J.-F. Lalande

Analyzing android applications is essential to review proprietary code and to understand malware behaviors. however, android applications use obfuscation techniques to slow down this process. these obfuscation techniques are increasingly based on native code. in this paper, we propose oats'inside , a new analysis tool that focuses on high-level behaviors in order to circumvent native obfuscation techniques transparently. the targeted high-level behaviors are object-level behaviors, i.e. actions performed on java objects (e.g. field accesses, method calls), regardless of whether these actions are performed using java or native code. our system uses a hybrid approach based on dynamic monitoring and trace-based symbolic execution to output control flow graphs (cfgs) for each method of the analyzed application. cfgs are composed of java-like actions enriched with condition expressions and data flows between actions, giving an understandable representation of any code, even those fully native. oats'inside spares users the need to dive into low-level instructions, which are difficult to reverse engineer. we extensively compare oats'inside functionalities against state-of-the-art tools to highlight the benefit when observing native operations. our experiments are conducted on a real smartphone: we discuss the performance impact of oats'inside and we demonstrate its practical use on applications containing anti-debugging techniques provided by the owasp foundation. we also evaluate the robustness of oats'inside using obfuscated unit tests using the tigress obfuscator.

This special issue presents five articles that address the topic of replicability and scientific methodology in information security research, featuring two extended articles from the 2021 international workshop on information security methodology and replication studies (iwsmr). this special issue also comprises two distinguished dissertations.

Android security has received a lot of attention over the last decade, especially malware investigation. researchers attempt to highlight applications' security-relevant characteristics to better understand malware and effectively distinguish malware from benign applications. the accuracy and the completeness of their proposals are evaluated experimentally on malware and goodware datasets. thus, the quality of these datasets is of critical importance: if the datasets are outdated or not representative of the studied population, the conclusions may be flawed. we specify different types of experimental scenarios. some of them require unlabeled but representative datasets of the entire population. others require datasets labeled with valuable characteristics that may be difficult to compute, such as malware datasets. we discuss the irregularities of datasets used in experiments, questioning the validity of the performances reported in the literature. this article focuses on providing guidelines for designing debiased datasets. first, we propose guidelines for building representative datasets from unlabeled ones. second, we propose and experiment a debiasing algorithm that, given a biased labeled dataset and a target representative dataset, builds a representative and labeled dataset. finally, from the previous debiased datasets, we produce datasets for experiments on android malware detection or classification with machine learning algorithms. experiments show that debiased datasets perform better when classifying with machine learning algorithms.

Fault attacks can target smart card programs to disrupt an execution and take control of the data or the embedded functionalities. among all possible attacks, control-flow attacks aim at disrupting the normal execution flow. identifying harmful control-flow attacks and designing countermeasures at the software level are tedious and tricky for developers. in this paper, we propose a methodology to detect harmful inter- and intra-procedural jump attacks at the source code level and automatically inject formally proven countermeasures into a c code. the proposed software countermeasures protect the integrity of individual statements at the granularity of single c statements. they support many control-flow constructs of the c language. the countermeasure scheme can detect an attack early either inside a control-flow construct or only at its exit. the secured source code defeats 100\%of attacks that jump over at least two c source code statements. experiments showed that the resulting code is also hardened against unexpected function calls and jump attacks at the assembly code level. securing a source code automatically and extensively with our scheme degrades the performance. the performance overhead of our countermeasures on three well-known encryption algorithms available in c ranged from +41\%to +138\%on an x86 platform and from +45\%to +217\%on an arm-v7 platform. however, combining code rewriting with hardening of sensitive code regions identified by the weakness detection step enables an application to be fully hardened while limiting the overhead.

Science 2.0 aims at using the information sharing and collaborative features of the internet to offer new features to the research community. science 2.0 has been already applied to computer sciences, especially bioinformatics. for network information hiding, a field studying the possibility of concealing a communication in networks, the application of science 2.0 is still a rather uncovered territory. to foster the discussion of potential benefits for network information hiding, we provide a disquisition for six different science 2.0 aspects when applied to this domain.

Modern malware threats utilize many advanced techniques to increase their stealthiness. to this aim, information hiding is becoming one of the preferred approaches, especially to exfiltrate data. however, for the case of smartphones, covert communications are primarily used to bypass the security framework of the device. the most relevant case is when two "colluding applications" cooperate to elude the security policies enforced by the underlying os. unfortunately, detecting this type of malware is a challenging task as well as a poorly generalizable process. in this paper, we propose a method for the detection of malware exploiting colluding applications. in more details, we analyze the correlation of processes to spot the unknown pair covertly exchanging information. experimental results collected on an android device showcase the effectiveness of the approach, especially to detect low-attention raising covert channels, i.e., those active when the user is not operating the smartphone.

The best protection against malware is to execute it: a security paradox.

Modern malware uses advanced techniques to hide from static and dynamic analysis tools. to achieve stealthiness when attacking a mobile device, an effective approach is the use of a covert channel built by two colluding applications to locally exchange data. since this process is tightly coupled with the used hiding method, its detection is a challenging task, also worsened by the very low transmission rates. as a consequence, it is important to investigate how to reveal the presence of malicious software by using general indicators such as the energy consumed by the device. in this perspective, the paper aims to spot malware covertly exchanging data by using two detection methods based on artificial intelligence tools such as neural networks and decision trees. to verify their effectiveness, seven covert channels have been implemented and tested over a measurement framework using android devices. experimental results show the feasibility and effectiveness of the proposed approach to detect the hidden data exchange between colluding applications.

