6.1.1 Blare

• Name: Blare, an information flow monitor
• Keywords: Cybersecurity, Intrusion Detection Systems (IDS), Data Leakage Protection
• Scientific Description: Blare implements our approach of illegal information flow detection for a single node (Android and Linux kernel, JVM) and a set of nodes (monitoring of flows between linux machines).
• Functional Description: Blare is an information flow monitor that opérates at the OS level. Blare relies on tainting techniques to monitor information flow between files, processes, sockets and memory pages. Blare allows to identify how a (malicious) application contaminates the OS.
• News of the Year: In 2020, we have worked on porting Blare to new recent versions of the Linux kernel. In particular, we started to work on kernels 4.x that are used on mobile phone in order to be able to build AndroBlare, a modified version of Android based on Android 9 or 10.
• URL: http://www.blare-ids.org
• Publications: hal-01535949, hal-01535862, hal-00268408, hal-00356441, hal-00356484, hal-00420117, hal-00875211, hal-00840338, hal-00909400, hal-00862468, hal-00736045, hal-00736034, hal-00647116, hal-00647170, hal-00736045
• Contacts: Valérie Viet Triem Tong, Alexandre Sanchez, Frédéric Tronel
• Partner: CentraleSupélec

6.1.2 GroddDroid

• Name: GroddDroid
• Keywords: Android, Detection, Malware
• Scientific Description: GroddDroid automates the dynamic analysis of a malware. When a piece of suspicious code is detected, GroddDroid interacts with the user interface and eventually forces the execution of the identified code. Using Blare (Information Flow Monitor), GroddDroid monitors how an execution contaminates the operating system. The output of GroddDroid can be visualized in an web browser. GroddDroid is used by the Kharon software.
• Functional Description: GroddDroid 1 - locates suspicious code in Android application 2 - computes execution paths towards suspicious code 3 - forces executions of suspicious code 4 - automates the execution of a malware or a regular Android application
• News of the Year: In 2020, we have optimized the static analysis part, based on the soot framework. We have also implemented a new strategy to trigger UI elements on an analyzed application that runs into a smartphone.
• URL: http://kharon.gforge.inria.fr/grodddroid.html
• Publications: hal-01311917, hal-01201743, hal-01584989, hal-01535678
• Authors: Mourad Leslous, Adrien Abraham, Pierre Graux, Jean François Lalande, Valérie Viet Triem Tong, Pierre Wilke
• Contacts: Valérie Viet Triem Tong, Jean-François Lalande
• Partners: CentraleSupélec, Insa Centre Val-de-Loire

6.1.3 PyMaO

• Name: Python Malware Orchestrator
• Keywords: Android, Malware
• Scientific Description: PyMaO (Python Malware Orhestrator) is a tool that helps to orchestrate experiments involving applications such as Android apps run on a smartphone or external devices. PyMaO chains several analyses that are part of an experiment. An analysis is most of the time, a call to an external tool that returns a result, for example apktool, grep, Androguard, Apkid. An experiment is a collection of analyses that are run one by one, chained, if some conditions hold. For example, if the unpacking of an application with Apktool succeeds, then you can grep the code for searching a string. PyMaO has a nice old-fashion graphical interface (ncurses).
• Functional Description:

  PyMaO chains several analyses that are part of an experiment. An analysis is most of the time, a call to an external tool that returns a result, for example apktool, grep, Androguard, Apkid. An experiment is a collection of analyses that are run one by one, chained, if some conditions hold. For example, if the unpacking of an application with Apktool succeeds, then you can grep the code for searching a string.

  PyMaO has a nice old-fashion graphical interface (ncurses).

