Research

My research interests are in network and computer security, with a focus on security monitoring and Information Flow Control. More recently I have initiated a new research agenda on the security of low-level components such as firmware and hardware security mechanisms. My objective is to develop novel practical solutions based on strong theoretical results. I usually develop proofs of concept and I am very interested in practical applications. Most of my research has been done in partnership with private companies or governmental agencies.

Research projects

HardBlare

Dynamic Information Flow Control (DIFC) implies a large overhead induced by the monitoring process. Some attempts rely on a hardware-software approach in which DIFC operations are delegated to a coprocessor. Nevertheless, such approaches are based on modified processors. Beyond the fact that hardware-assisted DIFC relying on modified processors is rarely adopted, existing works do not address the security of the coprocessor itself, nor multicore/multiprocessor embedded systems. We thus plan to implement DIFC mechanisms using an unmodified ARM processor and an FPGA.

The CominLabs HardBlare project is a cooperation with the CentraleSupélec IETR SCEE team and the UBS Lab-STICC laboratory. Mounir Nasr Allah is doing his PhD in the context of this project.

HP collaboration

I have established a long-term collaboration with HP Inc. Labs to enhance the security of their PC platform.

SpecCert

We are investigating the use of formal methods to assess the security guarantees provided by hardware platforms in the SpecCert project, in collaboration with ANSSI (the French national cybersecurity agency). Thomas Letan (ANSSI) is doing his PhD in the context of this project.

SecCloud

Attacks targeting web browsers constitute a major threat. In the context of the CominLabs SecCloud project, we tackled attacks induced by client-side code execution (JavaScript, Flash or HTML5). Existing security mechanisms such as OS-level access control are often not sufficient to prevent client-side browser attacks, since the web browser is granted the same privileges as the user. The idea is to monitor information flows within the web browser in order to enforce an information flow security policy. Such a policy should make it possible to define fine-grained information flow rules between user data and remote web sites. We proposed a new secure information flow control model specifically designed for JavaScript.

In our approach, we augment the standard symbol table with a mechanism that replaces the reference address for secret values based on the current execution stack. This mechanism also ensures that the secret is stored in a dedicated memory location, thereby protecting the secret from any unintended leakage or modification by malicious JavaScript code. This work on the detection of illegal information flows in JavaScript received the best paper award at the 9th International Conference on Security of Information and Networks (SIN 2016): https://hal.inria.fr/hal-01344565

This study was conducted in cooperation with other Inria Teams (Ascola and Celtique). Deepak Subramanian is doing his PhD in the context of this project.

SECEF

The first problem we have to face when we want to correlate alerts is the heterogeneity of the formats of security events. In the context of the RAPID SECEF project we conducted a comparative study of existing alert formats. This project was funded by a DGA RAPID grant and carried out in cooperation with Télécom SudParis and the CS company. We analyzed two proprietary formats, CEF (HP ArcSight) and LEEF (IBM QRadar), as well as four standard formats, IDMEF (IETF), CEE (MITRE), CIM and CADF (DMTF). We proposed several metrics to compare them based on a detailed review of every field proposed by each format. The results show that IDMEF is the most expressive and structured format. However, some fields proposed by other formats are not covered by IDMEF. We have proposed a new version of IDMEF that takes those limitations into account. This new format has been implemented by CS in the open-source reference implementation library libIDMEF.
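As an added illustration of the heterogeneity problem described above (example code, not part of the SECEF project or libIDMEF): a small normaliser that parses one CEF line and one LEEF 1.0 line into a single record shape that a correlation engine could consume. The sample alerts, the vendor and product names and the chosen common fields are constructed for this example; CEF escaping of `|` and `=` is handled, while LEEF 2.0's custom attribute delimiter is not.

```python
"""Normalise CEF and LEEF alert lines into one common record (constructed example)."""
import re

# Header separator: a '|' that is not escaped as '\|' (CEF header escaping rule).
_PIPE = re.compile(r"(?<!\\)\|")
# CEF extension key: 'key=' at the start or after whitespace; an escaped '\=' inside a value is not a key.
_CEF_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")

def _unescape(text):
    r"""Drop CEF escaping backslashes: '\|' -> '|', '\=' -> '=', '\\' -> '\'."""
    return re.sub(r"\\(.)", r"\1", text)

def parse_cef(line):
    """CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension"""
    head = _PIPE.split(line, maxsplit=7)
    if len(head) != 8 or not head[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    _, vendor, product, version, sig_id, name, severity = (_unescape(h) for h in head[:7])
    ext = head[7]
    keys = list(_CEF_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):  # a value runs up to the next unescaped 'key='
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return {"format": "CEF", "vendor": vendor, "product": product, "version": version,
            "event_id": sig_id, "name": name, "severity": severity, "fields": fields}

def parse_leef(line):
    """LEEF:1.0|Vendor|Product|Version|EventID|attr=value<TAB>attr=value (LEEF 1.0 only)."""
    head = _PIPE.split(line, maxsplit=5)
    if len(head) != 6 or head[0] != "LEEF:1.0":
        raise ValueError("only LEEF 1.0 with tab-separated attributes is handled here")
    _, vendor, product, version, event_id, attrs = head
    fields = dict(kv.partition("=")[::2] for kv in attrs.split("\t") if kv)
    # LEEF carries no severity in the header; it travels in the predefined 'sev' attribute.
    return {"format": "LEEF", "vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "name": "", "severity": fields.get("sev", ""), "fields": fields}

def normalise(line):
    """Dispatch on the format prefix so the correlation stage sees a single record shape."""
    return parse_cef(line) if line.startswith("CEF:") else parse_leef(line)

# Constructed sample alerts (not real product output); the CEF one exercises both escapes.
SAMPLE_CEF = r"CEF:0|Acme|Auth\|Gateway|2.1|100|Failed login|5|src=10.0.0.5 suser=alice msg=bad password x\=3 times"
SAMPLE_LEEF = "LEEF:1.0|Acme|AuthGateway|2.1|100|src=10.0.0.5\tusrName=alice\tsev=5\tmsg=bad password"
```

Both samples describe the same event, yet the user name lands under `suser` in one record and `usrName` in the other; mapping such vendor-specific keys onto one schema is exactly the work a richer common format like IDMEF is meant to absorb.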

Blare

The main objective of the Blare Inria Technological Development Action (ADT) was to enhance the maturity level of two software tools developed by the CIDRE team: kBlare and JBlare. These tools are dynamic information flow monitors implemented in COTS software: kBlare is a monitor implemented within the Linux kernel, and JBlare is a monitor implemented within a Java Virtual Machine (JamVM).

Guillaume Brogi was hired as an engineer to work on that project. The main results of this ADT are the following: we deployed a communication infrastructure composed of a dedicated public web site with up-to-date documentation, mailing lists, a bug tracker and Git repositories; we deployed the Jenkins continuous integration tool and used it to enhance the quality of our code (several non-obvious bugs have been fixed thanks to this tool); and we developed a unit testing framework dedicated to testing information flow control monitors.

Netzob

Network security products, such as NIDSs or firewalls, tend to focus on application-level communication protocols. For known and documented protocols, it is easy to implement the required mechanisms. Conversely, for proprietary and undocumented protocols, the implementation is much harder because it requires reverse engineering these protocols.

I supervised the PhD of Georges Bossert in the context of a CIFRE contract with AMOSSYS, an SME located in Rennes. We proposed new approaches to reverse both the vocabulary and the grammar of a protocol, and we developed Netzob, a tool dedicated to this task. We proposed two important improvements to the protocol inference process.

First, we improved the message format reverse engineering phase. Unlike previous work, our approach uses contextual information and its semantic definition as a key parameter in both message clustering and field partitioning. We can also detect complex linear and nonlinear relationships between the value, size and offset of message fields using correlation-based filtering. Moreover, our multi-step pre-clustering phase reduces the computation time required by the main clustering phase. These results were presented at the ASIACCS 2014 conference.

The second aspect of this work consisted in enhancing the grammar inference phase. We proposed a new approach that combines passive and active algorithms to infer protocol grammars. This approach also relies on grammar decomposition: we use semantic information to split the large inference task into separate parallel sub-tasks. Our solution reduces the computation time of the whole inference. Moreover, our approach is stealthier, since fewer messages, and in particular fewer invalid messages, are sent to the implementation being inferred.
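To make the correlation-based filtering idea concrete, here is an added, simplified example that is not Netzob's code: it scores every byte offset shared by a set of captured messages by how linearly its value tracks the total message size, which is how a length field stands out from type or sequence fields. The wire format, the message contents and the 0.95 threshold are constructed assumptions; Netzob's actual filtering also covers nonlinear and offset relationships that are not shown here.

```python
"""Spot a length field by correlating byte values with message size (constructed example)."""
import math
from statistics import mean

def pearson(xs, ys):
    """Pearson correlation; None when one series is constant (nothing to correlate)."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return None
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)

def length_field_candidates(messages, threshold=0.95):
    """Return {offset: r} for single-byte offsets whose value tracks total message size.

    Only offsets present in every message (the common prefix) are examined, so
    variable-length payload bytes can never produce a spurious candidate.
    """
    sizes = [len(m) for m in messages]
    candidates = {}
    for offset in range(min(sizes)):
        r = pearson([m[offset] for m in messages], sizes)
        if r is not None and abs(r) >= threshold:
            candidates[offset] = r
    return candidates

def build_message(msg_type, seq, payload):
    """Hypothetical wire format: type(1) | payload_length(1) | seq(1) | payload."""
    return bytes([msg_type, len(payload), seq]) + payload

# Constructed capture: types and sequence numbers are chosen so that only offset 1 tracks size.
MESSAGES = [build_message(t, s, b"A" * n)
            for t, s, n in [(1, 7, 3), (2, 3, 9), (1, 11, 12), (2, 1, 5), (1, 5, 2), (2, 9, 7)]]

if __name__ == "__main__":
    print(length_field_candidates(MESSAGES))  # {1: 1.0} (offset 1 is the length byte)
```

The type byte at offset 0 and the sequence byte at offset 2 also vary across messages, but their correlation with size stays well below the threshold, while the constant payload bytes are skipped as having no variance.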

CAPALID

The main objective of the AFSPC project was to study security monitoring approaches that could be adopted by the DGA. This study was conducted in cooperation with AMOSSYS.

PhD students

2016- Ronny Chevalier, Enhanced Computer Platform Security through an Intrusion Detection Approach (HP CIFRE grant)
2015- Oualid Koucham, Intrusion Detection for Industrial Control Systems (DGA grant)
2015- Mounir Nasr Allah, Combining Static Analyses with Dynamic Hardware-Based Analyses for Information Flow Control (CominLabs project)
2015- Thomas Letan, Security of the Low-level Components of a Computer Platform (ANSSI employee)
2013-2017 Deepak Subramanian, Multi-level Information Flow Monitoring (CominLabs project)
2010-2014 Georges Bossert, Exploiting Semantic for the Automatic Reverse Engineering of Communication Protocols (AMOSSYS CIFRE grant)

Master students

2016 Jianqiao Xu, Development of Memory-based Attacks for Android Platform
2016 Ronny Chevalier, Coprocessor-based Low-level Intrusion Detection
2013 Oualid Koucham, Development of a Smart Fuzzing Plugin for Netzob
2013 Eric Asselin, Automatic Generation of Protocol Decoders
2013 Thomas Letan, Cooperation between OS and Java-level IFC Monitors
2011 Mounir Assaf, Combining Static and Dynamic Analysis to Detect Intrusion using Information Flow Control