Research

Attack Comprehension

An attack on a computer system begins with the exploitation of one or more vulnerabilities of that system. Generally speaking, a vulnerability is a software bug or a misconfiguration that an attacker can exploit to perform unauthorized actions. Exploiting a vulnerability drives the system into a case not foreseen in its specification, implementation or configuration. This puts the system in an inconsistent state that allows the attacker to divert its use in his or her own interest. The systems we use are large, interconnected and constantly evolving, and are therefore likely to retain many vulnerabilities; their security depends on our ability to update them quickly when new threats are discovered. It is thus necessary to understand how the attacker has compromised the system: which vulnerabilities were exploited, which actions were conducted, and where the attacker is located in the system. It is essential to study statically the code used by the attacker. It is also important to be able to study it dynamically, so that attacks can be replayed on demand. Ideally, we should be ahead of the attacker and therefore imagine new ways to attack. In addition, we believe it is necessary to improve the feedback given to the expert, allowing him or her to quickly understand the progress of an attack.

Staff
  • Faculty and Research Scientists: Christophe Bidan, Jean-François Lalande, Jean-Louis Lanet, Ludovic Mé, Eric Totel, Valérie Viet Triem Tong, Pierre Wilke
  • PhD students: Kevin Bukasa, Damien Crémilleux, Mathieu Escouteloup, Pierre Graux, Laetitia Leichtnam, Charles Xosanavongsa
  • Postdoc: Ludovic Claudepierre
Software and platforms
  • GEPETO evaluates sanitization methods and inference attacks on geolocated data
  • GroddDroid triggers the malicious code
  • Kayrebt analyses and explores C code, more specifically, the Linux kernel codebase
  • Kharon is a full platform dedicated to Android malware analysis
  • Netzob reverse engineers unknown communication protocols
  • StarLord correlates log events and displays the resulting graph in a 3D view
  • VEGAS is a visualization tool to easily identify, explore and group alerts generated by an IDS

Attack Detection

An attack is generally composed of several steps. During a first approach step, the attacker enters the system, locates the target and establishes persistence. Then, in a second step, the payload of the attack is effectively launched, leading to a violation of the security policy (attacks against the confidentiality, integrity or availability of the OS, applications, services or data). The objective of intrusion detection is to detect the attacker, ideally during the first step of the attack. To do this, intrusion detection systems (IDS) rely on probes that continuously monitor the system. These probes report events to a core engine that decides whether or not to alert the expert. Intrusion detection systems are important for all systems handling sensitive data that may be accessible to a malicious agent. They are especially crucial for low-level systems that provide essential support services to other systems. They are essential in interconnected systems that are designed to last a long time and are difficult to update.

Staff
  • Faculty and Research Scientists: Guillaume Hiet, Michel Hurfin, Jean-Louis Lanet, Ludovic Mé, Guillaume Piolle, Eric Totel, Frédéric Tronel, Valérie Viet Triem Tong
  • PhD students: Vasile Cazacu, Ronny Chevalier, David Lanöe, Aurélien Palisse
  • Postdoc: Mouad Lemoudden
Software and platforms
  • Blare is an information flow monitor at the operating system level (for Android and Linux)
  • Conductor detects low-level intrusions using a co-processor isolated from the main processor
  • GNG is an intrusion detection system
  • HardBlare implements hardware DIFC on the Xilinx Zynq platform

Attack Resistance

We believe that it is always possible for an attacker to bypass the security mechanisms. It is thus important to take into account, starting from the design phase, that the system will run in the presence of an attacker who may have partial or full knowledge of the system. The last research axis of the CIDRE team focuses on systems that can provide the expected services even in the presence of an attacker. To achieve this objective, we explore two approaches:

  • the means of reducing the attack surface
  • the design of architectures or services relying on the collaboration of entities, which remain unaffected as long as malicious entities are a minority
Staff
  • Faculty and Research Scientists: Emmanuelle Anceaume, Christophe Bidan, Gilles Guette, Guillaume Piolle, Jean-Louis Lanet, Pierre Wilke
  • PhD students: Aïmad Berady, Benoit Fournier, Cedric Herzog, Léopold Ouairy
  • Postdoc: Jérôme Fellus
Software and platforms
  • SpecCert specifies and verifies hardware-based security mechanisms.