The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Reports and Papers Archive


Browse All Papers »       Submit A Paper »

Planning and Integrating Deception into Computer Security Defenses∗

CERIAS TR 2014-7
Mohammed H. Almeshekah and Eugene H. Spafford
Download: PDF

Deceptive techniques played a prominent role in many hu- man conflicts throughout history. Digital conflicts are no different as the use of deception has found its way to com- puting since at least the 1980s. However, many computer defenses that uses deception were ad-hoc attempts to incor- porate deceptive elements in them. In this paper, we present a model that can be used to plan and integrate deception in computer security defenses. We present an overview of why deception fundamentally works and what are the essen- tial principles in using such techniques. We investigate the unique advantages deception-based mechanisms bring to tra- ditional computer security defenses. Furthermore, we show how our model can be used to incorporate deception to many part of computer systems and discuss how we can use such techniques effectively. A successful deception should present plausible alternative(s) to the truth and these should be de- signed to exploit specific adversaries’ biases. We investigate these biases and discuss how can they be used by presenting a number of examples.

Added 2014-10-31

USACM and U.S. Legislation

Eugene H. Spafford

When confronted with an issue, someone with a computing background typically gathers data, applies a decision algorithm, and makes a definitive choice. We are, after all, dealing with ones and zeroes on a daily basis!

Real-life policy choices are not quite that simple, however, especially those with political aspects. A policy choice often includes considerations about consistency with past choices (and laws), philosophical positions about the role of government, economic consequences, reputation and image, timing, and other factors that seldom present a single, obvious choice. Furthermore, choices are compounded by political considerations (especially near election seasons), and by simple ignorance (for example, the late Sen. Ted Stevens’ description of the Internet as a “series of tubes”). The way these choices and priorities are mixed often result in outcomes that perplex—and possibly enrage—observers.

One recent example was the controversy over the Stop Online Piracy Act (SOPA) and its companion Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (the PROTECT IP Act, or PIPA). In late 2011, people throughout the U.S. (and elsewhere) grew concerned about these proposed laws, with particular attention focused on SOPA. They feared the legislative language would inappropriately allow authorities to shut down whole domains and penalize fair use of copyrighted materials, among other possible results. An online protest grew, eventually resulting in a massive online “blackout” on January 18, 2012.

ACM’s U.S. Public Policy Council (USACM) was involved in this issue well before the blackout. USACM’s mandate is to help policymakers understand the computing-related aspects of their activities. We are uniquely positioned for this task because ACM is a non-partisan, professional organization devoted to computing. USACM focuses on the technical issues of computing, while acknowledging there are often more factors involved in policy. Thus, our usual mode of operation is to provide education and background on issues, although we sometimes take an advocacy position.

It was clear that SOPA (and PIPA) could result in adverse effects for some Internet users—a point not lost on some legislators. However, they also believed other factors outweighed or mitigated these risks. Three of these were specifically presented to USACM during our discussions about this legislation:

There are millions of people in the U.S. whose jobs, directly or indirectly, depend on intellectual property protection and licensing. Pension funds and investors hold significant equity positions in companies that depend on intellectual property. New and existing companies (including many not in the entertainment industry) depend on intellectual property protections to compete in the international marketplace. As an international issue, the U.S. lacks legal jurisdiction where the most egregious violations originate. Some of the host nations have agendas that include the weakening or destruction of the U.S. economy, thus this activity is tolerated. Some governments have close ties to the criminal elements involved and will not take action. Others are resource-constrained and unable to mount investigations and prosecutions. Most legal systems depend on discretion. Everything from deciding whether someone should get a speeding ticket to capital murder cases depend on some amount of discretion and expenditure of resources. USACM did not address any of those concerns. Instead, we focused on the proposed legislation’s technical aspects. Members of USACM provided briefings to Congressional staff and others about the ramifications should the legislation be passed. We also submitted formal statements to legislators in both the House and the Senate, with particular emphasis on how the proposed legislation could damage the deployment of the DNS Security Extensions (DNSSEC). In mid-January, one senior staff member told us that our private meeting gave them the first true understanding of how DNS and DNSSEC worked, and thus why the legislation was problematic.

The combination of technical problems and political pressure were overwhelming; the bills were eventually withdrawn by their sponsors for further consideration. Some in the Internet community viewed this as a victory, but it will be fleeting: the underlying problems of intellectual property violations and fraud continue. Thus, we expect ongoing pressure for some legislative proposals.

The computing community must continue to be involved in the process to ensure that all such legislation is technically sound and consistent with our vision of computing. It involves being sensitive to the nuances and factors that influence policy beyond simply our own narrow interests, and continuing to provide expert technical advice. It may be confusing, but it is not impossible.

