Attack Comprehension
An attack on a computer system begins with the exploitation of one or more vulnerabilities of that system. Generally speaking, a vulnerability is a software bug or a misconfiguration that an attacker can exploit to perform unauthorized actions. Exploiting a vulnerability drives the system into a case that was not foreseen in its specification, implementation or configuration. This puts the system in an inconsistent state that allows the attacker to divert its use to his or her own ends. The systems we use are large, interconnected and constantly evolving, and are therefore likely to retain many vulnerabilities; their security depends on our ability to update them quickly when new threats are discovered. It is thus necessary to understand how the attacker has compromised the system: which vulnerabilities were exploited, which actions were carried out, and where in the system the attacker is located. It is essential to study the code used by the attacker statically. It is also important to be able to study it dynamically, so that attacks can be replayed on demand. Ideally, we should stay ahead of the attacker and therefore imagine new ways of attacking. In addition, we believe it is necessary to improve the feedback given to the expert, allowing him or her to quickly understand the progress of an attack.
Attack Detection
An attack is generally composed of several steps. In a first, approach step the attacker enters the system, locates the target and establishes persistence. Then, in a second step, the payload of the attack is effectively launched, leading to a violation of the security policy (attacks against the confidentiality, integrity or availability of the OS, applications, services or data). The objective of intrusion detection is to detect the attacker, ideally during the first step of the attack. To do this, intrusion detection systems (IDS) rely on probes that continuously monitor the system. These probes report events to a core engine that decides whether or not to alert the expert. Intrusion detection systems are important for all systems handling sensitive data that may be accessible to a malicious agent. They are especially crucial for low-level systems that provide essential support services to other systems. They are essential in interconnected systems that are designed to last a long time and are difficult to update.
Attack Resistance
We believe that it is always possible for an attacker to bypass the security mechanisms. It is thus important to take into account, starting from the design phase, that the system will run in the presence of an attacker who may have partial or full knowledge of the system. The last research axis of the CIDRE team focuses on systems that can provide the expected services even in the presence of an attacker. To achieve this objective, we explore two approaches:
- the means of reducing the attack surface
- the design of architectures or services relying on the collaboration of entities, such that the presence of a minority of malicious entities does not affect the service