To ensure the privacy of users in transport systems, researchers are working on new protocols providing the best security guarantees while respecting functional requirements of transport operators. in this paper1, we design a secure nfc m-ticketing protocol for public transport that preserves users' anonymity and prevents transport operators from tracing their customers' trips. to this end, we introduce a new practical set-membership proof that does not require provers nor verifiers (but in a specific scenario for verifiers) to perform pairing computations. it is therefore particularly suitable for our (ticketing) setting where provers hold sim/uicc cards that do not support such costly computations. we also propose several optimizations of boneh-boyen type signature schemes, which are of independent interest, increasing their performance and efficiency during nfc transactions. our m-ticketing protocol offers greater flexibility compared to previous solutions as it enables the post-payment and the off-line validation of m-tickets. by implementing a prototype using a standard nfc sim card, we show that it fulfils the stringent functional requirement imposed by transport operators whilst using strong security parameters. in particular, a validation can be completed in 184.25ms when the mobile is switched on, and in 266.52ms when the mobile is switched off or its battery is flat.

Many efforts in the area of computer security have been drawn to attribute-based access control (abac). compared to other adopted models, abac provides more granularity, scalability, and flexibility. this makes it a valuable access control system candidate for securing platforms and environments used for coordination and cooperation among organizations and communities, especially over open networks such as the internet. on the other hand, the basic abac model lacks provisions for context, trust and privacy issues, all of which are becoming increasingly critical, particularly in high performance distributed collaboration environments. this paper presents an extended access control model based on attributes associated with objects and subjects. it incorporates trust and privacy issues in order to make access control decisions sensitive to the cross-organizational collaboration context. several aspects of the proposed model are implemented and illustrated by a case study that shows realistic abac policies in the domain of distributed multiple organizations crisis management systems. furthermore, the paper shows a collaborative graphical tool that enables the actors in the emergency management system to make better decisions. the prototype shows how it guarantees the privacy of object's attributes, taking into account the trust of the subjects. this tool incorporates a decision engine that relies on attribute based policies and dynamic trust and privacy evaluation. the resulting platform demonstrates the integration of the abac model, the evolving context, and the attributes of actors and resources.

The emergence of the nfc (near field communication) technology brings new capacities to the next generation of smartphones, but also new security and privacy challenges. indeed through its contactless interactions with external entities, the smartphone of an individual will become an essential authentication tool for service providers such as transport operators. however, from the point of view of the user, carrying a part of the service through his smartphone could be a threat for his privacy. indeed, an external attacker or the service provider himself could be tempted to track the actions of the user. in this paper, we propose a privacy-preserving contactless mobile service, in which a user's identity cannot be linked to his actions when using the transport system. the security of our proposition relies on the combination of a secure element in the smartphone and on a privacy-enhancing cryptographic protocol based on a variant of group signatures. in addition, although a user should remain anonymous and his actions unlinkable in his daily journeys, we designed a technique for lifting his anonymity in extreme circumstances. in order to guarantee the usability of our solution, we implemented a prototype demonstrating that our solution meets the major functional requirements for real transport systems: namely that the mobile pass can be validated at a gate in less than 300 ms, and this even if the battery of the smartphone is exhausted.

Hpc clusters are costly resources, hence nowadays these structures tend to be co-financed by several partners. a cluster administrator has to be designated, whose duties include, amongst others, the prevention of accidental data leakage or theft. linux has been chosen as an operating system for the cea's computing platforms. however, strong system security solutions such as selinux are usually difficult to set up in large environments. this article presents how we have adapted a mac mechanism in order to enforce confidentiality and integrity between a large number of users. first we define our security objectives, and show how they direct our technical choices. then we present how confinement was achieved using the selinux security mechanism, and how various attack scenarios were addressed. we then focus on the use of mandatory categories, access control on high bandwidth network filesystems and the integration of new users and applications. we discuss some residual technical challenges. finally, we present benchmark results and validate the acceptable performance impact of our deployment on a modern cluster.

This paper proposes to address new requirements of confidentiality, integrity and availability properties fitting to peer-to-peer domains of resources. the enforcement of security properties in an open peer-topeer network remains an open problem as the literature have mainly proposed contribution on availability of resources and anonymity of users. that paper proposes a novel architecture that eases the administration of a peer-to-peer network. it considers a network of safe peer-to-peer clients in the sense that it is a commune client software that is shared by all the participants to cope with the sharing of various resources associated with different security requirements. however, our proposal deals with possible malicious peers that attempt to compromise the requested security properties. despite the safety of an open peer-to-peer network cannot be formally guaranteed, since a end user has privileges on the target host, our solution provides several advanced security enforcement. first, it enables to formally define the requested security properties of the various shared resources. second, it evaluates the trust and the reputation of the requesting peer by sending challenges that test the fairness of its peer-to-peer security policy. moreover, it proposes an advanced mandatory access control that enforces the required peer-to-peer security properties through an automatic projection of the requested properties onto selinux policies. thus, the selinux system of the requesting peer is automatically configured with respect to the required peer-to-peer security properties.

This paper presents the design and discusses the results of a secured high-interaction honeypot. the challenge is to have a honeypot that welcomes attackers, allows userland malicious activities but prevents system corruption. the honeypot must authorize real malicious activities. it must ease the analysis of those activities. a clustered honeypot is proposed for two kinds of hosts. the first class prevents a system corruption and never has to be reinstalled. the second class assumes a system corruption but an easy reinstallation is available. various off-the-shelf security tools are deployed to detect a corruption and to ease analysis. moreover, host and network information enable a full analysis for complex scenario of attacks. the solution is totally based on open source software and has been validated over two years. a complete analysis is provided using the collected events and alarms. first, different types of malicious activities are easily reconstructed. second, correlation of alarms enables us to compare the efficiency of various off-the-shelf security tools. third, a correlation eases a complete analysis for the host and network activities. finally, complete examples of attacks are explained. ongoing works focus on recognition of complex malicious activities using a correlation grid and on distributed analysis.

