New Methods for Vulnerability Detection and Sanitization

DeustoTech (www.deustotech.eu) is a private non-profit institution of the Faculty of Engineering at the University of Deusto dedicated to applied research in new technologies. Since 2005, DeustoTech's mission has been to support ICT activity in business and society through research, technology development, innovation and knowledge transfer. We focus our activity on TRLs 2-7 and organise it into four applied fields: Industry, Mobility, Energy and Society, with a fifth, the Chair of Applied Mathematics, acting as a transversal activity that supports the other four. We are characterised by working with data of a heterogeneous nature, throughout its life cycle and in compliance with the ethical and humanist principles that define the University of Deusto. The research group that will host the IF candidate is also devoted to cybersecurity. In particular, we have been working actively in two areas: web security and code security. In the first, we have focused on web privacy, with work on web tracking, dark web privacy and the fingerprintability of browser attributes. In the area of code security, we have worked on malware detection and are now working on vulnerability detection and sanitization.
The applicant should hold a PhD and must not have stayed in the hosting institution's country (Spain) for more than 12 months in the 3 years immediately preceding the MSCA-IF call deadline. The applicant needs to be proficient in cybersecurity, ideally with a background in code analysis and reversing, and with a strong record of early publications on these topics. The applicant should also be willing to join a team that aims for major contributions in the field, to be published in top-tier venues (Oakland, USENIX Security, ACM CCS, ISOC NDSS).
  • Information Sciences and Engineering (ENG)
Memory corruption appears as a consequence of the lack of memory and type safety in low-level languages such as C and C++, and it covers every form of involuntary access to, or alteration of, the contents of one or more memory addresses. In order to mitigate these attacks, proactive defenses such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) have been standard in recent years. However, as they have proven insufficient, more advanced methods have been developed that, for example, enforce control-flow and data-flow integrity. On top of that, other error classes exist that may lead to exploitation and to which little attention has been paid. One of the most worrying examples is the so-called concurrency errors. They arise as a result of concurrent accesses to a shared resource without proper synchronization, such as shared memory accesses among threads inside a single process, or resource accesses among different processes. In this research, we will focus on the latter type of errors.

EXCELLENCE OF THE HOST RESEARCH UNIT

Xabier Ugarte-Pedrero, Davide Balzarotti, Igor Santos, Pablo G. Bringas. RAMBO: Run-time Packer Analysis with Multiple Branch Observation. Proceedings of the 13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA). San Sebastián, Spain. 2016. (acceptance rate: 31.8%)
Xabier Ugarte-Pedrero, Davide Balzarotti, Igor Santos, Pablo G. Bringas. [SoK] Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers. Proceedings of the 36th IEEE Symposium on Security and Privacy (Oakland). San Jose, CA. 2015. (acceptance rate: 13.8%)
Iskander Sanchez-Rola, Igor Santos, Davide Balzarotti. Clock Around the Clock: Time-Based Device Fingerprinting. Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS). Toronto, Canada. 2018. (acceptance rate: 16.6%) [Media coverage: New Scientist | Metro | TechNews | …]
Iskander Sanchez-Rola, Igor Santos, Davide Balzarotti. Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies. Proceedings of the 26th USENIX Security Symposium (Sec). Vancouver, Canada. 2017. (acceptance rate: 16.28%) [Media coverage: SecurityWeek | BleepingComputer | Ghacks (1) | Ghacks (2) | FayerMayer | …]
Igor Santos, Félix Brezo, Xabier Ugarte-Pedrero, Pablo G. Bringas. Opcode Sequences as Representation of Executables for Data-mining-based Unknown Malware Detection. Information Sciences, vol. 231, pp. 64-82. 2013.
VESSEDIA: VERIFICATION ENGINEERING OF SAFETY AND SECURITY CRITICAL INDUSTRIAL APPLICATIONS. Funded by: H2020, 2016-DS-01. Ref: N/A. PI (University of Deusto): Igor Santos. Budget (University of Deusto): 352,125 Euros.
SOCIAL SPAM: SEGUIMIENTO Y FILTRADO DE SPAM PERSONALIZADO EN MEDIOS SOCIALES MEDIANTE MODELOS DE DIFUSIÓN Y ANÁLISIS DE CONTENIDO (Tracking and filtering of personalised spam in social media using diffusion models and content analysis). Funded by: Gobierno Vasco, research grant. Ref: N/A. PI: Igor Santos. Budget: 48,300 Euros.
VEMAS: SISTEMA INSTALADO "EN LA NUBE" PARA LA VERIFICACIÓN FORMAL DEL SOFTWARE Y LA MEDIDA DE SU CALIDAD, DESDE LOS COMPILADORES E INTÉRPRETES QUE EJECUTAN EL CÓDIGO HASTA LAS APLICACIONES (Cloud-hosted system for the formal verification of software and the measurement of its quality, from the compilers and interpreters that execute the code to the applications). Funded by: Consultoría Tecnológica para el comercio, SL (CONSULTEC) and Avangroup Business Solutions S.L., research contract. Ref: N/A. PI: Borja Sanz Urquijo. Budget: 44,161 Euros.
ACSAS: ANÁLISIS DE CAMPAÑAS Y SENSIBILIDAD A LA AMBIGÜEDAD LINGÜÍSTICA PARA LA MEJORA DEL FILTRADO DE SPAM (Campaign analysis and sensitivity to linguistic ambiguity for improved spam filtering). Funded by: AVANGROUP BUSINESS SOLUTIONS S.L., research contract. Ref: N/A. PI: Igor Santos. Budget: 8,000 Euros.

INTERDISCIPLINARY COLLABORATION

The project is within the security scope. However, the results will also help developers and users.
We would like to raise developers' awareness of these corruption errors and of the consequences of their exploitation.

INTERNATIONAL COLLABORATION

The applicant will join this MSCA action, and results derived from it may be used in other H2020 projects in the area of cybersecurity.

INTERSECTORAL COLLABORATION

Our group has an important network of collaborators around the world who can provide additional insight into this project (e.g., CISCO, UCSB, CMU, Eurecom and Symantec Research Labs, amongst others).

IMPACT

The results of the research can be exploited in several ways: (i) developing vulnerability discovery tools for developers, and (ii) devising new sanitization methods that make vulnerability patching more transparent for commodity users. Regarding dissemination, we plan to publish our results as scientific publications in top venues, and also to carry out dissemination actions aimed at both the general public and practitioners in the field.

INNOVATION

Harmful concurrency errors lead to unintended program behavior that may result, for instance, in wrong outputs and program crashes. However, explicitly exploring their consequences reveals that they usually lead to memory corruption, which suggests that some memory error detection approaches may fail to detect these specific cases, since the corruption depends on thread scheduling. Indeed, recent studies have verified that the memory corrupted as a result of previously known data races can be leveraged to carry out attacks, and that these races can often be triggered with high probability. In the case of atomicity violation errors, Time Of Check To Time Of Use (TOCTTOU) vulnerabilities are the most distinctive example: they allow an attacker to modify a resource between the check operation and the use operation. The file system has been the main target of these attacks and the focus of the research community in past years; however, TOCTTOU vulnerabilities apply to several resources and scenarios, such as shared memory in multithreaded programs [20], or a kernel fetching a value from the same user-space memory location twice, known as double-fetch vulnerabilities. These problems, derived from concurrency errors and their combination with memory corruption, have been tackled only to a small extent, which opens up possible new attack opportunities against which it is essential to develop countermeasures.
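The shared-memory TOCTTOU and double-fetch pattern described above, and the memory-corruption consequence introduced earlier in the Memory corruption paragraph, can be made concrete in a few lines of C. The following is an added example written for this page, not code from DeustoTech or from the cited work: the `shared_msg` record, the `writer_hook` stand-in for a concurrent writer, and all function names are assumptions constructed for the demonstration. It places the vulnerable check-then-use code (length fetched twice from a shared record) beside the sanitized form (length fetched once into a local and both checked and used from that snapshot), and makes the race deterministic by running the "other writer" in the window between check and use.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not from the original page): a record shared between
 * threads or processes, whose length field another party may rewrite at any
 * time. The layout and the names are assumptions made for this demo.
 */
struct shared_msg {
    volatile uint32_t len;   /* rewritten concurrently; volatile forces two real loads */
    uint8_t data[64];
};

/* Stand-in for the concurrent writer (assumption): the caller supplies a hook
 * that runs in the window between the check and the use, so the race outcome
 * is deterministic for the purpose of the demonstration. */
typedef void (*writer_hook)(struct shared_msg *m);

/* Vulnerable pattern: len is fetched from shared memory twice. The bound
 * check validates the first fetch, but the copy trusts the second one. */
int copy_double_fetch(struct shared_msg *m, uint8_t *out, size_t outsz,
                      writer_hook racer)
{
    if (m->len > outsz)              /* first fetch: the check */
        return -1;
    if (racer)
        racer(m);                    /* another thread changes len here */
    size_t n = m->len;               /* second fetch: the use */
    memcpy(out, m->data, n);         /* n may now exceed outsz */
    return (int)n;
}

/* Sanitized pattern: fetch once into a local copy, then check and use only
 * that copy. The shared value can still change, but the code never acts on a
 * value it did not check. */
int copy_single_fetch(struct shared_msg *m, uint8_t *out, size_t outsz,
                      writer_hook racer)
{
    uint32_t n = m->len;             /* single snapshot of the shared field */
    if (n > outsz)
        return -1;
    if (racer)
        racer(m);                    /* same window, but n is already fixed */
    memcpy(out, m->data, n);
    return (int)n;
}

/* Constructed writer: grows the length after the check has passed. */
static void grow_len(struct shared_msg *m) { m->len = 40; }

/* Runs both variants against the same 16-byte destination limit and reports
 * how many bytes each actually copied. The backing buffer is 64 bytes so the
 * demonstration itself stays memory-safe while the 16-byte limit the caller
 * declared is visibly exceeded by the vulnerable version. Returns 1 when the
 * vulnerable copy overran the limit and the sanitized copy respected it. */
int demo_double_fetch(int *vulnerable_bytes, int *hardened_bytes)
{
    struct shared_msg m;
    uint8_t backing[64];
    memset(&m, 0, sizeof m);
    memset(m.data, 0xAB, sizeof m.data);

    m.len = 8;
    *vulnerable_bytes = copy_double_fetch(&m, backing, 16, grow_len);
    m.len = 8;
    *hardened_bytes = copy_single_fetch(&m, backing, 16, grow_len);

    return (*vulnerable_bytes > 16) && (*hardened_bytes == 8);
}

int main(void)
{
    int v = 0, h = 0;
    demo_double_fetch(&v, &h);
    printf("double fetch copied %d bytes past a 16-byte limit; "
           "single fetch copied %d bytes\n", v, h);
    return 0;
}
```

The same discipline applies to the other resources the paragraph names: for a file-system check, operate on the descriptor that was actually opened (for example, `fstat` on the fd rather than `stat` on the path), and for a kernel reading user memory, copy the value in once and validate the kernel-side copy. Detection tooling can look for the double-fetch shape directly: two loads from the same shared or user-controlled address with a bounds check depending on the first and a size or index depending on the second.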

INCLUSION

One of the University of Deusto's key duties is to be fully aware of problems within the institution itself and in the society we live in. For this reason, it takes specific steps to boost integration and real equality of opportunity for people with specific support needs. Timely, specific action is required to enable them to enter higher education under equal conditions and to ensure their full integration into the university community. DeustoTech, as one of its institutions, is part of this service of social action and inclusion. The main aims consist of achieving full normalisation and equal opportunities, and of gradually adopting the steps needed to ensure that the University of Deusto is an inclusive educational institution. Furthermore, the University of Deusto provides people with specific support needs with guidance and support during the transition to the labour market, jointly with special job centres and companies at large.