Georgia Tech at IEEE SS&P 2017

Atlanta   |   May 22, 2017

Researchers, faculty and students from the Georgia Institute of Technology (Georgia Tech) bring cybersecurity research breakthroughs to the 38th IEEE Symposium on Security and Privacy (IEEE SS&P '17) -- an annual forum for presenting developments in computer security and electronic privacy.

Research presented by Georgia Tech at IEEE SS&P includes a new Android vulnerability that leverages mobile app permissions to take control of a user's graphic interface; a large-scale study of the underground business strategy behind evading IP blacklists, and a study showing that for the vast majority of malware samples, network traffic provides the earliest indicator of infection—several weeks and often months before a malware sample is discovered.

Georgia Tech is one of five universities worldwide with the most research accepted into the peer-reviewed conference. Four academic papers will be presented by Georgia Tech -- placing it alongside the University of California Berkeley, Carnegie Mellon University, University of Maryland, and the French Institute for Research in Computer Science and Automation (INRIA) for research volume at IEEE SS&P '17. The competitive conference has one of the lowest acceptance rates of peer-reviewed work with just 13.3 percent of all submissions accepted for presentation in 2016, according to independent research by Guofei Gu, a professor at Texas A&M University and an alumnus of Georgia Tech. This year, in all, nearly 100 organizations worldwide will bring new work to IEEE SS&P '17, including Akamai Technologies, Baidu, Facebook, Intel, Microsoft Research, Uber, and more as well as leading universities from Asia, Europe, and North America. The Symposium -- held May 22-24 in San Jose, Calif., -- is sponsored by IEEE Computer Society's Technical Committee on Security and Privacy.


Cybersecurity Research by Georgia Tech

"Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop"

in collaboration with University of California Santa Barbara
Yanick Fratantonio (UC Santa Barbara), Chenxiong Qian, Simon Chung, Wenke Lee (Georgia Institute of Technology)

The effectiveness of the Android permission system fundamentally hinges on the user’s correct understanding of the capabilities of the permissions being granted. In this paper, we show that both the end-users and the security community have significantly underestimated the dangerous capabilities granted by the SYSTEM_ALERT_WINDOW and the BIND_ACCESSIBILITY_SERVICE permissions: while it is known that these are security-sensitive permissions and they have been abused individually (e.g., in UI redressing attacks, accessibility attacks), previous attacks based on these permissions rely on vanishing side-channels to time the appearance of overlay UI, cannot respond properly to user input, or make the attacks literally visible. This work, instead, uncovers several design shortcomings of the Android platform and shows how an app with these two permissions can completely control the UI feedback loop and create devastating attacks. In particular, we demonstrate how such an app can launch a variety of stealthy, powerful attacks, ranging from stealing user’s login credentials and security PIN, to the silent installation of a God-mode app with all permissions enabled, leaving the victim completely unsuspecting. To make things even worse, we note that when installing an app targeting a recent Android SDK, the list of its required permissions is not shown to the user and that these attacks can be carried out without needing to lure the user to knowingly enable any permission. In fact, the SYSTEM_ALERT_WINDOW permission is automatically granted for apps installed from the Play Store and our experiment shows that it is practical to lure users to unknowingly grant the BIND_ACCESSIBILITY_SERVICE permission by abusing capabilities from the SYSTEM_ALERT_WINDOW permission. We evaluated the practicality of these attacks by performing a user study: none of the 20 human subjects that took part in the experiment even suspected they had been attacked.
We also found that it is straightforward to get a proof-of-concept app requiring both permissions accepted on the official store. We responsibly disclosed our findings to Google. Unfortunately, since these problems are related to design issues, these vulnerabilities are still unaddressed. We conclude the paper by proposing a novel defense mechanism, implemented as an extension to the current Android API, which would protect Android users and developers from the threats we uncovered.

Winner of the 2017 "Distinguished Practical Paper" Award

Covered by:
Threatpost, May 24, 2017
InfoSecurity Magazine, May 24, 2017
International Business Times, May 23, 2017
Daily Mail (UK), May 22, 2017


"A Lustrum of Malware Network Communication: Evolution and Insights"

in collaboration with IMDEA and Eurecom
Chaz Lever (Georgia Institute of Technology), Platon Kotzias (IMDEA), Davide Balzarotti (Eurecom), Juan Caballero (IMDEA), Manos Antonakakis (Georgia Institute of Technology)

Both the operational and academic security communities have used dynamic analysis sandboxes to execute malware samples for roughly a decade. Network information derived from dynamic analysis is frequently used for threat detection, network policy, and incident response. Despite these common and important use cases, the efficacy of the network detection signal derived from such analysis has yet to be studied in depth. This paper seeks to address this gap by analyzing the network communications of 26.8 million samples that were collected over a period of five years. Using several malware and network datasets, our large scale study makes three core contributions. (1) We show that dynamic analysis traces should be carefully curated and provide a rigorous methodology that analysts can use to remove potential noise from such traces. (2) We show that Internet miscreants are increasingly using potentially unwanted programs (PUPs) that rely on a surprisingly stable DNS and IP infrastructure. This indicates that the security community is in need of better protections against such threats, and network policies may provide a solid foundation for such protections. (3) Finally, we see that, for the vast majority of malware samples, network traffic provides the earliest indicator of infection—several weeks and often months before the malware sample is discovered. Therefore, network defenders should rely on automated malware analysis to extract indicators of compromise and not to build early detection systems.

