1. Introducing the CrySyS Lab Félegyházi Márk Laboratory of Cryptography and System Security (CrySyS Lab) Budapest University of Technology and Economics Department of Networked Systems and Services www.crysys.hu 2013.11.20

2. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 22 Current members  faculty: –Boldizsár Bencsáth, PhD, Assistant Professor –Levente Buttyán, PhD, Associate Professor (head of the lab) –Márk Félegyházi, PhD, Assistant Professor –Tamás Holczer, PhD, Research Fellow –István Vajda, DSc, Professor (affiliate)  PhD candidates and PhD students: –Gábor Gulyás (privacy in social networks, identity separation techniques) –Áron Lászka (robustness of network toplogies, optimization problems, game theory) –Gábor Pék (security of virtualized systems, malware analysis) –Ta Vinh Thong (formal verification of security protocols)  CrySyS Student Core –10-12 talented students working with us permanently + students working on diploma and semester projects

3. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 3 Working with talented students  CrySyS Student Core  CrySyS Security Challenges: –2011, 2012, 2013 –more: http://www.crysys.hu/security-challenges.html  Capture the Flag (CTF) hacking contests –iCTF 2011: 36/87 –iCTF 2012: 23/98 –CSAW 2013: 12/1378 (2/490)

4. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 44 Mission  internationally recognized, high quality research on security and privacy in computer networks and systems –problem driven, project oriented research  we are committed to establish and participate in R&D projects, in which we collaborate with industrial and other academic partners  teaching network and system security, privacy, and cryptography in the context of university courses, laboratory exercises, and student semester projects  provision of consulting services without compromising the general academic objectives

5. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 5 Research areas in the past  security and privacy in wireless embedded networks –sensor networks, body mounted sensor networks, mesh networks, car-to-car communications, RFID systems –secure communications, secure routing, secure distributed data storage, location privacy, private authentication, privacy preserving cluster head election  economics of security –game theoretic models of strategic behavior, incentive compatible security architectures, quantitative risk management, cyber insurance

6. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 66 International collaborations  EPFL, Switzerland (Prof. Jean-Pierre Hubaux)  University of Twente, The Netherlands (Prof. Frank Kargl)  KTH, Sweden (Prof. Panagiotis Papadimitratos, Prof. György Dán)  NEC Laboratories, Germany (Dr. Dirk Westhoff)  IHP, Germany (Prof. Dr. Peter Langendoerfer)  INRIA Rhone-Alpes (Dr. Claude Castelluccia)  University of Münster, Germany (Prof. Rainer Böhme)  Eurecom, France (Dr. Davide Balzarotti)  University of Rome 3 (Dr. Roberto Di Pietro)  …  University of Washington, Seattle (Prof. Radha Poovendran)  University of California, Berkeley (Prof. Jean Walrand)  ICSI, Berkeley (Prof. Vern Paxson)  …

7. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu Current research  detection and analysis of unknown targeted malware –static and dynamic program analysis, reverse engineering, rootkit detection –Windows, Android 7

8. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 8 Stuxnet (June 2010)  “the Most Menacing Malware in History” (Kim Zetter, Wired)  targeted the Natanz nuclear enrichment plant in Iran  modified PLCs (Programmable Logic Controllers)  destroyed hundreds of uranium centrifuges

9. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 9 Highly visible results  Duqu (October 2011) –discovery, naming, and first analysis of Duqu striking similarities to Stuxnet, but different mission (info-stealer) –identification of the dropper component 0-day Windows kernel exploit (in embedded font parsing) –development of the Duqu Detector Toolkit open source, heuristic anomaly detector (detects Duqu and Stuxnet)  Flame (May 2012) –first detailed technical analysis of Flame (aka sKyWIper) another info-stealer, but more complex than Duqu (unusually large size)  MiniDuke (Feb 2013) –detailed technical analysis with Kaspersky  TeamSpy (Mar 2013) –first detailed technical analysis  more info >>> http://www.crysys.hu/targeted-attacks.html

10. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu Press 10

11. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 11 Lessons learned  current approaches to defend systems against targeted attacks are ineffective –code signing is not bullet proof –virus scanners cannot identify previously unseen malware  global threat mitigation and forensic analysis are challenging problems –How to share information in a privacy preserving manner? crucial for identification of droppers (and potentially 0-day exploits) –How to capture C&C servers quickly and track down the C&C proxy chain?  attackers started to use advanced techniques –MD5 collision attack in Flame –encrypted payload in Gauss  better monitoring of system state could have been resulted in earlier detection

12. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 12 Consulting and industry relations

13. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu On-going projects: Cloud-based targeted attack detection  funded by the Hungarian National Development Agency (NFÜ)  determined and resourceful attackers will always be able to succeed in compromising systems  we focus on rapid detection  ingredients –cloud based analysis environment –automated detection of behavioral anomalies –human expertise to eliminate false positives 13

14. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu On-going projects: Repository of Signed Code  funded by the US Office of Naval Research Global (ONRG)  motivation –signed kernel driver in Stuxnet and Duqu (compromised key) –signature on Flame (fake certificate seemingly issued by MS)  idea –collect everything that is signed in a database certificates, CRLs, OCSP responses, PE files, JAR files, PDFs,... hadoop based, no-sql database platform – allow queries such as has this signature been seen by others? and when? what else have been signed by this key? –provide alerts for registered users if objects signed with their keys are uploaded in our database 14

15. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 15 CrySyS Lab spin-offs Incident response Malware threat intelligence Industry oriented research, development, and training Encrypted data storage in the cloud

16. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 16 Contact information www.crysys.hu Levente Buttyán, PhD Head of the CrySyS Lab buttyan@crysys.hu +36 1 463 1803