Chinese Chapter Status Report For 2012 (Sep 2011 - Aug 2012)

ORGANIZATION

The Chinese Chapter was founded in 2008, based on the Artemis research team at PKU, and currently consists of the following people:

  • Dr. Jianwei Zhuge, Chapter Leader, Tsinghua Assoc. Prof.
  • Chengyu Song, Georgia Tech Ph.D. student
  • Zhijie Chen, Berkeley Ph.D. student
  • Dr. Xinhui Han, PKU Assoc. Prof.
  • Dr. Yong Tang, NUDT Assoc. Prof.
  • Huilin Zhang, PKU Ph.D. student
  • Lingfeng Sun, Huawei engineer
  • Jian Jiang, Tsinghua Ph.D. student
  • Cong Zheng, PKU M.S. student
  • Youzhi Bao, CMU Ph.D. student
  • Kun Yang, Tsinghua M.S. student
  • Yuan Tian, CMU Ph.D. student
  • Weilin Xu, Tsinghua engineer

Kun Yang, Yuan Tian and Weilin Xu joined the Chinese Chapter as Contributors after GSoC'12.

Alumni

  • Zhongjie Wang left the Chinese Chapter during this period.

The Chapter members are interested in research projects covering the following topics:

  • Android security
  • Mobile malware analysis
  • Computer forensics
  • IPv6 honeypots
  • Malware analysis
  • Underground economy
  • Distributed honeynet deployment, operation and data analysis

DEPLOYMENTS

Artemis distributed honeypot on CERNET

1. Deployed nearly thirty virtual honeypots on CERNET, integrating Dionaea, Kippo, Glastopf and Spampot, using XMPP to collect the captured logs, and extending carniwwwhore as the web UI.
2. We are replacing XMPP with HPFeeds and adding IPv6 support; the backend is being rewritten on HPFeeds, MongoDB and Django.
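To make the HPFeeds migration concrete, here is an added example (not Artemis code and not the hpfeeds library) that builds and parses the three frames a sensor exchanges with a broker: the broker's OP_INFO greeting carrying a nonce, the sensor's OP_AUTH reply with sha1(nonce || secret), and an OP_PUBLISH event on a channel. The broker name, ident, secret, channel name and the Dionaea-style JSON event are all constructed for the example; the framing (4-byte big-endian length, 1-byte opcode, 1-byte length-prefixed string fields) follows the published HPFeeds wire format.

```python
"""Minimal HPFeeds framing and auth check, written for this report as an
illustration; the ident, secret, channel and event below are constructed."""
import hashlib
import hmac
import json
import struct
from typing import Optional, Tuple

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)


def _str8(field: bytes) -> bytes:
    """One-byte length prefix used for the broker name, ident and channel fields."""
    if len(field) > 255:
        raise ValueError("field longer than 255 bytes")
    return struct.pack("!B", len(field)) + field


def _read_str8(body: bytes) -> Tuple[bytes, bytes]:
    """Split off one length-prefixed field; return (field, remainder)."""
    if not body or len(body) < 1 + body[0]:
        raise ValueError("truncated field")
    n = body[0]
    return body[1:1 + n], body[1 + n:]


def frame(op: int, body: bytes) -> bytes:
    """HPFeeds frame: 4-byte big-endian total length (header included), opcode, body."""
    return struct.pack("!IB", 5 + len(body), op) + body


def parse_frame(buf: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Return (opcode, body, unconsumed bytes), or None until a whole frame is buffered."""
    if len(buf) < 5:
        return None
    total, op = struct.unpack("!IB", buf[:5])
    if total < 5:
        raise ValueError("bad frame length")
    if len(buf) < total:
        return None
    return op, buf[5:total], buf[total:]


def msg_info(broker_name: bytes, nonce: bytes) -> bytes:
    """Broker -> client greeting carrying the nonce for the auth challenge."""
    return frame(OP_INFO, _str8(broker_name) + nonce)


def msg_auth(nonce: bytes, ident: bytes, secret: bytes) -> bytes:
    """Client -> broker: ident plus sha1(nonce || secret); the secret never hits the wire."""
    return frame(OP_AUTH, _str8(ident) + hashlib.sha1(nonce + secret).digest())


def msg_publish(ident: bytes, channel: bytes, payload: bytes) -> bytes:
    """Client -> broker event on a channel; the payload is opaque (JSON in practice)."""
    return frame(OP_PUBLISH, _str8(ident) + _str8(channel) + payload)


def check_auth(body: bytes, nonce: bytes, secrets: dict) -> Optional[bytes]:
    """Broker side: return the ident if its digest matches the nonce and known secret."""
    ident, digest = _read_str8(body)
    secret = secrets.get(ident)
    if secret is None or len(digest) != hashlib.sha1().digest_size:
        return None
    expected = hashlib.sha1(nonce + secret).digest()
    return ident if hmac.compare_digest(expected, digest) else None


def parse_publish(body: bytes) -> Tuple[bytes, bytes, bytes]:
    """Broker side: split an OP_PUBLISH body into (ident, channel, payload)."""
    ident, rest = _read_str8(body)
    channel, payload = _read_str8(rest)
    return ident, channel, payload


def run_exchange() -> dict:
    """Walk one sensor through greeting, auth and a publish, all in memory."""
    secrets = {b"sensor01": b"example-secret"}   # constructed credentials
    nonce = b"\xde\xad\xbe\xef"                   # a real broker draws this at random
    _op, body, _ = parse_frame(msg_info(b"artemis-broker", nonce))
    _broker, got_nonce = _read_str8(body)         # client extracts the nonce
    _op, body, _ = parse_frame(msg_auth(got_nonce, b"sensor01", secrets[b"sensor01"]))
    authed = check_auth(body, nonce, secrets)
    # Constructed Dionaea-style connection event; field names are illustrative.
    event = {"connection_protocol": "smbd", "remote_host": "198.51.100.7",
             "remote_port": 49213, "local_port": 445}
    wire = msg_publish(b"sensor01", b"dionaea.capture", json.dumps(event).encode())
    _op, body, rest = parse_frame(wire + b"\x00\x00")   # two bytes of the next frame
    ident, channel, payload = parse_publish(body)
    return {"authenticated": authed, "ident": ident, "channel": channel,
            "event": json.loads(payload), "leftover": rest}


if __name__ == "__main__":
    print(run_exchange())
```

The two checks worth keeping in any backend that consumes this feed are visible here: the broker compares digests in constant time and rejects an unknown ident before touching the secret, and the parser returns None rather than guessing when a TCP read delivers only part of a frame, so the leftover bytes are carried into the next read.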

RESEARCH AND DEVELOPMENT
Projects

1. Chinese Underground Economy Investigation: we released the investigation report in both English and Chinese to make the security threats raised by the underground economy visible to the public; it attracted considerable attention from the media, industry, the public and the government in China.

2. Artemis distributed honeypot deployment and operation: we have a small grant from MIIT of China to build and operate a proof-of-concept IPv6 distributed darknet/honeynet with four nodes.

GSoC'11 Tools

1. APKInspector, developed by Cong Zheng, mentored by Ryan Smith. The goal of this project is to aid analysts and reverse engineers in visualizing compiled Android packages and their corresponding DEX code. The primary focus is to provide the visualization layer that is typically missing in existing Android reverse engineering tools, and to create a unified platform that combines several existing tools into a single view and context. For example, this includes taking the control flow graph output from Androguard and unifying it with the code output from apktool or dex2jar.

2. AxMock, developed by Youzhi Bao, mentored by Ian Welch. Capture-AxMock is a tool for monitoring the behaviour of ActiveX controls referenced from web pages; it can also emulate the behaviour of ActiveX controls that are not currently installed.

GSoC'12 Tools

1. DroidBox's APIMonitor, developed by Kun Yang, mentored by Patrik Lantz. Android releases new versions rapidly, and porting DroidBox's system hooks to each one would never end, so we changed the approach to dynamic analysis: instead of hooking the system, we interpose on API calls inside the APK itself, inserting monitoring code and repackaging it. Running the repackaged APK yields API call logs from which the APK's behaviour can be understood.

2. APKInspector improvement, developed by Yuan Tian, mentored by Cong Zheng. The updated APKInspector is a static analysis tool for malicious Android applications, offering smartphone security engineers a range of convenient features. With sensitive-permission analysis, static instrumentation and easy-to-use graph/code interaction, among others, they can gain a thorough understanding of malicious Android applications.

3. 6Guard, an IPv6 attack detector, developed by Weilin Xu, mentored by Ryan Smith. 6Guard targets link-local security threats, including most attacks launched by the THC-IPv6 suite and the advanced host discovery methods used by Nmap. It helps network administrators detect link-local IPv6 attacks at an early stage.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

Papers

  • Xun Lu, Jianwei Zhuge, Ruoyu Wang, Yinzhi Cao, Yan Chen. De-obfuscation and Detection of Malicious PDF Files with High Accuracy. Accepted by the HICSS-46 Forensics Analysis Track, Hawaii, Jan 2013.
  • Jianwei Zhuge, L. Gu, H. Duan. Investigating China's Online Underground Economy. Conference on the Political Economy of Information Security in China, San Diego, US, Apr 2012. Full paper published in July 2012.
  • Chengyu Song, Paul Royal, Wenke Lee. Impeding Automated Malware Analysis with Environment-sensitive Malware. In Proceedings of the 7th USENIX Workshop on Hot Topics in Security (HotSec'12), Bellevue, WA, USA, August 2012.
  • Cong Zheng, Shixiong Zhu, Shuaifu Dai, Guofei Gu, Xiaorui Gong, Xinhui Han, Wei Zou. SmartDroid: an Automatic System for Revealing UI-based Trigger Conditions in Android Applications. In Proceedings of the 2nd ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM'12), Raleigh, NC, USA, October 2012.
  • Haixin Duan, Nicholas Weaver, Zongxu Zhao, Meng Hu, Jinjin Liang, Jian Jiang, Kang Li, Vern Paxson. Hold-On: Protecting Against On-Path DNS Poisoning. Securing and Trusting Internet Names (SATIN 2012).
  • Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Haixin Duan, Jianping Wu. Ghost Domain Names: Revoked Yet Still Resolvable. 19th Annual Network & Distributed System Security Symposium (NDSS), 5-8 February 2012.

Presentations

  • Chengyu Song, Paul Royal, Flowers for Automated Malware Analysis, Blackhat USA 2012.
  • Jianwei Zhuge, Defcon 20 Quals CTF review from Blue-lotus team, KCON in China, June 2012.
  • Jianwei Zhuge, Investigating China's Online Underground Economy. Conference on the Political Economy of Information Security in China, San Diego, US, Apr 2012. Also given at ICSI Berkeley, Baidu and the MPS of China.
  • Youzhi Bao, Cong Zheng. Introduction to Chinese Chapter and Android Security Status in China, Annual Honeynet Workshop 2011.

Interactions with the security community

  • CTF competitions as the Blue-lotus team (led by Jianwei Zhuge, with some Chapter members): iCTF'11 (ranked 23 of 87), Defcon Quals'12 (19 of 500+), CSAW Quals'12 (59 of 700+), Hack.Lu'12 (27 of 500+).
  • SANS Securing The Human OUCH! newsletter, Chinese versions, by Jianwei Zhuge: http://www.securingthehuman.org/resources/newsletters/ouch.

How to interact with the Chinese Chapter (e.g. the chapter web page):

  • Chinese Chapter: www.honeynet.org.cn
  • Jianwei Zhuge's personal blog: http://netsec.ccert.edu.cn/zhugejw
  • SecKungfu Blog in Chinese: http://seckungfu.com/

GOALS

The goals of our chapter for the coming year are:
1. to develop the Artemis distributed honeynet with full IPv6 support, deploy it on major campuses in mainland China, and start security data collection, analysis and incident response;
2. to continue our research on Android security, the underground economy and malware analysis, and publish high-quality papers and presentations;
3. to enrich our interaction and collaboration with the worldwide information security community and increase our influence.

MISC ACTIVITIES

Cong Zheng attended the GSoC 2012 mentor summit.

MENTORING

Cong Zheng, GSoC 2012 mentor for APKInspector.