Auflistung nach Autor:in "Boes, Felix"
1 - 3 von 3
Treffer pro Seite
Sortieroptionen
- KonferenzbeitragTEEM: A CPU Emulator for Teaching Transient Execution Attacks(Sicherheit 2024, 2024) Swierzy, Ben; Hoffmann, Melina; Boes, Felix; Betke, Felix; Hein, Lennart; Shevchishin, Maxim; Sohn, Jan-Niklas; Meier, MichaelSide channel attacks have been an active field of attacker research for decades. The Spectre, Meltdown and Load Value Injection publications established a new type of attacks, known as transient execution attacks, which utilize that architectural rollbacks leave traces in microarchitectural caches and buffers. These can serve as covert channels, resulting in practically relevant but hard to prevent attack scenarios. The associated weaknesses are complex, which makes it hard for security researchers to detect them and even harder for developers to prevent them. To achieve advancements in this field it is important to teach students about the underlying concepts. However, the documentation of modern CPUs is neither complete nor correct, which increases difficulties in obtaining practical experience. As a result, there is a need for a CPU emulator that facilitates practical learning with options for looking inside the box. We contribute TEEM, a Transient Execution EMulator of a RISC-V CPU supporting several microarchitectural features relevant for teaching transient execution attacks. Our empirical teaching experiences clearly indicate an improvement in the student’s understanding of Meltdown and Spectre.
- TextdokumentTowards Detection of Malicious Software Packages Through Code Reuse by Malevolent Actors(GI SICHERHEIT 2022, 2022) Ohm, Marc; Kempf, Lukas; Boes, Felix; Meier, MichaelTrojanized software packages used in software supply chain attacks constitute an emerging threat. Unfortunately, there is still a lack of scalable approaches that allow automated and timely detection of malicious software packages and thus most detections are based on manual labor and expertise. However, it has been observed that most attack campaigns comprise multiple packages that share the same or similar malicious code. We leverage that fact to automatically reproduce manually identified clusters of known malicious packages that have been used in real world attacks, thus, reducing the need for expert knowledge and manual inspection. Our approach, AST Clustering using MCL to mimic Expertise (ACME), yields promising results with a F1 score of 0.99. Signatures are automatically generated based on characteristic code fragments from clusters and are subsequently used to scan the whole npm registry for unreported malicious packages. We are able to identify and report six malicious packages that have been removed from npm consequentially. Therefore, our approach can support the detection by reducing manual labor and hence may be employed by maintainers of package repositories to detect possible software supply chain attacks through trojanized software packages.
- KonferenzbeitragYou Can Run But You Can’t Hide: Runtime Protection Against Malicious Package Updates For Node.js(Sicherheit 2024, 2024) Pohl, Timo; Ohm, Marc; Boes, Felix; Meier, MichaelMalicious software packages are often used in software supply chain attacks. Detecting these packages is a top priority, and there have been many academic and commercial approaches developed for this purpose. In the event of an attack, it is essential to have resilience against malicious code. To address this issue, we introduce a runtime protection for Node.js that automatically limits the capabilities of packages to a minimum level. The implementation and evaluation of the detection and enforcement of necessary capabilities at runtime was conducted against known malicious attacks. Our approach successfully prevented 90 % of historical attacks with a median install-time overhead of less than 0.6 seconds and a median runtime overhead of less than 0.2 seconds.