Would you like to receive webinar invitations? Contact us by email at: maira.nassau@loria.fr
We are pleased to invite you to the next DefMal webinar by
Marcus BOTACIN ( Texas A&M University )
on October 15th at 2 p.m.
Towards Fully Automated Malware Analysis
This talk discusses the ideas developed in Botacin’s lab toward the goal of creating an end-to-end, fully automated malware detection solution. Let’s together discuss solutions for each step of a malware detection pipeline, including: (1) How to efficiently build ML detectors in the presence of evolving attacks via concept drift detection and distributed learning; (2) How to test detectors’ robustness with automated adversarial attack generation; (3) How to enhance model’s robustness via adversarial retraining based on the augmentation of the training set with synthetic samples generated by GPT models; (4) How to derive rules from ML models for efficient matching at the endpoint with hardware support; and (5) How to advance threat intelligence in analysis platforms with LLMs.
Marcus Botacin is an assistant professor in the computer science and engineering department at Texas A&M University. He holds a Ph.D. in computer Science (Federal University of Paraná, Brazil, 2021), a master’s in computer science (University of Campinas, Brazil, 2017) and a bachelor’s in computer engineering (University of Campinas, Brazil, 2015). Botacin’s main research interests are malware analysis and reverse engineering. Botacin’s research has been published in the major scientific venues (e.g., ACM Transactions and USENIX Security). Botacin has spoken of academic, industry and hacking conferences (e.g., USENIX Enigma and HackInTheBox).
We are pleased to invite you to the next DefMal webinar by Giada Stivala (CISPA) on 17th September at 2 p.m.
Giada Stivala is a senior PhD student in the group of Giancarlo Pellegrino at CISPA, focusing on web security, large-scale measurements, phishing, and cybercrime. Her recent works present Clickbait PDFs, an attack vector for malicious links, and investigate the web infrastructure behind clickbait PDF campaigns. Previously, she studied malicious link distribution on social platforms, focusing on trustworthiness (or deception) of link previews in social media posts.
Deceptive Link Distribution and the Tactics Behind Malicious Web Campaigns.
Our browsers, whether on mobile or
desktop, are gateways to a vast universe of information. Accessing
online content, like reading a blog post linked on social media or
searching for a document, is part of our daily routine. However,
seemingly legitimate social media posts can lead to malicious websites,
and search engine results can be manipulated to rank harmful content
higher than legitimate sources.
In this talk, I explore two emerging
methods of malicious link distribution. The first involves the
programmatic manipulation of social media link previews. Attackers can
create deceptive previews not only by controlling the linked page but
also by exploiting flaws in the preview creation process. While some
platforms make it easy to craft deceptive previews, they can also
easily block link distribution via blocklisting.The second distribution
method involves embedding malicious links within PDF files known as
“Clickbait PDFs.” These files don’t contain malware but use misleading
visuals to trick users into clicking, directing them to harmful
websites. Attackers poisoned search results to reach victims, uploading
hundreds of thousands of clickbait PDF files for months. Our studies
show that SEO-driven Clickbait PDF campaigns have distinct patterns
compared to traditional file-based Web attacks, and that fighting their
distribution is complex.
| We are pleased to invite you to the next DefMal webinar by Davide Balzarotti (EURECOM) on 10th July at 11 a.m. Davide Balzarotti is a full Professor and the head of the Digital Security Department at EURECOM. He received his Ph.D. from Politecnico di Milano in 2006 and his research interests include most aspects of software and system security and in particular the areas of binary and malware analysis, fuzzing and vulnerability discovery, computer forensics, and web security. Davide authored more than 100 publications in leading conferences and journals. He has been the Program Chair Usenix Security 2024, ACSAC 2017, RAID 2012, and Eurosec 2014. Davide received in an ERC Consolidator and an ERC PoC Grants for his research in the analysis of compromised systems. Davide is also member of the « Order of the Overflow » team, which organized the DEF CON CTF competition between 2018 and 2021. |
| Malware Research: History, Milestones, and Open Questions Abstract Researchers have worked on the analysis, detection, and classification of malicious software since the first early viruses in the 1980s. After more than 40 years of academic research and thousands of papers published on this topic, what have we learned about malware? Which problems and questions have attracted the interest of researchers? And for which of those did we find some answers so far? In this talk, I will go through some of these past achievements (shamelessly using some of my research as an example) and discuss past findings as well as open questions for the future. |
We are pleased to invite you to the next DefMal webinar by
Leo COSSERON on 18th June at 2 p.m.
