Dr. Dorottya Futóné Papp

Assistant Professor

dpapp (at) crysys.hu

web: www.crysys.hu/~dpapp/
office: I.E. 429
tel: +36 1 463 2063


Short Bio

Dorottya Futóné Papp was born in 1992 in Budapest. She received her BSc degree in Computer Science in 2014 and her MSc degree in Computer Science Engineering in 2016 from the Budapest University of Technology and Economics (BME). She started her PhD studies in September 2016. She has been involved with the Laboratory of Cryptography and System Security (CrySyS) since 2013 and with the Austrian Institute of Technology since 2015.

Current Courses

Coding and IT Security (VIHIBB01)

This BProf course gives an overview of the different areas of IT security with the aim of increasing the security awareness of computer science students and shaping their attitude towards designing and using secure computing systems. The course also gives an introduction to source coding and channel coding.

Computer Security (VIHIMA06)

The course introduces security problems in computing systems, as well as the principles, practical mechanisms, and tools used to solve them. The term computer is interpreted in a broad sense, and it includes personal computers, servers, mobile devices, and embedded computers. The course covers physical security and OS level security of computers, software security issues at the application level, secure programming, and the problem of malicious software (malware).

Secure Software Development (VIHIAV33)

This course fills an important gap in the education of software engineers, namely developing secure software applications. During this course, students learn the most common mistakes in software development and how attackers exploit those mistakes (offensive security). Then, students get to know how to mitigate attacks and write secure software applications.

Publications

2022

SIMBIoTA-ML: Light-weight, Machine Learning-based Malware Detection for Embedded IoT Devices

D. Papp, G. Ács, R. Nagy, L. Buttyán

International Conference on Internet of Things, Big Data and Security (IoTBDS), 2022.


@conference{Papp2022SIMBIoTAML,
   author = {Dorottya Papp and Gergely Ács and Roland Nagy and Levente Buttyán},
   title = {{SIMBIoTA-ML}: Light-weight, Machine Learning-based Malware Detection for Embedded {IoT} Devices},
   booktitle = {International Conference on Internet of Things, Big Data and Security (IoTBDS)},
   year = {2022}
}

Keywords

IoT, embedded systems, malware detection, machine learning

Abstract

Embedded devices are increasingly connected to the Internet to provide new and innovative applications in many domains. However, these devices can also contain security vulnerabilities, which allow attackers to compromise them using malware. In this paper, we present SIMBIoTA-ML, a light-weight antivirus solution that enables embedded IoT devices to take advantage of machine learning-based malware detection. We show that SIMBIoTA-ML can respect the resource constraints of embedded IoT devices, and it has a true positive malware detection rate of ca. 95%, while having a low false positive detection rate at the same time. In addition, the detection process of SIMBIoTA-ML has a near-constant running time, which allows IoT developers to better estimate the delay introduced by scanning a file for malware, a property that is advantageous in real-time applications, notably in the domain of cyber-physical systems.

2021

Rootkit Detection on Embedded IoT Devices

R. Nagy, K. Németh, D. Papp, L. Buttyán

Acta Cybernetica, 2021.


@article{Nagy2021Rootkit,
   author = {Roland Nagy and Krisztián Németh and Dorottya Papp and Levente Buttyán},
   title = {Rootkit Detection on Embedded {IoT} Devices},
   journal = {Acta Cybernetica},
   year = {2021}
}

Keywords

embedded systems, Internet of Things, security, malware

Abstract

IoT systems are subject to cyber attacks, including infecting embedded IoT devices with rootkits. Rootkits are malicious software that typically run with elevated privileges, which makes their detection challenging. In this paper, we address this challenge: we propose a rootkit detection approach for embedded IoT devices that takes advantage of a trusted execution environment (TEE), which is often supported on popular IoT platforms, such as ARM based embedded boards. The TEE provides an isolated environment for our rootkit detection algorithms, and prevents the rootkit from interfering with their execution even if the rootkit has root privileges on the untrusted part of the IoT device. Our rootkit detection algorithms identify modifications made by the rootkit to the code of the operating system kernel, to system programs, and to data influencing the control flow (e.g., hooking system calls), as well as inconsistencies created by the rootkit in certain kernel data structures (e.g., those responsible for handling process related information). We also propose algorithms to detect rootkit components in the persistent storage of the device. Besides describing our approach and algorithms in detail, we also report on a prototype implementation and on the evaluation of our design and implementation, which is based on testing our prototype with rootkits that we developed for this purpose.

