Axis 1: Vulnerability analysis
This axis reasons about vulnerabilities and proposes different techniques to discover them in potentially complex systems. The outcomes of this axis are new techniques to discover system vulnerabilities, to analyze them, and to understand how the hardware can be exploited in the process. A large part of this axis will be devoted to extending formal approaches to security. In order to develop such techniques, one has to acquire experience and to be able to define exactly what a vulnerability is. Contrary to well-studied requirements such as reliability and safety, the definition of security remains inherently vague. Unlike safety, where failures are random and thus become statistically predictable, security is concerned with a creative adversary who may devise new types of attacks. Consequently, as we develop and deploy tools to close today's attack vectors, new techniques emerge. This co-evolution drives a constant process of re-evaluation and reclassification of what constitutes a vulnerability. Hence, the techniques we develop to protect ourselves should be flexible enough to be adapted to new scenarios. Studying vulnerabilities is only comprehensive if one considers both sides of the co-evolutionary process.
- The attacker view, where one tries to attack the system in order to understand its weaknesses. This can be done by exploiting our knowledge and experience of existing successful attacks/exploits as well as our creativity and knowledge of new technologies and programming paradigms.
- The defender view (which uses formal and engineering approaches) to detect vulnerabilities and protect the system accordingly. The latter can be done by exploiting a classification of existing vulnerabilities, and then trying to apply engineering and formal techniques to detect them.
The above can only be achieved by a team that has competence in protection techniques and that has experience in attacking real-life systems. Indeed, it is important to acquire experience of what a potential attack is. Again, this largely depends on the class of systems under analysis, and TAMIS has no pretension to cover it entirely. During the first four years, we will limit ourselves to smart card attacks, ARM TrustZone analysis (including TrustZone software), Java/C implementations of security protocols for complex (composite) systems, and assembly/binary code for x86 and ARM. We will start with single-thread implementations (e.g. a Raspberry Pi, which embeds a TrustZone), and then move to more complex multi-core devices (e.g. Odroid). Some of those examples will be handled during the first four years, but there is content for an eight-year project (provided that we take the evolution of the hardware into account).
The rest of the section is structured as follows. First, in Axis 1.1, we will illustrate how our engineering knowledge can be exploited to discover new vulnerabilities, and introduce some tools and techniques that are used to discover them at both the software and hardware levels. Second, in Axis 1.2, we will focus on formal approaches which systematize the discovery of existing classes of vulnerabilities. Lastly, in Axis 1.3, we will generalize from the software issues of the previous axes to include hardware issues as well.
- The engineering view, and experience acquirement
- Formal approaches for vulnerability analysis
- Hardware vulnerability analysis
Axis 2: Malware analysis
Axis 1 is concerned with vulnerabilities. Such vulnerabilities can be exploited by an attacker in order to introduce malicious behaviors into a system. Another method to identify vulnerabilities is to analyze malware that exploits them. However, modern malware has a wide variety of analysis-avoidance techniques. In particular, attackers obfuscate the code leading to a security exploit. To do so, recent black hat research suggests hiding constants in program choices via polynomials, so that a value which is in fact fixed appears to depend on the program's input. Such techniques hinder forensic analysis by making detailed analysis labor intensive and time consuming. The objective of this axis is to obtain a full tool chain for malware analysis, starting from (1) the observability of the malware via unpacking and deobfuscation, and (2) the analysis of the resulting binary file. A complementary objective is to understand how hardware attacks can be captured and analyzed with the tool chain.
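The following Python snippet is an added illustration, not part of the original program description and not a TAMIS tool: it shows the kind of polynomial-based constant hiding the paragraph refers to, next to the two analysis steps a deobfuscation tool chain can apply to it. The polynomial 3x^2 + 3x + 7 is always odd (3x(x+1) is even), which makes `p | 1 == p` an opaque predicate; the constant is then wrapped in an expression that looks input-dependent. The defender-side functions `probe_constant` (random-sampling triage) and `polynomial_parity` (an algebraic proof of the parity invariant) are constructed for this example; the 32-bit wraparound mimics the machine arithmetic an analyst sees in a binary.

```python
import random

MASK32 = 0xFFFFFFFF  # emulate 32-bit unsigned arithmetic, as seen in a real binary


def hide_constant(secret: int, x: int) -> int:
    """Constructed example of polynomial constant hiding.

    For every integer x, 3*x*(x+1) is even, so p = 3x^2 + 3x + 7 is odd and
    the expression (p | 1) equals p. The function therefore returns `secret`
    for every x, while a disassembler sees an input-dependent computation.
    """
    p = (3 * x * x + 3 * x + 7) & MASK32  # always odd, parity survives mod 2^32
    return ((secret + p) - (p | 1)) & MASK32  # (p | 1) == p, so this is secret


def probe_constant(func, trials: int = 1000, seed: int = 0):
    """Sampling triage step of a deobfuscation tool chain (constructed).

    Evaluates an input-dependent expression on many random 32-bit inputs plus a
    few boundary values. If every evaluation agrees, the value is reported as a
    candidate hidden constant; otherwise None. Sampling cannot *prove*
    constancy (an SMT query or algebraic simplification is needed for that),
    which is why it is a triage step and not a final verdict.
    """
    rng = random.Random(seed)
    values = {func(rng.getrandbits(32)) for _ in range(trials)}
    # boundary inputs where parity and overflow tricks most often break
    values |= {func(x) for x in (0, 1, 0x80000000, MASK32)}
    return values.pop() if len(values) == 1 else None


def polynomial_parity(coeffs):
    """Sound check for the parity class of opaque predicates (constructed).

    `coeffs` lists integer coefficients from degree 0 upwards. Reduction mod 2
    commutes with polynomial evaluation, so p(x) mod 2 depends only on x mod 2.
    Hence p has constant parity iff p(0) and p(1) have the same parity.
    Returns 0 (always even), 1 (always odd), or None (not constant).
    """
    parity_at_0 = coeffs[0] % 2
    parity_at_1 = sum(coeffs) % 2
    return parity_at_0 if parity_at_0 == parity_at_1 else None


if __name__ == "__main__":
    obfuscated = lambda x: hide_constant(0x13371337, x)  # noqa: E731
    print("candidate constant:", hex(probe_constant(obfuscated)))
    print("parity of 3x^2+3x+7:", polynomial_parity([7, 3, 3]))
    print("non-constant expr:", probe_constant(lambda x: (7 * x + 1) & MASK32))
```

In a real tool chain the sampling pass flags candidate expressions cheaply, and the algebraic check (or an SMT solver for richer mixed boolean-arithmetic forms) confirms them before the constant is folded back into the recovered code.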
- Behavioral Malware Analysis
- Malware and Signature Generation
- Fault enabled malware