Examinando por Autor "Santos Grueiro, Igor"

Mostrando 1 - 3 de 3
  • Miniatura
    Ítem
    Cookies from the past: timing server-side request processing code for history sniffing
    (Association for Computing Machinery, 2020-12-22) Sánchez Rola, Iskander; Balzarotti, Davide; Santos Grueiro, Igor
    Cookies were originally introduced as a way to provide state awareness to websites, and they are now one of the backbones of the current web. However, their use is not limited to store the login information or to save the current state of user browsing. In several cases, third-party cookies are deliberately used for web tracking, user analytics, and for online advertisement, with the subsequent privacy loss for the end-users. However, cookies are not the only technique capable of retrieving the users' browsing history. In fact, history sniffing techniques are capable of tracking the users' browsing history without relying on any specific code in a third-party website, but only on code executed within the visited site. Many sniffing techniques have been proposed to date, but they usually have several limitations, and they are not able to differentiate between multiple possible states within the target application. We propose BakingTimer, a new history-sniffing technique based on timing the execution of server-side request processing code. This method is capable of retrieving partial or complete user browsing history, it does not require any permission, and it can be performed through both first- and third-party scripts. We studied the impact of our timing side-channel attack to detect prior visits to websites and discovered that it was capable of detecting the users' state in more than half of the 10K websites analyzed, which is the largest test performed to date to test this type of technique. We additionally performed a manual analysis to check the capabilities of the attack to differentiate between three states: never accessed, accessed, and logged in. Moreover, we performed a set of stability tests to verify that our time measurements are robust with respect to changes both in the network RTT and in the servers workload. This extended version additionally includes a comprehensive analysis of existing countermeasures, starting from its evolution/adoption, and finishing with a large-scale experiment to asset the repercussions on the presented technique.
  • Miniatura
    Ítem
    Nuevo enfoque para la detección de malware basado en métodos de recuperación de información
    (Universidad de Deusto, 2011-10-27) Santos Grueiro, Igor; García Bringas, Pablo; Sanz Urquijo, Borja; Facultad de Ingeniería; SISTEMAS DE INFORMACION
    Malware es todo código malicioso que tiene potencial para dañar cualquier ordenador, red o información. La cantidad de malware se está incrementado cada año y constituye un serio problema de seguridad. Por lo tanto, la detección de malware se ha convertido en un tema crítico dentro del campo de la seguridad de la información. Actualmente, el método más extendido dentro de las compañías antivirus es la detección basada en firmas. A pesar de que esta técnica aún se utiliza en la mayoría de soluciones antivirus comerciales, sólo es capaz de conseguir la detección una vez que el ejecutable ha causado daño y están documentados. Además los creadores de software malicioso utilizan técnicas de ofuscación para ocultar sus creaciones a estos detectores de malware. Por ello, los sistemas de detección de malware simplemente fallan al detectar, tanto nuevas variantes de malware conocido como familias de malware desconocidas. En esta tesis doctoral proponemos un nuevo sistema de representación de ejecutables basado en recuperación de la información que es capaz de detectar variantes ofuscadas de malware y detectar malware desconocido, reduciendo los esfuerzos del etiquetado mientras mantiene un alto nivel de precisión. En concreto, utilizamos la frecuencia de aparición de secuencias de códigos operacionales (opcodes). En base a esta representación, hemos unificado la detección de variantes ofuscadas de familias de malware con la detección de malware desconocido. Para la detección de variantes, hemos propuesto un sistema completo de recuperación de variantes que se compone de: (i) una base de datos de malware, (ii) una representación de ejecutables, (iii) un sistema para generar consultas que transforma un ejecutable en su representación y (iv) un generador de modelos filogenéticos para monitorizar la evolución de una familia de malware. Para la detección de malware desconocido, hemos usado aprendizaje automático. Hemos empleado aprendizaje supervisado que, aunque requiere una gran cantidad de software etiquetado en clases (benigno o malware), es capaz de ofrecer un alto nivel de precisión. Para reducir el elevado número de ejecutables necesario en el entrenamiento propio del aprendizaje automático, hemos adaptado un enfoque de aprendizaje de clase única, en el que sólo es necesario etiquetar un subconjunto de especímenes de una de las clases de software.
  • Miniatura
    Ítem
    When memory corruption met concurrency: vulnerabilities in concurrent programs
    (Institute of Electrical and Electronics Engineers Inc., 2023) Llorente Vázquez, Oscar; Santos Grueiro, Igor ; Bringas García, Pablo
    Concurrent programs are widespread in modern systems. They make better use of processor resources but inevitably introduce a new set of problems in terms of reliability and security. Concurrency bugs usually lead to program crashes and unexpected behavior, and are an active research topic. From a security perspective, concurrency vulnerabilities are those that exhibit harmful behavior exclusively in concurrent executions. They can take place in a diverse range of environments, such as in operating system kernels, file system operations, or general-purpose multithreaded programs. A particular characteristic of concurrency is that it not only introduces new problems, but also enables traditional vulnerabilities to be triggered in concurrent-specific ways. Those that lead to dangerous security vulnerabilities usually cause memory corruption, a strong and flexible primitive for exploitation, and are known as concurrency memory corruption vulnerabilities. In this paper, we systematically analyze concurrency vulnerabilities in C and C++ programs, their exploitation and their detection, focusing on concurrency memory corruption vulnerabilities. We organize previous work on concurrency bug characteristics and detection, and highlight the differences in relation to vulnerabilities. Then, we examine the existence of concurrency vulnerabilities in real-world programs by searching the CVE database and point out a growing trend. Further, we analyze and compare existing detection approaches towards concurrency memory corruption.