18th June, 2 p.m

Léo Cosseron est doctorant en 2ème année dans l’équipe MAGELLAN à l’IRISA (Rennes), et titulaire d’un M2 en informatique de l’ENS Rennes (2022). Ses centres d’intérêts en recherche sont la virtualisation matérielle, la simulation réseau et la sécurité des systèmes. Pendant sa thèse, Léo cherche à synchroniser précisément un simulateur réseau avec une sandbox d’analyse de malware, dans le but de créer un environnement réseau factice qui soit indistinguable d’un réseau réel, afin de contrer des malware évasifs basés sur le fingerprinting des performances du réseau.

Simuler l’environnement réseau de sandboxes pour cacher les pauses d’introspection de machines virtuelles
  Les sandboxes d’analyse de logiciels malveillants utilisent l’introspection de machines virtuelles (VMI) pour analyser ces programmes. La VMI est un ensemble de techniques pour observer l’exécution dans une machine virtuelle (VM) en restant isolé de la VM. Certains logiciels malveillants dits évasifs détectent les pauses d’exécution de la VM causées par la VMI et évitent alors d’activer leur comportement malveillant. Ce problème tend à disparaître puisque les concepteurs de sandboxes manipulent l’horloge des VMs pour cacher ces pauses. En revanche le réseau factice créé par une sandbox offre de nouvelles opportunités aux logiciels malveillants évasifs. En effet les pauses VMI ont un impact mesurable sur les performances réseau.
Les logiciels malveillants peuvent ainsi détecter les écarts de performance entre le réseau observé et celui du système ciblé. Pour résoudre ce problème, l’approche TANSIV consiste à construire le réseau de la sandbox au-dessus d’un simulateur réseau à événements discrets. Le simulateur définit la référence de temps et TANSIV coordonne l’écoulement du temps, en synchronisant les horloges virtuelles avec l’horloge du simulateur. Les paquets émis par les VMs sont interceptés et transmis à la VM destinataire à l’heure virtuelle calculée par le simulateur. Les VMs sont régulièrement interrompues à des heures virtuelles calculées avec le simulateur afin de les resynchroniser, et de faire avancer l’horloge du simulateur en fonction des événements réseau. Dans le cas de la virtualisation matérielle, en plus de manipuler les horloges virtuelles pour masquer les pauses VMI, TANSIV cache les pauses de synchronisation avec le simulateur réseau [1]. TANSIV est portable entre hyperviseurs et supporte QEMU, en modes émulation et KVM, ainsi que Xen. Pour évaluer expérimentalement TANSIV, nous avons mesuré le RTT entre deux VMs, en utilisant sur une VM un script VMI suffisamment agressif pour déclencher une pause VMI entre chaque envoi de paquet. Nos résultats montrent que la distribution des RTT est cohérente en utilisant TANSIV, que ce soit avec ou sans VMI, alors que ne pas masquer les pauses VMI ou utiliser un réseau sans synchronisation résulte en une distribution incohérente des RTTs.

[1] Léo Cosseron, Louis Rilling, Matthieu Simonin, Martin Quinson. Simulating the Network Environment of Sandboxes to Hide Virtual Machine Introspection Pauses. EuroSec 2024 – 17th European Workshop on Systems Security, Apr 2024, Athène, Greece. pp.1-7, ⟨10.1145/3642974.3652280⟩. ⟨hal-04537165⟩

16 th April, 2 p.m by
Aurore FASS
Aurore Fass is a Tenure-Track Faculty at CISPA Helmholtz Center for Information Security. She got her Ph.D. from CISPA & Saarland University in 2021. From 2021 to 2023, she was a Visiting Assistant Professor of Computer Science at Stanford University.
Aurore’s research broadly focuses on Web Security & Privacy and Web Measurements. Specifically, she designs practical approaches to protect the security and privacy of Web users. She builds systems to proactively detect malicious JavaScript code and suspicious browser extensions. Aurore co-chaired the MADWeb 2024 & 2023 workshop, co-located with NDSS, and she is ACM CCS 2024 workshop co-chair. In addition, she has served on the program committees of the leading security conferences and has received Distinguished Reviewer Awards at ACM CCS 2023 & 2022, ACSAC 2023, and TheWebConf 2022.

