FORSEC Activities
1) Security monitoring on ARM devices
ARM-based mobile devices are rapidly becoming the dominant force in the market for mobile phones, smart watches, and Internet of Things (IoT) devices. Unfortunately, many of these devices run the Android operating system, and the open character of Android poses a major challenge for computer security products. The development of new Virtual Machine Introspection (VMI) based security mechanisms is therefore essential to provide monitoring capabilities that can extract meaningful analytics when issues arise.
To tackle this challenge, we plan to implement a VMI system for Xen on ARM and to build VMI applications for Android-based devices on top of it. The first step towards this goal is to overcome the notorious semantic gap problem: the hypervisor sees only the guest's raw registers and memory pages, and the operating-system abstractions (processes, threads, objects) have to be reconstructed from them. Android poses unique challenges here, because the gap has to be bridged in both kernel space and user space. From the kernel perspective, the Android kernel is written in C, a statically bound language whose data layouts and call targets are fixed at compile time. This allows us to leverage our existing knowledge to reconstruct the values of registers, memory addresses, the stack, and the heap. Android applications, however, are written in dynamically bound languages such as C++ (virtual dispatch) and Java (executed by a managed runtime), so their in-memory layout and control flow are resolved at run time and can differ from run to run. This makes the semantic gap much harder to close for application code, and developing VMI-side methods that overcome this challenge will be our primary focus as we proceed.
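The kernel half of the semantic gap is the easier case precisely because C layouts are fixed: a profile of field offsets turns raw guest memory back into a process list. The script below is an added illustration, not FORSEC code, and everything in it is constructed: the 32-bit descriptor layout (PROFILE), the guest addresses, and the memory image itself. It walks the kernel's circular task list from the raw bytes and then cross-checks that list against a second view (scanning the allocator slots that hold descriptors), which is how a VMI tool notices a descriptor that was unlinked from the list to hide a process.

```python
"""Semantic-gap reconstruction on a raw guest memory image.

Added illustration, not FORSEC code: it shows how a C kernel's statically
known struct layout lets a VMI tool rebuild the process list from raw bytes,
and how a second view (scanning allocator slots) exposes a descriptor that
was unlinked from the list. The kernel layout, virtual addresses and the
image contents below are all constructed for the example.
"""
import struct

# Constructed layout profile of a hypothetical 32-bit kernel's process
# descriptor; a real profile is derived from the guest kernel's debug info.
PROFILE = {
    "size": 32,        # bytes per descriptor
    "pid": 0,          # u32
    "tasks_next": 4,   # list_head.next, points at the NEXT descriptor's list_head
    "tasks_prev": 8,   # list_head.prev
    "comm": 16,        # 16-byte NUL-padded process name
}
PTR = "<I"                     # 32-bit little-endian words (AArch32 guest)
BASE = 0xC0000000              # guest virtual address the image was taken from
IMAGE = bytearray(0x200)       # constructed image, filled in below
TASK_SLOTS = BASE + 0x100      # first allocator slot holding a descriptor
SLOT_COUNT = 4


def _off(va):
    """Translate a guest VA into an image offset; reject pointers that leave it."""
    off = va - BASE
    if not 0 <= off <= len(IMAGE) - 4:
        raise ValueError("pointer 0x%08x leaves the captured image" % va)
    return off


def read_u32(va):
    return struct.unpack_from(PTR, IMAGE, _off(va))[0]


def read_comm(va):
    raw = IMAGE[_off(va):_off(va) + 16]
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def _slot(i):
    return TASK_SLOTS + i * PROFILE["size"]


def _write_task(i, pid, comm, next_slot, prev_slot):
    """Populate slot i; list links point at the neighbours' embedded list_head."""
    va = _slot(i)
    struct.pack_into(PTR, IMAGE, _off(va + PROFILE["pid"]), pid)
    struct.pack_into(PTR, IMAGE, _off(va + PROFILE["tasks_next"]),
                     _slot(next_slot) + PROFILE["tasks_next"])
    struct.pack_into(PTR, IMAGE, _off(va + PROFILE["tasks_prev"]),
                     _slot(prev_slot) + PROFILE["tasks_next"])
    start = _off(va + PROFILE["comm"])
    IMAGE[start:start + 16] = comm.encode().ljust(16, b"\0")


# Constructed image: init -> system_server -> app_process form the circular
# list; slot 3 is a live descriptor that has been unlinked (DKOM-style hiding).
_write_task(0, 1, "init", 1, 2)
_write_task(1, 2, "system_server", 2, 0)
_write_task(2, 3, "app_process", 0, 1)
_write_task(3, 4, "evil", 3, 3)
INIT_TASK = _slot(0)


def walk_task_list(head_va):
    """Follow tasks.next from head_va until the list returns to the head."""
    head_link = head_va + PROFILE["tasks_next"]
    tasks, seen, link = [], set(), head_link
    while True:
        task_va = link - PROFILE["tasks_next"]   # container_of(link, task, tasks)
        if task_va in seen:
            raise ValueError("list loops without returning to the head")
        seen.add(task_va)
        tasks.append((read_u32(task_va + PROFILE["pid"]),
                      read_comm(task_va + PROFILE["comm"])))
        link = read_u32(link)
        if link == head_link:
            return tasks


def scan_slots(first_va=TASK_SLOTS, count=SLOT_COUNT):
    """Second view: enumerate descriptors by allocator slot, ignoring the links."""
    found = []
    for i in range(count):
        va = first_va + i * PROFILE["size"]
        pid = read_u32(va + PROFILE["pid"])
        if pid:
            found.append((pid, read_comm(va + PROFILE["comm"])))
    return found


def hidden_tasks(head_va=INIT_TASK):
    """Descriptors present in memory but absent from the list the kernel reports."""
    listed = set(walk_task_list(head_va))
    return [t for t in scan_slots() if t not in listed]


if __name__ == "__main__":
    print("listed:", walk_task_list(INIT_TASK))
    print("hidden:", hidden_tasks())
```

Two details matter in practice: list links point at the embedded list head, not at the start of the descriptor, so the walker has to subtract the field offset (the container_of idiom), and every pointer read is bounds-checked against the captured image, because a guest under attack can hand the introspection tool corrupted pointers. For application code written in C++ or Java none of these offsets are fixed ahead of time, which is exactly why the user-space half of the problem is harder.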
In the next steps, we plan to extend our CFI (Control Flow Integrity) method so that it can be applied to Android applications. Through CFI, we hope to protect Android applications from control-flow hijacks such as GUI-changing attacks, unauthorized access, and information leakage attacks. Additionally, we plan to implement VMI-based methods to detect and prevent code reuse attacks: return-oriented programming (ROP), jump-oriented programming (JOP), counterfeit object-oriented programming (COOP), and just-in-time ROP (JIT-ROP).
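On the detection side, a VMI monitor that can read a guest thread's stack and its text pages can apply a classic ROP heuristic: a legitimate return address is preceded by a call instruction, while the gadget addresses a ROP chain pushes onto the stack usually are not. The following is an added example, not FORSEC's method or code; the text page, the stack snapshots and the threshold are constructed, and it decodes only the A32 call encodings (bl, blx immediate, blx register), so a Thumb-state guest would need a second decoder.

```python
"""Stack-scan heuristic for return-oriented programming (ROP) on AArch32.

Added illustration, not FORSEC code. Each code pointer found on the stack is
checked for being call-preceded (the 32-bit word before it is bl/blx). The
text image, stack snapshots and threshold are constructed for the example;
only A32 encodings are decoded.
"""

# (mask, value, mnemonic) for the A32 call instructions
CALL_ENCODINGS = (
    (0x0F000000, 0x0B000000, "bl"),        # cond 1011 imm24
    (0xFE000000, 0xFA000000, "blx imm"),   # 1111 101H imm24
    (0x0FFFFFF0, 0x012FFF30, "blx reg"),   # cond 0001 0010 1111 1111 1111 0011 Rm
)

# Constructed text page: address -> 32-bit instruction word.
TEXT = {
    0x10000: 0xEB000002,  # bl 0x10010
    0x10004: 0xE1A00000,  # nop (return site of the bl above)
    0x10008: 0xE12FFF33,  # blx r3
    0x1000C: 0xE1A00000,  # nop (return site of the blx above)
    0x10010: 0xE0800001,  # add r0, r0, r1
    0x10014: 0xE8BD8001,  # pop {r0, pc}      <- gadget, not call-preceded
    0x10018: 0xE0811002,  # add r1, r1, r2
    0x1001C: 0xE8BD8003,  # pop {r0, r1, pc}  <- gadget, not call-preceded
    0x10020: 0xE0822003,  # add r2, r2, r3
    0x10024: 0xE12FFF1E,  # bx lr             <- gadget, not call-preceded
}


def is_call(word):
    """True if the A32 word encodes bl, blx #imm or blx Rm."""
    return any((word & mask) == value for mask, value, _ in CALL_ENCODINGS)


def call_preceded(addr, text=TEXT):
    """True if the instruction immediately before addr is a call."""
    prev = text.get(addr - 4)
    return prev is not None and is_call(prev)


def classify_stack(stack_words, text=TEXT):
    """Split code pointers on the stack into plausible returns and suspects.

    Words that do not point into known text (data, heap pointers, canaries)
    are ignored; only 4-byte-aligned A32 addresses are considered.
    """
    returns, suspects = [], []
    for word in stack_words:
        if word in text:
            (returns if call_preceded(word, text) else suspects).append(word)
    return returns, suspects


def looks_like_rop(stack_words, text=TEXT, threshold=2):
    """Flag a stack window holding >= threshold non-call-preceded code pointers.

    The threshold is a constructed tuning value: a single stray code pointer
    (e.g. a saved function pointer) should not raise an alert by itself.
    """
    return len(classify_stack(stack_words, text)[1]) >= threshold


# Constructed stack snapshots: a benign frame and a pivoted ROP chain.
BENIGN_STACK = [0x1000C, 0x00000042, 0x10004, 0x7FFF0000]
ROP_STACK = [0x10014, 0x41414141, 0x1001C, 0x42424242, 0x43434343, 0x10024]

if __name__ == "__main__":
    for name, stack in (("benign", BENIGN_STACK), ("rop", ROP_STACK)):
        returns, suspects = classify_stack(stack)
        print(name, "returns=%s suspects=%s rop=%s" % (
            [hex(a) for a in returns], [hex(a) for a in suspects],
            looks_like_rop(stack)))
```

This is a detector, not a guarantee: an attacker who restricts a chain to call-preceded gadgets slips past it, and a benign stack can hold stale code pointers, which is why the threshold and the length of consecutive suspicious pointers matter. Enforcing that every return and indirect call lands on a valid target, i.e. CFI, is the prevention side that the heuristic complements.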
2) Anomaly and intrusion detection under resource constraints
This part of the project is dedicated to developing machine learning methods that use data retrieved through VMI for malware detection. The behavioral analysis tools built on top of VMI let us retrieve valuable information about malware activity, but we need statistical methods that turn this wealth of raw data into information that is useful for malware analysis. To achieve reliable malware detection and analysis, we plan to investigate and further develop methods such as topic modeling, neural networks, and semi-supervised learning.
Furthermore, we will study the resource constraints present in mobile devices: memory, power, and bandwidth. Using this knowledge, we will develop anomaly detection methods designed to operate well under these constraints. We will also develop anomaly-based methods for intrusion detection and continuous authentication on mobile devices, focusing on adapting machine learning methods for anomaly detection such as Gaussian Processes, Hidden Markov Models, and One-Class SVM.
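What "designed for these constraints" means in code is mostly a question of state: a detector whose memory grows with the observation history cannot run on the device. The following added example (not FORSEC code) shows the simplest shape that fits the budget: one running mean and variance per feature, updated with Welford's online algorithm, so the model occupies a fixed number of floats however long the device has been monitored. The feature vectors (read, write and sendto counts per monitoring window) and the thresholds are constructed; on a real device the counts would come from the VMI layer.

```python
"""Constant-memory anomaly detector for per-window syscall counts.

Added illustration, not FORSEC code. State is O(features): a running mean
and sum of squared deviations per feature (Welford's online algorithm). The
feature vectors and thresholds below are constructed for the example.
"""
import math


class StreamingZDetector:
    def __init__(self, n_features, threshold=4.0, warmup=10, min_sd=0.5):
        self.n_features = n_features
        self.threshold = threshold   # largest |z| that still counts as normal
        self.warmup = warmup         # windows learned unconditionally at start
        self.min_sd = min_sd         # floor so a constant feature cannot blow up z
        self.count = 0
        self.mean = [0.0] * n_features
        self.m2 = [0.0] * n_features  # running sum of squared deviations

    def _update(self, x):
        """Welford step: fold one window into mean/m2 without storing it."""
        self.count += 1
        for i, v in enumerate(x):
            delta = v - self.mean[i]
            self.mean[i] += delta / self.count
            self.m2[i] += delta * (v - self.mean[i])

    def score(self, x):
        """Largest per-feature |z| of x under the current model (0 before 2 samples)."""
        if self.count < 2:
            return 0.0
        z = 0.0
        for i, v in enumerate(x):
            sd = max(math.sqrt(self.m2[i] / (self.count - 1)), self.min_sd)
            z = max(z, abs(v - self.mean[i]) / sd)
        return z

    def observe(self, x):
        """Score a window, then learn from it unless it was flagged.

        Not learning from flagged windows keeps a burst of malicious activity
        from being absorbed into the baseline; slow drift can still poison it.
        """
        if len(x) != self.n_features:
            raise ValueError("expected %d features" % self.n_features)
        s = self.score(x)
        anomalous = self.count >= self.warmup and s > self.threshold
        if not anomalous:
            self._update(x)
        return s, anomalous

    def state_size(self):
        """Floats held by the model, independent of how many windows were seen."""
        return 2 * self.n_features + 1


# Constructed baseline windows: (read, write, sendto) counts per window.
NORMAL_WINDOWS = [
    (100, 50, 5), (104, 52, 6), (97, 49, 4), (101, 51, 5), (99, 48, 6), (103, 50, 5),
    (98, 52, 4), (102, 49, 5), (100, 51, 6), (96, 50, 4), (105, 48, 5), (99, 51, 5),
]


def build_detector(windows=NORMAL_WINDOWS):
    """Train on the constructed baseline; warmup covers the whole baseline."""
    det = StreamingZDetector(n_features=3, warmup=len(windows))
    for w in windows:
        det.observe(w)
    return det


if __name__ == "__main__":
    det = build_detector()
    print("state floats:", det.state_size())
    print("normal window:", det.observe((101, 50, 5)))
    print("exfil burst:  ", det.observe((100, 50, 400)))   # sendto spike
```

A per-feature z-score is the crudest member of the family the text lists; a One-Class SVM or Gaussian Process would model correlations between features but also carries support vectors or a kernel matrix that grow with the training set, so under a memory budget the design trade is detection power against state that must be bounded or sparsified.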