-
POW-HOW: An enduring timing side-channel to evade online malware sandboxes
Authors:
Antonio Nappa,
Panagiotis Papadopoulos,
Matteo Varvello,
Daniel Aceituno Gomez,
Juan Tapiador,
Andrea Lanzi
Abstract:
Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information inthe reports pr…
▽ More
Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information inthe reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to detect.The most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a the native machine, such as specific memory patterns or behavioral traits of certain CPU instructions.
In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement the POW-HOW framework, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces existing malware detection rate by a factor of 10. Moreover, we show how bare-metal environments cannot scale with actual malware submissions rates for consumer services.
△ Less
Submitted 5 October, 2021; v1 submitted 7 September, 2021;
originally announced September 2021.
-
Deja-Vu: A Glimpse on Radioactive Soft-Error Consequences on Classical and Quantum Computations
Authors:
Antonio Nappa,
Christopher Hobbs,
Andrea Lanzi
Abstract:
What do Apple, the FBI and a Belgian politician have in common? In 2003, in Belgium there was an election using electronic voting machines. Mysteriously one candidate summed an excess of 4096 votes. An accurate analysis led to the official explanation that a spontaneous creation of a bit in position 13 of the memory of the computer attributed 4096 extra votes to one candidate. One of the most cred…
▽ More
What do Apple, the FBI and a Belgian politician have in common? In 2003, in Belgium there was an election using electronic voting machines. Mysteriously one candidate summed an excess of 4096 votes. An accurate analysis led to the official explanation that a spontaneous creation of a bit in position 13 of the memory of the computer attributed 4096 extra votes to one candidate. One of the most credited answers to this event is attributed to cosmic rays i.e.(gamma), which can filter through the atmosphere. There are cases though, with classical computers, like forensic investigations, or system recovery where such soft-errors may be helpful to gain root privileges and recover data. In this paper we show preliminary results of using radioactive sources as a mean to generate bit-flips and exploit classical electronic computation devices. We used low radioactive emissions generated by Cobalt and Cesium and obtained bit-flips which made the program under attack crash. We also provide the first overview of the consequences of SEUs in quantum computers which are today used in production for protein folding optimization, showing potential impactful consequences. To the best of our knowledge we are the first to leverage SEUs for exploitation purposes which could be of great impact on classical and quantum computers.
△ Less
Submitted 4 May, 2021;
originally announced May 2021.
-
ZKSENSE: A Friction-less Privacy-Preserving Human Attestation Mechanism for Mobile Devices
Authors:
Iñigo Querejeta-Azurmendi,
Panagiotis Papadopoulos,
Matteo Varvello,
Antonio Nappa,
Jiexin Zhang,
Benjamin Livshits
Abstract:
Recent studies show that 20.4% of the internet traffic originates from automated agents. To identify and block such ill-intentioned traffic, mechanisms that verify the humanness of the user are widely deployed, with CAPTCHAs being the most popular. Traditional CAPTCHAs require extra user effort (e.g., solving mathematical puzzles), which can severely downgrade the end-user's experience, especially…
▽ More
Recent studies show that 20.4% of the internet traffic originates from automated agents. To identify and block such ill-intentioned traffic, mechanisms that verify the humanness of the user are widely deployed, with CAPTCHAs being the most popular. Traditional CAPTCHAs require extra user effort (e.g., solving mathematical puzzles), which can severely downgrade the end-user's experience, especially on mobile, and provide sporadic humanness verification of questionable accuracy. More recent solutions like Google's reCAPTCHA v3, leverage user data, thus raising significant privacy concerns. To address these issues, we present zkSENSE: the first zero-knowledge proof-based humanness attestation system for mobile devices. zkSENSE moves the human attestation to the edge: onto the user's very own device, where humanness of the user is assessed in a privacy-preserving and seamless manner. zkSENSE achieves this by classifying motion sensor outputs of the mobile device, based on a model trained by using both publicly available sensor data and data collected from a small group of volunteers. To ensure the integrity of the process, the classification result is enclosed in a zero-knowledge proof of humanness that can be safely shared with a remote server. We implement zkSENSE as an Android service to demonstrate its effectiveness and practicality. In our evaluation, we show that zkSENSE successfully verifies the humanness of a user across a variety of attacking scenarios and demonstrates 92% accuracy. On a two years old Samsung S9, zkSENSE's attestation takes around 3 seconds (when visual CAPTCHAs need 9.8 seconds) and consumes a negligible amount of battery.
△ Less
Submitted 7 September, 2021; v1 submitted 18 November, 2019;
originally announced November 2019.
-
VPN0: A Privacy-Preserving Decentralized Virtual Private Network
Authors:
Matteo Varvello,
Iñigo Querejeta Azurmendi,
Antonio Nappa,
Panagiotis Papadopoulos,
Goncalo Pestana,
Ben Livshits
Abstract:
Distributed Virtual Private Networks (dVPNs) are new VPN solutions aiming to solve the trust-privacy concern of a VPN's central authority by leveraging a distributed architecture. In this paper, we first review the existing dVPN ecosystem and debate on its privacy requirements. Then, we present VPN0, a dVPN with strong privacy guarantees and minimal performance impact on its users. VPN0 guarantees…
▽ More
Distributed Virtual Private Networks (dVPNs) are new VPN solutions aiming to solve the trust-privacy concern of a VPN's central authority by leveraging a distributed architecture. In this paper, we first review the existing dVPN ecosystem and debate on its privacy requirements. Then, we present VPN0, a dVPN with strong privacy guarantees and minimal performance impact on its users. VPN0 guarantees that a dVPN node only carries traffic it has "whitelisted", without revealing its whitelist or knowing the traffic it tunnels. This is achieved via three main innovations. First, an attestation mechanism which leverages TLS to certify a user visit to a specific domain. Second, a zero knowledge proof to certify that some incoming traffic is authorized, e.g., falls in a node's whitelist, without disclosing the target domain. Third, a dynamic chain of VPN tunnels to both increase privacy and guarantee service continuation while traffic certification is in place. The paper demonstrates VPN0 functioning when integrated with several production systems, namely BitTorrent DHT and ProtonVPN.
△ Less
Submitted 30 September, 2019;
originally announced October 2019.