Léo COSSERON
Léo Cosseron est doctorant en 2ème
année dans l’équipe MAGELLAN à l’IRISA (Rennes), et titulaire d’un M2 en
informatique de l’ENS Rennes (2022). Ses centres d’intérêts en
recherche sont la virtualisation matérielle, la simulation réseau et la
sécurité des systèmes. Pendant sa thèse, Léo cherche à synchroniser
précisément un simulateur réseau avec une sandbox d’analyse de malware,
dans le but de créer un environnement réseau factice qui soit
indistinguable d’un réseau réel, afin de contrer des malware évasifs
basés sur le fingerprinting des performances du réseau.
Simuler l’environnement réseau de sandboxes pour cacher les pauses d’introspection de machines virtuelles
Les sandboxes d’analyse de logiciels malveillants utilisent
l’introspection de machines virtuelles (VMI) pour analyser ces
programmes. La VMI est un ensemble de techniques pour observer
l’exécution dans une machine virtuelle (VM) en restant isolé de la VM.
Certains logiciels malveillants dits évasifs détectent les pauses
d’exécution de la VM causées par la VMI et évitent alors d’activer leur
comportement malveillant. Ce problème tend à disparaître puisque les
concepteurs de sandboxes manipulent l’horloge des VMs pour cacher ces
pauses. En revanche le réseau factice créé par une sandbox offre de
nouvelles opportunités aux logiciels malveillants évasifs. En effet les
pauses VMI ont un impact mesurable sur les performances réseau.
Les logiciels malveillants peuvent ainsi détecter les écarts de
performance entre le réseau observé et celui du système ciblé. Pour
résoudre ce problème, l’approche TANSIV consiste à construire le réseau
de la sandbox au-dessus d’un simulateur réseau à événements discrets.
Le simulateur définit la référence de temps et TANSIV coordonne
l’écoulement du temps, en synchronisant les horloges virtuelles avec
l’horloge du simulateur. Les paquets émis par les VMs sont interceptés
et transmis à la VM destinataire à l’heure virtuelle calculée par le
simulateur. Les VMs sont régulièrement interrompues à des heures
virtuelles calculées avec le simulateur afin de les resynchroniser, et
de faire avancer l’horloge du simulateur en fonction des événements
réseau. Dans le cas de la virtualisation matérielle, en plus de
manipuler les horloges virtuelles pour masquer les pauses VMI, TANSIV
cache les pauses de synchronisation avec le simulateur réseau [1].
TANSIV est portable entre hyperviseurs et supporte QEMU, en modes
émulation et KVM, ainsi que Xen. Pour évaluer expérimentalement TANSIV,
nous avons mesuré le RTT entre deux VMs, en utilisant sur une VM un
script VMI suffisamment agressif pour déclencher une pause VMI entre
chaque envoi de paquet. Nos résultats montrent que la distribution des
RTT est cohérente en utilisant TANSIV, que ce soit avec ou sans VMI,
alors que ne pas masquer les pauses VMI ou utiliser un réseau sans
synchronisation résulte en une distribution incohérente des RTTs.
[1]
Léo Cosseron, Louis Rilling, Matthieu Simonin, Martin Quinson.
Simulating the Network Environment of Sandboxes to Hide Virtual Machine
Introspection Pauses. EuroSec 2024 – 17th European Workshop on Systems
Security, Apr 2024, Athène, Greece. pp.1-7, ⟨10.1145/3642974.3652280⟩.
⟨hal-04537165⟩
16 th April, 2 p.m by
Aurore FASS
Aurore
Fass is a Tenure-Track Faculty at CISPA Helmholtz Center for
Information Security. She got her Ph.D. from CISPA & Saarland
University in 2021. From 2021 to 2023, she was a Visiting Assistant
Professor of Computer Science at Stanford University.
Aurore’s
research broadly focuses on Web Security & Privacy and Web
Measurements. Specifically, she designs practical approaches to protect
the security and privacy of Web users. She builds systems to
proactively detect malicious JavaScript code and suspicious browser
extensions. Aurore co-chaired the MADWeb 2024 & 2023 workshop,
co-located with NDSS, and she is ACM CCS 2024 workshop co-chair. In
addition, she has served on the program committees of the leading
security conferences and has received Distinguished Reviewer Awards at
ACM CCS 2023 & 2022, ACSAC 2023, and TheWebConf 2022.
«Studying JavaScript Security Through Static Analysis: Detection of Malicious and Vulnerable Code»
JavaScript is a browser scripting language that was designed to create
sophisticated and interactive web pages. However, JavaScript also
provides an entry point for an attacker to exploit bugs and
vulnerabilities in web pages and browser extensions. In practice, an
attacker can leverage both malicious and vulnerable JavaScript code to
compromise the security and privacy of Web users.
In this talk, I will approach these issues by proposing several systems to statically analyze real-world JavaScript code.