Added 2014-10-30

Improved kernel security through memory layout randomization

Spafford, E.H.; Stanley D.M.; Xu, Dongyan

The vast majority of hosts on the Internet, including mobile clients, are running on one of three major operating system families. Malicious operating system kernel software, such as the code introduced by a kernel rootkit, is strongly dependent on the organization of the victim operating system. Due to the lack of diversity of operating systems, attackers can craft a single kernel exploit that has the potential to infect millions of hosts. If the underlying structure of vulnerable operating system components has been changed, in an unpredictable manner, then attackers must create many unique variations of their exploit to attack vulnerable systems en masse. If enough variants of the vulnerable software exist, then mass exploitation is much more difficult to achieve. Many forms of automatic software diversification have been explored and found to be useful for preventing malware infection. Forrest et. al. make a strong case for software diversity and describe a few possible techniques including: adding or removing nonfunctional code, reordering code, and reordering memory layouts. Our techniques build on the latter. We describe two different ways to mutate an operating system kernel using memory layout randomization to resist kernel-based attacks. We introduce a new method for randomizing the stack layout of function arguments. Additionally, we refine a previous technique for record layout randomization by introducing a static analysis technique for determining the randomizability of a record. We developed prototypes of our techniques using the plugin architecture offered by GCC. To test the security benefits our techniques, we randomized multiple Linux kernels using our compiler plugins. We attacked the randomized kernels using multiple kernel rootkits. We show that by strategically selecting just a few components for randomization, our techniques prevent kernel rootkit infection.

Added 2014-10-30

International Workshop on Web Intelligence for Information Security (WIIS 2011)

Raskin, Victor; Spafford, Eugene H.; Taylor, Julia M.

WIIS 2011 Workshop Statement: This workshop brings together researchers with interests in applying pertinent areas of natural-language-related web intelligence to new and existing issues in information assurance and security. Information assurance and security topics range from web security per se, with its trust, deception detection, and credibility concerns (as applied to text)—to counterintelligence, preemptive cyber attack detection, and disinformation as part of “cyber warfare.” The workshop goal is to bring together researchers and practitioners in the two areas, thus creating a multidisciplinary atmosphere and providing a new and exciting testing ground for web intelligence, while contributing at the same time to the scientific foundation of cyber security.

Added 2014-10-30

Intrusion Response Systems: A Survey

Foo, B; Glause, M; Howard, G; Wu, YS; Bagchi, S; Spafford, E
Added 2014-10-30

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Xu, Dongyan ; Spafford, Eugene H. ; Jiang, Xuxian

Process Coloring is an information-preserving, provenance-aware software system for computer malware detection and investigation. By tainting each application process with a distinct color and propagating the color to other processes or system objects along with system call operations, Process Coloring preserves the “provenance” of malware attacks (namely, “Through which process did a malware program infiltrate the system?”). Process Coloring enables three useful malware defense capabilities: (1) color-based malware detection, (2) color-based malware break-in point identification, and (3) color-based log partitioning. Implemented on top of a virtualization platform, Process Coloring achieves strong tamper-resistance as the logs generated by the protected (virtual) machine are stored and processed outside the machine under attack. Finally, Process Coloring can be integrated with techniques that track information flows inside a program. The resultant integrated system achieves better malware detection accuracy by eliminating false positive alerts, especially for client-side environments. This report gives an overview of the Process Coloring project and presents the design, implementation, and evaluation highlights in the research effort.

Added 2014-10-30

Understanding Risk and Risk-Taking Behavior in Virtual Worlds

Fariborz Farahmand and Eugene H. Spafford

Virtual worlds have seen tremendous growth in recent years. However, security and privacy risks are major considerations in different forms of commerce and exchange in virtual worlds. The studies of behavioral economics and lessons from markets provide fertile ground in the employment of virtual worlds to demonstrate study and examine behaviors. In this chapter, we address user and organizational concerns about security and privacy risks by exploring the relationships among risk, perception of risk, and economic behavior in virtual worlds. To make their interaction more effective, we recommend organizations to understand perceptions of risk in virtual worlds and then implement policies and procedures to enhance trust and reduce risk. Such understanding depends in turn on the multidisciplinary nature of cyber security economics and online behavior

Added 2014-10-30

Understanding insiders: An analysis of risk-taking behavior

Fariborz Farahmand, Eugene H. Spafford

There is considerable research being conducted on insider threats directed to developing new technologies. At the same time, existing technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues related to how insiders actually behave are critical to ensuring that the best technologies are meeting their intended purpose. In our research, we have investigated accepted models of perceptions of risk and characteristics unique to insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also investigated decision theories, leading to a conclusion that prospect theory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. Our results indicate that there is an inverse relationship between perceived risk and benefit by insiders and that their behavior cannot be explained well by the models that are based on the traditional methods of engineering risk analysis and expected utility. We discuss the results of validating that model with forty-two senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insiders’ perceptions of risk and benefit, their risk-taking behavior and how to frame insider decisions. Finally, we recommend understanding risk of detection and creating a fair working environment to reduce the likelihood of committing criminal acts by insiders.

