Information Assurance Laboratory Research Areas:
1.  Software Vulnerability Assurance (Dr. Drew Hamilton)

            Software Architecture analysis

Our software architecture research is focused on using the architecture as a template to identify threats.  In analyzing large, complex software programs, it becomes infeasible to do a line-by-line threat analysis.  Through the use of software architecture, we eliminate low-risk code from analysis so that we can focus on the parts of the program that have the greatest potential for abuse, exploitation and/or data compromise.
            Decompiling and Disassembly

Just because it is hard to extract information from an executable file does not mean it is impossible to do so.  Decompilation and disassembly can be used to provide an “expected case” analysis for sensitive software.  When software programs are shared, it is often important to know exactly what is being shared.  We pursue this to see what a potential adversary can learn from the binaries.  Disassemblers are readily available and useful.  It is reasonable, and prudent, to write scripts that do string searches on massive assembly code files.  In all cases, the executables should be checked to make sure that all debugging information is stripped before the binaries are released.  We typically find version numbers, detailed software revision comments, and dead (non-accessible) code.
            Open Source attack databases

When it is recognized that secrets in binary code are not secret, a common strategy for secure software is to parameterize all sensitive information and leave the program itself unclassified.  However, it is often possible to reconstruct the parameters by aggregating open source information available on the Internet.  This, combined with analysis of the executable files, allows us to extract sensitive results from unclassified software.
            Tamper-proofing

Disassembling programs is not difficult.  This creates the opportunity to insert Trojans or other unauthorized modifications into software.  We are experimenting with applying checksums to key parts of the program to prevent tampering.  The concept is that any modification to the code would change the checksum and cause the check to fail.  Also, it is possible to modify a program to check for a running debugger.  The software can be modified to crash if it detects a debugger running.
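
As an added illustration of the checksum idea above (example code written for this page, not the laboratory's own), the following Python seals the code regions of a constructed stand-in program image with SHA-256 and shows that a one-byte patch inside a sealed region fails the check while a change to the unsealed data region between them does not.  The image bytes, the region offsets and the function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a loaded program image; not a real binary.
# Two "code" regions with 32 bytes of writable data between them.
IMAGE = bytearray(
    b"\x55\x48\x89\xe5" * 16        # code region A: bytes 0..63
    + b"\x00" * 32                  # runtime data: bytes 64..95, expected to change
    + b"\x48\x83\xec\x10" * 16      # code region B: bytes 96..159
)

# (offset, length) pairs covering the parts that must never change.
PROTECTED_REGIONS = [(0, 64), (96, 64)]


def region_digest(image, regions):
    """SHA-256 over the concatenation of the protected regions only."""
    h = hashlib.sha256()
    for offset, length in regions:
        h.update(bytes(image[offset:offset + length]))
    return h.hexdigest()


def seal(image, regions):
    """Build-time step: compute the reference digest for the shipped image."""
    return region_digest(image, regions)


def verify(image, regions, reference):
    """Run-time step: True only if the protected regions are byte-for-byte intact."""
    return hmac.compare_digest(region_digest(image, regions), reference)


def enforce(image, regions, reference):
    """Refuse to continue when the check fails (the 'cause the check to fail' behaviour)."""
    if not verify(image, regions, reference):
        raise RuntimeError("integrity check failed: protected code was modified")
    return True


def patched(image, offset, value):
    """Return a copy of the image with one byte changed, to simulate tampering."""
    copy = bytearray(image)
    copy[offset] = value
    return copy


if __name__ == "__main__":
    reference = seal(IMAGE, PROTECTED_REGIONS)
    print("pristine:", verify(IMAGE, PROTECTED_REGIONS, reference))
    print("code patched:", verify(patched(IMAGE, 10, 0x90), PROTECTED_REGIONS, reference))
    print("data changed:", verify(patched(IMAGE, 70, 0x41), PROTECTED_REGIONS, reference))
```

Where the reference digest is stored matters: if it sits inside the same image, whoever can patch the code can recompute and replace it too, so the reference value belongs outside the sealed bytes (a signed manifest, for example), and the comparison is done in constant time.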
            Dictionary attacks

In the course of analyzing massive amounts of source code, string literals in executables, assembly code and documentation, we have found it necessary to develop some efficient and sophisticated dictionary attacks.  Our objective here is simply to eliminate meaningless strings and provide a targeted response to specific inquiries.
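
The string search described under Decompiling and Disassembly and the dictionary filtering described here can be combined into one pre-release check.  The following Python is an added example, not code from the laboratory: it pulls printable runs out of a constructed byte blob the way strings(1) would, flags runs that look like version numbers, RCS revision keywords, source paths or unstripped debug-section names, and discards runs that fail a small dictionary test.  The blob, the word list and the indicator patterns are all constructed for the example.

```python
import re
import string

# Constructed stand-in for a binary: printable fragments between non-printable
# bytes. Not a real executable.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Build 3.2.17-rc1\x00"
    + b"\x90\x90\xcc\x12"
    + b"$Id: targeting.c,v 1.42 2004/03/11 jsmith Exp $\x00"
    + b"/home/jsmith/src/project/targeting.c\x00"
    + b"x9Qz!p#Lm\x00"                 # printable but meaningless
    + b"\x01\x02\x03"
    + b"Fatal error: buffer exhausted\x00"
    + b".debug_info\x00.symtab\x00"    # section names left by an unstripped build
    + b"abcdefgh\x00"                  # printable but meaningless
)

# Constructed word list; a real run would load a full dictionary plus a
# project-specific vocabulary.
DICTIONARY = {"build", "fatal", "error", "buffer", "exhausted", "home", "src",
              "project", "targeting", "exp", "id", "debug", "info"}

# Patterns for things that should not ship in a release binary (checked in
# this order; the first match wins).
INDICATORS = {
    "debug_section": re.compile(r"^\.(?:debug_\w+|symtab|strtab|comment)$"),
    "rcs_keyword":   re.compile(r"\$(?:Id|Revision|Header|Date):"),
    "source_path":   re.compile(r"(?:/[A-Za-z_][\w.-]*){2,}"),
    "version":       re.compile(r"\b\d+\.\d+(?:\.\d+)*(?:-[A-Za-z0-9]+)?\b"),
}

PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")
WORD_RE = re.compile(r"[A-Za-z]{2,}")


def extract_strings(blob, min_len=4):
    """Return runs of printable ASCII at least min_len long, like strings(1)."""
    found, run = [], bytearray()
    for byte in blob:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def is_meaningful(s, dictionary=DICTIONARY, threshold=0.5):
    """Dictionary filter: keep a string only if enough of its words are real words."""
    words = WORD_RE.findall(s)
    if not words:
        return False
    hits = sum(1 for w in words if w.lower() in dictionary)
    return hits / len(words) >= threshold


def triage(blob):
    """Classify every extracted string; count the ones dropped as noise."""
    findings = {name: [] for name in INDICATORS}
    findings["other"] = []
    findings["noise"] = 0
    for s in extract_strings(blob):
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                findings[name].append(s)
                break
        else:
            if is_meaningful(s):
                findings["other"].append(s)
            else:
                findings["noise"] += 1
    return findings


def release_blockers(findings):
    """Indicator categories that were hit; an empty list means nothing obvious leaked."""
    return [name for name in INDICATORS if findings[name]]


if __name__ == "__main__":
    result = triage(SAMPLE_BINARY)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("blockers:", release_blockers(result))
```

On a real binary the dictionary would be a full word list plus the project's own vocabulary, and the indicator patterns would grow as the team learns what its toolchain leaves behind; the structure (extract, classify by indicator, then filter the remainder by dictionary) stays the same.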
2.  Network Assurance (Dr. Drew Hamilton / Dr. Richard Chapman)

            Intrusion Detection

There are many variations of the Honeynet Project being conducted.  Our experiment is to impersonate the site of a defense contractor and develop automated counterintelligence techniques to use against electronic intruders.  A central part of our research is the use of the NSA-hardened version of Linux to ensure that our event logging is not wiped during an unauthorized intrusion.
            Proactive Defense against DDOS

Distributed Denial of Service attacks are becoming more and more common on the Internet, but solutions to these problems are difficult.  Currently, each attack must be defended on a case-by-case basis because current techniques do not work well for large-scale attacks.  This research uses network simulation to model large-scale DDoS attacks and experiments with the means to proactively eliminate DDoS attacks.  The same vulnerabilities that allow attackers to spawn zombie processes on victim machines can also be used to eliminate those zombies.  This technique takes advantage of the fact that most zombied computers have been infected by one of two major hacking tools: Back Orifice or Sub7.  These programs can be freely downloaded by anyone and are often used by “Script Kiddies” to launch DDoS attacks.  Fortunately, the reuse of this code allows for the reuse of a solution.  After being installed on an unaware victim’s computer, the Sub7 zombie connects to an IRC chat-room to notify the hacker that a new computer has become victimized.  A skilled programmer can write applications to monitor these zombie chat-rooms to find out which computers are zombies and possibly who is using them.  Not only will the research provide the ability to monitor the zombies, but the user could also notify the victim of the zombie infestation or even remove the zombie completely.  Ultimately, this research project hopes to stop DDoS attacks at the source.
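
As an added example of the chat-room monitoring described above (not the project's own code), the following Python parses IRC protocol lines into prefix, command and parameters, and records which hosts join a watched channel, so that the owners of the affected machines can be notified.  The channel name, the nicks and the 192.0.2.0/24 and 198.51.100.0/24 addresses in the sample log are constructed for the example; nothing here is specific to any particular tool.

```python
import re
from collections import defaultdict

# RFC 1459 message shape: [":" prefix SPACE] command [params] [" :" trailing]
MESSAGE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")
PREFIX_RE = re.compile(r"^(?P<nick>[^!@]+)(?:!(?P<user>[^@]+))?(?:@(?P<host>\S+))?$")


def parse_irc_line(line):
    """Split one raw IRC line into nick/user/host, command and argument list."""
    m = MESSAGE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params") or ""
    if params.startswith(":"):                  # only a trailing parameter
        args = [params[1:]]
    elif " :" in params:                        # middle parameters plus trailing
        leading, trailing = params.split(" :", 1)
        args = leading.split() + [trailing]
    else:
        args = params.split()
    source = {}
    if m.group("prefix"):
        p = PREFIX_RE.match(m.group("prefix"))
        source = p.groupdict() if p else {}
    return {
        "nick": source.get("nick"),
        "user": source.get("user"),
        "host": source.get("host"),
        "command": m.group("command").upper(),
        "args": args,
    }


# Constructed for the example: the channel a (hypothetical) zombie reports to.
WATCHED_CHANNELS = {"#example-zombies"}

# Constructed sample log; addresses are taken from the documentation ranges.
SAMPLE_LOG = [
    ":bot4417!victim@192.0.2.17 JOIN :#example-zombies",
    ":bot4417!victim@192.0.2.17 PRIVMSG #example-zombies :online",
    ":bot2201!victim@192.0.2.44 JOIN #example-zombies",
    ":alice!alice@198.51.100.5 JOIN #general",
    "PING :irc.example.net",
    ":bot4417!victim@192.0.2.17 JOIN :#example-zombies",
    ":bot9!victim@192.0.2.44 JOIN #EXAMPLE-ZOMBIES",
]


def monitor(lines, watched=WATCHED_CHANNELS):
    """Map each host that joined a watched channel to its nicks and join count."""
    seen = defaultdict(lambda: {"nicks": set(), "joins": 0})
    for line in lines:
        msg = parse_irc_line(line)
        if not msg or msg["command"] != "JOIN" or not msg["host"] or not msg["args"]:
            continue
        if msg["args"][0].lower() in watched:   # channel names are case-insensitive
            record = seen[msg["host"]]
            record["nicks"].add(msg["nick"])
            record["joins"] += 1
    return {host: {"nicks": sorted(v["nicks"]), "joins": v["joins"]}
            for host, v in seen.items()}


if __name__ == "__main__":
    for host, info in monitor(SAMPLE_LOG).items():
        print(f"{host}: joined {info['joins']}x as {', '.join(info['nicks'])}")
```

A host reappearing under several nicks, or rejoining repeatedly, is the signal that distinguishes an infected machine from a passer-by, which is why the report is keyed by host rather than by nick.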
3.  Secure Wireless Devices (Dr. Richard Chapman / Dr. Drew Hamilton)
            Security for Software Defined Radio

We are actively looking for ways to safeguard the CORBA Object Request Brokers specified in the Software Communications Architecture (SCA) and the Software Defined Radio documentation.  The core framework control and status messages are passed back and forth between the red and black sides.  CORBA messages consist of "marshaled" data embedded in a transport protocol (not in a readable structure when not in application space), making security checking very difficult.  A bypass is also available for CORBA message traffic.  The control/status bypass has no specific APIs.  Platform- and waveform-specific security policies define the parameters of the control/status bypass guard.  This all points to a problem that is not new to any network communication scheme: how to provide a secure, fully automated electronic connection between a secure system and a non-secure system.  There are other significant security threats as well.  Much of the software, especially the waveform software, is written in C and C++.  Current vulnerabilities of the standard I/O and system functions in these languages are well known.  Pointers are used in the waveform software, so type confusion, garbage memory, dangling references, and malicious pointer manipulation can occur.  Another threat is in the exception handling, which may be used to raise and catch security exceptions.  Exception handling subroutines are not portable between ORB implementations by different vendors.  Consequently, the software security mechanisms will not be uniformly applied among the different implementations.  This affects the core framework, the device drivers, and the application services.
            Secure Handheld Devices

Wireless handheld computing devices have tremendous potential for further widespread deployment.  Wireless devices can move with first responders, military units or business consumers.  Wireless security must be considered from both external and internal threats.  High-powered transmitters and receivers located on mobile platforms may be used in attempts to engage in monitoring, intrusion and deception operations.  Wireless handhelds used to transmit business transactions must do so in a manner that ensures privacy.  Of particular concern is the lack of kernel space protection in many embedded operating systems.  We are working to design a multi-security-level protocol using existing algorithms and protocols (VPN, public key crypto, Kerberos, etc.).
            Cell Phone Compromise and Manipulation

As mobile phones make the transition from closed architectures to open architectures such as Symbian, Microsoft Smartphone, BREW, and J2ME, the opportunity for compromise of the handset and network increases. As networks move to packet switched rather than circuit switched protocols in the third and fourth generations, new vulnerabilities arise. Worms, viruses, denial of service attacks, buffer overruns, and other classic TCP/IP network attacks will become increasingly feasible. In collaboration with the Auburn Wireless Engineering Research and Education Center, the IAL is looking at analysis of these vulnerabilities. There is room for research here not only to prevent compromise of mobile phone systems, including military systems such as mobile subscriber equipment, but also to exploit the vulnerabilities for offensive purposes, since mobile phone communications are also widely used by the “bad guys” for purposes ranging from bomb detonation in Iraq to tactical battlefield communication in Yugoslavia.
4.  Software Process for Secure Software Development (Dr. David Umphress)

As software engineers, we are schooled in developing software that can be used.  What is frequently omitted from this picture is the flip side:  how software can be misused.  Software Vulnerability Assessment Process (SVAP) addresses this darker side by examining a software product for its susceptibility to compromise.  Although Auburn has taken the lead in assessing software vulnerabilities, it is obvious that preventing vulnerabilities is better than remediating vulnerabilities.  Program Managers have made it clear that they want to be able to assess vulnerabilities during software development.  This ongoing research seeks to produce and refine the following:  an assessment scale for measuring software vulnerability, a publicly available toolkit for assessing software vulnerability and a software vulnerability process consistent with the CMM.
5.  Reverse Engineering (Dr. James Cross)

The GRASP Research Laboratory has a long history of reverse engineering visualizations from source code.  Many of the research results have been implemented in jGRASP, an integrated development environment (IDE), which is written in Java and specifically intended to automatically generate Graphical Representations of Algorithms, Structures, and Processes from source code.  GRASP research is currently focusing on dynamic object visualization.  Recently, an extensive object workbench was added to jGRASP to facilitate the creation of instances of objects from Java byte code, with or without source code.  When instances of objects have been placed on the workbench, they can then be examined to understand their function and purpose.  The workbench concept can be applied to any set of class files intended to execute on a Java Virtual Machine.  A number of proposed extensions to jGRASP are currently under consideration, including de-obfuscating and decompiling class files and harvesting complete hierarchies of classes so that they can be used elsewhere.  More general extensions to include the analysis of software intended to run on the .Net virtual machine are also under consideration.  With these proposed extensions, jGRASP can be a valuable tool for vulnerability assessment of Java and .Net software.
See http://jgrasp.org/ for more information on jGRASP.
6.  AI for Vulnerability Assessment (Dr. Gerry Dozier)

            Genetic Algorithms for Parameter Analysis

The use of genetic algorithms has been shown to be an effective method of performing boundary analysis and parameter optimization.  Since genetic algorithms have been successfully used to perform parameter analysis in other domains, we have demonstrated that a genetic algorithm could extract information concerning how particular parameters affect simulation software computations.  This application of genetic algorithms is part of a greater vulnerability analysis of sensitive defense software.
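
To make the idea concrete, here is an added Python example (not the laboratory's code) of a real-valued genetic algorithm run against a constructed two-parameter "simulation" (ballistic range as a function of launch angle and speed).  The search finds the parameter combination that drives the output to its maximum, and a finite-difference sensitivity at that point shows which parameter the computation depends on most, which is the kind of information the text describes extracting.  The simulated function, its bounds and the GA settings are assumptions made for the example.

```python
import math
import random

# Constructed toy "simulation": ballistic range (m) from launch angle and speed.
# Stands in for the sensitive computation whose parameters are being probed.
BOUNDS = {"angle_deg": (0.0, 90.0), "speed": (10.0, 50.0)}


def simulate(params):
    angle, speed = params["angle_deg"], params["speed"]
    return speed ** 2 * math.sin(math.radians(2 * angle)) / 9.81


def clamp(params, bounds):
    """Keep every gene inside its declared range."""
    return {k: min(max(v, bounds[k][0]), bounds[k][1]) for k, v in params.items()}


def genetic_search(fitness, bounds, pop_size=40, generations=60, seed=1):
    """Real-valued GA: tournament selection, blend crossover, Gaussian mutation, elitism."""
    rng = random.Random(seed)                    # seeded so runs are reproducible
    names = list(bounds)

    def random_individual():
        return {k: rng.uniform(*bounds[k]) for k in names}

    def tournament(pop, scores, k=3):
        contenders = rng.sample(range(len(pop)), k)
        return pop[max(contenders, key=lambda i: scores[i])]

    def crossover(a, b):
        w = rng.random()
        return {k: w * a[k] + (1.0 - w) * b[k] for k in names}

    def mutate(p, rate=0.3, scale=0.1):
        child = dict(p)
        for k in names:
            if rng.random() < rate:
                lo, hi = bounds[k]
                child[k] += rng.gauss(0.0, scale * (hi - lo))
        return clamp(child, bounds)

    population = [random_individual() for _ in range(pop_size)]
    best, best_score = None, -math.inf
    for _ in range(generations):
        scores = [fitness(p) for p in population]
        leader = max(range(pop_size), key=lambda i: scores[i])
        if scores[leader] > best_score:
            best, best_score = dict(population[leader]), scores[leader]
        next_gen = [dict(best)]                  # elitism: the best seen survives
        while len(next_gen) < pop_size:
            mother = tournament(population, scores)
            father = tournament(population, scores)
            next_gen.append(mutate(crossover(mother, father)))
        population = next_gen
    return best, best_score


def sensitivity(fn, point, bounds, frac=0.01):
    """Central-difference change in fn when each parameter moves by 1% of its range."""
    result = {}
    for k, (lo, hi) in bounds.items():
        h = frac * (hi - lo)
        up, down = dict(point), dict(point)
        up[k] += h
        down[k] -= h
        result[k] = abs(fn(up) - fn(down)) / 2.0
    return result


if __name__ == "__main__":
    best, score = genetic_search(simulate, BOUNDS)
    print("best parameters:", {k: round(v, 2) for k, v in best.items()}, "range:", round(score, 2))
    print("sensitivity at optimum:",
          {k: round(v, 3) for k, v in sensitivity(simulate, best, BOUNDS).items()})
```

For the toy function the GA converges on a launch angle near 45 degrees and a speed at the top of its range; the sensitivity figures then show the output is almost flat in angle at that point but steep in speed, which is the per-parameter effect the analysis is after.  Against real simulation software the fitness function would wrap a call into the program under study and the bounds would come from its parameter documentation.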