ebook img

Windows Live Messenger 2009 PDF

124 Pages·2010·4.24 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Windows Live Messenger 2009

ISSN 1980-1114 Volume 4, Number 1, 2009 Proceedings of The Fourth International Conference of Forensic Computer Science ICoFCS 2009 www.ICoFCS.org The Fourth International Conference of Forensic Computer Science - ICoFCS 2009 Proceedings of the Fourth International Conference of Forensic Computer Science (ICoFCS’2009) / ABEAT (ed.) - Natal, Brazil, 2009, 122 pp. - ISSN 1980-1114 © Copyrigth 2009 by ABEAT ST SHC/NORTE CL Quadra 309 - Bloco D - nº 50 - sala 103 - Asa Norte Brasília DF - Brazil 70.755-540 Phone: +55 61 3202.3006 www.abeat.org.br ISSN 1980-1114 REALIZATION Honorary President Luiz Fernando Corrêa Director General - Brazilian Federal Police Honorary Vice-President Paulo Roberto Fagundes Technical-Scientifc Director - Brazilian Federal Police General Chair Paulo Quintiliano da Silva Forensic Computer Crime Unit - Brazilian Federal Police Organization Team Bruno Werneck Pinto Hoelz Forensic Computer Crime Unit - Brazilian Federal Police Cris Amon Caminha da Rocha Forensic Computer Crime Unit - Brazilian Federal Police Marcelo Caldeira Ruback Forensic Computer Crime Unit - Brazilian Federal Police Itamar Almeida de Carvalho Forensic Computer Crime Unit - Brazilian Federal Police Reviewers Andreia Stanger Bruno Werneck Pinto Hoelz Cris Amon Caminha da Rocha Daniel Miranda Galileu Batista de Sousa Ivo Peixinho José Helano Matos Nogueira José Henrique Linhares Marcelo Abdalla Murilo Tito Paulo César Herrmann Paulo Quintiliano da Silva Sergio Luis Fava ABEAT - Associação Brasileira de Especialistas em Alta Tecnologia ST SHC/NORTE CL Quadra 309 - Bloco D - nº 50 - sala 103 - Asa Norte Brasília DF - Brazil 70.755-540 Phone: +55 61 3202.3006 CONTENTS BEST PAPER Automated Malware Invariant Generation Rachid Rebiha, Arnaldo V. Moura ............................................................................................... 7 Extração de vestígios do Windows Live Messenger 2009 Marcelo Henrique Ferreira de Medeiros, Galileu Batista de Sousa ............................................. 15 Extração e análise de dados em memória na perícia forense computacional Gilson Marques da Silva, Evandro Mário Lorens ....................................................................... 21 Forense computacional em memória principal Antônio Pires de Castro Júnior, Bruno Lopes Lisita, Thiago Silva Machado de Moura, Tiago Jorge Pinto .................................................................................................................................... 29 A perícia forense e a questão dos documentos eletrônicos no processo civil brasileiro Caio César Carvalho Lima ........................................................................................................... 37 Um modelo para as normas sobre certifcação digital no Brasil Viviane Bertol, Rafael Timóteo de Sousa Jr, Laerte Peota de Melo ............................................. 45 Projeto MAAOS - mecanismo para monioramento de sistemas operacionais e auditoria para detecção de vestígios Vitor Teixeira Costa, George Soares Fleury ................................................................................. 53 A Ciência das Redes no combate ao crime e na proteção da infraestrutura crítica para a sociedade Gustavo Vasconcellos Cavalcante e Mamede Lima-Marques ...................................................... 60 Security aspects and future trends of social networks Anchises M. G. de Paula .............................................................................................................. 66 Desafos da informática forense no cenário de Cloud Computing Carlos Eduardo Marins ............................................................................................................... 78 Arquitetura de agentes inteligentes no auxílio à perícia forense computacional Benedito Cristiano Petroni, Pedro Luís Próspero Sanchez ........................................................ 86 Análise teórica e prática da segurança de redes sem fo na cidade de São Paulo Wilson Leite da Silva Filho .......................................................................................................... 93 Fraudes digitais - análise de pixels Carlos Alberto Goldani, Daniel Weber, Evandro Della Vecchia Pereira ...................................... 101 EspiaMule e Wyoming ToolKit: ferramentas de repressão à exploração sexual infanto-juvenil em redes Peer-to-Peer Jorge Ricardo Souza de Oliveira, Edmar Edilton da Silva .......................................................... 108 Identifcação de autoria e materialidade em crimes de abuso sexual de criança/adolescente a partir da análise de arquivos multimídia Pedro Monteiro da Silva Eleutério, Marcio Pereira Machado ..................................................... 114 1 Automated Malware Invariant Generation Arnaldo V. Moura, and Rachid Rebiha, Abstract—In our days, any social infrastructure relies on computer security and privacy: a malicious intent to a computer is a threat to society. Our project aims to design and develop a powerful binary analysis framework based on formal methods and employ the platform in order to provide automatic in-depth malware analysis. We propose a new method to detect and identify malware by generating automatically invariants directly from the specified malware code and use it as semantic aware signatures that we call malware-invariant. Also, we propose a host-based intrusion detection systems using automatically generated model where system calls are guarded by pre-computed invariant in order to report any deviation observed during the execution of the application. Our methods provides also technics for the detection of logic bugs and vulnerability in the application. Current malware detectors are “signature-based” but is it well-known that Malware writers use obfuscation to evade current detectors easily. We propose automatic semantic aware detection, identification and model extraction methods, hereby circumventing difficulties met by recent approaches. Index Terms—Formal Methods, Security, Forensic Computer Science, Static and Dynamic Binary Analysis, Malware/In- trusion/Vulnerability Detection, Identification and Containment. ✦ 1 INTRODUCTION we call