George Stergiopoulos

Evgenios Gkritsis, Constantinos Patsakis, George Stergiopoulos

Malware analysis systems, including dynamic-analysis sandboxes and digital forensics and incident response (DFIR) platforms, rely on telemetry pipelines comprising collection agents, serializers, and database backends to capture and present program behavior to analysts. We show that these data-handling components constitute an exploitable attack surface that can lead to denial-of-analysis (DoA) states without disabling sensors or requiring elevated privileges. We present Telemetry Complexity Attacks (TCAs), a new class of vulnerabilities that exploit mismatches between unbounded collection mechanisms and bounded processing capabilities. Our method recursively spawns child processes to generate deeply nested and oversized objects that stress serialization and storage boundaries, as well as visualization layers, e.g., JSON/BSON depth and size limits. Depending on the product, this leads to truncated or missing behavioral reports, rejected database inserts, serializer recursion and size errors, and unresponsive dashboards, with some cases also exhibiting normal malicious execution that was not recorded or presented to analysts. We evaluate our technique against 18 commercial and open-source malware analysis platforms and endpoint detection and response (EDR) solutions. Seven products fail at different stages of the telemetry pipeline; two CVE identifiers have been assigned (CVE-61301 and CVE-61303); one more is pending; one has been assigned to an underlying library, and others have issued patches or configuration changes. We discuss root causes and propose mitigation strategies to prevent DoA attacks triggered by adversarial telemetry.

Charalambos Konstantinou, George Stergiopoulos, Masood Parvania et al.

Cyber-physical systems (CPS) incorporate the complex and large-scale engineered systems behind critical infrastructure operations, such as water distribution networks, energy delivery systems, healthcare services, manufacturing systems, and transportation networks. Industrial CPS in particular need to simultaneously satisfy requirements of available, secure, safe and reliable system operation against diverse threats, in an adaptive and sustainable way. These adverse events can be of accidental or malicious nature and may include natural disasters, hardware or software faults, cyberattacks, or even infrastructure design and implementation faults. They may drastically affect the results of CPS algorithms and mechanisms, and subsequently the operations of industrial control systems (ICS) deployed in those critical infrastructures. Such a demanding combination of properties and threats calls for resilience-enhancement methodologies and techniques, working in real-time operation. However, the analysis of CPS resilience is a difficult task as it involves evaluation of various interdependent layers with heterogeneous computing equipment, physical components, network technologies, and data analytics. In this paper, we apply the principles of chaos engineering (CE) to industrial CPS, in order to demonstrate the benefits of such practices on system resilience. The systemic uncertainty of adverse events can be tamed by applying runtime CE-based analyses to CPS in production, in order to predict environment changes and thus apply mitigation measures limiting the range and severity of the event, and minimizing its blast radius.