Angelos Stavrou, Herbert Bos, Georgios Portokalidis (Eds.)

Research in Attacks, Intrusions, and Defenses
17th International Symposium, RAID 2014
Gothenburg, Sweden, September 17–19, 2014
Proceedings

Lecture Notes in Computer Science 8688
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany
Volume Editors

Angelos Stavrou
George Mason University, Department of Computer Science
Fairfax, VA 22030, USA
E-mail: [email protected]

Herbert Bos
Free University Amsterdam, Department of Computer Science
1081 HV Amsterdam, The Netherlands
E-mail: [email protected]

Georgios Portokalidis
Stevens Institute of Technology, Department of Computer Science
Hoboken, NJ 07030, USA
E-mail: [email protected]

ISSN 0302-9743, e-ISSN 1611-3349
ISBN 978-3-319-11378-4, e-ISBN 978-3-319-11379-1
DOI 10.1007/978-3-319-11379-1
Springer Cham Heidelberg New York Dordrecht London
Library of Congress Control Number: 2014947893
LNCS Sublibrary: SL 4 – Security and Cryptology

© Springer International Publishing Switzerland 2014
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)

Preface

Welcome to the proceedings of the 17th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID 2014). This year, RAID received an unusually large number of 113 submissions, out of which the Program Committee selected 22 high-quality papers for inclusion in the proceedings and presentation at the conference in Gothenburg. In our opinion, an acceptance rate of 19% is healthy. In addition, we accepted 10 posters from 24 submissions. The acceptance rate and quality of submissions clearly show that RAID is a competitive, high-quality conference, but avoids the insanely low probabilities of acceptance that sometimes reduce security conferences to glorified lotteries.

Running a well-established conference with many strong submissions makes the job of the program chairs relatively easy. Moreover, the chair/co-chair setup (where the co-chair of the previous year becomes the chair of the next) and the conference’s active Steering Committee both ensure continuity. In our opinion, this has helped RAID to become and to remain a quality venue.

One thing we did consciously try to change in this year’s edition is the composition of the Program Committee. Specifically, we believe that it is important to infuse new blood into our conferences’ Program Committees – both to prepare the next generation of Program Committee members, and to avoid the incestuous community where the same small circle of senior researchers rotates from Program Committee to Program Committee.
From the outset, we therefore aimed for a Program Committee that consisted of researchers who had not served on the RAID PC more than once in the past few years, but with a proven track record in terms of top publications. In addition, we wanted to introduce a healthy number of younger researchers and/or researchers from slightly different fields.

It may sound like all this would be hard to find, but it was surprisingly easy. There is a lot of talent in our community! With a good mix of seniority, background, and expertise, we were very happy with the great and very conscientious Program Committee we had this year (as well as with the external reviewers). Specifically, we made sure that all valid submissions received at least three reviews, and in case of diverging reviews, we added one or two more. As a result, the load of the Program Committee this year may have been higher than in previous years, but we are happy with the result and thank all reviewers for their hard work.

We are also grateful to the organizers, headed by the general chair Magnus Almgren and supported by Erland Jonsson (local arrangements), Georgios Portokalidis (publications), Vincenzo Gulisano and Christian Rossow (publicity), Bosse Norrhem (sponsoring), and all local volunteers at Chalmers. We know from experience how much work it is to organize a conference like RAID and that a general chair especially gets most of the complaints and too little of the credit. Not this year: hats off to Magnus for a great job!

Finally, none of this would be possible without the generous support by our sponsors: Symantec, Ericsson, Swedish Research Council, and the City of Gothenburg. We greatly appreciate their help and their continued commitment to a healthy research community in security.

We hope you enjoy the program and the conference.
July 2014
Angelos Stavrou
Herbert Bos

Organization

Organizing Committee

General Chair
Magnus Almgren, Chalmers University of Technology, Sweden

Local Arrangement Chair
Erland Jonsson, Chalmers University of Technology, Sweden

PC Chair
Angelos Stavrou, George Mason University, USA

PC Co-chair
Herbert Bos, Vrije Universiteit, The Netherlands

Publication Chair
Georgios Portokalidis, Stevens Institute of Technology, USA

Publicity Chair
Vincenzo Gulisano, Chalmers University of Technology, Sweden
Christian Rossow, Vrije Universiteit, The Netherlands / RU Bochum, Germany

