Visualizing Endpoint Security Technologies using Attack Trees

Pettersson, Stefan

January 2008

<p>Software vulnerabilities in programs and malware deployments have been increasing almost every year since we started measuring them. Information about how to program securely, how malware shall be avoided and technological countermeasures for this are more available than ever. Still, the trend seems to favor the attacker. This thesis tries to visualize the effects of a selection of technological countermeasures that have been proposed by researchers. These countermeasures: non-executable memory, address randomization, system call interception and file integrity monitoring are described along with the attacks they are designed to defend against. The coverage of each countermeasure is then visualized with the help of attack trees. Attack trees are normally used for describing how systems can be attacked but here they instead serve the purpose of showing where in an attack a countermeasure takes effect. Using attack trees for this highlights a couple of important aspects of a security mechanism, such as how early in an attack it is effective and which variants of an attack it potentially defends against. This is done by the use of what we call defensive codes that describe how a defense mechanism counters a sub-goal in an attack. Unfortunately the whole process is not well formalized and depends on many uncertain factors.</p>

endpoint security

attack tree

memory corruption

non-executable memory

address randomization

system call interception

Computer science

Datalogi

Visualizing Endpoint Security Technologies using Attack Trees

Pettersson, Stefan

January 2008

Software vulnerabilities in programs and malware deployments have been increasing almost every year since we started measuring them. Information about how to program securely, how malware shall be avoided and technological countermeasures for this are more available than ever. Still, the trend seems to favor the attacker. This thesis tries to visualize the effects of a selection of technological countermeasures that have been proposed by researchers. These countermeasures: non-executable memory, address randomization, system call interception and file integrity monitoring are described along with the attacks they are designed to defend against. The coverage of each countermeasure is then visualized with the help of attack trees. Attack trees are normally used for describing how systems can be attacked but here they instead serve the purpose of showing where in an attack a countermeasure takes effect. Using attack trees for this highlights a couple of important aspects of a security mechanism, such as how early in an attack it is effective and which variants of an attack it potentially defends against. This is done by the use of what we call defensive codes that describe how a defense mechanism counters a sub-goal in an attack. Unfortunately the whole process is not well formalized and depends on many uncertain factors.

endpoint security

attack tree

memory corruption

non-executable memory

address randomization

system call interception

Computer Sciences

Datavetenskap (datalogi)

A Study on Fingerprinting of Locally Assigned MAC-Addresses

Djervbrant, Karl-Johan, Häggström, Andreas

January 2019

The number of WiFi Devices is increasing every day, most people traveling hasa device with a WiFi network card enabled. This is something EffectSoft AB in Halmstad utilizes in their service Flow, to track and count devices. The accuracy of counted devices was however not accurate enough for a commercial use and this is where this candidate Thesis will continue research on how to improve the accuracy. It introduces the fundamental problem on how one cannot directly count transmitted MAC-Addresses to count present devices, since the manufacturers implement features against this such as MAC-Address randomization. It covers how manufacturers are not consistent in their implementation of the IEEE 802.11 standard, how this can be utilized to estimate how many devices are present in the networkwith three different approaches. It also concludes that Control Frame Attacks is not a viable approach any longer to count devices and the best method for counting devices are a combination of Passive Probe Request Analysis techniques. / Mängden enheter som kommunicerar över WiFi ökar dagligen och idag bär de flesta människor en enhet med ett aktiverat WiFi-nätverkskort. Detta använder EffectSoft AB, ett företag i Halmstad till sin teknik Flow för att räkna mobila enheter. Noggrannheten för beräkningen är dock inte tillräckligt bra för att produkten ska kunna vara applicerbar på marknaden och därav handlar denna kandidatuppsatsen om beräkning av mobila enheter. Denna rapport presenterar de problem som man stöter på vid beräkning av mobila enheter som till exempel randomisering av MAC-Adresser. Den täcker även hur tillverkare inte är konsekventa i sin implementation av IEEE 802.11 standarden och hur detta kan utnyttjas genom tre metoderför beräkning av antal mobila enheter. Det fastställs att Control Frame Attack inte längre är en möjlig metod för syftet samt att den bästa metoden för beräkning avantalet mobila enheter är en kombination av olika passiva Probe Request analyser.

MAC-Address Randomization

Probe Request

Passive Probe Request Analysis

Control Frame Attacks

Computer Science

Network

IEEE 802.11

WiFi

Tracking

Counting.

Övrig annan teknik