This paper focuses on the enforcement of security properties fitting with dynamic mandatory access control policies. it adds complementary results to previous works of the authors in order to better address dynamic policies. previous works of the authors provide several advances for enforcing the security of mac system. an administration language for formalizing a large set of security properties is available to system administrators. that language uses several flow operators and ease the formalization of the required security properties. a solution is also available for computing the possible violations of any security property that can be formalized using our language. that solution computes several flow graphs in order to find all the allowed activities that can violate the requested properties. that paper addresses remaining problems related to the enforcement of the same kind of properties but with dynamic mac policies. enforcement is more much complex if we consider dynamic policies since the states of those policies are theoretically infinite. a new approach is proposed for dynamic mac policies. the major idea is to use a meta-policy language for controlling the allowed evolutions of those dynamic policies. according to those meta-policy constraints, the computation problem becomes easier. the proposed solution adds meta-nodes within the considered flow graphs. a general algorithm is given for computing the required meta-nodes and the associated arcs. the proposed meta-graphs provide an overestimation of the possible flows between the different meta-nodes. the computation of the possible violations within the allowed dynamic policies is thus allowed. several concrete security properties are considered using regular expressions for identifying the requested meta- contexts. the resulting violations, within the allowed meta- graphs, are computed and real violations are presented.

Information hiding techniques can implement covert channels, which are increasingly used for developing malware that is able to bypass the security layer of modern mobile devices or to covertly exfiltrate data. for this reason, understanding and detecting this type of threats is crucial to assess the security of modern devices and data. unfortunately, the detection of information hiding-capable malware is a complex and poorly generalizable task, as it is tightly coupled with the specific implementation. therefore, this chapter proposes to prevent the exfiltration of mobile data by early detection of malicious software considering the correlation of processes running on a device or anomalies in the consumed energy.

This chapter presents forensic investigations of cyber attackers' activities on a large scale honeypot and shows how these methodologies can be integrated into an siem. the chapter describes our high interaction honeypot and analyzes the illegal activities performed by attackers on the basis of the data collected over two years of attacks: logged sessions, intrusion detection system alerts, mandatory access control system alerts. the empirical study of these illegal activities has allowed us to understand the global motivations of the attackers, their technical skills, the geographical location of the attackers and their targets. a generic method is presented that has enabled us to rebuild the illegal activities using correlation techniques operating on system and network events. monitoring the network and the operations occurring on each system has provided precise and high level characterization of attacks. finally, the chapter explains how network and system methods for forensics can be integrated into an siem in order to more accurately monitor the security of a pool of hosts.

This chapter presents an algorithm for resource allocation in satellite networks. it deals with planning a time/frequency plan for a set of terminals with a known geometric configuration under interference constraints. our objective is to maximize the system throughput while guaranteeing that the different types of demands are satisfied, each type using a different amount of bandwidth. the proposed algorithm relies on two main techniques. the first generates admissible configurations for the interference constraints, whereas the second uses linear and integer programming with column generation. the obtained solution estimates a possible allocation plan with optimality guarantees, and highlights the frequency interferences which degrade the construction of good solutions.

With millions of android malware samples available, researchers have a large amount of data to perform malware detection and classification, specially with the help of machine learning. thus far, visualization tools focus on single samples or one-to-many comparison, but not a many-to-many approach. in order to exploit the quantity of data from various datasets to obtain meaningful information, we propose daviz, a visualization tool for android malware datasets. with the aid of multiple chart types and interactive sample filtering, users can explore different application datasets and compare them. this new tool allows to get a better understanding of the datasets at hand, and help to continue research by narrowing the samples to those of interest based on selected characteristics.

During a computer security investigation, a security analyst has to explore the logs available to understand what happened in the compromised system. for such tasks, visual analysis tools have been developed to help with log exploration. they provide visualisations of aggregated logs, and help navigate data efficiently. however, even using visualisation tools, the task can still be difficult and tiresome. the amount and the numerous dimensions of the logs to analyse, the potential stealthiness and complexity of the attack may end with the analyst missing some parts of an attack. we offer to help the analyst finding the logs where her expertise is needed rapidly and efficiently. we design a recommender system called kraken that links knowledge coming from advanced attack descriptions into a visual analysis tool to suggest exploration paths. kraken confronts real world adversary knowledge with the investigated logs to dynamically provide relevant parts of the dataset to explore. to evaluate kraken we conducted a user study with seven security analysts. using our system, they investigated a dataset from the darpa containing different advanced persistent threat attacks. the results and comments of the security analysts show the usability and usefulness of the recommender system.

A malicious android application often consists of a benign part which is the body of the application, and a malicious part that is added later, by repackaging. fast and efficient analysis of android malware depends on the ana-lyst's ability to quickly locate malicious code and have a clear representation of it. to do this, the analysis tools must allow the suspicious code to be quickly located and isolated from the rest of the application. in this article, we propose in a first part to synthesize recent works from the literature and to refresh older research works in order to highlight the discriminating characteristics of malicious code. then, we propose a heuristic to reveal the suspicious methods of an android application by static analysis. finally, we discuss an algorithm to recover the malicious graft. this graft should contain the methods considered suspicious as well as the code calling these suspicious methods.

Experimenting with android malware requires to manipulate a large amount of samples and to chain multiple analyses. scripting such a sequence of analyses on a large malware dataset becomes a challenge: the analysis has to handle fails on the computer and crashes on the used smartphone, in case of dynamic analyses. we present a new tool, pymao, for handling such experiments on a regular desktop pc with the highest performance throughput. pymao helps to write sequences of analyses and handle partial experiments that should be restarted after a crash or continued with new unknown analyses. the tool also offers a post processing capability for generating number tables or bar graphs from the analyzed datasets.

Obfuscation techniques help developers to hide their code when distributing an android application. the used techniques are linked to the features provided by the programming language but also with the way the application is executed. using obfuscation is now a common practice and specialized companies sell tools or services for automatizing the manipulation of the source code. in this paper, we present how to develop obfuscated applications and how obfuscation technique usage is evolving in the wild. first, using advanced obfuscation techniques requires some advanced knowledge about the development of android applications. we describe how to build such applications for helping researchers to generate samples of obfuscated applications for their own research. second, the use of obfuscation techniques is evolving for both regular applications or malicious ones. we aim at measuring the development of these usages by studying application and malware samples and the artifacts that indicate the use of obfuscation techniques.

