The “Internet of Things” is in danger, so much so that even secret services and security agencies are losing sleep over it. A new approach from Saarbrücken computer scientists helps protect embedded systems, mobile devices and even servers from known and unknown attacks: programs are prevented from changing the behavior they have once shown. The fully automated process, which requires no modification of existing programs, is being presented by CISPA researchers from March 14-18 at the CeBIT computer expo in Hannover (Hall 6, Stand D28).
Rob Joyce runs what is probably one of the best-equipped groups of hackers at the American secret service, the NSA. When he takes the floor, not only the journalists listen, but the experts as well. That is why the announcement Joyce made at the end of January this year at a conference in San Francisco, that vulnerabilities in cyber-physical systems such as the Internet of Things or Industry 4.0 were giving him sleepless nights, spread like wildfire. In Germany, the Federal Office for Security in Information Technology had already documented such an incident in 2014: an attacker gained access to the intranet of a steel mill and, from there, caused outages in manufacturing and massively damaged the blast furnace. The lead hacker therefore called for new, fundamental ideas to prevent such attacks in practice.
Such a new approach is presented by Andreas Zeller, Computer Science Professor at Saarland University and researcher at the competence center for IT security (CISPA), together with Konrad Jamrozik and Philipp von Styp-Rekowsky, both PhD students at the Saarbrücken Graduate School of Computer Science. Their software system, called “Boxmate”, defends IT systems not only against current and, until now, unknown attacks, but also blocks hidden back doors. “Regardless of how we improve analysis techniques and program testing, there will always be a way to outsmart them”, explains Zeller. The main problem with existing safeguards is that a particular attack has to be observed at least once before it can be recognized again. “The attackers are always one step ahead of the defenders. At the same time, programs are getting larger and more complex, and every programming error is a potential security hole”, says Zeller.
Therefore, his newly designed software system “Boxmate” does not allow programs to change their behavior unnoticed, because such a change could be part or a result of a covert attack. “We systematically generate program inputs in order to explore the legitimate behavior of the program. While doing so, we remember which critical data (locations, contacts) and critical resources (microphone, internet) the program uses to do its tasks”, says Zeller. Figuratively speaking, the researchers fence off an area that is large enough for the program to do its work; if the monitored object changes its behavior and passes through the bars, the alarm goes off. In Boxmate this area is a so-called sandbox, which watches the particular program during operation so that it cannot spy on data as a result of an attack or through a back door.
If the program changes its behavior, the user receives a warning message and has to confirm it. “Our evaluation has shown that this is less common with Boxmate than is already demanded by operating systems”, reports Zeller, who has already tested Boxmate on over a hundred apps together with his colleagues. The system also renders harmless programs that were malicious from the start and whose attack methods are still unknown. “If a program wants to use data later, it must already access the data during the testing through Boxmate and show what it is doing. Malicious programs can no longer hide”, says Zeller.
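The two phases described above, sketched as an added Python illustration that is not Boxmate's code: a mining phase drives a program with generated inputs and records every sensitive resource it touches, and an enforcement phase then blocks any access outside that recorded set. The sample app, its commands and the resource names are constructed for the example.

```python
# Added illustration, not Boxmate's code; app, commands and resource names are constructed.
from dataclasses import dataclass, field

class UnexpectedAccess(Exception):
    """A program touched a resource it never used while being mined."""

@dataclass
class SandboxMonitor:
    mode: str = "mine"                        # "mine" records, "enforce" checks
    allowed: set = field(default_factory=set)
    violations: list = field(default_factory=list)

    def access(self, resource: str) -> None:
        """Called by the program before it uses a sensitive resource."""
        if self.mode == "mine":
            self.allowed.add(resource)        # legitimate use: remember it
        elif resource not in self.allowed:
            self.violations.append(resource)  # behaviour changed: alarm
            raise UnexpectedAccess(resource)

def notes_app(commands, sandbox: SandboxMonitor) -> None:
    """Constructed stand-in for an app: 'save' and 'share' are its visible
    features, 'exfil' a hidden back door that reads the contact list."""
    for cmd in commands:
        if cmd == "save":
            sandbox.access("storage")
        elif cmd == "share":
            sandbox.access("internet")
        elif cmd == "exfil":
            sandbox.access("contacts")
            sandbox.access("internet")

def mine_sandbox(program, generated_inputs) -> SandboxMonitor:
    """Mining phase: drive the program with generated inputs, then switch the
    monitor to enforcement with the recorded resource set as its policy."""
    sandbox = SandboxMonitor(mode="mine")
    program(generated_inputs, sandbox)
    sandbox.mode = "enforce"
    return sandbox

def run_enforced(program, inputs, sandbox: SandboxMonitor) -> list:
    """Run under the mined sandbox and return the resources that were blocked."""
    try:
        program(inputs, sandbox)
    except UnexpectedAccess:
        pass                                  # access denied, program stopped
    return list(sandbox.violations)

# Generated inputs only exercise the visible features, so "contacts" never
# enters the sandbox while mining and a later back-door trigger is blocked.
policy = mine_sandbox(notes_app, ["save", "share", "save"])
blocked = run_enforced(notes_app, ["save", "exfil"], policy)
```

The back door is never reached during mining because the input generator only exercises the visible features, so its first use of the contact list at run time is exactly the kind of behavior change the text describes.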
Zeller funded the research on “Boxmate” with money from his ERC Advanced Grant. He won this highest award of the European Research Council in 2011 with the proposal “SPECMATE – Specification Mining and Testing”.
Photo: Credit Oliver Dietze