resilience. In particular, the developed resilience index is able to account for the effect of CI components on the its probability of failure. Meanwhile, using contract theory, a comprehensive resource allocation framework is proposed enabling the system operator to optimally allocate resources to each individual CI based on its economic contribution to the entire system. Simulation results show that the system operator can economically benefit from allocating the resources while dams can have a significant improvement in their resilience indices. Subsequently, the developed contract-theoretic framework is extended to account for cases of asymmetric information in which the system operator has only partial information about the CIs being in some vulnerability and criticality levels. Under such asymmetry, it is shown that the proposed approach maximizes the system operator's utility while ensuring that no CI has an incentive to ask for another contract. Next, a proof-of-concept framework is introduced to analyze and improve the resilience of transportation networks against flooding. The effect of flooding on road capacities and on the free-flow travel time, is considered for different rain intensities and roads preparedness. Meanwhile, the total system's travel time before and after flooding is evaluated using the concept of a Wardrop equilibrium. To this end, a proactive mechanism is developed to reduce the system's travel time, after flooding, by shifting capacities (available lanes) between same road sides. In a nutshell, this dissertation provides a suite of analytical techniques that allow the optimization of security and resilience across multiple CPSs. / Doctor of Philosophy / Cyber-physical systems (CPSs) have recently been used in many application domains because of their ability to integrate physical elements with a cyber layer allowing for sensing, monitoring, and remote controlling. This pervasive use of CPSs in different applications has brought forward new security challenges and threats. Malicious attacks can now leverage the connectivity of the cyber layer to launch remote attacks and cause damage to the physical components. Taking these threats into consideration, it became imperative to ensure the security of CPSs. Given that many CPSs provide critical services, for instance many critical infrastructure (CI) are CPSs such as smart girds and nuclear reactors; it is then inevitable to ensure that these critical CPSs can maintain proper operation. One key measure of the CPS’s functionality, is resilience which evaluates the ability of a CPS to deliver its designated service under potentially disruptive situations. In general, resilience measures a CPS’s ability to adapt or rapidly recover from disruptive events. Therefore, it is crucial for CPSs to be resilient in face of potential failures. To this end, the central goal of this dissertation is to develop novel analytical frameworks that can evaluate and improve security and resilience of CPSs. In these frameworks, cross-disciplinary tools are used from game theory, contract theory, and optimization to develop robust analytical solutions for security and resilience problems. In particular, these frameworks led to the following key contributions in cyber security: developing an analytical framework to mitigate the effects of GPS spoofing attacks against UAVs, introducing a game-theoretic moving target defense (MTD) framework to improve the cyber security, and securing data privacy in m-health Internet of Things (IoT) networks using a MTD cryptographic framework. In addition, the dissertation led to the following contributions in CI resilience: developing a general framework using Bayesian Networks to evaluate and improve the resilience of CIs against their components failure, introducing a contract-theoretic model to allocate resources to multiple connected CIs under complete and asymmetric information scenarios, providing a proactive plan to improve the resilience of transportation networks against flooding, and, finally, developing an environment-aware framework to deploy UAVs in disaster-areas.