At present, computer science studies generally offer courses addressing mobile development and they use mobile technologies for illustrating theoretical concepts such as operating system, design patterns, and compilation because android and ios use a large variety of technologies for developing applications. teaching courses on security is also becoming an important concern for academics, and the use of mobile platforms (such as android) as supporting material is becoming a reasonable option. in this paper, we intend to bridge a gap in the literature by reversing this paradigm: android is not only an opportunity to learn security concepts but requires strong pedagogical efforts for covering all the aspects of mobile security. thus, we propose teaching android mobile security through a two-dimensional approach. the first dimension addresses the cognitive process of the bloom taxonomy, and the second dimension addresses the technical layers of the architecture of the android operating system. we describe a set of comprehensive security laboratory courses covering various concepts, ranging from the application development perspective to a deep investigation of the android open source project and its interaction with the linux kernel. we evaluated this approach, and our results verify that the designed security labs impart the required knowledge to the students.

Ten years ago, google released the first version of its new operating system: android. with an open market for third party applications, attackers started to develop malicious applications. researchers started new works too. inspired by previous techniques for windows or gnu/linux malware, a lot of papers introduced new ways of detecting, classifying, defeating android malware. in this paper, we propose to explore the technical difficulties of experimenting with android malware. these difficulties are encountered by researchers, each time they want to publish a solid experiment validating their approach. how to choose malware samples? how to process a large amount of malware? what happens if the experiment needs to execute dynamically a sample? the end of the paper presents the upcoming scientific challenges of the community interested in malware analysis.

Malicious android applications use clever techniques to hide their real intents from the user and avoid detection by security tools. they resort to code obfuscation and dynamic loading, or wait for special events on the system like reboot or wifi activation. therefore, promising approaches aim to locate, study and execute specific parts of android applications in order to monitor for suspicious behavior. they rely on control flow graphs (cfgs) to obtain execution paths towards sensitive codes. we claim here that these cfgs are incomplete because they do not take into consideration implicit control flow calls, i.e., those that occur when the android framework calls a method implemented in the application space. this article proposes a practical tool, gpfinder, exposing execution paths towards any piece of code considered as suspicious. gpfinder takes the android framework into account and considers explicit and implicit control flow calls to build cfgs. using gpfinder, we give global characteristics of application cfgs by studying a dataset of 14,224 malware and 2,311 goodware samples. we evaluate that 72.69\%of the analyzed malicious samples have at least one suspicious method reachable only through implicit calls.

Android malware authors use sophisticated techniques to hide the malicious intent of their applications. they use cryptography or obfuscation techniques to avoid detection during static analysis. they can also avoid detection during a dynamic analysis. frequently, the malicious execution is postponed as long as the malware is not convinced that it is running in a real smartphone of a real user. however, we believe that dynamic analysis methods give good results when they really monitor the malware execution. in this article, we propose a method to enhance the execution of the malicious code of unknown malware. we especially target malware that have triggering protections, for example branching conditions that wait for an event or expect a specific value for a variable before triggering malicious execution. in these cases, solely executing the malware is far from being sufficient. we propose to force the triggering of the malicious code by combining two contributions. first, we define an algorithm that automatically identifies potentially malicious code. second, we propose an enhanced monkey called grodddroid, that stimulates the gui of an application and forces the execution of some branching conditions if needed. the forcing is used by grodddroid to push the execution flow towards the previously identified malicious parts of the malware and execute it. the source code for our experiments with grodddroid is released as free software. we have verified on a malware dataset that we investigated manually that the malicious code is accurately executed by grodddroid. additionally, on a large dataset of 100 malware we precisely identify the nature of the suspicious code and we succeed to execute it at 28\%.

To ensure the privacy of users in transport systems, researchers are working on new protocols providing the best security guarantees while respecting functional requirements of transport operators. in this paper1, we design a secure nfc m-ticketing protocol for public transport that preserves users' anonymity and prevents transport operators from tracing their customers' trips. to this end, we introduce a new practical set-membership proof that does not require provers nor verifiers (but in a specific scenario for verifiers) to perform pairing computations. it is therefore particularly suitable for our (ticketing) setting where provers hold sim/uicc cards that do not support such costly computations. we also propose several optimizations of boneh-boyen type signature schemes, which are of independent interest, increasing their performance and efficiency during nfc transactions. our m-ticketing protocol offers greater flexibility compared to previous solutions as it enables the post-payment and the off-line validation of m-tickets. by implementing a prototype using a standard nfc sim card, we show that it fulfils the stringent functional requirement imposed by transport operators whilst using strong security parameters. in particular, a validation can be completed in 184.25ms when the mobile is switched on, and in 266.52ms when the mobile is switched off or its battery is flat.

Smart environments integrate information and communication technologies (ict) into devices, vehicles, buildings and cities to offer an increased quality of life, energy efficiency and economical sustainability. in this perspective, the individual has a core role and so has networking, which enables such entities to cooperate. however, the huge amount of sensitive data, social aspects and the mixed set of protocols offer many opportunities to inject hazards, exfiltrate information, mass profiling of citizens, or produce a new wave of attacks. this work reviews the major risks arising from the usage of ict-techniques for smart environments, with emphasis on networking. its main contribution is to explain the role of different stakeholders for causing a lack of security and to envision future threats by considering human aspects.

Trusted execution environments (tee) are becoming widely deployed in new smartphone generation. running within the tee, the trusted applications (ta) belong to diverse service providers. each ta manipulates a profile, constituted of secret credentials and user's private data. normally, a user should be able to transfer his tee profiles from a tee to another compliant tee. however, tee profile migration implies security and privacy issues in particular for tee profiles that require explicit agreement of the service provider. in this paper, we first present our perception of the deployment and implementation of a tee: we organize the tee into security domains with different roles and privileges. based on this new model, we build a migration protocol of tee profiles ensuring its confidentiality and integrity. to this end, we use a reencryption key and an authorization token per couple of devices, per service provider and per transfer. the proposed protocol has been successfully validated by avispa, an automated security protocol validation tool.