malware-invariant. To do so, one need to Invariant properties are assertions (expressed in adapt formal methods currently use to verify and a specified logic), that hold true on every pos- proof statically systems correctness. sible behaviors of the system. A malware is a Current malware detectors are “signature- program that has malicious intent. Examples of based”: the presence of the malicious behavior is such programs include viruses, trojans horses, detected if the malicious code matches matches and worms. Malicicous intent to computers are byte-signatures. These current malware detec- virulent threat to society. We deeply need to tors are based on sound methods as, if the understand the malicious behavior in details. All executable matches byte-signatures located in present security systems (anti-virus, detection a database of regular expressions that specify systems...) suffer form the lack of automation byte or instructions sequences. in their malware analysis. In order to provide But the main problem is that malware writers automatic in-depth malware analysis and pre- can then use Obfuscation [26] to evade current cise detection systems, one need to be able to detectors easily. To evade detection, hackers extract automatically the malicious behaviors frequently use obfuscation to morph malware and not only its syntaxic signature. and evade detections by injecting code into We propose a new method to detect and malwares that preserves malicious behavior identify malware by generating automatically and makes the previous signature irrelevant. invariants directly from the specified malware The number of derivative malwares by ob- code and use it as semantic aware signatures that fuscation increases exponentially each time a new malware type appear. Malware writers can ∙ Rachid Rebiha is with the Faculty of Informatics, University of easily generate new undetected virus and then Lugano USI, Switzerland, Lugano, 9400 and with the Institute of the anti-virus code has to update its signature Computing, University of Campinas Unicamp, Brazil, Campinas database frequently to be able to catch the SP. new virus. The main difficulty remain in the E-mail: The new strategy would be to generate prove a software free of buffer overflow, quasi-static invariants directly from the spec- segmentation fault or non-termination.). ified malware code and use it as semantic-aware Static Analysis are used to generate and signatures that we call malware-invariants. Thus, infer invariant properties, which are assertions, for one familly of virus we would have only that hold true on every possible behaviors of one semantic signature. the system. Thus static analysis provides prov- We also show how these invariant to de- able guarantees that the most exhaustive and tect intrusion. Our intrusion detection system rigorous testing methods could not reach. mathematically (no false alarm) prove and re- In infinite state systems, safety properties can port any intrusion once the violation of an be proved by induction. Actually the verifica- application invariant is observed during the tion problem of safety properties is reduced execution of the application. Our methods al- to the problem of invariant generation. First, lows also propose how to detect logic bugs and an inductive invariant has to be obtained for vulnerability in the application.. the system. This means that the invariant holds As the main contribution, we proved that in the initial state (initiation condition) of the any approach to static analysis based mal- system and every possible transition preserves ware/intrusion detection will be strongly reen- it (consecution conditions). That is, if the in- forced by the presence of pre-comptued invari- variant holds in some state then it continues ants and will be weakened by their absence. to hold in every successor state as well. Now In the following section we will introduce for- if the inductive invariant implies the desired mal methods and malwares. In section 3, we property then the proof is complete. Finding present a quasi-static binary analysis. Finally inductive invariants automatically is an essen- we present guarded monitor generation for in- tial part in proving safety (such as in program dtrusion detection and vulnerability auditing. analysis) and liveness properties. The Floyd-Hoare [10], [11] inductive asser- tion technique depends on the presence of 2 FORMAL METHODS AND MALWARE loop invariants to establish total correctness. 2.1 Formal Methods and Verification Invariants are essential to prove and establish Formal methods aim at modeling (e.g. building safety properties, (such as no null pointer def- specifications expressed in a specific logic, de- erenciation, buffer overflows, memory leak or sign or code) and analysing (e.g. verification or outbounds array access,...), liveness properties falsification of) a system with methods derived (such as progress or termination.). from or defined by underlying mathematically- In order to tackle the recent most virulent precise concepts and their associated algorith- attacks and vulnerabilities, we show how the mic foundations. precision of malware/intrusion detection/i- Formal methods research aims at discovering dentification systems depends on the ease with mathematical techniques and design which one can automate the discovering of non algorithms to establish the correctness of trivial invariants in the application. software/hardware/concurrent/embed- ded/hybrid systems, i.e. to prove that 2.2 Malware and Virus Charaterisation the considered systems are faithful to their A malware is a program that has malicious specification. On large or infinite systems (with intent. Examples of such programs include a huge or infinite numbers of reachable state in viruses, trojans horses, and worms. These mali- any of its possible behaviors) total correctness cious intent are structured by a three recurrent is usually not practically possible. That is behavior: why we could restrict our focus on safety and liveness properties that any well behaved 1) following some infection strategies, engineered critical systems must guarantee 2) executing a set of malicious actions, pro- (e.g. by using static program analysis, one could cedures which is called the malware pay- load, 8

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.