SIMBIoTA: Similarity-Based Malware Detection on IoT Devices

Cs. Tamás, D. Papp, L. Buttyán

6th International Conference on Internet of Things, Big Data and Security (IoTBDS), 23–25 April 2021.


@conference{Tamas2021SIMBIoTA,
   author = {Csongor Tamás and Dorottya Papp and Levente Buttyán},
   title = {{SIMBIoTA}: Similarity-Based Malware Detection on {IoT} Devices},
   booktitle = {6th International Conference on Internet of Things, Big Data and Security (IoTBDS), 23--25 April 2021},
   year = {2021}
}

Keywords

IoT, embedded systems, malware detection, binary similarity, locality sensitive hashing

Abstract

Embedded devices connected to the Internet are threatened by malware, and currently, no antivirus product is available for them. We present SIMBIoTA, a new approach for detecting malware on such IoT devices. SIMBIoTA relies on similarity-based malware detection, and it has a number of notable advantages: moderate storage requirements on resource constrained IoT devices, a fast and lightweight malware detection process, and a surprisingly good detection performance, even for new, never-before-seen malware. These features make SIMBIoTA a viable antivirus solution for IoT devices, with competitive detection performance and limited resource requirements.

T-RAID: TEE-based Remote Attestation for IoT Devices

R. Nagy, M. Bak, D. Papp, L. Buttyán

Euro-CYBERSEC, Nice, France, 2021.


@conference{Nagy2021TRAID,
   author = {Roland Nagy and Marton Bak and Dorottya Papp and Levente Buttyán},
   title = {{T-RAID}: {TEE}-based Remote Attestation for {IoT} Devices},
   booktitle = {Euro-CYBERSEC, Nice, France},
   year = {2021}
}

Keywords

Internet of Things, embedded systems, malware, remote attestation, Trusted Execution Environment

Abstract

The Internet of Things (IoT) consists of network-connected embedded devices that enable a multitude of new applications, but also create new risks. In particular, embedded IoT devices can be infected by malware. Operators of IoT systems not only need malware detection tools, but also scalable methods to reliably and remotely verify malware freedom of their IoT devices. In this paper, we address this problem by proposing T-RAID, a remote attestation scheme for IoT devices that takes advantage of the security guarantees provided by a Trusted Execution Environment running on each device.

TEE Based Protection of Cryptographic Keys on Embedded IoT Devices

D. Papp, M. Zombor, L. Buttyán

Annales Mathematicae et Informaticae, 2021.


@article{Papp2021TEEKeys,
   author = {Dorottya Papp and Máté Zombor and Levente Buttyán},
   title = {{TEE} Based Protection of Cryptographic Keys on Embedded {IoT} Devices},
   journal = {Annales Mathematicae et Informaticae},
   year = {2021}
}

Keywords

Trusted Execution Environment, cryptographic keys, key management

Abstract

The Internet of Things (IoT) consists of billions of embedded devices connected to the Internet. Secure remote management of many of these devices requires them to store and use long-term cryptographic keys. In this work we propose to protect cryptographic keys in embedded IoT devices using a Trusted Execution Environment (TEE) which is supported on many embedded platforms. Our approach provides similar protection as secure co-processors, but does not actually require an additional secure hardware element.

2020

Clustering IoT Malware based on Binary Similarity

M. Bak, D. Papp, Cs. Tamás, L. Buttyán

IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT), 2020.


@inproceedings{Bak2020Clustering,
   author = {Marton Bak and Dorottya Papp and Csongor Tamás and Levente Buttyán},
   title = {Clustering {IoT} Malware based on Binary Similarity},
   booktitle = {IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT)},
   year = {2020}
}

Abstract

In this paper, we propose to cluster malware samples based on their TLSH similarity. We apply this approach to clustering IoT malware samples, as IoT botnets built from malware infected IoT devices are becoming an important trend. We study the performance of two distance-based clustering algorithms, k-medoid and OPTICS, on a large corpus of IoT malware samples when they are used with the TLSH difference metric to measure distances between samples. Our results show that neither of the two algorithms has acceptable clustering performance. Hence, we propose a new clustering algorithm, which achieves a performance superior to both k-medoid and OPTICS.