Fault attacks can target smart card programs in order to disrupt an execution and gain an advantage over the data or the embedded functionalities. among all possible attacks, control flow attacks aim at disrupting the normal execution flow. identifying harmful control flow attacks as well as designing countermeasures at software level are tedious and tricky for developers. in this paper, we propose a methodology to detect harmful intra-procedural jump attacks at source code level and to automatically inject formally-proven countermeasures. the proposed software countermeasures defeat 100\%of attacks that jump over at least two c source code statements or beyond. experiments show that the resulting code is also hardened against unexpected function calls and jump attacks at assembly level.

This paper studies the topic of privacy in its relations with mobile technologies. after presenting the complexity of the topic and the need for an interdisciplinary approach on this subject, we analyze its media coverage in the modern public space. despite the di culties high- lighted by these studies, we argue that research e orts should support the emergence of mobile services that respect users' privacy as well as the development of a digital culture of privacy.

In this paper, we present a new mobile ticketing protocol for public transport service preserving the users' privacy and offering greater flexibility comparing to existing solutions. our protocol enables post-payment approach. hence, users pay only what they really used. moreover, our protocol enables off-line ticket validation.

In this paper, we present a new mobile ticketing protocol for public transport service preserving the users' privacy and offering greater flexibility comparing to existing solutions. our protocol enables post-payment approach. hence, users pay only what they really used. moreover, our protocol enables off-line ticket validation.

The development of nfc-enabled smartphones has paved the way to new applications such as mobile payment (m-payment) and mobile ticketing (m-ticketing). however, often the privacy of users of such services is either not taken into account or based on simple pseudonyms, which does not offer strong privacy properties such as the unlinkability of transactions and minimal information leakage. in this paper, we introduce a lightweight privacy-preserving contactless transport service that uses the sim card as a secure element. our implementation of this service uses a group signature protocol in which costly cryptographic operations are delegated to the mobile phone.

Nos smartphones hébergent de plus en plus de données privées qu'il convient de protéger d'applications malveillantes. cependant, comme le système de permissions d'android délègue à l'utilisateur l'analyse de la légitimité d'une demande de permission d'accès à une donnée privée, nous considérons que la gestion de la privacy est broken by design. nous proposons donc dans ce papier d'améliorer la sécurité des données privées sans toucher au système d'exploitation sous-jacent, ceci afin de maximiser le nombre d'utilisateurs potentiels de notre solution. la méthodologie proposée repose sur le repackaging d'une application dans laquelle on injecte des codes monitorant l'accès aux données privées du smartphone. nous montrons au travers de résultats expérimentaux comment l'accès aux contacts est audité ou protégé sur un ensemble de 18 applications du market. nous montrons aussi comment décliner la méthode pour empêcher l'envoi de sms, ce que nous avons testé sur un malware réalisant ce type d'attaque.

This paper presents honeycloud: a large-scale high-interaction honeypots architecture based on a cloud infrastructure. the paper shows how to setup and deploy on-demand virtualized honeypot hosts on a private cloud. each attacker is elastically assigned to a new virtual honeypot instance. honeycloud offers a high scalability. with a small number of public ip addresses, honeycloud can multiplex thousands of attackers. the attacker can perform malicious activities on the honeypot and launch new attacks from the compromised host. the honeycloud architecture is designed to collect operating system logs about attacks, from various ids, tools and sensors. each virtual honeypot instance includes network and especially system sensors that gather more useful information than traditional network oriented honeypots. the paper shows how are collected the activities of attackers into the cloud storage mechanism for further forensics. honeycloud also addresses efficient attacker's session storage, long term session management, isolation between attackers and fidelity of hosts.

Smart card software has to implement software countermeasures to face attacks. some of these attacks are physical disruptions of chip components that cause a misbehavior in the code execution. a successful functional attack may reveal a secret or grant an undesired authorization. in this paper, we propose to model fault attacks at source level and then simulate these attacks to find out which ones are harmful. after discussing the effects of physical attacks at assembly level and going back to their consequences at source code level, the paper focuses on control flow attacks. such attacks are good candidates for the proposed model that can be used to exhaustively test the robustness of the attacked program. on the bzip2 software, the paper's results show that up to 21\%of the assembly simulated control flow attacks are covered by the c model with 30 times less test cases.

Smart cards are in the embedded world one of the few hardware devices that can be subject to targeted physical attacks from malicious and skilled people. these physical attacks can target any element of the chip resulting in unpredictable effects on the executed software. for an applicative developer who is more familiar with a high level language, it is a difficult task to predict the consequences of such low level attacks. analysing the consequences of a physical attack and creating a realistic and plausible attack model is the first step that leads to a better understanding of the security of an application. but even with this model it is still difficult to pinpoint locations in the source code where physical attacks might lead to security vulnerabilities. different approaches and techniques exist to simulate faults at hardware or software level. however most of them focus either on a high level of abstraction as with software fuzzing techniques or a precise description of the low level hardware as with a vhdl simulator. since one of the developer's goals is to implement high level countermeasures to prevent low level attacks, both preceding approaches lack of expressiveness. thus, the challenge is to simulate with additional c code the consequences of low level attacks such as register disruption, processor instruction modification, arbitrary jumps. the second difficulty is to deal with the number of possible attacks which is related to the code size, the size of variable domains and the persistence of the attack effect. as it is impossible to exhaustively simulate all the possible attacks, our study focuses on jump attacks. these are classical attacks that lead to a change in the control flow of the code and can be used to bypass security checks. in this talk we will present a cost effective methodology and a technical solution to simulate, at c level, the effects of physical jump attacks. experimental results compare the effect of simulated high level attacks to physical low level attacks. in order to benchmark and validate the methodology, the experiments use the spec 2000 benchmarks with well- studied open source c codes. to make the analogy with the smart card, we consider that a successful attack against a spec 2000 software induces a termination with a wrong output. crashes and non terminating executions are safe results from a security point of view. the results also show how to identify vulnerable functions in a complete application. the knowledge of potential vulnerable locations in the source code of a project will enable a software developer to implement his countermeasures accordingly with more precision and assurance.