Sponsorship Chair
Bosse Norrhem

Program Committee Members
Leyla Bilge, Symantec Labs, Europe
Baris Coskun, AT&T Security Research Center, USA
Manuel Costa, Microsoft Research, UK
Aurelien Francillon, Eurecom, France
Flavio D. Garcia, University of Birmingham, UK
Dina Hadziosmanovic, Delft University of Technology, The Netherlands
Gernot Heiser, NICTA and UNSW, Australia
Sotiris Ioannidis, FORTH-ICS, Greece
Xuxian Jiang, North Carolina State University, USA
Emmanouil Konstantinos Antonakakis, Georgia Tech, USA
Peng Liu, Penn State University, USA
Paolo Milani Comparetti, Lastline Inc., USA
Damon McCoy, George Mason University, USA
Fabian Monrose, University of North Carolina at Chapel Hill, USA
Hamed Okhravi, MIT Lincoln Labs, USA
Alina Oprea, RSA Laboratories, USA
Michalis Polychronakis, Columbia University, USA
Georgios Portokalidis, Stevens Institute of Technology, USA
Konrad Rieck, University of Göttingen, Germany
William Robertson, Northeastern University, USA
Christian Rossow, RU Bochum, Germany
Simha Sethumadhavan, Columbia University, USA
Kapil Singh, IBM Research, USA
Asia Slowinska, Vrije Universiteit, The Netherlands
Anil Somayaji, Carleton University, Canada

External Reviewers
Sumayah Alrwais, Indiana University, USA
Fabian van den Broek, Radboud University Nijmegen, The Netherlands
Lorenzo Cavallaro, Royal Holloway University of London, UK
Tom Chothia, University of Birmingham, UK
Joseph Gardiner, University of Birmingham, UK
Gurchetan S. Grewal, University of Birmingham, UK
Georgios Kontaxis, Columbia University, USA
Mihai Ordean, University of Birmingham, UK
Roel Verdult, Radboud University Nijmegen, The Netherlands

Steering Committee

Chair
Marc Dacier, Symantec Research, France

Members
Davide Balzarotti, Eurécom, France
Herve Debar, Telecom SudParis, France
Deborah Frincke, DoD Research, USA
Ming-Yuh Huang, Northwest Security Institute, USA
Somesh Jha, University of Wisconsin, USA
Erland Jonsson, Chalmers, Sweden
Engin Kirda, Northeastern University, USA
Christopher Kruegel, UC Santa Barbara, USA
Wenke Lee, Georgia Tech, USA
Richard Lippmann, MIT Lincoln Laboratory, USA
Ludovic Me, Supelec, France
Robin Sommer, ICSI/LBNL, USA
Alfonso Valdes, SRI International, USA
Giovanni Vigna, UC Santa Barbara, USA
Andreas Wespi, IBM Research, Switzerland
S. Felix Wu, UC Davis, USA
Diego Zamboni, CFEngine AS, Mexico

Sponsors
Symantec (Gold level)
Ericsson AB (Silver level)
Swedish Research Council
City of Gothenburg

Table of Contents

Malware and Defenses

Paint It Black: Evaluating the Effectiveness of Malware Blacklists ...... 1
Marc Kührer, Christian Rossow, and Thorsten Holz

GOLDENEYE: Efficiently and Effectively Unveiling Malware’s Targeted Environment ...... 22
Zhaoyan Xu, Jialong Zhang, Guofei Gu, and Zhiqiang Lin

PillarBox: Combating Next-Generation Malware with Fast Forward-Secure Logging ...... 46
Kevin D. Bowers, Catherine Hart, Ari Juels, and Nikos Triandopoulos

Malware and Binary Analysis

Dynamic Reconstruction of Relocation Information for Stripped Binaries ...... 68
Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis

Evaluating the Effectiveness of Current Anti-ROP Defenses ...... 88
Felix Schuster, Thomas Tendyck, Jannik Pewny, Andreas Maaß, Martin Steegmanns, Moritz Contag, and Thorsten Holz

Unsupervised Anomaly-Based Malware Detection Using Hardware Features ...... 109
Adrian Tang, Simha Sethumadhavan, and Salvatore J. Stolfo

Web

Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection ...... 130
Jacopo Corbetta, Luca Invernizzi, Christopher Kruegel, and Giovanni Vigna

You Can’t Be Me: Enabling Trusted Paths and User Sub-origins in Web Browsers ...... 150
Enrico Budianto, Yaoqi Jia, Xinshu Dong, Prateek Saxena, and Zhenkai Liang

Measuring Drive-by Download Defense in Depth ...... 172
Nathaniel Boggs, Senyao Du, and Salvatore J. Stolfo