Cyber-Physical Systems Security

Critical Infrastructure Resilience

Unmanned Aerial Vehicles

Game Theory

Moving Target Defense

Contract Theory

Internet of Things

Trusted Software Updates for Secure Enclaves in Industrial Control Systems

Gunjal, Abhinav Shivram

18 September 2017

Industrial Control Systems (ICSs) manage critical infrastructures such as water treatment facilities, petroleum refineries, and power plants. ICSs are networked through Information Technology (IT) infrastructure for remote monitoring and control of physical processes. As ICSs integrate with IT infrastructure, IT vulnerabilities are carried over to the ICS environment. Previously proposed process controller security architectures maintain safe and stable plant operation even in the presence of attacks that exploit ICS vulnerabilities. Security architectures are process control system-level solutions that leverage isolated and trusted hardware (secure enclaves) for ICS security. Upon detecting an intrusion, the secure enclave switches control of the physical process to a high assurance controller, making a fail-safe plant operation. The process control loop components have an average lifespan of several decades. During this time, electromechanical components of process control loop may undergo aging that alters their characteristics and affects control loop performance. To deal with component aging and to improve control algorithm flexibility, updates to control loop parameters are required. Plant model, process control loop system specifications, and control algorithm-based security mechanisms at the secure enclave require parameter updates. ICSs have hundreds of process control components that may need be installed in hazardous environments and distributed across hundreds of square kilometers. Updating each component physically may lead to accidents, expensive travel, and increased downtime. Some ICS have allowable downtime of only 5 minutes per year. Hence, remote updates are desirable. A proposed dedicated and isolated hardware module at the secure enclave provides authentication of the update and ensures safe storage in a non-volatile memory. A protocol designed for update transmission through an untrusted ICS network provides resilience against network integrity attacks such as replay attacks. Encryption and authentication of the updates maintain integrity and confidentiality. During the normal plant operation, the hardware module is invisible to the other modules of the process control loop. The proposed solution is implemented on Xilinx Zynq-7000 programmable System-on-Chip to provide secure enclave updates. / Master of Science / Industrial Control Systems (ICSs) manage critical infrastructures such as water treatment facilities, petroleum refineries, and power plants. ICS process controllers interpret sensor output and depending on the set point, generate input signals for the actuator to control physical processes. The process controllers receive set points and periodically send process state to the supervisory network. For remote monitoring and control of physical processes, ICSs are networked through Information Technology (IT) infrastructure. As ICSs integrate with IT infrastructure, IT vulnerabilities are carried over to the ICS environment. Previously proposed process controller security architectures maintain safe and stable plant operation even in the presence of attacks that exploit ICS vulnerabilities. Security architectures are process control system-level solutions that leverage isolated and trusted hardware (secure enclaves) for ICS security. Upon detecting an intrusion, the secure enclave switches control of the physical process to a high assurance controller, making a fail-safe plant operation. The process control loop components have an average lifespan of several decades. During this time, electromechanical components of process control loop may undergo aging that alters their characteristics and affects control loop performance. To deal with component aging and to improve control algorithm flexibility, updates to control loop parameters are required. Plant model, process control loop system specifications, and control algorithm-based security mechanisms at the secure enclave require parameter updates. ICSs have hundreds of process control components that may need be installed in hazardous environments and distributed across hundreds of square kilometers. Updating each component physically may lead to accidents, expensive travel, and increased downtime. Some ICS have allowable downtime of only 5 minutes per year. Hence, remote updates are desirable. A proposed dedicated and isolated hardware module at the secure enclave provides authentication of the update and ensures safe storage in a non-volatile memory. A protocol designed for update transmission through an untrusted ICS network provides resilience against network integrity attacks such as replay attacks. Encryption and authentication of the updates maintain integrity and confidentiality. During the normal plant operation, the hardware module is invisible to the other modules of the process control loop. The proposed solution is implemented on Xilinx Zynq-7000 programmable System-on-Chip to provide secure enclave updates.

Industrial control systems

programmable logic controller

industrial control systems security

secure enclaves

software updates

configurable system-on-chip

Investigation and development of a system for secure synchronisation in a wireless mesh network

De Bruyn, Daniel Nicholas

January 2010

Thesis (M. Tech.(Electrical Engineering)) -- Central University of technology, Free State, 2010 / This dissertation gives an overview of the research done in developing a protocol to synchronise information in a secure wireless mesh network. Alternative methods to control wireless devices were investigated in the non-controlled frequency spectrum. The aim of the research was to develop a protocol that can be loaded on a micro-controller with limited intelligence, controlling endpoints. The protocol minimises human interference and automatically negotiates which device becomes the master controller. The device is able to discover and locate neighbour devices in range. The device has the capability to be stationary or mobile and host multiple control endpoints. Control endpoints can be digital or analogue, input or output, and belongs to a group like security, lighting or irrigation. These capabilities can change according to the solution’s requirements. Control endpoints with the same capabilities must be able to establish a connection between each other. An endpoint has a user-friendly name and can update the remote endpoint with the description. When a connection is established both endpoints update each other with their user-friendly name and their status. A local endpoint can trigger a certain action on a receiving control point. The system was tested with a building monitoring system because it is static and a less expensive choice, thus making the evaluation more suitable. A simulator for a personal computer was developed to evaluate the new protocol. Finally, the protocol was implemented and tested on a micro-controller platform.

Computer networks - Security measures

Computer network protocols

Synchronization