Dans cet article, nous proposons de décrire les hypothèses d'attaques physiques contre les cartes à puce afin de modéliser ces attaques à haut niveau. cette modélisation cherche à représenter l'attaque au niveau du langage c par l'injection d'un morceau de code qui simule ses effets. l'intérêt du modèle est qu'il permet de simuler les attaques possibles à un niveau où le programmeur peut comprendre les effets sur le code qu'il développe. cependant, le nombre d'attaques possibles est très grand ce qui empêche la réalisation exhaustive de tous les tests. les résultats expérimentaux montrent comment identifier par simulation les attaques par saut qui aboutissent. enfin, nous présentons nos perspectives de travaux qui concernent la vérification statique de ces codes attaqués.

This paper presents a new monitoring tool called synema that helps to visualize different types of alerts from well-known security sensors. the architecture of the proposed tool is distributed and enables centralizing the collected information into a lightweight visualizer. the front-end proposes many display modes in order to give the ability to clearly see malicious activities and to be able to visually monitor information collected at system, network and user level in the hosts. the paper concludes with development perspectives about an auto-configurable plugin for visual correlation of attacks.

Protecting a hpc cluster against real world cyber threats is a critical task, with the increasing trend to open and share computing resources. as partners can upload data that is confidential regarding other partners, a company managing a shared cluster has to enforce strong security measures. it has to prevent both accidental data leakage and voluntary data stealing. when using an operating system based on linux, the offered protections are difficult to set up in large scale environments. this article presents how to use the mandatory access control feature of selinux in order to guarantee strong security properties for hpc clusters. the proposed solution is based on the use of the multi-category system, the confinement of user profiles and the use of a dual ssh server. the issues encountered during the implementation and the most difficult technical points are presented. finally, this paper shows experimental results about the performance of our solution and the impact on a large scale cluster.

Java collaborative applications are increasingly and widely used in the form of applets or servlets, as a way to easily download and execute small programs on one's computer. however, security associated with these downloaded applications, even if it exists, is not easily manageable. most of the time, it relies on the user's ability to define a security policy for his virtual machine, which is undesirable. this paper proposes to integrate an rbac mechanism for any java application. it introduces a simple tag process that allows the developer to incorporate the appropriate policy in the source code of his application. the user is endowed with the ability to choose a role that corresponds to the required level of trust required in order for him to embed the policy in the executed code. a case study of a collaborative application shows how works the proposed api for managing roles, generating policies and logging in. at the end, a discussion about the dynamic enforcement of the generated policies is presented.

This paper presents an implementation of team-based access control policy (tmac) using selinux as mandatory access control mechanism for linux operating systems. after explaining the particularities of tmac in an elaborate example, the paper presents the xml tmac format developed and introduces a visualization tool that allows a user to explore the tmac policy. furthermore, we discuss how this policy is projected under selinux. finally, we discuss the limitations of this implementation and propose further future developments.

This paper presents an algorithm for resource allocation in satellite networks. it deals with planning a time/frequency plan for a set of terminals with a known geometric configuration under interference constraints. our objective is to maximize the system throughput while guaranteeing that the different types of demands are satisfied, each type using a different amount of bandwidth. the proposed algorithm relies on two main techniques. the first generates admissible configurations for the interference constraints, whereas the second uses linear and integer programming with column generation. the obtained solution estimates a possible allocation plan with optimality guarantees, and highlights the frequency interferences which degrade the construction of good solutions.

Nous présentons un algorithme de calcul de chemins de secours dans un réseau optique qui offre de meilleures performances pratiques que d'autres algorithmes connus grâce à l'application d'une technique d'arrondi aléatoire.

Studying android obfuscation techniques is an essential task for understanding and analyzing malicious applications. obfuscation techniques have already been extensively studied for market applications but never for pre-compiled applications used in smartphone firmwares. in this paper, we describe two new obfuscation techniques that take advantage of the duality between assembly and dalvik bytecode and, as far as we know, have never been described before. we also propose detection methods for these obfuscation techniques. we apply them to vendor firmwares and market applications in order to evaluate their usage in the wild. we found that even if they do not seem to be already used in the wild, they are fully practical.

Understanding an android malware is a difficult task that requires strong skills in reverse engineering. few tools exist except the well know ida and ghidra tools that are more focused on the analysis of binaries. in the android world, understanding a malware requires to analyze the bytecode of the application, possibly obfuscated or hidden in a benign application that has been modified. at execution time, the malware can download new payloads, compromise the smartphone, and install new apps. we believe that a security analyst would appreciate to visualize and replay an execution of an android malware. in particular, an analysis that bridges the gap between the bytecode and the events occurring during the execution would help to understand the malware behavior. in this article, we propose groddviewer the first tool offering a dual view of the execution of an android malware. the first view represents the execution at operating system level through the representation of all information flow between files, processes and sockets. the second view represents what happened in the code of the application, during its execution. the benefit of this visualization tool is illustrated on a ransomware sample. in future, we plan to evaluate the tool with a panel of users on a benchmark of malware samples.

Since android became the first smartphone operating system, malware developers have put large efforts to craft new threats uploaded to the google play store and other third market places. companies and researchers now include in their activities the analysis of malware targeting smartphones. most of the time, the problem that is addressed consists in deciding if an application should be considered as a malware or not. nevertheless, once a malware is tagged as a malicious application, users that have been infected ask for more technical explanations about the threat they have been exposed to. dissecting a malware requires a lot of efforts for a security analyst to be conducted and companies are in demand of new tools for automatizing the analysis. from a research perspective, testing new ideas about malware analysis requires performing experiments on malware datasets. compared to other operating systems, android has fast development cycles with a new major release each year. a lot of malware samples do not run anymore when executed on new versions of android. experiments of the literature becomes quickly out of date and non reproducible when studying few samples. thus, working on larger datasets, built at the time of writing, may give more consistent experimental results. new challenges come from using such datasets. first, as the behavior of the samples are unknown, the obtained results from the experiments are difficult to evaluate. second, the experiment itself may require a large amount of time, depending of the quality of the automatization and the complexity of the analysis. third, the protections that are put by developers in the malware decrease the quality of the results. this paper discusses these challenges and describes our efforts to build reliable and large scale experiments.