Towards Secure Remote Firmware Update on Embedded IoT Devices

M. Juhász, D. Papp, L. Buttyán

Conference of PhD Students in Computer Science (CSCS), 2020.


@conference{Juhasz2020FirmwareUpdate,
   author = {Márton Juhász and Dorottya Papp and Levente Buttyán},
   title = {Towards Secure Remote Firmware Update on Embedded {IoT} Devices},
   booktitle = {Conference of PhD Students in Computer Science (CSCS)},
   year = {2020}
}

Abstract

An important security problem in IoT systems is the integrity protection of software, including the firmware and the operating system, running on embedded IoT devices. Digitally signed code and verified boot only partially solve this problem, because those mechanisms do not address the issue of run-time attacks that exploit software vulnerabilities. For this issue, the only known solution today is to fix the discovered vulnerabilities and update embedded devices with the fixed software. Such an update should be performed remotely in a secure and reliable way, as otherwise the update mechanism itself can be exploited to install compromised software on devices at large scale. In this work, we propose a system and related procedures for remotely updating the firmware and the operating system of embedded IoT devices securely and reliably.

2019

IoT Hacking - A Primer

D. Papp, K. Tamás, L. Buttyán

Infocommunications Journal, 2nd Issue, 2019.


@article{Papp2019IoTHacking,
   author = {Dorottya Papp and Kristóf Tamás and Levente Buttyán},
   title = {{IoT} Hacking - A Primer},
   journal = {Infocommunications Journal},
   number = {2},
   year = {2019}
}

Abstract

The Internet of Things (IoT) enables many new and exciting applications, but it also creates a number of new risks related to information security. Several recent attacks on IoT devices and systems illustrate that they are notoriously insecure. It has also been shown that a major part of the attacks resulted in full adversarial control over IoT devices, and the reason for this is that IoT devices themselves are weakly protected and they often cannot resist even the most basic attacks. Penetration testing or ethical hacking of IoT devices can help discover and fix their vulnerabilities that, if exploited, can result in highly undesirable conditions, including damage of expensive physical equipment or even loss of human life. In this paper, we give a basic introduction into hacking IoT devices. We give an overview on the methods and tools for hardware hacking, firmware extraction and unpacking, and performing basic firmware analysis. We also provide a survey on recent research on more advanced firmware analysis methods, including static and dynamic analysis of binaries, taint analysis, fuzzing, and symbolic execution techniques. By giving an overview on both practical methods and readily available tools as well as current scientific research efforts, our work can be useful for both practitioners and academic researchers.

Towards Detecting Trigger-based Behavior In Binaries: Uncovering the Correct Environment

D. Papp, T. Tarrach, L. Buttyán

International Conference on Software Engineering and Formal Methods (SEFM), 2019.


@inproceedings{Papp2019TriggerEnvironment,
   author = {Dorottya Papp and Thorsten Tarrach and Levente Buttyán},
   title = {Towards Detecting Trigger-based Behavior In Binaries: Uncovering the Correct Environment},
   booktitle = {International Conference on Software Engineering and Formal Methods (SEFM)},
   year = {2019}
}

Keywords

Directed symbolic execution, Trigger-based behavior, Software verification

Abstract

In this paper, we present our first results towards detecting trigger-based behavior in binary programs. A program exhibits trigger-based behavior if it contains undocumented, often malicious functionality that is executed only under specific circumstances. In order to determine the inputs and environment required to trigger such behavior, we use directed symbolic execution and present techniques to overcome some of its practical limitations. Specifically, we propose techniques to overcome the environment problem and the path selection problem. We implemented our techniques and evaluated their performance on a real malware sample that launches denial-of-service attacks upon receiving specific remote commands. Thanks to our techniques, our implementation was able to determine those specific commands and all other requirements needed to trigger the malicious behavior in reasonable time.

2017

Towards Semi-automated Detection of Trigger-based Behavior for Software Security Assurance

D. Papp, L. Buttyán, Z. Ma

Workshop on Software Assurance at ARES 2017, 2017.