• Release Contributions: Initial release corresponding to the demo presented at MASCOTS 2019.
• News of the Year: PyMao has been heavily refactored for handling experiments that are not related to Android. In particular we added the support of external devices that are handled by ssh commands.
• URL: https://gitlab.inria.fr/cidre-public/pymao
• Publication: hal-02305473
• Authors: Jean-François Lalande, Pierre Graux, Tomas Javier Concepcion Miranda, Benoit Fournier
• Contact: Jean-François Lalande

6.1.4 OATs'inside

• Keywords: Android, Malware, Reverse engineering, Code analysis
• Functional Description: OATs’inside is an Android reverse engineering tool that handles all native obfuscation techniques. This tool uses a hybrid approach based on dynamic monitoring and trace-based symbolic execution to output control flow graphs (CFGs) for each method of the analyzed application. These CFGs spare users the need to dive into low-level instructions, which are difficult to reverse engineer.
• News of the Year: Initial release of the code.
• Publication: hal-02877815
• Authors: Pierre Graux, Jean-François Lalande, Valérie Viet Triem Tong, Pierre Wilke
• Contact: Pierre Graux

6.1.5 Tata

• Name: Taint Analysis for Transient Analysis
• Keywords: Cybersecurity, Android
• Scientific Description: TATA (Taint Analysis for Transient Analysis) is a tool that automatically detects, at compilation time, missing transient keywords directly from Android applications’ source code. The analysis focuses on applications composed of Dalvik bytecode and C/C++ native code.
• Functional Description: Tata searches a particular vulnerability in the source code of an Android application.
• Release Contributions: First release of the prototype.
• News of the Year: Initial release of the code.
• URL: https://gitlab.inria.fr/cidre-public/tata/tata-release
• Publication: hal-03066847
• Contacts: Pierre Graux, Jean-François Lalande, Valérie Viet Triem Tong, Pierre Wilke

6.1.6 MoM

• Name: Malware-O-Matic
• Keywords: Malware, Cybersecurity, Ransomware
• Functional Description: MoM is an automated platform for conducting dynamic malware scans running on Windows. MoM is a bare-metal, non-virtualized platform on which user activity is simulated.
• Release Contributions: Refactoring allowing greater flexibility in its deployment and use. Monitoring of experiments.
• URL: https://lhs-pec.inria.fr/hosting/
• Publication: hal-01405636
• Contacts: Valérie Viet Triem Tong, Alexandre Sanchez, Leopold Ouairy
• Partner: DGA-MI

Visualization and monitoring

Visualization attacks for better understanding of a live attack or for forensic purpose is also of primary interest to the team. We got new results for visualizing Android malware 14 that is built on top of the tools developed the last couple of years.

Evaluation of the evasion techniques used by Windows malware in the wild

An evasive malware is a malware carrying an environment-aware payload that aims at remaining invisible to any protection system. In 13 we evaluate the evasion techniques used by Windows malware in the wild. First, we evaluate how common AVs cope both with unknown malware and well-known evasion techniques. To this end, we develop and use Nuky, a ransomware targeting Windows, and implementing several evasion techniques. Second, we design and evaluate a countermeasure that reproduces the presence of the artifacts on computers by instrumenting the Windows API in order to force malware to evade. The purpose of this countermeasure is to limit the infection’s spread and not to replace malware detection.

Attacks against Android smartphones

We continued to study the possible ways of attacking an Android smartphone by building new attacks. In particular we focused on the attack surface offered by native code that may be embedded in Android applications. We discovered two new ways for obfuscating an attack 12 that would be very difficult to detect with current analysis tools that only focus on the Java bytecode of an Android application. A first attack bypasses the JNI interface between the native code and the objects stored in the heap. A second attack obfuscates the bytecode by removing it from a fully compiled (native) version of an application. This last attack would be usable for a smartphone vendor that would pre-install a compiled application on a smartphone.

How to attack NOP

The fault model of the virtual NOP considers that with a fault injection, an instruction can be replaced by a NOP (or an instruction with no effect on the program). By considering that we can inject several faults, in 18 we prove that we can then rewrite the program in execution by letting it execute only the instructions we are interested in. This is called NOP-oriented programming and we show that this method is Turing-complete. An extension of Gem5 has been developed with the aim of being able, through simulation, to predict the fault injections to be made to carry out a NOP-oriented attack.

