Paper accepted for publication in ACM Computing Surveys

Sebastian Schrittwieser, Stefan Katzenbeisser, Johannes Kinder, Georg Merzdovnik, Edgar Weippl. Protecting Software through Obfuscation: Can It Keep Pace with Progress in Code Analysis? Accepted for publication in ACM Computing Surveys. 2016

Abstract: Software obfuscation has always been a highly controversially discussed research area. While theoretical results indicate that provably secure obfuscation in general is impossible, its widespread application in malware and commercial software shows that it is nevertheless popular in practice. Still, it remains largely unexplored to what extent today's software obfuscations keep up with state-of-the-art code analysis, and where we stand in the arms race between software developers and code analysts. The main goal of this survey is to analyze the effectiveness of different classes of software obfuscation against the continuously improving de-obfuscation techniques and off-the-shelf code analysis tools. The answer very much depends on the goals of the analyst and the available resources. On the one hand, many forms of lightweight static analysis have difficulties with even basic obfuscation schemes, which explains the unbroken popularity of obfuscation among malware writers. On the other hand, more expensive analysis techniques, in particular when used interactively by a human analyst, can easily defeat many obfuscations. As a result, software obfuscation for the purpose of intellectual property protection remains highly challenging.

Call for Papers: JRZ TARGET organizes workshop at the ARES Conference 2016

The 1st International Workshop on Targeted Attacks and Mitigation Strategies is going to be held in conjunction with the 11th International Conference on Availability, Reliability and Security (August 31 – September 2, 2016) in Salzburg, Austria.

The workshop aims at bringing together experts from academia and industry to share their research, ideas, knowledge and experience in the analysis and mitigation of targeted attacks.

Call for Papers – Topics of interest comprise but are not limited to:

  • Threats and Attack Modeling
  • Malware detection and analysis
  • Intrusion Detection
  • Incident Response and Prevention
  • Privacy Enhancing Technologies
  • Safety Critical Systems

Submission Deadline: April 18, 2016
The submission guidelines valid for the workshop are the same as for the ARES conference. They can be found here.

Two papers accepted at the Workshop on Empirical Research Methods in Information Security at WWW’16

Two papers got accepted at the Workshop on Empirical Research Methods in Information Security, which is held in conjunction with the 25th International World Wide Web Conference (WWW 2016) in Montreal.

Martin Pirker, Andreas Nusser. A Work-Flow for Empirical Exploration of Security Events. First Workshop on Empirical Research Methods in Information Security 2016.

Abstract: As the internet continuously expands and more and more devices connect to it, information security research is a never ending challenge. It is impossible to know all internet participants, protocols and their applications. Instead, certain security research focuses on empirically collected real-world data; stores, processes, transforms and analyses the data, in order to learn from it and its anomalies—security issues—as they happen.
This paper presents one practical work-flow for collection and processing of security events data. It presents a hard- and software setup, experiences made and lessons learned, and estimates what future challenges await. This gives others the opportunity to learn and identify areas for improvement, especially those in the early stages of setting up a research project based on empirically gathered data.

Stefan Marschalek, Manfred Kaiser, Robert Luh, Sebastian Schrittwieser. Empirical Malware Research through Observation of System Behaviour. First Workshop on Empirical Research Methods in Information Security 2016.

Abstract: Behavioural analysis has become an important method of today’s malware research. Malicious software is executed inside a controlled environment where its runtime behaviour can be studied. Recently, we proposed the concept of not only observing individual executables but a computer system as a whole. The basic idea is to identify malware by detecting anomalies in the way a system behaves. In this paper we discuss our methodology for empirical malware research and highlight its strengths and limitations. Furthermore, we explain the challenges we faced during our research and describe our lessons learned.

Talk at DeepSec 2015

On November 20th, Manfred Kaiser will give a talk at DeepSec in Vienna:

Title: Remote Browser-Based Fingerprinting of Local Network Devices
Abstract: In this talk we discuss remote device fingerprinting techniques for SOHO routers and other network-connected devices offering a browser-based configuration interface. While consumer network devices provided to customers by their ISPs are typically based on very few different hardware platforms, they are equipped with highly customized firmwares and thus contain different vulnerabilities. The knowledge of a specific device’s vulnerabilities is vital to the success of a remote attack. In a live demo we show how a remote attacker can exploit the feature-richness of modern web technologies (HTML5, WebRTC, JavaScript, CSS) to perform device discovery and fine-grained device fingerprinting in a local network over a web browser in preparation of a targeted attack.

Two papers accepted at iiWAS 2015

Members of the Josef Ressel Center will present two papers at iiWAS 2015 in Brussels:

Stefan Marschalek, Robert Luh, Manfred Kaiser, Sebastian Schrittwieser. Classifying malicious system behavior using event propagation trees. In Proceedings of the 17th International Conference on Information Integration and Web-based Applications & Services, 2015.

Abstract: Behavior-based analysis of dynamically executed software has become an established technique for identifying and analyzing potential malware. Most solutions rely on API or system call patterns to determine whether a sample is exhibiting malicious activity. Analysis is usually performed on demand and offers little insight into the current system state. In addition, the fixed nature of behavioral patterns is known to cause false-positives whenever a certain, potentially malicious action is used in a benign context.

To combat these shortcomings, this paper proposes an analysis system capable of building event propagation trees from real-time kernel monitoring data. Distance-based anomaly detection is then used to find and highlight activities deviating from a predefined baseline established through heuristic clustering.

The system was tested on a set of real-world data collected by a number of host-based agents distributed across a corporate network.

Christoph Rottermanner, Peter Kieseberg, Markus Huber, Martin Schmiedecker, Sebastian Schrittwieser. Privacy and Data Protection in Smartphone Messengers. In Proceedings of the 17th International Conference on Information Integration and Web-based Applications & Services, 2015.

Abstract: Ever since the Snowden revelations regarding mass surveillance, the role of privacy protection in commodity communication software has gained increasing awareness in the general public. Still, during the last years many new messengers were developed for Android, where often privacy was not considered to be a key issue. Due to the widespread use of these apps even in corporate environments, this opens up attack vectors that can result in advanced persistent threats. In this paper we analyze the most prominent messenger apps with respect to privacy concepts, focusing not only on the transmission layer regarding the support of encrypted communication, but also on attacks targeting the communication metadata, e.g. detecting the existence of communication between users, as well as providing an enumeration of all users of a service. Furthermore, device theft and loss is a major issue regarding the protection of user privacy. Thus, we also analyzed whether the messages are stored in a secure way on the device itself, or if control over the physical device allows access to the message data. In order to analyze the possible usability of these messengers as means for targeted surveillance of users by the provider (or an entity controlling it), we also analyzed the rights and privileges the respective apps need in order to be able to install and work. Here, major differences could be detected, with several apps claiming privileges that could not be explained with the normal mode of operation, thus posing a serious risk for the privacy of the respective user base.

The Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (TARGET) is a research institution operated by the St. Pölten University of Applied Sciences. The mission of the center is to explore novel techniques for detecting and mitigating targeted attacks.