My research interests are in network and computer security, with a focus on security monitoring and Information Flow Control. More recently I have initiated a new research agenda based on the security of low level components such as firmware and hardware security mechanisms. My objective is to develop novel practical solutions based on strong theoretical results. I usually develop proof-of-concepts and I am very interested in the practical applications. Most of my research has been done in partnership with private companies or governmental agencies.
Dynamic Information Flow Control (DIFC) imply a large overhead induced by the monitoring process. Some attempts rely on a hardware-software approach where DIFC operations are delegated to a coprocessor. Nevertheless, such approaches are based on modified processors. Beyond the fact hardware-assisted DIFC is hardly adopted, existing works do not take care of coprocessor security and multicore/multiprocessor embedded systems. We thus plan to implement DIFC mechanisms including a non-modified ARM processor and a FPGA.
The CominLabs HardBlare project is a cooperation with the CentraleSupélec IETR SCEE team and the UBS Lab-STICC laboratory. Mounir Nasr Allah is doing his PhD in the context of this project.
This study was conducted in cooperation with other Inria Teams (Ascola and Celtique). Deepak Subramanian is doing his PhD in the context of this project.
The main objective of the Blare Inria Technological Development Action was to enhance the maturity level of two software tools developed by the CIDRE team: kBlare and JBlare. Theses tools consists in dynamic information flow monitors implemented in COTS: kBlare is a monitor implemented within the Linux kernel, JBlare is a monitor implemented within the Java Virtual Machine (JamVM).
Guillaume Brogi was hired as an engineer to work on that project. The main results of this ADT are the followings: we deployed a communication infrastructure composed of a dedicated public Web site with up-to-date documentation, mailing lists, a bug tracker and Git repositories; we deployed a Jenkins continuous integration tool and we have used it to enhance the quality of our code (several non obvious bug have been fixed thanks to this tool); we developed a unit testing framework dedicated to information flow control monitors testing.
The network security products, such as the NIDS or firewalls, tend to focus on application-level communication protocols. For known and documented protocols, it is easy to implement the required mechanisms. Conversely, for proprietary and undocumented protocols, the implementation is hardest because this implies the reverse engineering of these protocols.
I supervised the PhD of Georges Bossert in the context of a CIFRE contract with AMOSSYS, an SME located in Rennes. We proposed new approaches to reverse both the vocabulary and the grammar of a protocol. We developed Netzob, a tool dedicated to this task. We proposed two important improvements of the protocol inference process. First, we improved the message format reverse engineering phase. Unlike previous work, our approach uses contextual information and its semantic definition as a key parameter in both the processes of message clustering and field partitioning. We can also detect complex linear and nonlinear relationships between value, size and offset of message fields using correlation-based filtering. Besides, our multi-step pre-clustering phase reduces the required computation time of the main clustering phase. These results have been presented in ASIACCS 2014 conference. The second aspect of this work consisted in enhancing the grammar inference phase. We proposed a new approach that combines passive and active algorithms to infer protocol grammars. This approach also relies on grammar decompositions. We use semantic information to split the large inference task into separate parallel sub-tasks. Our solution reduces the computation time of the whole inference. Moreover our approach is more stealthy since less messages and in particular less invalid messages are sent to the inferred implementation.
|2016-||Ronny Chevalier, Enhanced Computer Platform Security through an Intrusion Detection Approach (HP CIFRE grant)|
|2015-||Oualid Koucham, Intrusion Detection for Industrial Control Systems (DGA grant)|
|2015-||Mounir Nasr Allah, Combining Static Analyses with Dynamic Hardware-Based Analyses for Information Flow Control (CominLabs project)|
|2015-||Thomas Letan, Security of the Low-level Components of a Computer Platform (ANSSI employee)|
|2013-2017||Deepak Subramanian, Multi-level Information Flow Monitoring (CominLabs project)|
|2010-2014||Georges Bossert, Exploiting Semantic for the Automatic Reverse Engineering of Communication Protocols (AMOSSYS CIFRE grant)|
|2016||Jianqiao Xu, Development of Memory-based Attacks for Android Platform|
|2016||Ronny Chevalier, Coprocessor-based Low-level Intrusion Detection|
|2013||Oualid Koucham, Development of a Smart Fuzzing Plugin for Netzob|
|2013||Eric Asselin, Automatic Generation of Protocol Decoders|
|2013||Thomas Letan, Cooperation between OS and Java-level IFC Monitors|
|2011||Mounir Assaf, Combining Static and Dynamic Analysis to Detect Intrusion using Information Flow Control|