Vulnerability detection

In 17 we propose a novel approach to automatically detect vulnerabilities in java source codes. First, a Natural Language Processing technique is used in order to represent code's functions in Bag-of-words. This is achieved by extracting meaningful information from each function. Then, the k-Nearest-Neighbors' Machine-Learning algorithm is used to cluster similars functions. Finally, it is possible to automatically detect vulnerabilities in each cluster, by comparing tests and method calls performed by each function in the cluster.

Network Attack Detection Based on Novelty Detection on Graph Structured Data

In 16, we introduce a representation of log files of various types in a unified and unique graph representation. This representation mixes and links events of different kinds to constitute a rich description of the activities to be analyzed. To detect anomalies in these graphs, we also propose an unsupervised learning approach based on an auto-encoder. Applying this approach to the CICIDS 2017 dataset, we show that although our approach is unsupervised, its detection results are as good, and even better or much better, than those obtained by many supervised approaches.

Forensic Analysis of Network Attacks

In 15 we propose an approach to treat automatically network events to provide the security analyst with a new way to determine the subset of information related to a given Indice of Compromise (IoC). This approach also relies, as the one of the previous section, on the generation of graphs that are built from the logged network events. The automatic processing of these graphs thanks to the Louvain algorithm allows then to isolate communities around.

Intrusion Survivability for Commodity Operating Systems

We propose a novel intrusion survivability approach 2 to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privileges removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers to reinfect the system or to achieve their goals if they managed to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that while the service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results show that our solution removes the effects of the intrusions, that it can select appropriate responses, and that it allows services to survive when reinfected. In terms of performance overhead, in most cases, we observed a small overhead, except in the rare case of services that write many small files asynchronously in a burst, where we observed a higher but acceptable overhead.

This article is an extension of our conference paper from ACSAC'19. We give more details about our cost-sensitive response selection process, the results of our experiments and we extended the discussion regarding the limitations of our work. We also give more context regarding the concepts our work is based on and a more detailed comparison with related works. This work has been done in the context of the PhD of Ronny Chevalier, in collaboration with HP Labs.

Modular verification of software/hardware security mechanisms

Modern computing systems have grown in complexity, and even though system components are generally carefully designed and even verified by different groups of people, the composition of these components is often regarded with less attention. Inconsistencies between components’ assumptions on the rest of the system can have significant repercussions on this system, and may ultimately lead to safety or security issues. In 4, we introduce FreeSpec, a formalism built upon the key idea that components can be modeled as programs with algebraic effects to be realized by other components. FreeSpec allows for the modular modeling of a complex system, by defining idealized components connected together, and the modular verification of the properties of their composition. In addition, we have implemented a framework for the Coq proof assistant based on FreeSpec.

This article is an extension of our conference paper from FM'2018. It gives an updated introduction to our formalism, which reduce the size of FreeSpec proofs. It also describes how FreeSpec can be used to reason about a component which is being used by more than one component. This composition pattern was not considered previously, although it is ubiquitous in practice. This work has been done in the context of the PhD of Thomas Letan, in collaboration with the ANSSI and Yann Régis-Gianas from Inria PI.R2 team.

Threat Hunting

Threat hunting is the process of searching through a compromised network to isolate an active attacker. The efficiency of this process depends on the defender's ability to effectively identify the traces left by the attacker in the network. In 1, we formalize both defensive processes and the attacker’s offensive approaches, allowing for confronting their respective perceptions during the same attack campaign. The attacker’s perception of the campaign is built from the execution of his attack procedures, his exposed resources and the compromised components. The defender’s perception of the attack is built from the collected traces on the targeted information system. This model leads to the construction of two persistent graphs on a common set of objects and components allowing for (1) an omniscient actor to compare, for both defender and attacker, the gap in knowledge and perceptions; (2) the attacker to become aware of the traces left on the targeted network; (3) the defender to improve the quality of Threat Hunting by identifying false-positives and adapting logging policy to be oriented for investigations.

