Student Projects Completed in 2016-2017

Spring 2017 Student Projects

  • Student: Zhenyu Liu

    Faculty Mentor: Joel Coffman

    Abstract: A universal large-scale code-reuse attack relies on target hosts running identical software; in other words, the target binaries have identical gadgets at identical addresses. A software monoculture therefore makes it more or less convenient for attackers to automate parts of attacks such as code reuse. Software diversity was proposed as a defense to mitigate the risk of a software monoculture. However, whether a diversity technique can be adopted in the market largely depends on the trade-off between its cost and its security improvement; typically, diversity in software increases complexity and cost. A recent work introduced and implemented a diversifying compiler named Multicompiler. The goal of our work is to analyze and evaluate the cost of Multicompiler in the compilation process.

    Previously, we estimated compilation time and CPU usage from the compilation statistics of different benchmarks. In this experiment, we try to make the test more general. Instead of using the diversifying strategies embedded in the existing Multicompiler to compare results, we try to find or dump the real lower-level source file (the entry point that implements the diversification) to show that diversification of the files at this stage is feasible. In other words, applying any self-defined or official diversifying strategy becomes much easier, since the project can always dump the current version of its bitcode for diversification. Furthermore, for large-scale compilation, the generated bitcode of a project can be cached once it has been compiled with this process, so the total performance of cloud-based compilation can be optimized continuously. Besides, once the project bitcode has been cached, the actual build time might decrease, since the compiler does not need to go back to the source files and link in the header files; instead, the compiler or tools only need to translate the bitcode into object files.

  • Students: Rui Zhu, Vishnu Nair, Mohammad Jawad Najafi

    Faculty Mentor: Matt Green

    External Mentor: Jay Chen (Accenture Tech Lab)

    Abstract: This project’s goal was to analyze the security and anonymity properties of the Monero cryptocurrency. Monero employs strong cryptographic primitives, ring signatures (“mixins”) and stealth addresses, to deter the de-anonymization and traceability attacks to which traditional Bitcoin implementations are particularly susceptible. Using big-data analysis, the flow of money can easily be deduced in Bitcoin. The motivation for this project was that the “mixins” strategy could be defeated using statistical distributions and timing analysis, reducing the privacy and anonymity guarantees to those of ordinary Bitcoin. We want to highlight some of the inherent weaknesses of the current strategy that Monero employs and thus contribute towards making Monero more secure and capable of providing stronger privacy mechanisms based on our analysis.
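    The statistical weakness the abstract alludes to can be shown on a toy ledger. The following is an added example, not the project’s own analysis code: it implements the “zero-mixin chain reaction” deduction that published traceability analyses of Monero’s early rings use. Every input names a ring of candidate outputs of which exactly one is really spent; a ring of size one reveals its spend outright, and a known-spent output can be struck from every other ring that lists it, which may collapse those rings in turn. The ledger below is constructed for illustration.

```python
"""Added example, not the project's code: the 'zero-mixin chain reaction'
deduction used by statistical analyses of early Monero rings. Each input
lists a ring of candidate outputs; exactly one is really spent. A ring of
size one reveals its spend, and a known-spent output can be struck from
every other ring it appears in, which may collapse those rings in turn.
The ledger below is constructed for illustration."""
from collections import deque

# Constructed ledger: input id -> candidate outputs (real spend plus mixins).
RINGS = {
    "in1": ["o1"],              # zero mixins: o1 is certainly spent here
    "in2": ["o1", "o2"],        # once o1 is known spent, o2 must be the spend
    "in3": ["o2", "o3", "o4"],  # loses o2, but two candidates remain
    "in4": ["o3", "o5"],
    "in5": ["o4", "o5", "o6"],
}


def chain_reaction(rings):
    """Return (spent, unresolved): spent maps output -> input proven to spend
    it; unresolved maps each remaining input to its surviving candidates."""
    rings = {inp: set(members) for inp, members in rings.items()}
    spent = {}
    resolved = set()
    queue = deque(inp for inp, m in rings.items() if len(m) == 1)
    while queue:
        inp = queue.popleft()
        if inp in resolved or len(rings[inp]) != 1:
            continue
        (out,) = rings[inp]
        spent[out] = inp
        resolved.add(inp)
        # Strike the spent output from every other ring; a ring that shrinks
        # to one candidate is now deducible too.
        for other, members in rings.items():
            if other not in resolved and out in members:
                members.discard(out)
                if len(members) == 1:
                    queue.append(other)
    unresolved = {inp: sorted(m) for inp, m in rings.items() if inp not in resolved}
    return spent, unresolved


def effective_ring_sizes(rings):
    """Ring size an analyst actually faces after deduction (1 = traceable)."""
    spent, unresolved = chain_reaction(rings)
    sizes = {inp: 1 for inp in spent.values()}
    sizes.update({inp: len(m) for inp, m in unresolved.items()})
    return sizes


if __name__ == "__main__":
    spent, unresolved = chain_reaction(RINGS)
    print("deduced spends:", spent)
    print("effective ring sizes:", effective_ring_sizes(RINGS))
```

    On this ledger two of the five inputs become fully traceable and a third shrinks to two candidates, even though only one input was created with zero mixins; the timing heuristics the abstract mentions (guessing the newest ring member) would then be applied to the rings that survive.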

  • Students: Ze Yu, Zuo Wang

    Faculty Mentor: Tim Leschke

    Abstract: Email has become the most important means of communication on the Internet; many messages are sent by email, including pictures and work documents. But many people also send illegal content by email, such as child pornography, and attackers may send Trojan horses by email, so cybercrime involving email never stops. It is necessary for users to identify who sent an illegal email and which machines were used for bad purposes. In this paper, we describe the basic architecture of email, then discuss some visualization tools used in email analysis, propose our method to analyze an email, and finally show the visualization results of the email content and communication-pattern analysis.
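    Identifying the sending machine starts with the Received headers, which every relay prepends, so reading them bottom-up reconstructs the path from the first hop. The following is an added example, not the project’s own tool: it parses a constructed message, recovers the relay path, and runs a few header-consistency checks (envelope sender versus From:, Message-ID domain, unresolved first hop) that an email forensics pass would start with. The message, hostnames and addresses are all constructed.

```python
"""Added example, not the project's code: reconstruct the relay path of a
message from its Received headers and flag header-level inconsistencies
(envelope sender vs. From:, Message-ID domain, unresolved first hop).
The message below is constructed."""
import email
import email.utils
import re

RAW = b"""Return-Path: <bounce@attacker.example>
Received: from mx.corp.example (mx.corp.example [198.51.100.7])
\tby mail.victim.example with ESMTPS id abc123; Mon, 3 Apr 2017 10:02:11 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.corp.example with ESMTP id def456; Mon, 3 Apr 2017 10:02:09 +0000
From: "Payroll" <hr@corp.example>
To: victim@victim.example
Subject: Updated payslip
Message-ID: <20170403.1@attacker.example>
Date: Mon, 3 Apr 2017 10:02:08 +0000

Please open the attachment.
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_path(msg):
    """Received headers are prepended by each relay, so reading them
    bottom-up gives the path from the first hop (closest to the sender)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value)      # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(text)
        hops.append({
            "from": m.group(1),
            "by": m.group(3),
            "ip": ip.group(1) if ip else None,
            "unresolved": "unknown" in (m.group(2) or ""),
        })
    return hops


def domain(addr):
    return email.utils.parseaddr(addr or "")[1].rpartition("@")[2].lower()


def indicators(msg):
    """Simple consistency checks a phishing triage would start with."""
    findings = []
    from_dom = domain(msg["From"])
    rp_dom = domain(msg["Return-Path"])
    mid_dom = (msg["Message-ID"] or "").strip("<> ").rpartition("@")[2].lower()
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    if mid_dom and mid_dom != from_dom:
        findings.append(f"Message-ID domain {mid_dom} != From domain {from_dom}")
    first = relay_path(msg)[:1]
    if first and first[0]["unresolved"]:
        findings.append(f"first hop {first[0]['ip']} has no reverse DNS")
    return findings


if __name__ == "__main__":
    message = email.message_from_bytes(RAW)
    for hop in relay_path(message):
        print(hop)
    print(indicators(message))
```

    Only the Received line added by a relay you trust is reliable; everything below it in the header can be forged by the sender, which is why the path is read from the trusted edge inward and why the first hop’s IP, not the From: address, is what gets correlated with other evidence.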

  • Student: Sen Li

    Faculty Mentor: Xiangyang Li

    External Mentor: Nathan Bos (JHUAPL)

    Abstract: A user study was designed to understand user security behavior when processing phishing emails. Previous works suggest that people are victimized by phishing emails due to a lack of awareness and the adverse effects of time pressure and distraction on information processing. We looked deeper to explore what phishing indicators users ignore more often than others, and whether applying interventions that signify such phishing tells and awarding incentives for good performance improve the effectiveness and task completion time in email processing. More specifically, 20 participants of mixed educational backgrounds were recruited to perform tasks of sorting emails into suspicious and legitimate categories on a desktop computer. Some of these emails contain three different phishing tells in sender’s email address, link or attachment payload, and message composition. Each participant went through three rounds of this sorting task in one session. In the second round, one phishing tell, with which the participant struggled the most in the first round, was modified in a way to make it easier to recognize. Moreover, one group of participants was offered a financial reward if their classification accuracy reached 80% or better. Participants’ performance data of classification accuracy and task completion time were analyzed and presented with a few interesting findings. This paper discusses the complexity of conducting such a user study and describes the research experience that the team had.

    We conducted the study in an ethical manner, with prior review and approval by Institutional Review Board (IRB), adhering to their protocol and guidelines. We performed experiments that mimic real phishing attacks, thereby measuring the actual success rates but by making sure that the study can be distinguished from reality by making participants role play and sort emails on behalf of an imaginary person.

Fall 2016 Student Projects

  • Students: Payal Gupta, Kaustubh Sarkar, Rahanik Vora

    Faculty Mentor: Joel Coffman

    Abstract: In this paper, we present a novel approach for gauging the effectiveness of software diversification techniques and for comparing the selected techniques with each other. We use near-duplicate detection, in particular Trend Micro Locality Sensitive Hashing (TLSH) and the Winnowing algorithm, on two datasets. First, both algorithms were run on the Microsoft Malware dataset to see how well they identify malware binaries of the same family; this establishes the efficacy of Winnowing and TLSH as identification techniques. The algorithms are then run against the Linux binaries set, and the results obtained are compared to the baseline of unaltered binaries to gauge the performance of the diversification techniques.
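    The measurement the abstract describes rests on a near-duplicate similarity score, so the following added example (not the project’s code) implements winnowing fingerprints (Schleimer, Wilkerson and Aiken) over raw bytes and compares fingerprint sets with Jaccard similarity. A diversified binary keeps most of its k-grams, so it stays close to the original, while an unrelated one shares almost none; the gap between those two scores is what a diversification technique should shrink. The byte strings are constructed stand-ins for binaries, and the parameters K and W are assumptions.

```python
"""Added example, not the project's code: winnowing fingerprints (Schleimer,
Wilkerson and Aiken) applied to raw bytes, with Jaccard similarity between
fingerprint sets. The byte strings are constructed stand-ins for binaries."""
import hashlib

K = 4   # k-gram length in bytes (assumption)
W = 4   # window size: every run of W consecutive k-grams yields a fingerprint


def kgram_hashes(data, k=K):
    """Hash of every k-byte substring, in order."""
    return [int.from_bytes(hashlib.blake2b(data[i:i + k], digest_size=4).digest(), "big")
            for i in range(len(data) - k + 1)]


def winnow(data, k=K, w=W):
    """Select the minimum hash in each window (rightmost on ties); the result
    is a set of (hash, position) fingerprints with density about 2/(w+1)."""
    hashes = kgram_hashes(data, k)
    fingerprints = set()
    for start in range(max(len(hashes) - w + 1, 1)):
        window = hashes[start:start + w]
        if not window:
            break
        low = min(window)
        pos = max(i for i, h in enumerate(window) if h == low)
        fingerprints.add((window[pos], start + pos))
    return fingerprints


def similarity(a, b):
    """Jaccard similarity of the hash values only; positions are ignored
    because diversification moves code around."""
    fa = {h for h, _ in winnow(a)}
    fb = {h for h, _ in winnow(b)}
    return len(fa & fb) / len(fa | fb) if fa | fb else 1.0


# Constructed inputs: an "original", the same bytes with NOP-like padding
# inserted at three places (as a diversifier might), and an unrelated sequence.
ORIGINAL = bytes(i * 37 % 251 for i in range(128))
DIVERSIFIED = (ORIGINAL[:20] + b"\x90" + ORIGINAL[20:60] + b"\x90\x90"
               + ORIGINAL[60:100] + b"\x90" + ORIGINAL[100:])
UNRELATED = bytes((i * 91 + 7) % 251 for i in range(128))

if __name__ == "__main__":
    print("original vs diversified:", round(similarity(ORIGINAL, DIVERSIFIED), 3))
    print("original vs unrelated:  ", round(similarity(ORIGINAL, UNRELATED), 3))
```

    Winnowing guarantees that any shared substring at least W+K-1 bytes long produces at least one common fingerprint, which is why a few inserted bytes barely move the score; a diversifier that only pads or reorders at coarse granularity is therefore easy to see through with this metric.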

  • Students: Bohan Li, Zhenyu Liu (Not as capstone)

    Faculty Mentor: Joel Coffman

    Abstract: Software monoculture reduces an attacker’s cost to perform an exploit and so enables automated, large-scale software attacks. Software diversity is a practical defense against software attacks because it increases the attack cost. A recent work by Andrei Homescu and his colleagues introduces an industrial-strength implementation of compiler-based, automated software diversity. In this paper, our goal is to estimate the performance cost of the diversification approach they proposed; notably, we measure time and CPU usage. We describe the design, implementation, and results of our experiments, as well as a blueprint for our future work.

  • Students: Rono Dasgupta, Aditya Patil, Gijs Van Laer

    Faculty Mentor: Matt Green

    Abstract: Traditional authentication systems offer ease of use, but the security they provide often proves to be inadequate. Hackers gain access to company servers and steal entire databases of password hashes. These hashes are then subjected to offline dictionary attacks, resulting in the disclosure of millions of passwords. Such password breaches have become commonplace and have caused several major companies to face major losses. Password reuse is a common practice among users, and a password breach disclosing a single password on a particular service could result in a user also losing access to their other accounts. Solutions such as multi-factor authentication add some level of security but do not completely solve the problem. There is a need to move towards stronger authentication schemes that do not compromise on ease of use, both for the user and the service provider.

    In this paper, we propose a novel authentication protocol that is proven hard against offline dictionary attacks. Our protocol implements a combination of a Zero Knowledge Password Proof and a sequentially memory hard hash function. In a concrete instantiation of the protocol, we use Schnorr’s Zero Knowledge Password Proof combined with the Fiat-Shamir Heuristic for the Zero Knowledge Password Proof and scrypt for the sequentially memory hard hash function. We also describe a library implementing our protocol that we have developed along with an example web application that uses the library. Lastly, we provide performance tests for the various components of our protocol and show that the protocol is extremely efficient.
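    The combination the abstract describes, a Schnorr proof of knowledge made non-interactive with Fiat-Shamir where the proved secret is derived with scrypt, can be sketched end to end. The following is an added example, not the project’s library: the server stores only a salt and v = g^x, the client proves knowledge of x without revealing it, and anyone holding a stolen record must pay one scrypt evaluation per password guess. The group parameters are a toy-sized safe prime found at import time (an assumption for the demo; a deployment would use a standard 2048-bit group or an elliptic curve), and the scrypt cost parameters are assumptions as well.

```python
"""Added example, not the project's library: password-authenticated Schnorr
proof made non-interactive with Fiat-Shamir, with the proved exponent
derived by scrypt. Server stores (salt, v = g^x) only. Toy group size."""
import hashlib
import secrets

SMALL_PRIMES = [p for p in range(3, 200, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """Return (p, q) with p = 2q + 1 both prime, so g = h^2 has order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = safe_prime(128)      # ASSUMPTION: toy size, for illustration only
G = pow(2, 2, P)            # square of 2 has order Q in Z_P^*


def derive_secret(password, salt):
    """scrypt (sequentially memory-hard) maps the password to an exponent."""
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                         dklen=32, maxmem=64 * 1024 * 1024)
    return 1 + int.from_bytes(key, "big") % (Q - 1)


def register(password):
    """Server-side record; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "v": pow(G, derive_secret(password, salt), P)}


def challenge(v, t):
    """Fiat-Shamir: hash of the transcript replaces the verifier's coin."""
    h = hashlib.sha256(b"|".join(str(n).encode() for n in (P, G, v, t))).digest()
    return int.from_bytes(h, "big") % Q


def prove(password, record):
    """Prover: commit t = g^r, derive c from the transcript, answer s."""
    x = derive_secret(password, record["salt"])
    r = 1 + secrets.randbelow(Q - 1)
    t = pow(G, r, P)
    c = challenge(record["v"], t)
    return t, (r + c * x) % Q


def verify(record, proof):
    """Verifier: g^s == t * v^c; it never sees x or the password."""
    t, s = proof
    c = challenge(record["v"], t)
    return pow(G, s, P) == (t * pow(record["v"], c, P)) % P


if __name__ == "__main__":
    rec = register("correct horse battery staple")
    print("good password:", verify(rec, prove("correct horse battery staple", rec)))
    print("wrong password:", verify(rec, prove("Tr0ub4dor&3", rec)))
```

    Note what the construction does and does not give: the proof transcript is zero-knowledge, so a passive observer or the server learns nothing about x, but a stolen (salt, v) record can still be attacked offline at the cost of one scrypt evaluation plus one exponentiation per guess, so the scrypt parameters, not the proof, set the attacker’s cost.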

  • Students: Moriyike Mejabi, Srishti Bhargava

    Faculty Mentor: Mike Kociemba

    External Advisor: Maria Vachino (APL/DHS)

    Abstract: Airports could become prime locations for beacon technology, offering seamless services that improve the traveling experience. With the rise of self-service, beacon technology has found ideal use cases that can help ease the burden of traveling and manage chaos for passengers. However, airports have been slow to adopt beacon technology because of the security and privacy issues involved in its deployment.

    In April 2016, Google released the Eddystone-EID protocol, based on Ephemeral Identifiers, with the intent of eliminating the security and privacy risks associated with beacons. For the first time, beacons broadcast encrypted identifiers so that they can be deployed securely in an environment. In this paper, we analyze various security and privacy concerns of beacon deployment in airports, and then analyze how the Eddystone EID protocol can be employed to eliminate these risks. Even though EID seems secure, there are certain limitations in its design that could compromise the security of a beacon infrastructure. As part of future work, we have devised test cases that can be run before beacons are deployed in airports.

  • Students: Jiazhen Fan, Qingying Hao, Jiaqin Zhou

    Faculty Mentor: Timothy Leschke

    Abstract: Our capstone project, “Visualization of Windows Security Event Logs”, uses an HTTP dashboard that presents visualization graphs and statistical analysis of Windows security event logs according to our pre-defined security policies. Some security incidents, such as “remote login”, “password failure” and “screen-share by a third party”, that probably indicate security risks to the current host are not flagged as “warnings” or “alerts” in the Windows Event Viewer security logs, and thus are usually ignored by security analysts when tracing security problems. Besides, neither the current Windows Event Viewer nor the Windows security event viewer products on the market provide a good visualization solution that clearly describes the categories of the present security logs or the trend of security anomalies. Our Windows security log visualization solution provides four responsive graphs that analyze the security logs from four perspectives, helping users understand the logs more intuitively and identify potential security problems; it also triggers different levels of warnings for the neglected edge security incidents through pre-defined security policies.
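    The policy layer that turns plain audit records into graded warnings is the part of such a dashboard worth seeing in code. The following is an added example, not the project’s dashboard: it classifies constructed Windows Security event records (the event IDs 4624, 4625 and 4720 and the logon-type codes are the documented Windows values; the thresholds and record shape are assumptions) into the categories a chart would count, and raises warnings for the cases the abstract names, which Event Viewer itself never marks because each record is an ordinary audit success or failure. A real collector would feed it records from Get-WinEvent or an EVTX export.

```python
"""Added example, not the project's dashboard: classify Windows Security
event records against a small policy and raise graded warnings. Event IDs
and logon types are the documented Windows values; records and thresholds
are constructed/assumed for the example."""
from collections import Counter, defaultdict

# Constructed event records, shaped like a SIEM export.
EVENTS = [
    {"EventID": 4624, "LogonType": 2,  "TargetUserName": "alice", "IpAddress": "-"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "203.0.113.9"},
    {"EventID": 4625, "LogonType": 3,  "TargetUserName": "admin", "IpAddress": "198.51.100.4"},
    {"EventID": 4625, "LogonType": 3,  "TargetUserName": "admin", "IpAddress": "198.51.100.4"},
    {"EventID": 4625, "LogonType": 3,  "TargetUserName": "admin", "IpAddress": "198.51.100.4"},
    {"EventID": 4625, "LogonType": 3,  "TargetUserName": "admin", "IpAddress": "198.51.100.4"},
    {"EventID": 4624, "LogonType": 3,  "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"EventID": 4720, "TargetUserName": "helpdesk2", "SubjectUserName": "admin"},
]

LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive (RDP)"}
FAILURE_THRESHOLD = 3   # ASSUMPTION: 4625 count per (user, source) that alerts


def categorize(events):
    """Perspective 1: how many events of each kind (what a chart would show)."""
    counts = Counter()
    for e in events:
        if e["EventID"] == 4624:
            counts["logon " + LOGON_TYPES.get(e["LogonType"], "other")] += 1
        elif e["EventID"] == 4625:
            counts["failed logon"] += 1
        elif e["EventID"] == 4720:
            counts["account created"] += 1
        else:
            counts["other"] += 1
    return counts


def evaluate_policy(events):
    """Graded warnings: repeated failures per source, remote logons, and
    account creation. Returns (level, message) tuples in event order."""
    alerts = []
    failures = defaultdict(int)
    for e in events:
        if e["EventID"] == 4625:
            key = (e["TargetUserName"], e["IpAddress"])
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                alerts.append(("high", f"{failures[key]} failed logons for {key[0]} from {key[1]}"))
        elif e["EventID"] == 4624 and e.get("LogonType") == 10:
            alerts.append(("medium", f"remote interactive logon for {e['TargetUserName']} from {e['IpAddress']}"))
        elif e["EventID"] == 4720:
            alerts.append(("low", f"account {e['TargetUserName']} created by {e.get('SubjectUserName')}"))
    return alerts


if __name__ == "__main__":
    print(categorize(EVENTS))
    for level, msg in evaluate_policy(EVENTS):
        print(level.upper(), msg)
```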

  • Students: Supriya Muthal, Yuan Huang, Sen Li (Not as capstone)

    Faculty Mentor: Xiangyang Li

    External Advisor: Nathan Bos (APL)

    Abstract: This is a user study to understand human behavior in making informed security decisions, capturing user actions, challenging users based on their performance during the study, and testing the effectiveness of incentives as a form of pressure. In our project, we studied how participants make an informed security decision, such as identifying and classifying phishing emails accurately. Previous work suggests that people fall victim to phishing emails due to a lack of awareness and to negligence while experiencing time pressure and multitasking. We dig deeper to explore which phishing tells users fall victim to more than others, and whether applying interventions that signify such phishing tells and incentives that reward good performance improve the effectiveness and task completion time of email processing. More specifically, in this project we recruited 20 participants from computer science and non-computer science educational backgrounds to perform tasks of sorting emails, containing three phishing tells in the sender’s address, payload, and composition, into suspicious and legitimate categories on a desktop computer. There were three rounds of this task in one session. In the second round, the phishing tell with which the participant struggled most in the first round was modified in a way that helps him or her. Moreover, one group of participants was incentivized with a financial reward if their classification accuracy was 80% or better. Participants’ performance data was analyzed and presented.

    We conducted the study in an ethical manner, with prior review and approval by Institutional Review Board (IRB), adhering to their protocol and guidelines. We performed experiments that mimic real phishing attacks, thereby measuring the actual success rates but by making sure that the study can be distinguished from reality by making participants role play and sort emails on behalf of an imaginary person.

  • Students: Chen Cao, Xiao Chong Chua

    Faculty Mentor: Song Luo

    External Advisor: David Silberberg (APL)

    Abstract: Traditionally, malware detection is a topic that is mainly solved with signature and heuristic based methods. However, in the recent years, data analytics has become increasingly mainstream, and as a result of the “big data” boom, data scientific techniques such as machine learning are increasingly looked into for improving reliability of existing malware detection systems.

    In our project, we seek to understand the viability of these data analytical techniques for malware detection. To do this, we conducted research and experiments with the use of data mining and machine learning techniques to analyze malware behavior on the network, focusing specifically on trying to discern botnet traffic from benign network traffic.

  • Students: Asmaa Aljohani, Yue Zhu, Gyan Namdhari

    Faculty Mentor: Seth Nielson

    External Advisor: Maria Vachino (APL/DHS)

    Abstract: Attacks that targeted payment systems have raised awareness of the need to reshape the traditional payment infrastructure. In response, Europay, MasterCard, and Visa network payment systems established the EMVCo framework to ensure secure, robust payment infrastructures. This framework aims at facilitating “consistent, secure and globally interoperable digital payments when using a mobile handset, tablet, personal computer or other smart devices.”[1] This research project aimed at implementing a secure identity-based transaction using the EMVCo payment tokenization specification. However, as we went further in our research, the lack of clarity of the EMVCo framework and several impediments we encountered forced us to shift our focus to designing a secure protocol based on the EMVCo framework.

    Before delving into the details of the proposed system, we will provide an overview of the EMVCo framework components, requirements, and recommendations and how we will apply it to our proposed systems. Then, we will indicate major impediments we encountered and justify how these impediments can bring challenges for future implementations. Next, we will propose a design of a secure system based on the EMVCo framework, and this section will also include potential challenges along with recommended countermeasures.

  • Students: Jingmiao Wang, Yuanqi Zhu, Harshneel More

    Faculty Mentor: Seth Nielson

    External Advisor: Darren Lacey (JHU)

    Abstract: Over the past few years we have seen an enormous increase in Cross-site Scripting (XSS) attacks on public and private networks. Yet a large number of commercial solutions on the market have been reported to fail to detect such widespread attacks. During our research, we were troubled by the fact that we were only able to find one simple Bro script, which provided insufficient detection ability for XSS attacks. Bro IDS is known for its flexibility and is one of the NIDS commonly used by research institutes. We looked into the capabilities of Bro IDS and examined whether it is feasible for Bro IDS to detect XSS attacks by developing our own Bro script. We proposed a keyword-based detection method. While our script sharply decreases the false positive rate, we sacrificed our true positive rate. But we are convinced that Bro is capable of detecting XSS attacks and are hopeful that we have provided some foundations for future research.
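    The false-positive/true-positive trade-off the abstract reports comes from two design choices: what the detector matches against (the raw URI or a decoded form) and how many indicators it demands before firing. The following added example, not the project’s Bro script, is a keyword-based XSS scorer over HTTP request URIs written in Python so it can be run offline on captured URIs; it shows that raw matching misses percent-encoded payloads, decoding first catches them, and weighting indicators keeps a benign path like /blog/javascript-tutorial from firing. The indicator list, weights, threshold and sample URIs are all constructed.

```python
"""Added example, not the project's Bro script: weighted keyword-based XSS
detection over request URIs, with and without decoding. Indicators, weights,
threshold and sample URIs are constructed for the example."""
import re
from html import unescape
from urllib.parse import unquote_plus

# Weighted indicators: a single weak one (the word "script" in a blog path)
# should not fire on its own.
INDICATORS = [
    (re.compile(r"<\s*script", re.I), 3),
    (re.compile(r"\bon(?:error|load|mouseover|click)\s*=", re.I), 3),
    (re.compile(r"javascript\s*:", re.I), 3),
    (re.compile(r"<\s*(?:img|svg|iframe|body)\b", re.I), 2),
    (re.compile(r"\balert\s*\(", re.I), 2),
    (re.compile(r"script", re.I), 1),
]
THRESHOLD = 3   # ASSUMPTION: minimum score to report


def normalize(uri):
    """Undo percent-encoding (repeatedly, for double encoding) and HTML
    entities, which attackers use to slip past raw keyword matching."""
    prev, cur = None, uri
    while prev != cur:
        prev, cur = cur, unquote_plus(cur)
    return unescape(cur)


def score(uri, decode=True):
    """Total weight of matching indicators plus the list of hits."""
    text = normalize(uri) if decode else uri
    hits = [(pat.pattern, w) for pat, w in INDICATORS if pat.search(text)]
    return sum(w for _, w in hits), hits


def is_xss(uri, decode=True, threshold=THRESHOLD):
    return score(uri, decode)[0] >= threshold


# Constructed sample URIs with the verdict a reviewer would expect.
SAMPLES = {
    "/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E": True,   # fully encoded payload
    "/search?q=<img src=x onerror=alert(1)>": True,
    "/blog/javascript-tutorial-part-1": False,                   # benign 'script'
    "/login?next=%252Fhome": False,                              # double-encoded, benign
}

if __name__ == "__main__":
    for uri, expected in SAMPLES.items():
        print(f"decoded={is_xss(uri)!s:5} raw={is_xss(uri, decode=False)!s:5} {uri}")
```

    Run on the samples, the raw matcher scores the encoded payload 1 (only the bare word "script" survives encoding) and so misses it, while decoding first brings it to 6; raising the threshold trims the benign hits at the cost of the weakly-scored attacks, which is exactly the trade-off between false and true positives the abstract describes.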

  • Students: Kevin Manzotti, Kashif Memon, Rahul Durgad

    Faculty Mentor: Seth Nielson

    External Advisor: David Minch (APL)

    Abstract: Ransomware is becoming more sinister in nature day by day. Nearly 50 percent of organizations have been hit with ransomware, with hundreds of millions of dollars paid to ransomware extortionists annually. With 56,000 ransomware infections in March 2016 alone, modern-day ransomware detection tools are not sufficient to protect individual users and corporations. With the diversity of ransomware families wreaking havoc, it is difficult to come up with one tool that will counter all of them. This project is an attempt to develop a proof of concept very similar to how CryptoDrop attempts to detect ransomware based on several key indicators. By developing a Windows minifilter driver, we strive to capture the behaviour of all processes in order to isolate ransomware on the basis of these indicators.
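    The indicators such a driver would feed to its scoring logic are the interesting part, and they can be shown without a kernel component. The following added example, not the project’s driver, is the user-mode scoring half of a CryptoDrop-style detector: a constructed stream of write events stands in for what a minifilter sees, and each process accumulates indicators (high-entropy writes, file-type change judged by magic bytes, extension change, and breadth of files touched) until it crosses an alert threshold. The weights, thresholds, event shape and sample data are assumptions.

```python
"""Added example, not the project's driver: user-mode scoring of
CryptoDrop-style ransomware indicators over a constructed write-event
stream. Weights, thresholds and sample data are assumptions."""
import math
from collections import defaultdict

MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"\x89PNG": "png"}


def entropy(data):
    """Shannon entropy in bits per byte; encrypted or compressed data is ~8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_type(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


class ProcessState:
    def __init__(self):
        self.files = set()
        self.high_entropy = 0
        self.type_changes = 0
        self.ext_changes = 0

    def score(self):
        # ASSUMPTION: weights chosen for illustration only.
        return (2 * self.type_changes + 2 * self.ext_changes
                + self.high_entropy + int(len(self.files) >= 3))


def observe(events, entropy_threshold=7.0, alert_at=6):
    """events: (pid, path, old_content, new_content, new_path_or_None).
    Returns per-pid scores and the pids at or above the alert threshold."""
    state = defaultdict(ProcessState)
    for pid, path, old, new, new_path in events:
        st = state[pid]
        st.files.add(path)
        if entropy(new) >= entropy_threshold:
            st.high_entropy += 1
        if old and file_type(old) != file_type(new):
            st.type_changes += 1
        if new_path and new_path.rsplit(".", 1)[-1] != path.rsplit(".", 1)[-1]:
            st.ext_changes += 1
    scores = {pid: st.score() for pid, st in state.items()}
    return scores, sorted(p for p, s in scores.items() if s >= alert_at)


# Constructed stream: pid 1234 overwrites documents with random-looking bytes
# and renames them; pid 77 is a backup tool writing files unchanged.
RANDOMISH = bytes((i * 131 + 7) % 256 for i in range(2048))   # every byte value 8 times
PDF = b"%PDF-1.4 " + b"hello world " * 40
EVENTS = [
    (1234, "C:/docs/a.pdf", PDF, RANDOMISH, "C:/docs/a.pdf.locked"),
    (1234, "C:/docs/b.pdf", PDF, RANDOMISH, "C:/docs/b.pdf.locked"),
    (1234, "C:/docs/c.pdf", PDF, RANDOMISH, "C:/docs/c.pdf.locked"),
    (77, "C:/docs/a.pdf", None, PDF, None),
    (77, "C:/docs/b.pdf", None, PDF, None),
]

if __name__ == "__main__":
    print(observe(EVENTS))
```

    No single indicator is decisive (compression tools also write high-entropy data, and editors rename files), which is why the score combines several and why the threshold is tuned against benign workloads before the driver is allowed to block a process.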

  • Students: Rahul Nair, Chinmohan Nayak

    Faculty Mentor: Lanier Watkins

    Abstract: ICS devices are systems used to control and monitor large-scale manufacturing and distribution processes involving equipment such as pumps, centrifuges and switches. These devices are usually tasked with performing highly repetitive tasks at fixed intervals throughout their lifetime and have no user interaction or extraneous processes running on them. As a result they have a fixed CPU load for long periods of time. Our work is based on the premise that we are able to infer CPU load from the traffic emitted by an ICS device. This differs from other fingerprinting methods, which are based on signatures and rules, and it does not require the installation of any special software on the node to be monitored. We demonstrate that it is possible to remotely infer the task cycle periods of an ABB RTU560 device (which has a built-in PLC) and also extend this capability to inferring the presence of an anomalous CPU load. This was done by introducing a Stuxnet-type threat model that ran on different task cycles on the RTU. We have also done further testing by inferring the CPU load of a Siemens IED (SIPROTEC 7SJ61) using a novel method based on the traffic between the IED and the RTU. Our overall tool implements a GUI (graphical user interface) that can be used to monitor a small network of RTUs or PLC devices and raise alerts if required.
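    The core inference, recovering a device’s task-cycle period from nothing but packet arrival times and flagging when it drifts, can be demonstrated with a constructed capture. The following is an added example, not the project’s tool: packet timestamps are bucketed into fixed bins, the autocorrelation of the bin counts is searched for its strongest lag in a plausible range, and the resulting period is compared with a learned baseline. The synthetic capture, bin width and tolerance are assumptions; the abstract’s devices and threat model are not modelled.

```python
"""Added example, not the project's tool: infer a periodically transmitting
device's task-cycle period from packet arrival times via autocorrelation of
binned counts, and flag drift against a baseline. Timestamps are constructed."""


def synthetic_arrivals(period, duration, packets_per_cycle=3, jitter=0.002):
    """Constructed capture: each cycle emits a small burst of packets, with
    deterministic 'jitter' standing in for network delay. Offsets sit mid-bin."""
    ts = []
    n = 0
    t = 0.0
    while t < duration:
        for k in range(packets_per_cycle):
            ts.append(t + 0.005 + 0.01 * k + jitter * ((n % 5) - 2) / 2)
            n += 1
        t += period
    return ts


def estimate_period(timestamps, bin_width=0.01, min_period=0.05, max_period=5.0):
    """Autocorrelation of binned packet counts; returns the lag in seconds
    with the highest correlation within [min_period, max_period)."""
    if not timestamps:
        return None
    nbins = int(max(timestamps) / bin_width) + 1
    counts = [0] * nbins
    for t in timestamps:
        counts[int(t / bin_width)] += 1
    mean = sum(counts) / nbins
    dev = [c - mean for c in counts]
    best_lag, best_r = None, float("-inf")
    lo = int(min_period / bin_width)
    hi = min(int(max_period / bin_width), nbins // 2)
    for lag in range(lo, hi):
        r = sum(dev[i] * dev[i + lag] for i in range(nbins - lag))
        if r > best_r:
            best_lag, best_r = lag, r
    return best_lag * bin_width if best_lag is not None else None


def period_anomaly(baseline, observed, tolerance=0.1):
    """True when the observed cycle drifts more than `tolerance` (fraction)
    from the baseline, e.g. an injected task stretching the scan cycle."""
    return abs(observed - baseline) > tolerance * baseline


if __name__ == "__main__":
    normal = estimate_period(synthetic_arrivals(0.5, 20.0))
    loaded = estimate_period(synthetic_arrivals(0.62, 20.0))
    print("baseline period:", normal, "observed:", loaded,
          "anomaly:", period_anomaly(normal, loaded))
```

    The bin width must be finer than the burst spacing but coarse enough that jitter does not spread one burst over many bins; in practice it is learned per device along with the baseline period, since a PLC with a 500 ms scan cycle and one with a 10 ms cycle need different settings.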

  • Student: Ren Hao

    Faculty Mentor: Lanier Watkins

    External Advisor: David Stone (Lenovo)

    Abstract: Software risk management is growing into one of the core issues for software manufacturers, and an open framework that can give a concise and persuasive software risk assessment is demanded by both stakeholders and customers. However, there is not yet such an open framework. In this paper, the author proposes an application-level risk scoring system based on CWSS and proves that it can give a better assessment result for the decision-making process. This methodology is integrated into the Lenovo Internal Security Testing Tool and will assist security engineers in auditing the security features of their software products.

  • Students: Jessica Vallejo, Juan Ramos, Gaetano Snow

    Faculty Mentor: Lanier Watkins

    Abstract: Unmanned Aircraft Systems come from a variety of manufacturers, from toy grade to commercial, and use control mechanisms such as Radio Frequency (RF), WiFi, or a mix of both. Past research reveals weaknesses in such products that merit continued penetration testing of models as they enter the market. Penetration testing of three WiFi-controlled drones has revealed multiple vulnerabilities which, when acted upon, allow an attacker to deauthenticate and hijack a device, force it to land, or launch a denial of service attack. Two of the vulnerabilities discovered span the WiFi drone market. The degree of severity is discussed.

JHU Information Security Institute