First, I will focus on _malicious JavaScript_. I will briefly introduce
static detectors, which leverage machine learning techniques to detect
malicious JavaScript samples. Then, I will evaluate the robustness of
such static detectors in an adversarial setting. In particular, I will
introduce HideNoSeek, our generic camouflage attack that consists of
rewriting malicious JavaScript samples so that they have the same
syntactic structure as existing benign scripts.
Finally, I will
focus on _vulnerable JavaScript_ code from browser extensions. I will
present DoubleX, our open-source static analyzer that detects
vulnerable data flows in browser extensions with high precision (89%)
and recall (93%).
Through this talk, I aim to raise awareness about
the risks posed by malicious and vulnerable JavaScript code, and to
discuss strategies for mitigating such threats.
19 th Mars, 2 p.m by Luca Demetrio
Luca Demetrio is Assistant Professor at the University of Genoa, and he received his Ph.D. in 2021.
His
research focuses on assessing the security of machine learning threat
detectors, with a strong focus on Windows malware. He is first author
on several paper on the topic, and he is maintainer of SecML Malware (https://github.com/pralab/secml_malware)
which automates the generation of adversarial EXEmples. He has been
awarded with an honourable mention by the “Gruppo 2003” for your
researchers in 2023 for his contribution on the topic, and he is
reviewer for top-tier conferences like USENIX and ICLR.Also, he took
part to industrial conferences like TROOPERS, and, together with other
people, he will also deliver a training to BlackHat 2024 covering
machine learning for malware detection and pentesting techniques with
EXEmples.
Title: « Pentesting Windows malware detectors with Adversarial EXEmples ? »
Machine learning for malware detection has received a great boost in
popularity, given its inhuman performances with extremely-low numbers
of false alarms, compared to static signature which are unable to cope
with all the possible variants. However, recent research shows that
these techniques are not bullet-proof since they are vulnerable to
Adversarial EXEmples, carefully-crafted malware samples optimised to
bypass detection. These are implemented through manipulations that
preserve the original functionality, and their generation can be easily
automated and targeted against both machine learning models and
commercially-available antivirus programs.Hence, in this talk, we will
provide insights on how to properly formulate these novel threats, and
how they can be used to test malware detectors. Thanks to cutting-edge
advancements, we will also share details on possible defenses and
mitigations against Adversarial EXEmples, and we will close by
highlighting limitations and possible future directions to improve this
novel research field.
February 20th at 2 p.m by
Simone AONZO
Simone Aonzo is an Assistant Professor at EURECOM (France), where he teaches and conducts research in the Digital Security Department. He has extensive experience and knowledge in malware analysis (covering both Windows and Android platforms), reverse engineering, phishing, and mobile security. He is also interested in the human factors of security processes and has recently started publishing papers on this topic. He is passionate about finding and solving real-world security challenges and educating the next generation of security professionals.
Title: « Do Androids Dream of Electric Phishing? »
In this seminar, I will present two novel and practical phishing
attacks on Android that exploit some convenience features. In the first
attack, I will abuse features unique to Android, namely the Autofill
Framework and Instant Apps, to show how an attacker can trick password
managers into autofilling credentials for malicious websites. In the
second attack, I demonstrate a state inference-based phishing attack
that uses the inotify APIs, in this case a feature of the Linux kernel
on which Android is based, to monitor file system events and detect
when the victim launches a target application.
Several
vulnerabilities and their fixes were reported to both Google and major
password manager developers, but even now these issues have not been
fully resolved, proving once again that while secure solutions exist in
theory, they are difficult to implem
Tuesday 16/01 at 2pm by Gregoire Menguy, CEA List.
Black-box Code Analysis for Reverse Engineering Through Constraint Acquisition and Program Synthesis
Software
always becomes larger and more complex, making crucial tasks like code
testing, verification, or code understanding highly difficult for
humans. Hence the need for methods to reason about code automatically.
These are usually white-box, and use the code syntax to deduce its
properties. While they have proven very powerful, they also show
limitations: they need the source code, the code size and the data
structures’ complexity degrade their efficiency, they are highly
impacted by syntactic code complexity amplified by optimizations or
obfuscations. We explore how black-box code analysis can infer valuable
properties for reverse engineering through data-driven learning. First,
we consider the function contracts inference problem, which aims to
infer over which inputs a code function can be executed to get good
behaviors only. We extend the constraint acquisition learning framework,
notably solving one of its major flaws: the dependency on a human user.
It leads to PreCA, the first black-box approach enjoying clear
theoretical guarantees. It makes PreCA especially suitable for
development uses. Second, we consider the deobfuscation problem, which
aims to simplify obfuscated code. Our proposal, Xyntia, synthesizes code
block semantics through S-metaheuristics to offer an understandable
version of the code. Xyntia significantly improves the state-of-the-art
in terms of robustness and speed. In addition, we propose the two first
protections efficient against black-box deobfuscation.