A secure implementation of the replicated state machine

State machine replication (RSM) is today the foundation of many cloud-based highly-available products: it allows some service to be deployed such as to guarantee its correct functioning despite possible faults. In RSM, clients issue operation requests to a set of distributed processes implementing the replicated service, that, in turn, run a protocol to decide the order of execution of incoming operations and provide clients with outputs. Faults can be accidental (e.g. a computer crashing due to a loss of power) or have a malicious intent (e.g. a compromised server). Whichever is the chosen fault model, RSM has proven to be a reliable and effective solution for the deployment of dependable services. RSM is usually built on top of a distributed Consensus primitive that is used by processes to agree on the order of execution of requests concurrently issued by clients. The main problem with this approach is that Consensus is impossible to achieve deterministically in a distributed settings if the system is asynchronous and even just a single process may fail by crashing. This led the research community to study and develop alternative solutions based on the relaxation of some of the constraints, to allow agreement to be reached in partially synchronous systems with faulty processes by trading off consistency with availability. An alternative approach consists in imposing constraints on the set of operations that can be issued by clients, i.e. imposing updates that commute. In particular, commutative replicated data types (CRDTs) can be implemented with an RSM approach in asynchronous settings using the monotonic growth of a join semilattice, i.e., a partially ordered set that defines a join (least upper bound) for all element pairs. In 6 we have proposed an algorithm that solves Generalized Lattice Agreement in a Byzantine fault model. To the best of our knowledge this is the first solution for Byzantine lattice agreement that works on any possible lattice, and it is the first work proposing a Byzantine tolerant RSM built on it. The algorithm is wait-free, i.e., every process completes its execution of the algorithm within a bounded number of steps, regardless of the execution of other processes. We have also sketch the main lines of a signature-based version of our algorithms which take advantage of digital signatures to reduce the message complexity to $O\left(n\right)$ per process, when the number $f$ of Byzantine processes verifies $f=O\left(1\right)$. We have improve upon this result by showing that the problem cannot be solved if $f=n/3$ or more processes are Byzantine. We have proposed a novel algorithm that works in a synchronous system model with signatures (i.e., the authenticated message model), tolerates up to $f$ Byzantine failures (where $f<n/3$) and that terminates in $O\left(logf\right)$ rounds 7.

Blockchain in adversarial environments

We are pursuing our efforts dedicated to the theoretical aspects of blockchains. There exists many forms of Blockchain finality conditions, from deterministic to probabilistic terminations. To favor availability against consistency in the face of partitions, most blockchains only offer probabilistic eventual finality: blocks may be revoked after being appended to the blockchain, yet with decreasing probability as they sink deeper into the chain. Other blockchains favor consistency by leveraging the immediate finality of Consensus -a block appended is never revoked- at the cost of additional synchronizations. In this paper, we focus on necessary and sufficient conditions to implement a blockchain with deterministic eventual finality, which ensures that selected main chains at different processes share a common increasing prefix. This is a much weaker form of finality that allows us to provide a solution in an asynchronous system subject to unlimited number of byzantine failures. We study stronger forms of eventual finality as well and show that it is unfortunately impossible to provide a bounded displacement. By bounded displacement we mean that the (unknown) number of blocks that can be revoked from the current blockchain is bounded. This problem reduces to consensus or eventual consensus depending on whether the bound is known or not. We also show that the classical selection mechanism, such as in Bitcoin, that appends blocks at the longest chain is not compliant with a solution to eventual finality 26.

