Biblio

Filters: Author is Monrose, Fabian  [Clear All Filters]
2018-09-05
Chen, Yizheng, Nadji, Yacin, Kountouras, Athanasios, Monrose, Fabian, Perdisci, Roberto, Antonakakis, Manos, Vasiloglou, Nikolaos.  2017.  Practical Attacks Against Graph-based Clustering. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. :1125–1142.
Graph modeling allows numerous security problems to be tackled in a general way, however, little work has been done to understand their ability to withstand adversarial attacks. We design and evaluate two novel graph attacks against a state-of-the-art network-level, graph-based detection system. Our work highlights areas in adversarial machine learning that have not yet been addressed, specifically: graph-based clustering techniques, and a global feature space where realistic attackers without perfect knowledge must be accounted for (by the defenders) in order to be practical. Even though less informed attackers can evade graph clustering with low cost, we show that some practical defenses are possible.
2017-05-30
Werner, Jan, Baltas, George, Dallara, Rob, Otterness, Nathan, Snow, Kevin Z., Monrose, Fabian, Polychronakis, Michalis.  2016.  No-Execute-After-Read: Preventing Code Disclosure in Commodity Software. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. :35–46.

Memory disclosure vulnerabilities enable an adversary to successfully mount arbitrary code execution attacks against applications via so-called just-in-time code reuse attacks, even when those applications are fortified with fine-grained address space layout randomization. This attack paradigm requires the adversary to first read the contents of randomized application code, then construct a code reuse payload using that knowledge. In this paper, we show that the recently proposed Execute-no-Read (XnR) technique fails to prevent just-in-time code reuse attacks. Next, we introduce the design and implementation of a novel memory permission primitive, dubbed No-Execute-After-Read (near), that foregoes the problems of XnR and provides strong security guarantees against just-in-time attacks in commodity binaries. Specifically, near allows all code to be disclosed, but prevents any disclosed code from subsequently being executed, thus thwarting just-in-time code reuse. At the same time, commodity binaries with mixed code and data regions still operate correctly, as legitimate data is still readable. To demonstrate the practicality and portability of our approach we implemented prototypes for both Linux and Android on the ARMv8 architecture, as well as a prototype that protects unmodified Microsoft Windows executables and dynamically linked libraries. In addition, our evaluation on the SPEC2006 benchmark demonstrates that our prototype has negligible runtime overhead, making it suitable for practical deployment.