@conference{Papp2017TriggerAssurance,
   author = {Dorottya Papp and Levente Buttyán and Zhendong Ma},
   title = {Towards Semi-automated Detection of Trigger-based Behavior for Software Security Assurance},
   booktitle = {Workshop on Software Assurance at ARES 2017},
   year = {2017}
}

Abstract

A program exhibits trigger-based behavior if it performs undocumented, often malicious, functions when the environmental conditions and/or specific input values match some pre-specified criteria. Checking whether such hidden functions exist in the program is important for increasing trustworthiness of software. In this paper, we propose a framework to effectively detect trigger-based behavior at the source code level. Our approach is semi-automated: We use automated source code instrumentation and mixed concrete and symbolic execution to generate potentially suspicious test cases that may trigger hidden, potentially malicious functions. The test cases must be investigated by a human analyst manually to decide which of them are real triggers. While our approach is not fully automated, it greatly reduces manual work by allowing analysts to focus on a few test cases found by our automated tools.

2016

RoViM: Rotating Virtual Machines for Security and Fault-Tolerance

D. Papp, Z. Ma, L. Buttyán

EMC2 Summit at CPS Week 2016, 2016.


@conference{Papp2016RoViM,
   author = {Dorottya Papp and Zhendong Ma and Levente Buttyán},
   title = {{RoViM}: Rotating Virtual Machines for Security and Fault-Tolerance},
   booktitle = {EMC2 Summit at CPS Week 2016},
   year = {2016}
}

Abstract

Nowadays, the field of embedded systems is experiencing a number of changes. On one hand, recent cyber attacks against safety-critical systems demonstrate that malware can force safety-critical systems to endanger human lives and harm the environment. Therefore, a new requirement of security has arisen for safety-critical and embedded systems. However, security should be designed hand in hand with safety to resolve conflicts between the two fields. On the other hand, the emerging trend of virtualization has a significant impact on the embedded market. The isolation and protection mechanisms of virtualization contribute to both safety and security via redundancy and the prevention of one virtual machine affecting another. In this paper we present RoViM, a system of rotating virtual machines providing proactive security for embedded devices. RoViM uses multiple virtual machines in the system, which increases redundancy as a safety measure. Our design satisfies reachability, liveness and safety requirements, and we present a proof-of-concept implementation with the use case of an Internet Protocol Security (IPsec) gateway. We evaluate our design with formal verification and show that rotating virtual machines cause no significant change in the performance of the IPsec gateway.

2015

Embedded System Security: Threats, Vulnerabilities, and Attack Taxonomy

D. Papp, Z. Ma, L. Buttyán

IEEE International Conference on Privacy, Security, and Trust, 2015.


@conference{Papp2015EmbeddedTaxonomy,
   author = {Dorottya Papp and Zhendong Ma and Levente Buttyán},
   title = {Embedded System Security: Threats, Vulnerabilities, and Attack Taxonomy},
   booktitle = {IEEE International Conference on Privacy, Security, and Trust},
   year = {2015}
}

Abstract

Embedded systems are the driving force for technological development in many domains such as automotive, healthcare, and industrial control in the emerging post-PC era. As more and more computational and networked devices are integrated into all aspects of our lives in a pervasive and "invisible" way, security becomes critical for the dependability of all smart or intelligent systems built upon these embedded systems. In this paper, we conduct a systematic review of the existing threats and vulnerabilities in embedded systems based on publicly available data. Moreover, based on this information, we derive an attack taxonomy for embedded systems. We envision that the findings in this paper provide valuable insight into the threat landscape facing embedded systems. The knowledge can be used for a better understanding and the identification of security risks in system analysis and design.

ROSCO: Repository of signed code

B. Bencsáth, L. Buttyán, T. Holczer, B. Kócsó, D. Papp

Virus Bulletin, 2015.


@conference{Bencsath2015ROSCO,
   author = {Boldizsár Bencsáth and Levente Buttyán and Tamas Holczer and Balázs Kócsó and Dorottya Papp},
   title = {{ROSCO}: Repository of signed code},
   booktitle = {Virus Bulletin},
   year = {2015}
}

Abstract