In parallel to this work, we have proposed the design of a scalable permissionless blockchain in the proof-of-stake setting, called StakeCube. In particular, we use a distributed hash table as a building block to set up randomized shards, and then leverage the sharded architecture to validate blocks in an efficient manner. We combine verifiable Byzantine agreements run by shards of stakeholders and a block validation protocol to guarantee that forks occur with negligible probability. We impose induced churn to make shards robust to eclipse attacks, and we rely on the UTXO coin model to guarantee that any stake-holder action is securely verifiable by anyone. Our protocol works against an adaptive adversary, and makes no synchrony assumption beyond what is required for the byzantine agreement. We have instantiated and evaluated StakeCube, and experimentally studied and assessed its performance, especially regarding scalability. We were successfully able to run StakeCube with up to $5,000$ participants, confirming up to $1,100$ bytes/s of transaction, with a confirmation time starting at 200 seconds. Finally, we have used StakeCube in a large scale energy marketplace application, and show that a node running on a Raspberry Pi Zero is able to handle the load without issues 8. We have also proposed a consensus algorithm whose objective is to decide on the same union of proposed values, such that with high probability all the values proposed by the honest nodes belong to the decision. Our algorithm has been designed to cope with an asynchronous and permissionless system. By relying on a proof-of-eligibility, our algorithm is tolerant to an adversary capable of instantaneously corrupting entities. A straightforward application of our algorithm is the design of permissionless distributed ledgers 19.

USB filtering

The project is to do filtering in "man-in-the-middle" mode between a Device and a USB Host. The underlying idea is to be able to block any possible attack via USB (BadUSB in particular) and to lock/restrict the use of a USB port on the Host (allow a limited number of devices vendors/classes, limit the types of commands that can be used...). Positioning in cut-off on the USB link allows to observe all the possible data circulating between Device and Host and also to have an OS-independent filtering method (which is particularly interesting to prevent attacks that take place before the OS starts up) To do this, we chose an FPGA (arty 7) programming linked to 2 USB PHY (USB3300 mounted on board by waveshare). This USB PHY allows to exchange USB packets via an ULPI interface (8 Data pins and 4 operating pins). The first objective is to be just a "pass-through" between the Host and the Device. With our set-up, we are currently able to:

• capture all USB packets for low-speed devices
• detect and block specific class and vendor ID
• detect and block keyboard if some keys are pressed
• detect and block keyboard if the keyboard typong speed is too high (BadUSB attack)

The next step is to handle full-speed devices and mass storage.

9.1.1 FP7 & H2020 Projects

10.1.1 Scientific events: organisation

10.1.2 Scientific events: selection

10.1.3 Journals

10.1.4 Scientific expertise

Jean-Francois Lalande is member of the advisory board of the SIMARGL H2020 project: Secure Intelligent Methods for Advanced Recognition of Malware and Stegomalware.

Emmanuelle Anceaume is member of the Task Force blockchain working group of the Ministry of Economics and Finance.

Ludovic Mé serves:

• the Scientific Council of the LIRIMA (Laboratoire International de Recherche en Informatique et Mathématiques Appliquées);
• the Expert Council of the DSTN (Digital Science and Technology Network);
• the “Bureau du GT sécurité des systèmes logiciels” du GDR Sécurité;
• as a pilot for expert group for the evaluation of French research entities (UMRs and EAs) relatively to the protection of scientific and technological properties (PPST).

10.1.5 Research administration

Ludovic Mé, Guillaume Piolle, and Valérie Viet Triem Tong were members of a recruitment committee for an Inria chair in cybersecurity position at CentraleSupelec.

Valérie Viet Triem Tong was a member of a recruitment committee for an assistant professor position at ESISAR.

Ludovic Mé was member of a recruitment committee for a full Professor in cyber security at IMT Atlantique.

Ludovic Mé is deputy scientific director of Inria, in charge of the cybersecurity domain.

10.2.1 Teaching

Team members are involved in initial and continuing education in CentraleSupélec, a french institute of research and higher education in engineering and science, ESIR (Ecole Supérieure d'Ingénieur de Rennes) the graduate engineering school of the University of Rennes 1.

In these institutions,

• Gilles Guette is the director of corporate relations at ESIR;
• Jean-François Lalande is responsible of the major program dedicated to information systems security and the special track Infosec of CentraleSupélec ;
• Frédéric Tronel and Valérie Viet Triem Tong share the responsability of the mastère spécialisé (post-graduate specialization degree) in Cybersecurity. This education was awarded best French master degree in the category “Master Cybersecurity masters and Security of systems” in the Eduniversal master ranking 2019.

The teaching duties are summed up in table 1.