This study is related to the understanding of android malware that now populate smartphone's markets. our main objective is to help other malware researchers to better understand how malware works. additionally, we aim at supporting the reproducibility of experiments analyzing malware samples: such a collection should improve the comparison of new detection or analysis methods. in order to achieve these goals, we describe here an android malware collection called kharon. this collection gives as much as possible a representation of the diversity of malware types. with such a dataset, we manually dissected each malware by reversing their code. we run them in a controlled and monitored real smartphone in order to extract their precise behavior. we also summarized their behavior using a graph representations of the information flows induced by an execution. with such a process, we obtained a precise knowledge of their malicious code and actions. as a result, researchers can figure out the engineering efforts of malware developers and understand their programming patterns. another important result of this study is that most of malware now include triggering techniques that delay and hide their malicious activities. we also think that this collection can initiate a reference test set for future research works.

Covert channels enable a policy-breaking communication not foreseen by a system's design. recently, covert channels in android were presented and it was shown that these channels can be used by malware to leak confidential information (e.g., contacts) between applications and to the internet. performance aspects as well as means to counter these covert channels were evaluated. in this paper, we present novel covert channel techniques linked to a minimized footprint to achieve a high covertness. therefore, we developed a malware that slowly leaks collected private information and sends it synchronously based on four covert channel techniques. we show that some of our covert channels do not require any extra permission and escape well know detection techniques like taintdroid. experimental results confirm that the obtained throughput is correlated to the user interaction and show that these new covert channels have a low energy consumption \textendash both aspects contribute to the stealthiness of the channels. finally, we discuss concepts for novel means capable to counter our covert channels and we also discuss the adaption of network covert channel features to android-based covert channels.

This paper presents a new way of deploying security properties and trust in an open peer-to-peer network. the originality is that the security properties are freely defined by the user and are attached to the exchanged resources that are associated with domains. the paper proposes an implementation of a monitoring agent that looks after an open source peer-to-peer client and detects any attempt of bypassing the defined security policy. the monitoring agent evaluates the consistency of policies when a transaction occurs and measures the trust of peers before authorizing the transaction. even if an experienced hacker can defeat locally the enforcement of the security policy, we show that this malicious user will be progressively excluded from the network by the computation of its trust. the trust measure of a peer is based on the consistency of the declared policy, its history of transactions and the evaluation of download challenges sent to a set of neighbors of the evaluated peer. a prototype of monitoring agent and a peer-to- peer client have been implemented and we show how a policy can be enforced locally to protect the resources at filesystem level. a second experiment has been performed in order to evaluate the trust computation using a peer-to-peer simulator for a network of 100 nodes.

One of the most important threats for android users is the collection of private data by malware put on the market. most of the proposed approaches that help to guarantee the user's privacy rely on modified versions of the android operating system. in this paper, we propose to automatically detect when an application accesses private data and to log this access in a third-party application. this detection should be performed without any modification to the operating system. the proposed methodology relies on the repackaging of a compiled application and the injection of a reporter at bytecode level. thus, such a methodology enables the user to audit suspicious applications that ask permissions to access private data and to know if such an access has occurred. we show that the proposed methodology can also be implemented as an ips, in order to prevent such accesses. experimental results show the efficiency of the methodology on a set of 18 regular applications of the android market that deal with contacts. our prototype detected 66\%of the accesses to the user's contacts. we also experimented the detection of privacy violations with 5 known malware that send premium-rate sms.

Smart card programs are subject to physical attacks that disturb the execution of the embedded code. these attacks enable attackers to steal valuable information or to force a malicious behavior upon the attacked code. this paper proposes a methodology to check interval security properties on smart card source codes. the goal is to identify critical attacks that violate these security properties. the verification takes place at source-level and considers all possible attacks thanks to a proposed source-level model of physical attacks. the paper defines an equivalence relation between attacks and shows that a code can be divided into areas where attacks are equivalent. thus, verifying an interval security property considering all the possible attacks requires to verify as many codes as the number of equivalence classes. this paper provides a reduction algorithm to define the classes i.e. the minimal number of attacked codes that covers all possible attacks. the paper also proposes a solution to make the property verification possible for large codes or codes having unknown source parts.

This paper proposes a technical solution for protecting users using a shared nfs service possibly controlled by a malicious user. the main goal is to protect the integrity and confidentiality of user's resources. moreover, we propose to solve a more difficult challenge: how to prevent a malicious user from exploiting a supposed nfs vulnerability in order to read or write the resources of another user? thus, this paper assumes that a vulnerability might exist in the nfs protocol or software components that gives the ability to a malicious user to execute any arbitrary code on the nfs server. technical details about the implantation of mandatory access control mechanisms with multi categories on the server side are given. the proposed solution avoids heavy modifications of the clients and only relies on the authentication of these clients.

This paper presents the design of a secured high-interaction honeypot. the challenge is to have a honeypot that welcomes attackers, allows userland malicious activities but prevents from system corruption. the honeypot must be scalable to authorize a large amount of malicious activities and to analyze those activities efficiently. the hardening of the honeypot is proposed for two kinds of host. the first class prevents system corruption and has never to be reinstalled. the second class assumes system corruptions but easy reinstallation is available. a first cluster enables to deploy a wide range of honeypots and security sensors. a second cluster provides an efficient auditing facility. the solution is totally based on open source software and has been validated during one year. a statistical analysis shows the efficiency of the different sensors. origin and destination of attacks are given. moreover, the complementarities of the sensors are discussed. ongoing works focus on recognition of complex malicious activities using a correlation grid.

This paper presents a new infrastructure based on a novel meta-policy approach. this solution allows to deploy a mac kernel within a distributed system. it is a completely decentralized solution that has strong fault tolerance properties. despite a local control of the updates, each local policy satisfies global security properties. our ids approach add new security properties. it prevents any accidental or malicious update of the local policies. moreover, the collaboration between the meta-policy and our ids system enables to detect illegal sequences of legal operations.