Added 2014-10-30

Privacy and Security: Answering the wrong questions is no answer

Eugene H. Spafford

Asking the wrong questions when building and deploying systems results in systems that cannot be sufficiently protected against the threats they face.

Added 2014-10-29

Remembrances of things pest

Eugene H. Spafford

Recalling malware milestones.

Added 2014-10-29

Cyber Security: Assessing Our Vulnerabilities and Developing an Effective Defense

Eugene H. Spafford

The number and sophistication of cyberattacks continues to increase, but no national policy is in place to confront them. Critical systems need to be built on secure foundations, rather than the cheapest general-purpose platform. A program that combines education in cyber security, increasing resources for law enforcement, development of reliable systems for critical applications, and expanding research support in multiple areas of security and reliability is essential to combat risks that are far beyond the nuisances of spam email and viruses, and involve widespread espionage, theft, and attacks on essential services.

Added 2014-10-29

Insider Behavior:

Fariborz Farahmand & Eugene H. Spafford

There is considerable research being conducted on insider threats is directed to developing new technologies. At the same time, ex- isting technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues re- lated to how insiders actually behave are critical to ensuring that the best technologies are meeting their intended purpose. In our research, we have investigated accepted models of perceptions of risk and charac- teristics unique to insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also in- vestigated decision theories, leading to a conclusion that Prospect The- ory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. We discuss the results of validating that model with thirty-five senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insid- ers’ perceptions of risk and benefit, their risk-taking behavior and how to frame insider decisions.

Added 2014-10-29

Back Channels Can Be Useful!- Layering Authentication Channels to Provide Covert Communication

Mohammed H. Almeshekah, Mikhail J. Atallah, Eugene H. Spafford

This paper argues the need for providing a covert back-channel communication mechanism in authentication protocols, discusses various practical uses for such a channel, and desirable features for its design and deployment. Such a mechanism would leverage the current authentication channel to carry out the covert communication rather than introducing a separate one. The communication would need to be oblivious to an adversary observing it, possibly as a man-in-the-middle. We discuss the properties that such channels would need to have for the various scenarios in which they would be used. Also, we show their potential for mitigating the effects of a number of security breaches currently occurring in these scenarios.

Added 2014-10-29

Processing Coloring: An Information Flow-Preserving Approach to Malware Investigation

Xu, Dongyan ; Spafford, Eugene H. ; Jiang, Xuxian

Process Coloring is an information-preserving, provenance-aware software system for computer malware detection and investigation. By tainting each application process with a distinct color and propagating the color to other processes or system objects along with system call operations, Process Coloring preserves the “provenance” of malware attacks (namely, “Through which process did a malware program infiltrate the system?”). Process Coloring enables three useful malware defense capabilities: (1) color-based malware detection, (2) color-based malware break-in point identification, and (3) color-based log partitioning. Implemented on top of a virtualization platform, Process Coloring achieves strong tamper-resistance as the logs generated by the protected (virtual) machine are stored and processed outside the machine under attack. Finally, Process Coloring can be integrated with techniques that track information flows inside a program. The resultant integrated system achieves better malware detection accuracy by eliminating false positive alerts, especially for client-side environments. This report gives an overview of the Process Coloring project and presents the design, implementation, and evaluation highlights in the research effort.

Added 2014-10-29

Risk-Aware Virtual Resource Management for Access Control-Based Cloud Datacenters

CERIAS TR 2014-6
Abdulrahman Almutairi, Arif Ghafoor
Download: PDF

Multitenancy and virtualization features of cloud computing enhance resource utilization and lower the cloud provider total cost of hosting customers data for big data applications. However, the cloud computing has many security challenges that are exacerbated by virtual resource sharing. In particular, sharing of resources among potentially untrusted tenants can result in an increased risk of information leakage due to vulnerability of virtual resources causing side channel attacks or VM escape. For the big data applications, an access control policy such as RBAC can be used to control the data sharing among cloud customers. However, an unintelligent cloud resources management mechanism can significantly increase the risk of data leakage among roles. The goal of this paper is to develop efficient risk-aware virtual resource assignment mechanisms for Cloud’s multitenant environment. The objective is to minimize of risk of information leakage due to Cloud virtual resources vulnerability. Such an assignment problem is shown to be NP-Complete. We present several scheduling heuristics including a scalable solution and compare their relative performance.

Added 2014-07-31