Conference Schedule

Wednesday, July 17th
19:30 Welcome Drinks / BBQ
and Registration

Thursday, July 18th
08:30 Registration
09:15 Opening Remarks
09:30 Keynote:
Malevolution: The Evolution of Evasive Malware
Giovanni Vigna (UC Santa Barbara and Lastline, Inc.)
Abstract: In recent years, malware has evolved by introducing novel techniques to foil analysis and identification. For example, cybercriminals routinely tweak their malicious web content to create new and more effective variants (for example, by incorporating exploits targeting newly-discovered vulnerabilities) or to evade commonly-used defensive tools. In addition, the programs that persist on infected machines are increasingly more stealthy and environment-aware. In this presentation, we present research on characterizing, tracking, and analyzing the evolution of evasive malware (both in binary form and as web content). We highlight possible approaches for the automated detection of evasions, and we describe our experience in observing evasive malware in a number of real-world deployments.
Biography: Giovanni Vigna is a Professor in the Department of Computer Science at the University of California in Santa Barbara and the CTO of Lastline, Inc. His current research interests include malware analysis, web security, vulnerability assessment, and intrusion detection. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy (S&P 2011). He is known for organizing and running the world's largest inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world.
10:30 Coffee
11:00 Session: Malware - Session Chair: Michael Meier
Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting
A. Nappa, M. Rafique, J. Caballero
Abstract: Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem many exploit servers run the same exploit kit and it is a challenge understanding whether the exploit server is part of a larger operation. In this paper we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 hours, long-lived operations exist that operate for several months. To sustain long-lived operations miscreants are turning to the cloud, with 60% of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. To understand how difficult it is to take down exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of the report. We find that 61% of the reports are not even acknowledged. On average an exploit server still lives for 4.3 days after a report.
ProVeX: Detecting Botnets with Encrypted Command and Control Channels
C. Rossow, C. Dietrich
Abstract: Botmasters increasingly encrypt command-and-control (C&C) communication to evade existing intrusion detection systems. Our detailed C&C traffic analysis shows that at least ten prevalent malware families avoid well-known C&C carrier protocols, such as IRC and HTTP. Six of these families - e.g., Zeus P2P, Pramro, Virut, and Sality - do not exhibit any characteristic n-gram that could serve as payload-based signature in an IDS. Given knowledge of the C&C encryption algorithms, we detect these evasive C&C protocols by decrypting any packet captured on the network. In order to test if the decryption results in messages that stem from malware, we propose PROVEX, a system that automatically derives probabilistic vectorized signatures. PROVEX learns characteristic values for fields in the C&C protocol by evaluating byte probabilities in C&C input traces used for training. This way, we identify the syntax of C&C messages without the need to manually specify C&C protocol semantics, purely based on network traffic. Our evaluation shows that PROVEX can detect all studied malware families, most of which are not detectable with traditional means. Despite its naive approach to decrypt all traffic, we show that PROVEX scales up to multiple Gbit/s line speed networks.
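The abstract above describes signatures learned from per-field byte probabilities rather than from fixed n-grams. The following C program is an added illustration of that idea and is not the PROVEX code or model: the message layout (4-byte constant header, 1-byte command, 3 bytes of variable payload), the training traces, the test messages, the additive smoothing constant and the 0.1 threshold are all constructed for the demo, and the scorer uses a mean of per-offset probabilities instead of a log-likelihood so that it needs no libm.

```c
/* Added example: per-offset byte-probability signature in the spirit of the
 * PROVEX abstract. Not the authors' code; all data here is constructed. */
#include <stddef.h>
#include <stdio.h>

#define MSG_LEN 8
#define NSYM 256
#define NTRAIN 4
#define ALPHA 0.01   /* additive smoothing: unseen bytes are rare, not impossible */

/* Constructed "decrypted C&C" training traces (assumption, not from the paper):
 * offsets 0-3 constant header, offset 4 command from a small set, 5-7 payload. */
static const unsigned char train_msgs[NTRAIN][MSG_LEN] = {
    { 0xC2, 0x01, 0x00, 0x00, 0x10, 0x4a, 0x61, 0x7e },
    { 0xC2, 0x01, 0x00, 0x00, 0x11, 0x00, 0x22, 0xff },
    { 0xC2, 0x01, 0x00, 0x00, 0x10, 0xd3, 0x9c, 0x01 },
    { 0xC2, 0x01, 0x00, 0x00, 0x12, 0x55, 0x55, 0x55 },
};

/* prob[off][b] = P(byte b at offset off), estimated from the training traces.
 * This table is the "vectorized signature": one distribution per position. */
static double prob[MSG_LEN][NSYM];

void provex_train(void) {
    for (size_t off = 0; off < MSG_LEN; off++) {
        unsigned count[NSYM] = {0};
        for (size_t i = 0; i < NTRAIN; i++) count[train_msgs[i][off]]++;
        for (int b = 0; b < NSYM; b++)
            prob[off][b] = (count[b] + ALPHA) / (NTRAIN + ALPHA * NSYM);
    }
}

/* Mean per-offset probability of a message under the signature. Constant
 * header and command bytes dominate the score; variable payload bytes
 * contribute almost nothing whether or not the message is C&C. A production
 * scorer would sum log-probabilities; the mean keeps the demo free of libm. */
double provex_score(const unsigned char *msg) {
    double s = 0;
    for (size_t off = 0; off < MSG_LEN; off++) s += prob[off][msg[off]];
    return s / MSG_LEN;
}

int provex_matches(const unsigned char *msg, double threshold) {
    return provex_score(msg) > threshold;
}

/* Constructed test inputs: a C&C message whose payload bytes never occurred in
 * training, and the first 8 bytes of a plain HTTP request. */
const unsigned char sample_cc[MSG_LEN]   = { 0xC2, 0x01, 0x00, 0x00, 0x10, 0x99, 0x88, 0x77 };
const unsigned char sample_http[MSG_LEN] = { 'G', 'E', 'T', ' ', '/', ' ', 'H', 'T' };

int main(void) {
    provex_train();
    printf("cc   score=%.3f match=%d\n", provex_score(sample_cc),   provex_matches(sample_cc, 0.1));
    printf("http score=%.3f match=%d\n", provex_score(sample_http), provex_matches(sample_http, 0.1));
    return 0;
}
```

With these traces the C&C sample scores about 0.34 (header and command bytes match; payload bytes are unseen) and the HTTP bytes score about 0.0015 (nothing matches), so a threshold of 0.1 separates them. The point of the smoothing is that a message with a never-seen payload byte is still recognised by its fixed fields rather than rejected outright.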
Exploring Discriminatory Features for Automated Malware Classification
G. Yan, N. Brown, D. Kong
Abstract: The ever-growing malware threat in the cyber space calls for techniques that are more effective than widely deployed signature-based detection systems and more scalable than manual reverse engineering by forensic experts. To counter large volumes of malware variants, machine learning techniques have been applied recently for automated malware classification. Despite the successes made from these efforts, we still lack a basic understanding of some key issues, such as what features we should use and which classifiers perform well on malware data. Against this backdrop, the goal of this work is to explore discriminatory features for automated malware classification. We conduct a systematic study on the discriminative power of various types of features extracted from malware programs, and experiment with different combinations of feature selection algorithms and classifiers. Our results not only offer insights into what features most distinguish malware families, but also shed light on how to develop scalable techniques for automated malware classification in practice.
12:30 Lunch
14:00 Invited talk: Defense Research against Nation-State Actors
Felix 'FX' Lindner (Recurity Labs)
Abstract: The increased interest of nation-state actors in offensive strategies for espionage and military expands the threat landscape into a previously underrated dimension. This talk will explore the difference between the relatively well researched cybercrime actors and the new players, look at examples of successful operations and why our currently deployed defenses are no match for them. Also, a few suggestions for mid-term research to counter this global development will be given.
Biography: Felix 'FX' Lindner is the founder as well as the technical and research lead of Recurity Labs GmbH, a high-end security consulting and research team, specializing in code analysis and design of secure systems and protocols. Well known within the computer security community, he has presented his research for over a decade at conferences worldwide. Felix holds a title as German State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional, is specialized in digital attack technologies, but recently changed the direction of his research to defense, since the latter seems to be a lot less fun.
15:00 Coffee
15:30 Session: Network Security - Session Chair: Pavel Laskov
PeerRush: Mining for Unwanted P2P Traffic
B. Rahbarinia, R. Perdisci, A. Lanzi, K. Li
Abstract: In this paper we present PeerRush, a novel system for the identification of unwanted P2P traffic. Unlike most previous work, PeerRush goes beyond P2P traffic detection, and can accurately categorize the detected P2P traffic and attribute it to specific P2P applications, including malicious applications such as P2P botnets. PeerRush achieves these results without the need of deep packet inspection, and can accurately identify applications that use encrypted P2P traffic. We implemented a prototype version of PeerRush and performed an extensive evaluation of the system over a variety of P2P traffic datasets. Our results show that we can detect all the considered types of P2P traffic with up to 99.5% true positives and 0.1% false positives. Furthermore, PeerRush can attribute the P2P traffic to a specific P2P application with a misclassification rate of 0.68% or less.
Early Detection of Outgoing Spammers in Large-Scale Service Provider Networks
Y. Cohen, D. Gordon, D. Hendler
Abstract: We present ErDOS, an Early Detection scheme for Outgoing Spam. The detection approach implemented by ErDOS combines content-based detection and features based on inter-account communication patterns. We define new account features, based on the ratio between the numbers of sent and received emails and on the distribution of emails received from different accounts. Our empirical evaluation of ErDOS is based on a real-life data-set collected by an email service provider, much larger than data-sets previously used for outgoing-spam detection research. It establishes that ErDOS is able to provide early detection for a significant fraction of the spammer population, that is, it identifies these accounts as spammers before they are detected as such by a content-based detector. Moreover, ErDOS only requires a single day of training data for providing a high-quality list of suspect accounts.
16:30 End of program (Thursday)
17:00 Meeting of SIG SIDAR (in German)
18:00 Social Events:
Guided tour from Moevenpick Hotel to the Reichstag building including a gala dinner on the top floor
(Your passport will be required!)

Friday, July 19th
09:30 Keynote:
Fighting Targeted Attacks on Government Networks
Robert Krawczyk (BSI; Federal Office for Information Security)
Abstract: The network infrastructure of any government is under constant attack from cyber criminals and intelligence agencies in addition to the normal daily attacks. In 2009 the German government passed a law addressing this issue by permitting the BSI (Federal Office for Information Security) to scan government network traffic to and from the WWW for malicious content. The systems used for this purpose will be described and the successes and shortcomings will be discussed. Furthermore, as the attackers have vast resources and are very skillful, e.g. they use zero-day exploits for this purpose and change their malware code frequently, standard virus-scanners are becoming increasingly ineffective. In order to detect these kinds of attacks the development of new detection methods is necessary. Therefore, in order to be able to detect APTs (advanced persistent threats) the BSI uses, in addition to more traditional detection methods, various techniques. One of the techniques applies machine learning to detect attacks. This machine learning example is used to address the need for the development of new detection methods and their applicability in real-world setups.
Biography: Robert Krawczyk is working at the BSI (Federal Office for Information Security) in Bonn in the network defence section. He graduated from the University of Cologne and received a Doctorate in Chemistry in 2003 from the Technical University of Munich. After his Ph.D. he stayed from 2003 to 2005 as a Feodor-Lynen Fellow at the University of Auckland in New Zealand and worked until 2006 as a Research Officer at Massey University in Auckland. In 2006 he switched career to an IT-Security Consultant for a small company (Infodas) in Cologne, before finally moving to the BSI in 2008. His interest is the development and implementation of new detection methods of attacks.
10:30 Coffee
11:00 Session: Web Security - Session Chair: Ravishankar Borgaonkar
PreparedJS: Secure Script-Templates for JavaScript
M. Johns
Abstract: Content Security Policies (CSP) provide powerful means to mitigate most XSS exploits. However, CSP's protection is incomplete. Insecure server-side JavaScript generation and attacker control over script-sources can lead to XSS conditions which cannot be mitigated by CSP. In this paper we propose PreparedJS, an extension to CSP which takes these weaknesses into account. Through the combination of a safe script templating mechanism with a light-weight script checksumming scheme, PreparedJS is able to fill the identified gaps in CSP's protection capabilities.
Securing Legacy Firefox Extensions with Sentinel
K. Onarlioglu, M. Battal, W. Robertson, E. Kirda
Abstract: A poorly designed web browser extension with a security vulnerability may expose the whole system to an attacker. Therefore, attacks directed at "benign-but-buggy" extensions, as well as extensions that have been written with malicious intent, pose significant security threats to a system running such components. Recent studies have indeed shown that many Firefox extensions are over-privileged, making them attractive attack targets. Unfortunately, users currently do not have many options when it comes to protecting themselves from extensions that may potentially be malicious. Once installed and executed, the extension needs to be trusted. This paper introduces SENTINEL, a policy enforcer for the Firefox browser that gives fine-grained control to the user over the actions of existing JavaScript Firefox extensions. The user is able to define policies (or use predefined ones) and block common attacks such as data exfiltration, remote code execution, saved password theft, and preference modification. Our evaluation of SENTINEL shows that our prototype implementation can effectively prevent concrete, real-world Firefox extension attacks without a detrimental impact on users' browsing experience.
Weaknesses in Defenses Against Web-Borne Malware (Short Paper)
G. Lu, S. Debray
Abstract: Web-based mechanisms, often mediated by malicious JavaScript code, play an important role in malware delivery today, making defenses against web-borne malware crucial for system security. This paper explores weaknesses in existing approaches to the detection of malicious JavaScript code. These approaches generally fall into two categories: lightweight techniques focusing on syntactic features such as string obfuscation and dynamic code generation; and heavier-weight approaches that look for deeper semantic characteristics such as the presence of shellcode-like strings or execution of exploit code. We show that each of these approaches has its weaknesses, and that state-of-the-art detectors using these techniques can be defeated using cloaking techniques that combine emulation with dynamic anti-analysis checks. Our goal is to promote a discussion in the research community focusing on robust defensive techniques rather than ad-hoc solutions.
12:30 Lunch
14:00 Session: Attacks and Defenses - Session Chair: Sven Dietrich
SMS-based One-Time Passwords: Attacks and Defense (Short Paper)
C. Mulliner, R. Borgaonkar, P. Stewin, J.-P. Seifert
Abstract: SMS-based One-Time Passwords (SMS OTP) were introduced to counter phishing and other attacks against Internet services such as online banking. Today, SMS OTPs are commonly used for authentication and authorization for many different applications. Recently, SMS OTPs have come under heavy attack, especially by smartphone Trojans. In this paper, we analyze the security architecture of SMS OTP systems and study attacks that pose a threat to Internet-based authentication and authorization services. We determined that the two foundations SMS OTP is built on, cellular networks and mobile handsets, were completely different at the time when SMS OTP was designed and introduced. Throughout this work, we show why SMS OTP systems cannot be considered secure anymore. Based on our findings, we propose mechanisms to secure SMS OTPs against common attacks and specifically against smartphone Trojans.
Towards the Protection of Industrial Control Systems - Conclusions of a Vulnerability Analysis of Profinet IO
A. Paul, F. Schuster, H. Koenig
Abstract: The trend of introducing common information and communication technologies into automation control systems induces, besides many benefits, new security risks to industrial plants and critical infrastructures. The increasing use of Internet protocols in industrial control systems combined with the introduction of Industrial Ethernet on the field level facilitates malicious intrusions into automation systems. The detection of such intrusions requires a detailed vulnerability analysis of the deployed protocols to find possible attacks. Profinet IO is one of the emerging protocols for decentralized control in the European automation industry which has found wide application. In this paper, we describe as results of a vulnerability analysis of the Profinet IO protocol several possible attacks on this protocol. Thereafter we discuss an appropriate protection of automation networks using anomaly-based intrusion detection as an effective countermeasure to address these attacks.
15:00 Coffee
15:30 Session: Host Security - Session Chair: Jean-Pierre Seifert
HeapSentry: Kernel-assisted Protection against Heap Overflows
N. Nikiforakis, F. Piessens, W. Joosen
Abstract: The last twenty years have witnessed the constant reaction of the security community to memory corruption attacks and the evolution of attacking techniques in order to circumvent the newly-deployed countermeasures. In this evolution, the heap of a process received little attention and thus today, the problem of heap overflows is largely unsolved. In this paper we present HeapSentry, a system designed to detect and stop heap overflow attacks through the cooperation of the memory allocation library of a program and the operating system's kernel. HeapSentry places unique random canaries at the end of each heap object which are later checked by the kernel, before system calls are allowed to proceed. HeapSentry operates on binaries (no source code needed) and has, by design, no false-positives. At the same time, the active involvement of the kernel provides stronger security guarantees than the current state of the art in heap protection mechanisms for a modest performance overhead.
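The abstract above describes the mechanism in one sentence: a unique random canary after each heap object, verified before a system call is allowed to proceed. The following C program is an added illustration of that mechanism and is not HeapSentry's code: HeapSentry performs the check inside the kernel on the real system call path, whereas here the "privileged boundary" is an ordinary function, hs_guarded_write, that refuses to proceed if any live object's canary has changed. The allocator wrapper, the fixed-size object table and the xorshift generator used in place of a proper random source are all assumptions made for the demo.

```c
/* Added example: end-of-object heap canaries checked at a privileged boundary.
 * Illustrates the HeapSentry idea in user space; not the authors' code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJECTS 64
#define CANARY_LEN  sizeof(uint64_t)

struct hs_obj {
    void    *base;    /* start of the caller-visible object */
    size_t   len;     /* caller-visible size; canary lives at base + len */
    uint64_t canary;  /* per-object random value recorded at allocation */
};

static struct hs_obj table[MAX_OBJECTS];   /* live objects (demo-sized) */
static size_t nobj;

/* Deterministic xorshift for a self-contained demo (assumption). A real
 * implementation would draw canaries from a CSPRNG such as getrandom(2). */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t next_rand(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return rng_state;
}

/* Allocate len bytes plus a canary directly behind them, record both. */
void *hs_malloc(size_t len) {
    if (nobj >= MAX_OBJECTS) return NULL;
    unsigned char *p = malloc(len + CANARY_LEN);
    if (!p) return NULL;
    uint64_t c = next_rand();
    memcpy(p + len, &c, CANARY_LEN);
    table[nobj++] = (struct hs_obj){ p, len, c };
    return p;
}

void hs_free(void *p) {
    for (size_t i = 0; i < nobj; i++) {
        if (table[i].base == p) {
            table[i] = table[--nobj];   /* swap-remove, order is irrelevant */
            free(p);
            return;
        }
    }
}

/* Number of live objects whose trailing canary no longer matches the
 * recorded value, i.e. objects that were overflowed. */
size_t hs_check_all(void) {
    size_t bad = 0;
    for (size_t i = 0; i < nobj; i++) {
        uint64_t c;
        memcpy(&c, (unsigned char *)table[i].base + table[i].len, CANARY_LEN);
        if (c != table[i].canary) bad++;
    }
    return bad;
}

/* Simulated system-call boundary: the check runs before the "syscall" and a
 * broken canary blocks it. HeapSentry does this in the kernel and terminates
 * the process; the demo just returns -1. */
int hs_guarded_write(const char *msg) {
    if (hs_check_all() != 0) return -1;
    return fputs(msg, stdout) >= 0 ? 0 : -1;
}

/* Demo: with overflow == 0 the heap is intact and the call proceeds (0);
 * with overflow == 1 a single byte past object a corrupts its canary and the
 * call is refused (-1). */
int hs_demo(int overflow) {
    char *a = hs_malloc(16);
    char *b = hs_malloc(16);
    if (!a || !b) return -2;
    memset(a, 'A', 16);
    if (overflow) a[16] = 'X';   /* off-by-one write into the canary */
    int rc = hs_guarded_write("syscall allowed\n");
    hs_free(a);
    hs_free(b);
    return rc;
}

int main(void) {
    printf("clean heap: rc=%d\n", hs_demo(0));
    printf("overflowed: rc=%d\n", hs_demo(1));
    return 0;
}
```

Two properties of the scheme are visible here. The check is deferred to the boundary the attacker must cross to do damage, so the overflow itself costs nothing at write time; and because every canary is a random value that the process is never expected to write, a mismatch can only come from a write past the object, which is why the abstract can claim no false positives by design. The cost is that a heap-only corruption that never reaches a system call is not caught, and that the kernel must be able to read the canary table.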
Preventing Backdoors In Server Applications With A Separated Software Architecture (Short Paper)
F. Schuster, S. Ruester, T. Holz
Abstract: We often rely on system components implemented by potentially untrusted parties. This implies the risk of backdoors, i.e., hidden mechanisms that elevate the privileges of an unauthenticated adversary or execute other malicious actions on certain triggers. Hardware backdoors have received some attention lately and we address in this paper the risk of software backdoors. We present a design approach for server applications that can -- under certain assumptions -- protect against software backdoors aiming at privilege escalation. We have implemented a proof-of-concept FTP server to demonstrate the practical feasibility of our approach.
16:30 Best Paper Award & Closing


Conference of SIG SIDAR of the German Informatics Society (GI).
Local organization by Security in Telecommunications, Technische Universität Berlin.
Header picture by Roman Lashkin, CC BY 2.0. All pages © 2013, DIMVA 2013 Organization Committee.