This paper presents a new framework based on a meta-policy linked to a new intrusion detection approach. it deploys a mac kernel within a distributed system while guaranteeing the consistency of the security policy, preventing any accidental or malicious update of the local policies of each host. access control decisions are resolved locally in accordance with a meta-policy. at the same time, the framework allows the evolution of the distributed policy without any network communication, and also guarantees that it satisfies the global security properties defined in the meta-policy. the combined policy and ids approach relies on trusted operating systems integrating mac and rbac. the proposed architecture controls a wider set of attacks and provides increased fault-tolerance, compared to other existing distributed access control approaches and policy-based ids techniques. details are given about languages used for the meta-policy, and implementation of the framework.

This technical report describes the implementation of exact and parametrized exponential algorithms, developed during the french anr agape during 2010-2012. the developed algorithms are distributed under the cecill license and have been written in java using the jung graph library.

This chapter studies the activities of cyber attackers on a large scale honeypot run- ning for more than 2 years. a honeypot is a set of online computers that welcome attackers and let them perform their attacks. the chapter presents how to classify complex distributed sessions of attacks. the first part of this chapter analyzes the illegal activities performed by attackers using the data collected during two years of attacks: logged sessions, intrusion detection system alerts, mandatory access control system alerts. the study of these illegal activities allows to understand the global motivations of the cyber attackers, their technical skills and the geographical location of the attackers and their targets. the second part of this chapter presents generic methods to rebuild the illegal ac- tivities appearing on several attacked hosts. by correlating information collected by multiple sources (loggers, monitors, detectors) both watching at the network and the operations occurring on each system, we provide precise and high level characterization of attacks. the proposed method follows an incremental approach that characterizes attacks from basic ones to highly complex malicious activities, including largely distributed attacks (migrating/hopping attacks, distributed denials of service). this work reveals the global goals of attackers that take control of mul- tiple hosts to launch massive attacks on big universities, industries, or governmental organisations. experimental results of these forensic and high level characteriza- tion methods are presented using the collected data of our large-scale honeypot.

This report introduces a java library whose objective is to provide tools for solving some network optimization problems and that may be used to write prototype software. we describe here the first step of the development which concerns algorithmic graph problems. this open source library named mascopt includes an implementation of a generic model of graph. this library has been designed with an object-oriented model and aims to be user friendly rather than focusing on speed of execution. we show how the model can be extended and dedicated to a user application by using simple object mechanism. we also present a basic description of the mascopt functionalities so that developers, who are familiar with objects, can use effectively for their own experimentations.

Ce rapport présente un algorithme d'allocation de ressources pour les réseaux satellitaires. il s'agit de prévoir un plan d'allocation en temps/fréquence pour un ensemble de terminaux ayant une configuration géométrique définie et soumis à des contraintes d'interférence. on cherche à minimiser la taille du plan de fréquences tout en garantissant que toutes les demandes des terminaux, en termes de bande passante et pour différents types, sont satisfaites. l'algorithme proposé repose sur deux techniques principales: la génération de configurations admissibles pour les contraintes d'interférence par des heuristiques, la programmation mixte linéaire/entière utilisant la génération de colonnes. la solution obtenue permet de prévoir un plan d'allocation admissible avec des garanties d'optimalité et permet aussi de mettre en évidence les configurations d'interférences qui entravent la génération de bonnes solutions.

Ce manuscrit d'habilitation à diriger des recherches présente une synthèse de mes travaux menés à l'insa centre val de loire dans le laboratoire lifo (laboratoire d'informatique fondamentale d'orléans) depuis septembre 2005. nous nous sommes intéressés à la sécurité de différents systèmes, depuis les systèmes à large échelle ou à hautes performances jusqu'à ceux qui sont embarqués comme les téléphones mobiles et les cartes à puce. nos contributions sont structurées autour de trois axes. dans un premier temps, nous abordons le problème de la conception de politiques de sécurité pour le contrôle d'accès pour des systèmes hautes performances ou collaboratifs. dans un second temps, nous explorons la problématique de l'intégrité du flot de contrôle. les contributions présentées permettent tout à la fois d'élaborer des attaques ou des contremesures pour les malware android et les cartes à puce, dont les garanties sont prouvées formellement. enfin, dans la dernière partie nous nous intéressons à la problématique de la protection des données personnelles dans le contexte particulier de la téléphonie mobile. pour ces systèmes, des contremesures pour traiter les attaques par canaux auxiliaires ainsi qu'un protocole respectueux de la vie privée sont proposés.

Dans cette thèse, nous nous intéressons aux problèmes d'optimisation dans les réseaux de télécommunication. un premier objectif consiste à identifier les problèmes spécifiques aux réseaux optiques et satellitaires, et à présenter des contributions pour l'optimisation des ressources de ces réseaux. le second objectif est de présenter une contribution logicielle pour la conception et l'optimisation de réseaux.la première partie débute par la présentation des réseaux optiques wdm. nous abordons ensuite les modèles pour les réseaux optiques et satellitaires et proposons des méthodes algorithmiques nouvelles pour optimiser l'allocation des ressources de ces réseaux. nous traitons ainsi le problème du routage, du groupage et de la protection des réseaux wdm successivement dans trois chapitres puis nous nous intéressons à un algorithme dédié à l'allocation de fréquences dans les réseaux satellitaires. enfin, pour chaque problème, nous présentons des résultats expérimentaux sur des instances de réseaux réels.la deuxième partie de cette thèse présente les développements logiciels qui ont été entrepris. le premier chapitre présente le logiciel porto dédié à la résolution de problèmes de routage, groupage et protection dans des réseaux optiques utilisant trois niveaux de brassage. dans un second chapitre nous présentons le logiciel mascopt, une bibliothèque d'optimisation pour le domaine des graphes et des réseaux qui a servi notamment à réaliser les expérimentations présentées dans la première partie.