Stamp's Master's Students' Defenses: Spring 2010

Who                           When             Where    Title
Gauri Gokhale                 4/19 @ 1:00pm    MH 229   WiSeNetor: A Scalable Wireless Sensor Network Simulator
Da Lin                        4/29 @ 10:00am   MH 229   Hunting for Undetectable Metamorphic Viruses
Thien Tran                    5/12 @ 10:00am   MH 229   Document Builder
Jianrui Zhang                 5/12 @ 1:00pm    MH 229   Improved Software Activation Using Multithreading
Dhivyakrishnan Radhakrishnan  5/14 @ noon      MH 225   Approximate Disassembly
Sujandharan Venkatachalam     5/14 @ 1:00pm    MH 422   Detecting Undetectable Computer Viruses
Deepika Mulani                5/17 @ 10:00am   MH 229   How Smart is Your Smartphone?
Ronak Shah                    5/19 @ 2:00pm    MH 422   Metamorphic Viruses with Built-In Buffer Overflow
Varian Luong                  5/19 @ 4:00pm    MH 229   Intrusion Detection and Prevention System: SQL-Injection
Eilbroun Benjamin             TBD              TBD      UNDO: A System for Neutralizing Nuisance Attacks


WiSeNetor: A Scalable Wireless Sensor Network Simulator

by Gauri Gokhale

WiSeNetor is a teaching and a research tool that simulates a scalable wireless sensor network on a single computer. Routing protocols and network discovery algorithms used in mesh networks and cluster tree networks can be demonstrated using this tool. Our simulator is based on the previously developed "Spamulator", which simulates some aspects of the Internet on a single computer.

WiSeNetor contains a network creation module, simulated network devices and it simulates routing algorithms. The network creation module spawns a network according to user specified network type. In this process, neighbor tables are populated and the underlying network module of the Spamulator is initiated.

Each simulated network device has an associated server program and a client program to process incoming requests and forward them to appropriate neighboring nodes, respectively. Network devices also log all of the service messages in individual log files that can be used to trace the routing or network discovery process.

WiSeNetor has achieved scalability up to 15,000 nodes. Message latency and the average number of hops during simulation testing were comparable to previous findings, which serves to validate the WiSeNetor.


Hunting for Undetectable Metamorphic Viruses

by Da Lin

Commercial anti-virus scanners are generally signature based, that is, they scan for known patterns to determine whether a file is infected by a virus or not. To evade signature-based detection, virus writers have adopted code obfuscation techniques to create highly metamorphic computer viruses. Since metamorphic viruses change their appearance from generation to generation, signature-based scanners cannot detect all instances of such viruses.

To combat metamorphic viruses, detection tools based on statistical analysis have been studied. A tool based on hidden Markov models (HMMs) was previously developed and the results are encouraging—it has been shown that metamorphic viruses created by a well-designed metamorphic engine can be detected using an HMM.

In this project, we explore whether there are any exploitable weaknesses in this HMM-based detection approach. We create a highly metamorphic virus generating tool designed specifically to evade HMM-based detection. We then test our engine, showing that we can generate viral copies that cannot be detected using previously-developed HMM-based detection techniques. Finally, we consider possible defenses against our approach.


Document Builder

by Thien Tran

In this paper, we consider problems related to on-demand content publishing and maintenance. Specifically, we are concerned with the recent concept of structural Content Management Systems (CMS) and its design principles. We focus on Apache Ant, a popular document generator tool for the Java development industry. However, Ant has not been widely extended beyond its capacity to deal with computer programs, which limits its utility.

We analyze the Ant build script structure, study its usage, and implement an on-demand document generator for Ant. The focus is to provide a better document build model based on Ant, which can provide document workflows and templates enabling people to work together more efficiently.


Improved Software Activation Using Multithreading

by Jianrui Zhang

Software activation is an anti-piracy technology designed to verify that software products have been legitimately licensed. Activation is supposed to be quick and simple while simultaneously protecting customer privacy. The most common form of software activation is via the entering of legitimate product serial numbers by users, which sometimes are also known as product keys. This technique is employed by various software, from small shareware programs to large commercial programs such as Microsoft Office. However, software activation based on serial numbers appears to be weak, as cracks for a majority of programs are readily available on the Internet. Users can employ such cracks to bypass the software activation.

Generally, the verification logic for checking a serial number executes sequentially in a single thread. Such an approach is weak because attackers can effectively trace this thread from beginning to end to understand how the verification logic works. In this paper, we develop a practical multi-threaded verification design. We break down the checking logic into smaller pieces and run each piece within a separate thread. Our results show that the amount of traceable code in a debugger is reduced to a low percentage of the code, especially when junk threads with deadlocks are used, and the traceable code in each run can differ as well. This makes it more difficult for an attacker to reverse engineer the code and bypass any security check. Finally, we attempt to quantify the increased effort necessary to break our verification logic.


Approximate Disassembly

by Dhivyakrishnan Radhakrishnan

Among the various types of malware, metamorphic viruses are one of the most difficult to detect. Metamorphic viruses change their internal structures with each mutation, making signature-based detection infeasible. Many virus construction kits are readily available and these kits can be used to generate metamorphic strains of any given virus.

Previous work has shown that metamorphic viruses are detectable using hidden Markov models (HMMs). In such an HMM-based approach, assembly instruction opcodes are observed and a model is trained which can then be used to determine whether a given executable file belongs to a particular virus family or not. The required opcodes are obtained by disassembling binary executable files. However, the disassembly process is time-consuming, making HMM-based detection impractical.

In this project, we develop and demonstrate a technique to derive an approximate opcode sequence directly from an executable file. We show that, in general, our approach reduces the time required as compared to a standard disassembler. Finally, we test our approximate disassembly to show that it is sufficiently accurate for HMM-based detection of metamorphic viruses.


UNDO: A System for Neutralizing Nuisance Attacks

by Eilbroun Benjamin

This paper considers the problem of digital data integrity protection, which is defined as preventing unauthorized writing of data. Numerous examples of successful attacks against seemingly secure systems are examined to support the assertion that, at least in some circumstances, the integrity of digital data is difficult to preserve.

We then consider an approach to securing data that is focused on nuisance-type attacks, which we define as an attempt to obscure shared non-sensitive data by limited-experience attackers. A trusted third party is employed to monitor the system and automatically detect and abate unauthorized changes to data. Our approach includes a set of metrics that allow an administrator to measure the performance of the system and appropriately configure it. This enables an administrator to optimize system efficiency, ideally to the point where nuisance attacks on data integrity are nullified.


How Smart is Your Smartphone?

by Deepika Mulani

Smart phones are ubiquitous today. These phones generally have access to sensitive personal information and, consequently, they are a prime target for attackers. A virus or worm that spreads over the network to cell phone users could be particularly damaging.

Due to a rising demand for secure mobile phones, manufacturers have increased their emphasis on mobile security. In this project, we address some security issues relevant to the current Android smartphone framework. Specifically, we demonstrate an exploit that targets the Android telephony service. In addition, as a defense against the loss of personal information, we provide a means to encrypt data stored on the external media card. While smartphones remain vulnerable to a variety of security threats, this encryption provides an additional level of security.


Metamorphic Viruses with Built-In Buffer Overflow

by Ronak Shah

Metamorphic computer viruses change their structure—and thereby their signature—each time they infect a system. Metamorphic viruses are potentially one of the most dangerous types of computer viruses because they are difficult to detect using signature-based detection. Most anti-virus software today is based on signature detection.

In this project, we create and analyze a metamorphic virus toolkit which creates viruses with a built-in buffer overflow. The buffer overflow serves to obfuscate the entry point of the actual virus, thereby making detection more challenging. We show that the resulting viruses successfully evade detection by commercial virus scanners.

Several modern operating systems (e.g., Windows Vista and Windows 7) employ address space layout randomization (ASLR), which is designed to prevent most buffer overflow attacks. We show that our proposed buffer overflow technique succeeds, even in the presence of ASLR. Finally, we consider defenses against our proposed technique.


Detecting Undetectable Computer Viruses

by Sujandharan Venkatachalam

Signature-based detection relies on patterns present in viruses and provides a relatively simple and efficient method for detecting known viruses. At present, most anti-virus systems rely primarily on signature detection.

Metamorphic viruses are one of the most difficult types of viruses to detect. Such viruses change their internal structure, which provides an effective means of evading signature detection. Previous work has provided a rigorous proof that a fairly simple metamorphic engine can generate viruses that will evade any signature-based detection.

In this project, we first implement a metamorphic engine that is provably undetectable—in the sense of signature-based detection. We then show that, as expected, the resulting viruses are not detected by popular commercial anti-virus scanners. Finally, we analyze the same set of viruses using a previously developed approach based on hidden Markov models (HMM). This HMM-based technique easily detects the viruses.
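The HMM step that the Lin, Radhakrishnan and Venkatachalam abstracts all build on, as an added worked example rather than code from any of the theses: the opcodes of a virus family train a hidden Markov model with Baum-Welch, the forward algorithm scores a file, and a threshold on the log-likelihood per opcode separates family members from benign code. The opcode alphabet, the two weighted opcode distributions used to construct the sample sequences, and the two-state model size are assumptions made for this demonstration.

```python
"""HMM scoring of opcode sequences for metamorphic-virus family detection.
Added example (not thesis code). The opcode sequences are constructed from
two weighted distributions; real work would take them from disassembled
(or approximately disassembled) binaries.
"""
import math
import random

# Opcodes outside this alphabet fold into OTHER so that an unseen mnemonic
# cannot zero out the forward probabilities.
ALPHABET = ["mov", "push", "pop", "call", "nop", "jmp",
            "add", "sub", "cmp", "jne", "lea", "OTHER"]


def make_opcodes(mix, length, seed):
    """Constructed sample data: draw opcodes from a weighted distribution."""
    rng = random.Random(seed)
    return rng.choices(list(mix), weights=list(mix.values()), k=length)

# Hypothetical family profile (stack shuffling plus junk nops) and a
# hypothetical benign profile with a different opcode distribution.
FAMILY_MIX = {"mov": .3, "push": .2, "pop": .2, "call": .1, "nop": .1, "jmp": .1}
BENIGN_MIX = {"add": .3, "sub": .2, "cmp": .2, "jne": .15, "lea": .1, "xor": .05}
FAMILY_TRAIN = make_opcodes(FAMILY_MIX, 600, seed=1)  # concatenated family members
FAMILY_TEST = make_opcodes(FAMILY_MIX, 200, seed=2)   # an unseen morph
BENIGN_TEST = make_opcodes(BENIGN_MIX, 200, seed=3)


class OpcodeHMM:
    """Discrete HMM with scaled forward-backward so long files do not underflow."""

    def __init__(self, n_states, alphabet, seed=0):
        rng = random.Random(seed)
        self.N, self.alphabet = n_states, list(alphabet)
        self.M = len(self.alphabet)
        self.index = {s: i for i, s in enumerate(self.alphabet)}
        # Near-uniform (not exactly uniform) start so Baum-Welch can move.
        self.pi = self._row(rng, self.N)
        self.A = [self._row(rng, self.N) for _ in range(self.N)]
        self.B = [self._row(rng, self.M) for _ in range(self.N)]

    @staticmethod
    def _row(rng, n):
        raw = [1.0 + rng.uniform(-0.05, 0.05) for _ in range(n)]
        return [x / sum(raw) for x in raw]

    def _encode(self, opcodes):
        other = self.index["OTHER"]
        return [self.index.get(op, other) for op in opcodes]

    def _forward(self, obs):
        """Scaled forward pass; c[t] are scale factors with prod(c) = 1/P(O)."""
        N, T = self.N, len(obs)
        alpha, c = [[0.0] * N for _ in range(T)], [0.0] * T
        alpha[0] = [self.pi[i] * self.B[i][obs[0]] for i in range(N)]
        c[0] = 1.0 / sum(alpha[0])
        alpha[0] = [a * c[0] for a in alpha[0]]
        for t in range(1, T):
            alpha[t] = [self.B[i][obs[t]] * sum(alpha[t - 1][j] * self.A[j][i]
                                                for j in range(N)) for i in range(N)]
            c[t] = 1.0 / sum(alpha[t])
            alpha[t] = [a * c[t] for a in alpha[t]]
        return alpha, c

    def _backward(self, obs, c):
        N, T = self.N, len(obs)
        beta = [[0.0] * N for _ in range(T)]
        beta[T - 1] = [c[T - 1]] * N
        for t in range(T - 2, -1, -1):
            beta[t] = [c[t] * sum(self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                                  for j in range(N)) for i in range(N)]
        return beta

    def train(self, opcodes, iterations=25, floor=1e-3):
        """Baum-Welch re-estimation on one concatenated training sequence."""
        obs = self._encode(opcodes)
        N, M, T = self.N, self.M, len(obs)
        for _ in range(iterations):
            alpha, c = self._forward(obs)
            beta = self._backward(obs, c)
            # With scaled alpha/beta the division by P(O) is already built in.
            digamma = [[[alpha[t][i] * self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                         for j in range(N)] for i in range(N)] for t in range(T - 1)]
            gamma = [[sum(digamma[t][i]) for i in range(N)] for t in range(T - 1)]
            gamma.append(list(alpha[T - 1]))
            self.pi = list(gamma[0])
            for i in range(N):
                trans = sum(gamma[t][i] for t in range(T - 1))
                self.A[i] = [sum(digamma[t][i][j] for t in range(T - 1)) / trans
                             for j in range(N)]
                counts = [floor] * M  # additive floor keeps unseen opcodes > 0
                for t in range(T):
                    counts[obs[t]] += gamma[t][i]
                self.B[i] = [x / (trans + gamma[T - 1][i] + floor * M) for x in counts]
        return self

    def score(self, opcodes):
        """Log-likelihood per opcode: log P(O | model) / T."""
        obs = self._encode(opcodes)
        _, c = self._forward(obs)
        return -sum(math.log(x) for x in c) / len(obs)


def build_family_model():
    return OpcodeHMM(n_states=2, alphabet=ALPHABET).train(FAMILY_TRAIN)


def classify(model, opcodes, threshold):
    """Family member if the per-opcode log-likelihood clears the threshold."""
    return model.score(opcodes) >= threshold
```

The threshold is chosen from scores of held-out family and benign samples, and the separation in this demonstration is large only because the constructed benign profile shares no opcodes with the family; on real binaries the gap, and therefore the false-positive rate, depends on how cleanly the opcode sequence was recovered, which is exactly where an approximate disassembler has to be accurate enough.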




Intrusion Detection and Prevention System: SQL-Injection

by Varian Luong

Personally identifiable information (PII) is information regarding things such as bank accounts, retirement or stock investment accounts, or credit card accounts. There is a need to protect the PII in databases that are connected to the ubiquitous, global network that is the Internet. If there is any vulnerability in the protection in a system that holds PII, then it presents an opportunity for an unauthorized person to access this PII.

One of the techniques available to would-be information thieves is SQL injection (SQL-I). In this project, a system is developed to analyze the values submitted by users through HTML forms and look for possible attack patterns. Once the system finds such a pattern, it blocks the attack and makes a record of the activity. If an attacker continues to pass such attack patterns, the system blocks access by this user altogether. We also include a mechanism to block users who attempt to log in at an abnormally high rate. This provides a combination of pattern-based detection and anomaly-based detection to create a reasonably robust intrusion detection system, with respect to SQL-I attacks.
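The detection and blocking logic the abstract describes, as an added example that is not the thesis's code, run over constructed form submissions: a pattern hit blocks the request and logs it, repeated hits block the client, and an abnormal login rate blocks the client as well. It also places the string-concatenated query next to its parameterized form, because the screen is a compensating control and the query fix is what actually removes the injection. The client addresses, the strike and rate limits, the signature list and the in-memory users table are assumptions made for the demonstration.

```python
"""Form-value screening for SQL-injection patterns with repeat-offender
blocking and login rate limiting. Added example, not thesis code; the
sample submissions, thresholds and table below are constructed.
"""
import re
import sqlite3
from collections import defaultdict, deque

# Pattern-based detection: fragments that rarely occur in legitimate input.
SQLI_PATTERNS = [
    re.compile(r"""['"]\s*(or|and)\s+['"\w]+\s*=\s*['"\w]+""", re.I),  # ' OR '1'='1
    re.compile(r";\s*(drop|delete|insert|update|alter)\b", re.I),     # stacked query
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),                # UNION SELECT
    re.compile(r"--|/\*"),                                             # comment truncation
    re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I),             # time-based probes
]


class SqlInjectionGuard:
    """Blocks a request on a pattern hit, blocks the client after repeated hits
    (pattern-based) or after too many logins per window (anomaly-based)."""

    def __init__(self, max_strikes=3, login_limit=5, window_seconds=60):
        self.max_strikes = max_strikes
        self.login_limit = login_limit
        self.window = window_seconds
        self.strikes = defaultdict(int)
        self.logins = defaultdict(deque)
        self.blocked = set()
        self.events = []  # (time, client, field, pattern) audit records

    def check_form(self, client, fields, now):
        """Return 'allow', 'block-request' or 'block-client' for one submission."""
        if client in self.blocked:
            return "block-client"
        for field, value in fields.items():
            hit = next((p for p in SQLI_PATTERNS if p.search(value)), None)
            if hit is None:
                continue
            self.strikes[client] += 1
            self.events.append((now, client, field, hit.pattern))
            if self.strikes[client] >= self.max_strikes:
                self.blocked.add(client)
                return "block-client"
            return "block-request"
        return "allow"

    def check_login_rate(self, client, now):
        """Anomaly rule: more than login_limit attempts inside the sliding window."""
        if client in self.blocked:
            return "block-client"
        attempts = self.logins[client]
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()
        if len(attempts) > self.login_limit:
            self.blocked.add(client)
            return "block-client"
        return "allow"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "s3cret")])
    return conn


def lookup_vulnerable(conn, name):
    # The code the guard is protecting: concatenation lets the payload
    # rewrite the WHERE clause and return every row.
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()


def lookup_parameterized(conn, name):
    # The real fix: the driver binds the value, so it can never become SQL.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


# Constructed submissions: (seconds, client address, form fields).
SUBMISSIONS = [
    (0, "10.0.0.5", {"user": "alice", "pass": "hunter2"}),
    (1, "10.0.0.9", {"user": "admin' OR '1'='1", "pass": "x"}),
    (2, "10.0.0.9", {"user": "bob", "pass": "x'; DROP TABLE users--"}),
    (3, "10.0.0.9", {"user": "1 UNION SELECT pw FROM users", "pass": "x"}),
    (4, "10.0.0.9", {"user": "alice", "pass": "hunter2"}),  # client already blocked
    (5, "10.0.0.5", {"user": "o'brien", "pass": "pw"}),     # lone apostrophe is not a hit
]


def run_demo():
    guard = SqlInjectionGuard()
    form_verdicts = [guard.check_form(c, f, t) for t, c, f in SUBMISSIONS]
    login_verdicts = [guard.check_login_rate("10.0.0.7", t) for t in range(6)]
    conn = make_db()
    payload = "admin' OR '1'='1"
    return (form_verdicts, login_verdicts,
            lookup_vulnerable(conn, payload), lookup_parameterized(conn, payload))
```

The signature list is deliberately narrow so that a name like o'brien passes, but `--` in free text will still be flagged and an attacker can split keywords with comments or encode them, so the screen should be tuned against real traffic and treated as defense in depth behind parameterized queries, not as a substitute for them.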