ARJ Volume 106 No 2


Download the issue (complete journal) (~9.06 MB).

Download the cover (Editorial Board Information) (~2.50 MB)


Table of Contents (2.13 MB)



Jump to Paper:

1. A Sandbox-based Approach to the Deobfuscation and Dissection of PHP-based Malware

2. The Impact of Triggers on Forensic Acquisition and Analysis of Databases

3. An Investigation into Reducing Third Party Privacy Breaches during the Investigation of Cybercrime

4. A Multi-faceted Model for IP-based Service Authorization in the Eduroam Network

5. Secure Separation of Shared Caches in AMP-based Mixed Criticality Systems

A Sandbox-based Approach to the Deobfuscation and Dissection of PHP-based Malware
by P. Wrench and B. Irwin.

Abstract: The creation and proliferation of PHP-based Remote Access Trojans (or web shells) used in both the compromise and post-exploitation of web platforms has fuelled research into automated methods of dissecting and analysing these shells. Current malware tools disguise themselves by making use of obfuscation techniques designed to frustrate any efforts to dissect or reverse engineer the code. Advanced code engineering can even cause malware to behave differently if it detects that it is not running on the system for which it was originally targeted. To combat these defensive techniques, this paper presents a sandbox-based environment that aims to accurately mimic a vulnerable host and is capable of semi-automatic semantic dissection and syntactic deobfuscation of PHP code.
Download Paper (~380 KB)
 

The Impact of Triggers on Forensic Acquisition and Analysis of Databases
by W. K. Hauger and M. S. Olivier.

Abstract: An aspect of database forensics that has not received much attention in the academic research community yet is the presence of database triggers. Database triggers and their implementations have not yet been thoroughly analysed to establish what possible impact they could have on digital forensic analysis methods and processes. This paper firstly attempts to establish if triggers could be used as an anti-forensic mechanism in databases to potentially disrupt or even thwart forensic investigations. Secondly, it explores if triggers could be used to manipulate ordinary database actions for nefarious purposes and at the same time implicate innocent parties. The database triggers as defined in the SQL standard were studied together with a number of database trigger implementations. This was done in order to establish what aspects of a trigger might have an impact on digital forensic analysis. It is demonstrated in this paper that certain database forensic acquisition and analysis methods are impacted by the possible presence of non-data triggers. This is specific to databases that provide non-data trigger implementations. Furthermore, it finds that the forensic interpretation and attribution processes should be extended to include the handling and analysis of all database triggers. This is necessary to enable a more accurate attribution of actions in all databases that provide any form of trigger implementation.
Download Paper (~358 KB)


An Investigation into Reducing Third Party Privacy Breaches during the Investigation of Cybercrime
by W.J. van Staden

Abstract: In this article we continue previous work in which a framework for preventing or limiting a privacy breach of a third party during the investigation of a cybercrime was presented. The investigations may be conducted internally (by the enterprise) or externally (by a third party or a law enforcement agency), depending on the jurisdiction and context of the case. In many cases, an enterprise will conduct an internal investigation into some allegation of wrongdoing by an employee or a client. In these cases, maintaining the privacy promise made to other clients or customers is an ideal that the enterprise may wish to honour, especially if the image or brand of the enterprise may be impacted when the details of the process followed during the investigation become clear. Moreover, there may be a duty to honour the privacy of third parties (through legislation or best practice). Providing tools to aid the investigative process in this regard may be invaluable in a world where privacy concerns are enjoying ever more attention: it provides a measure of due diligence from the investigator in showing that reasonable measures were in place to honour privacy. The article reports on the results of the implementation of a privacy breach mitigation tool; it also includes lessons learned, and proposes further steps for refining the breach detection techniques and methods for future digital forensic investigation.

Download Paper (~282 KB)


A Multi-faceted Model for IP-based Service Authorization in the Eduroam Network
by L. Tekeni, R. Botha and K. Thomson.

Abstract: Eduroam provides a facility for users from participating institutions to access the Internet at any other participating (visited) institution using their home credentials. The authentication credentials are verified by the home institution, while authorization is done by the visited institution. The user receives an IP address through the visited institution, and accesses the Internet through the firewall and proxy servers of the visited institution. While this provides great flexibility, it competes with security: access may be wrongfully provided or denied to services that use IP-based authorization. This paper enumerates the risks associated with IP-based authorization in the eduroam network by using Digital Library access as an example. The tension between security and flexibility suggests that a multi-faceted approach to the problem is needed. This paper presents such a multi-faceted model that can be used holistically to consider options for IP-based authorization.
Download Paper (~1.53 MB)


Secure Separation of Shared Caches in AMP-based Mixed Criticality Systems
by P. Schnarz, C. Fischer, J. Wietzke, I. Stengel.

Abstract: The secure separation of functionality is one of the key requirements, particularly in mixed criticality systems (MCS). Well-known security models such as Multiple Independent Levels of Security (MILS) aim to formalise the isolation of compartments to avoid interference and make them reliable enough to work in safety-critical environments. Especially for in-car multimedia systems, also known as In-Vehicle Infotainment (IVI) systems, the composition of compartments onto a system-on-chip (SoC) offers a wide variety of advantages in embedded system development. The development of such systems often implies the combination of pre-qualified hardware and software components; CPU subsystems and operating systems are examples of such components. However, the required strict separation can suffer due to the pre-qualified, and therefore not reconfigurable, hardware components. In particular, this is true for shared cache levels in CPU subsystems. The phenomena of interference in the concurrent usage of shared last-level caches are exploitable by adversaries. Therefore, this article identifies the attack surface and proposes a mitigation to prevent the intentional misuse of the fixed cache association. Generally, the solution is based on a suitable mapping scheme in the intermediate address space of an asymmetric multiprocessing environment which implements the MCS. Furthermore, we evaluate the strength of the approach and show how the solution contributes to a separation-property-conformant system.

Download Paper (~688 KB)