«Studying JavaScript Security Through Static Analysis: Detection of Malicious and Vulnerable Code» JavaScript is a browser scripting language that was designed to create sophisticated and interactive web pages. However, JavaScript also provides an entry point for an attacker to exploit bugs and vulnerabilities in web pages and browser extensions. In practice, an attacker can leverage both malicious and vulnerable JavaScript code to compromise the security and privacy of Web users.
In this talk, I will approach these issues by proposing several systems to statically analyze real-world JavaScript code.
First, I will focus on _malicious JavaScript_. I will briefly introduce static detectors, which leverage machine learning techniques to detect malicious JavaScript samples. Then, I will evaluate the robustness of such static detectors in an adversarial setting. In particular, I will introduce HideNoSeek, our generic camouflage attack that consists of rewriting malicious JavaScript samples so that they have the same syntactic structure as existing benign scripts.
Finally, I will focus on _vulnerable JavaScript_ code from browser extensions. I will present DoubleX, our open-source static analyzer that detects vulnerable data flows in browser extensions with high precision (89%) and recall (93%).
Through this talk, I aim to raise awareness about the risks posed by malicious and vulnerable JavaScript code, and to discuss strategies for mitigating such threats.

19 th Mars, 2 p.m by
Luca Demetrio
Luca Demetrio is Assistant Professor at the University of Genoa, and he received his Ph.D. in 2021.
His research focuses on assessing the security of machine learning threat detectors, with a strong focus on Windows malware. He is first author on several paper on the topic, and he is maintainer of SecML Malware (https://github.com/pralab/secml_malware) which automates the generation of adversarial EXEmples. He has been awarded with an honourable mention by the “Gruppo 2003” for your researchers in 2023 for his contribution on the topic, and he is reviewer for top-tier conferences like USENIX and ICLR.Also, he took part to industrial conferences like TROOPERS, and, together with other people, he will also deliver a training to BlackHat 2024 covering machine learning for malware detection and pentesting techniques with EXEmples.

Title: « Pentesting Windows malware detectors with Adversarial EXEmples ? »
  Machine learning for malware detection has received a great boost in popularity, given its inhuman performances with extremely-low numbers of false alarms, compared to static signature which are unable to cope with all the possible variants. However, recent research shows that these techniques are not bullet-proof since they are vulnerable to Adversarial EXEmples, carefully-crafted malware samples optimised to bypass detection. These are implemented through manipulations that preserve the original functionality, and their generation can be easily automated and targeted against both machine learning models and commercially-available antivirus programs.Hence, in this talk, we will provide insights on how to properly formulate these novel threats, and how they can be used to test malware detectors. Thanks to cutting-edge advancements, we will also share details on possible defenses and mitigations against Adversarial EXEmples, and we will close by highlighting limitations and possible future directions to improve this novel research field.

February 20th at 2 p.m by
Simone AONZO

Simone Aonzo is an Assistant Professor at EURECOM (France), where he teaches and conducts research in the Digital Security Department. He has extensive experience and knowledge in malware analysis (covering both Windows and Android platforms), reverse engineering, phishing, and mobile security. He is also interested in the human factors of security processes and has recently started publishing papers on this topic. He is passionate about finding and solving real-world security challenges and educating the next generation of security professionals.

Title: « Do Androids Dream of Electric Phishing? »
  In this seminar, I will present two novel and practical phishing attacks on Android that exploit some convenience features. In the first attack, I will abuse features unique to Android, namely the Autofill Framework and Instant Apps, to show how an attacker can trick password managers into autofilling credentials for malicious websites. In the second attack, I demonstrate a state inference-based phishing attack that uses the inotify APIs, in this case a feature of the Linux kernel on which Android is based, to monitor file system events and detect when the victim launches a target application.
Several vulnerabilities and their fixes were reported to both Google and major password manager developers, but even now these issues have not been fully resolved, proving once again that while secure solutions exist in theory, they are difficult to implement in practice.

Les commentaires sont clos.