Visible to the public Biblio

Filters: Author is Eckert, Claudia  [Clear All Filters]
2019-02-13
Salfer, Martin, Eckert, Claudia.  2018.  Attack Graph-Based Assessment of Exploitability Risks in Automotive On-Board Networks. Proceedings of the 13th International Conference on Availability, Reliability and Security. :21:1–21:10.

High-end vehicles incorporate about one hundred computers; physical and virtualized ones; self-driving vehicles even more. This allows a plethora of attack combinations. This paper demonstrates how to assess exploitability risks of vehicular on-board networks via automatically generated and analyzed attack graphs. Our stochastic model and algorithm combine all possible attack vectors and consider attacker resources more efficiently than Bayesian networks. We designed and implemented an algorithm that assesses a compilation of real vehicle development documents within only two CPU minutes, using an average of about 100 MB RAM. Our proof of concept "Security Analyzer for Exploitability Risks" (SAlfER) is 200 to 5 000 times faster and 40 to 200 times more memory-efficient than an implementation with UnBBayes1. Our approach aids vehicle development by automatically re-checking the architecture for attack combinations that may have been enabled by mistake and which are not trivial to spot by the human developer. Our approach is intended for and relevant for industrial application. Our research is part of a collaboration with a globally operating automotive manufacturer and is aimed at supporting the security of autonomous, connected, electrified, and shared vehicles.

2019-01-31
Proskurin, Sergej, Lengyel, Tamas, Momeu, Marius, Eckert, Claudia, Zarras, Apostolis.  2018.  Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection. Proceedings of the 34th Annual Computer Security Applications Conference. :407–417.

ARM has become the leading processor architecture for mobile and IoT devices, while it has recently started claiming a bigger slice of the server market pie as well. As such, it will not be long before malware more regularly target the ARM architecture. Therefore, the stealthy operation of Virtual Machine Introspection (VMI) is an obligation to successfully analyze and proactively mitigate this growing threat. Stealthy VMI has proven itself perfectly suitable for malware analysis on Intel's architecture, yet, it often lacks the foundation required to be equally effective on ARM.

2018-05-02
Kirsch, Julian, Bierbaumer, Bruno, Kittel, Thomas, Eckert, Claudia.  2017.  Dynamic Loader Oriented Programming on Linux. Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium. :5:1–5:13.
Memory corruptions are still the most prominent venue to attack otherwise secure programs. In order to make exploitation of software bugs more difficult, defenders introduced a vast number of post corruption security mitigations, such as w⊕x memory, Stack Canaries, and Address Space Layout Randomization (ASLR), to only name a few. In the following, we describe the Wiedergänger1-Attack, a new attack vector that reliably allows to escalate unbounded array access vulnerabilities occurring in specifically allocated memory regions to full code execution on programs running on i386/x86\_64 Linux. Wiedergänger-attacks abuse determinism in Linux ASLR implementation combined with the fact that (even with protection mechanisms such as relro and glibc's pointer mangling enabled) there exist easy-to-hijack, writable (function) pointers in application memory. To discover such pointers, we use taint analysis and backwards slicing at the binary level and calculate an over-approximation of vulnerable instruction sequences. To show the relevance of Wiedergänger, we exploit one of the discovered instruction sequences to perform an attack on Debian 10 (Buster) by overwriting structures used by the dynamic loader (dl) that are present in any application with glibc and the dynamic loader as dependency. In order to show generality, we solely focus on data structures dispatched at program shutdown, as this is a point that arguably all applications eventually have to reach. This results in a reliable compromise that effectively bypasses all protection mechanisms deployed on x86\_64/i386 Linux to date. We believe Wiedergänger to be part of an under-researched type of control flow hijacking attacks targeting internal control structures of the dynamic loader for which we propose to use the terminology Loader Oriented Programming (LOP).
2017-05-30
Horsch, Julian, Wessel, Sascha, Eckert, Claudia.  2016.  CoKey: Fast Token-based Cooperative Cryptography. Proceedings of the 32Nd Annual Conference on Computer Security Applications. :314–323.

Keys for symmetric cryptography are usually stored in RAM and therefore susceptible to various attacks, ranging from simple buffer overflows to leaks via cold boot, DMA or side channels. A common approach to mitigate such attacks is to move the keys to an external cryptographic token. For low-throughput applications like asymmetric signature generation, the performance of these tokens is sufficient. For symmetric, data-intensive use cases, like disk encryption on behalf of the host, the connecting interface to the token often is a serious bottleneck. In order to overcome this problem, we present CoKey, a novel concept for partially moving symmetric cryptography out of the host into a trusted detachable token. CoKey combines keys from both entities and securely encrypts initialization vectors on the token which are then used in the cryptographic operations on the host. This forces host and token to cooperate during the whole encryption and decryption process. Our concept strongly and efficiently binds encrypted data on the host to the specific token used for their encryption, while still allowing for fast operation. We implemented the concept using Linux hosts and the USB armory, a USB thumb drive sized ARM computer, as detachable crypto token. Our detailed performance evaluation shows that our prototype is easily fast enough even for data-intensive and performance-critical use cases like full disk encryption, thus effectively improving security for symmetric cryptography in a usable way.