Foundations and Practice of Security

In this work, we study the ability of malware to leak sensitive information from an air-gapped high-security system to systems on a low-security network using ultrasonic and audible audio covert channels, in two different environments: an open-concept office and a closed-door office. Our results show that malware installed on unmodified commodity hardware can leak data from an air-gapped system at 140 bps using the ultrasonic range from 20 kHz to 20.5 kHz, and at 6.7 kbps using the audible spectrum from 500 Hz to 18 kHz. Additionally, we show that ultrasonic communication works at distances of up to 11 m with bit rates over 230 bps and a bit error rate of 2%. Given these results, our attacks can leak captured keystrokes in real time using ultrasonic signals and, using audible signals when nobody is present in the environment (the overnight attack), both keystrokes and recorded audio.
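The abstract gives the band (20 kHz to 20.5 kHz) and the achieved bit rate but not the modulation scheme. The following is an added example, written for this page and not the paper's code, that models the narrow-band ultrasonic channel end to end so the numbers can be reasoned about: a binary FSK transmitter that places the two tones at the edges of the band, additive noise, a non-coherent Goertzel receiver, a bit-error-rate measurement, and a defender-side check that measures how much of a symbol's energy sits just above 20 kHz. The sample rate (48 kHz, whose Nyquist limit of 24 kHz covers the band), the 125 baud symbol rate, the BFSK tones at 20.0 and 20.5 kHz, the Goertzel detector and the sample payload are all assumptions of this example, not parameters reported by the paper.

```python
import math
import random

# Channel parameters (assumptions for this example; the paper does not fix them)
FS = 48_000        # sample rate in Hz, typical for commodity sound cards
BAUD = 125         # bits per second: 8 ms per symbol, so the DFT bin width is 125 Hz
F0 = 20_000        # tone for a 0 bit, lower edge of the 20-20.5 kHz band
F1 = 20_500        # tone for a 1 bit, upper edge; 500 Hz = 4 bins, so the tones are
                   # orthogonal over one symbol window and do not leak into each other
N = FS // BAUD     # samples per symbol (384)


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list of `data`."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(sum(b << (7 - j) for j, b in enumerate(bits[i:i + 8])))
    return bytes(out)


def modulate(data: bytes, amplitude: float = 0.5) -> list:
    """BFSK transmitter: every bit becomes N samples of a sine at F0 or F1.
    Both tones complete an integer number of cycles per symbol (160 and 164),
    so the phase is continuous at symbol boundaries and no clicks are produced."""
    samples = []
    for bit in bytes_to_bits(data):
        freq = F1 if bit else F0
        samples.extend(amplitude * math.sin(2 * math.pi * freq * n / FS) for n in range(N))
    return samples


def goertzel_power(block: list, freq: float) -> float:
    """|X[k]|^2 of `block` at the DFT bin nearest `freq` (Goertzel recurrence)."""
    n = len(block)
    k = round(n * freq / FS)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples: list) -> list:
    """Non-coherent BFSK receiver: per symbol window, compare energy at F1 vs F0."""
    bits = []
    for i in range(0, len(samples) - N + 1, N):
        block = samples[i:i + N]
        bits.append(1 if goertzel_power(block, F1) > goertzel_power(block, F0) else 0)
    return bits


def demodulate_bytes(samples: list) -> bytes:
    return bits_to_bytes(demodulate(samples))


def add_noise(samples: list, sigma: float, seed: int = 1) -> list:
    """Additive white Gaussian noise with a fixed seed so runs are reproducible."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def bit_error_rate(sent: bytes, received_bits: list) -> float:
    sent_bits = bytes_to_bits(sent)
    errors = sum(a != b for a, b in zip(sent_bits, received_bits))
    return errors / len(sent_bits)


def ultrasonic_fraction(samples: list, lo: float = F0, hi: float = F1) -> float:
    """Defender-side check on one symbol window: share of the 0..FS/2 spectrum
    energy that sits in [lo, hi]. Ordinary audio spreads energy across the
    audible band; this channel concentrates it just above 20 kHz."""
    block = samples[:N]
    bin_hz = FS / N
    total = in_band = 0.0
    for k in range(N // 2 + 1):
        p = goertzel_power(block, k * bin_hz)
        total += p
        if lo <= k * bin_hz <= hi:
            in_band += p
    return in_band / total if total else 0.0


if __name__ == "__main__":
    message = b"keystrokes: p4ss"        # constructed sample payload
    clean = modulate(message)
    print(demodulate_bytes(clean))         # b'keystrokes: p4ss'
    noisy = add_noise(clean, sigma=4.0)
    print("BER at sigma=4:", bit_error_rate(message, demodulate(noisy)))
    print("ultrasonic energy share of a clean symbol:", ultrasonic_fraction(clean))
```

With the tone spacing equal to four DFT bins, the receiver needs no filtering beyond the two Goertzel bins, which is why a 500 Hz band is enough for a rate in the low hundreds of bits per second; raising the rate shrinks the symbol window, widens each bin and forces the tones apart, which is the trade-off behind the audible-band result. The `ultrasonic_fraction` check shows the detection angle: a signal whose energy is almost entirely in the 20 to 20.5 kHz band is not something a normal audio source produces.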