Covered by:
Network World, May 25, 2017
Threatpost, May 24, 2017

"Protecting Bare-metal Embedded Systems with Privilege Overlays"

in collaboration with Purdue University and Sandia National Laboratories
Abraham A. Clements (Purdue and Sandia National Laboratories), Naif Saleh Almakhdhub (Purdue), Khaled Saab (Georgia Institute of Technology), Prashast Srivastava (Purdue), Jinkyu Koo (Purdue), Saurabh Bagchi (Purdue), Mathias Payer (Purdue)

Embedded systems are ubiquitous in every aspect of modern life. As the Internet of Things expands, our dependence on these systems increases. Many of these interconnected systems are and will be low cost bare-metal systems, executing without an operating system. Bare-metal systems rarely employ any security protection mechanisms and their development assumptions (unrestricted access to all memory and instructions), and constraints (runtime, energy, and memory) make applying protections challenging. To address these challenges we present EPOXY, an LLVM-based embedded compiler. We apply a novel technique, called privilege overlaying, wherein operations requiring privileged execution are identified and only these operations execute in privileged mode. This provides the foundation on which code integrity, adapted control-flow hijacking defenses, and protections for sensitive IO are applied. We also design fine-grained randomization schemes, that work within the constraints of bare-metal systems to provide further protection against control-flow and data corruption attacks. These defenses prevent code injection attacks and ROP attacks from scaling across large sets of devices. We evaluate the performance of our combined defense mechanisms for a suite of 75 benchmarks and 3 real-world IoT applications. Our results for the application case studies show that EPOXY has, on average, a 1.8% increase in execution time and a 0.5% increase in energy usage.

"Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks"

in collaboration with Indiana University and New York University
Sumayah Alrwais (Indiana University at Bloomington), Xiaojing Liao (Georgia Institute of Technology), Xianghang Mi (Indiana University at Bloomington), Peng Wang (Indiana University at Bloomington), XiaoFeng Wang (Indiana University at Bloomington), Feng Qian (Indiana University at Bloomington), Raheem Beyah (Georgia Institute of Technology), Damon McCoy (New York University)

BulletProof Hosting (BPH) services provide criminal actors with technical infrastructure that is resilient to complaints of illicit activities, which serves as a basic building block for streamlining numerous types of attacks. Anecdotal reports have highlighted an emerging trend of these BPH services reselling infrastructure from lower end service providers (hosting ISPs, cloud hosting, and CDNs) instead of from monolithic BPH providers. This has rendered many of the prior methods of detecting BPH less effective, since instead of the infrastructure being highly concentrated within a few malicious Autonomous Systems (ASes) it is now agile and dispersed across a larger set of providers that have a mixture of benign and malicious clients. In this paper, we present the first systematic study on this new trend of BPH services. By collecting and analyzing a large amount of data (25 Whois snapshots of the entire IPv4 address space, 1.5 TB of passive DNS data, and longitudinal data from several blacklist feeds), we are able to identify a set of new features that uniquely characterizes BPH on sub-allocations and are costly to evade. Based upon these features, we train a classifier for detecting malicious sub-allocated network blocks, achieving a 98% recall and 1.5% false discovery rates according to our evaluation. Using a conservatively trained version of our classifier, we scan the whole IPv4 address space and detect 39K malicious network blocks. This allows us to perform a large-scale study of the BPH service ecosystem, which sheds light on this underground business strategy, including patterns of network blocks being recycled and malicious clients migrating to different network blocks, in an effort to evade IP address based blacklisting. Our study highlights the trend of agile BPH services and points to potential methods of detecting and mitigating this emerging threat.

About Cybersecurity at Georgia Tech

Cybersecurity at the Georgia Institute of Technology (Georgia Tech) is an interdisciplinary effort, spanning 11 research labs and centers across seven campus units and the Georgia Tech Research Institute, with more than 460 researchers and 200,000 square feet of secured, classified space. The Institute for Information Security & Privacy (IISP) at Georgia Tech serves as a coordinating body for cybersecurity research; as a gateway to faculty, students, and scientists at Georgia Tech; and as a central location for collaboration around six critical research thrusts: Policy, Consumer-facing privacy, Risk, Trust, Attribution and Cyber-physical systems. By leveraging intellectual capital from across Georgia Tech and its external partners, we address vital solutions for national defense, economic continuity, and individual freedom. In partnership with the IISP, government and industry partners can help move Georgia Tech's cybersecurity research into deployable solutions that close the innovation gap with immediate application in the world. To inquire about licensing existing research or to begin a project, contact Gloria Griessman.



Tara La Bouff
Marketing Communications Manager
404.769.5408 (mobile)