Dr. Gábor Pék

Assistant Professor

gabor.pek (at) crysys.hu

office: I.E. 429
tel: +36 1 463 2063

Current courses | Publications

Short Bio

Gábor earned his M.Sc. diploma in computer science in 2011 and his Ph.D. degree in 2015 from the Budapest University of Technology and Economics, Hungary. He did research in the CrySyS Lab. together with prof. Levente Buttyán, but completed internships at iSecLab at Eurecom, France and TU Wien, Austria, too. He participated in several industrial projects (e.g., penetration testing, securing virtualization, cloud computing security) also. One of the hardware-level vulnerabilities he found (XSA-59/CVE-2013-3495) affected several Intel chipsets that enabled attacks against hypervisors such as Xen or KVM. He was one of the key members of the Duqu, Flame, Miniduke and Teamspy targeted attack investigation teams.
He founded and coordinates CrySyS Student Core since April 2013, which is an invite-only group for exceptionally talented (graduate + undergraduate) students who are interested in system security. This group gave birth to the !SpamAndHex CTF team, which became one of the top CTF teams in the world in 2 years. As a member of !SpamAndHex he is a three-times DEFCON CTF finalist, that is widely regarded as the hacker world championship.
He co-founded a spin-off called Ukatemi Technologies with some of his colleagues from the CrySyS Lab in December 2012 to mitigate current targeted attacks. He also co-founded avatao to build a cloud-based virtual lab to teach people to build secure software and systems.

Current Courses

Software Security Laboratory (VIHIMA22)

This laboratory extends and deepens the knowledge and skills obtained in the Software Security course by solving practical, hands-on exercises in real, or close-to-real environments.

Computer and Network Security Laboratory (VIHIMB07)

This laboratory extends and deepens the knowledge and skills obtained in the Computer and Network Security course by solving practical, hands-on exercises in real, or close-to-real environments.

Publications

2013

A Survey of Security Issues in Hardware Virtualization

B. Bencsáth and L. Buttyán and G. Pék

ACM Computing Surveys (CSUR), vol. 45 , no. 3, June , 2013, doi:10.1145/2480741.2480757.

Bibtex | Abstract

@article {
   author = {Boldizsár Bencsáth and Levente Buttyán and Gábor PÉK},
   title = {A Survey of Security Issues in Hardware Virtualization},
   journal = { ACM Computing Surveys (CSUR)},
   volume = {45 },
   number = {3},
   month = {June },
   year = {2013},
   note = {doi:10.1145/2480741.2480757}
}

Abstract

Virtualization is a powerful technology to increase the efficiency of computing services; however, besides its advantages, it also raises a number of security issues. In this paper, we provide a thorough survey of those security issues in hardware virtualization. We focus on potential vulnerabilities and existing attacks on various virtualization platforms, but we also briefly sketch some possible countermeasures. To the best of our knowledge, this is the first survey of security issues in hardware virtualization with this level of details. Moreover, the adversary model and the structuring of the attack vectors are original contributions, never published before.

eNeMI: Evading the state-of-the-art hardware protection of I/O virtualization

G. Pék

Presentation at Hactivity Conference, October, 2013.

Bibtex | Abstract

@misc {
   author = {Gábor PÉK},
   title = {eNeMI: Evading the state-of-the-art hardware protection of I/O virtualization},
   howpublished = {Presentation at Hactivity Conference},
   month = {October},
   year = {2013}
}

Keywords

hardware virtualization

Abstract

Direct-device assignment is one of the most controversial issues in hardware virtualization, as it allows for using devices almost at native speed, however, raises many security problems. As most of these issues can be evaded by properly configured system software and hardware, the security issues of that area seemed to be solved. At the same time, virtual instances with direct-device assignment are publicly available via various cloud providers, so the security issues have to be examined in more details. In my presentation, an interesting vulnerability is going to be detailed which is not a simple software bug, but an example for an issue on how to handle improperly a hardware-level mechanism: the interrupt generation.

Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts

G. Pék

Xen Security Advisory CVE-2013-3495 / XSA-59, 2013.

Bibtex | Abstract

@misc {
   author = {Gábor PÉK},
   title = {Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts},
   howpublished = {Xen Security Advisory CVE-2013-3495 / XSA-59},
   year = {2013}
}

Abstract

Message Signaled Interrupts (MSI) interrupts on Intel platforms are defined as DWORD writes to a special address location (0xFEE?????). MSIs on Intel Platforms supporting VT-d have two defined formats - Remappable format interrupts, and Compatibility (not remappable) format interrupts, based on the format of their data payload. Remappable interrupts are subject to interrupt-remapping protection checks, while compatibility format interrupts are not. For protection reasons, host software disables compatibility format interrupts (causing them to be blocked by interrupt translation hardware) and manages the remappable interrupts through programming of interrupt-remapping table entries. Malformed MSIs are transactions to the special (0xFEE?????) address range that do not have proper attributes of MSI requests (e.g., size of request is invalid). Such malformed transactions are detected and aborted by the platform, before they are subject to further interrupt remapping/processing. For RAS purposes, some platforms may be configured to support System Error Reporting (SERR) capability. These platforms raise a PCI system error (SERR#) due to Unsupported Request, which are typically delivered as Non-Maskable Interrupts (NMI), to report such errors to software. Depending on hypervisor and Dom0 kernel configuration, such an NMI may be handled by the hypervisor/Dom0 or can result in a host software halt ("panic"). On platforms with SERR enabled, such malformed MSI requests can be generated by guest OS with an assigned device, causing hypervisor/Dom0 receive NMI despite using VT-d and interrupt remapping for device assignment.

Technical Trends in Recent Targeted Attacks

M. Felegyhazi and L. Buttyán and B. Bencsáth and G. Pék

Presentation at Power of Community (POC 2013, Seoul, South Korea), November, 2013.

Bibtex

@misc {
   author = {Mark Felegyhazi and Levente Buttyán and Boldizsár Bencsáth and Gábor PÉK},
   title = {Technical Trends in Recent Targeted Attacks },
   howpublished = {Presentation at Power of Community (POC 2013, Seoul, South Korea)},
   month = {November},
   year = {2013}
}

Abstract

2012

Célzott informatikai támadások napjainkban

B. Bencsáth and G. Pék and L. Buttyán and M. Felegyhazi

Budapest New Tech Meetup, Budapest, Hungary., December, 2012.

Bibtex

@misc {
   author = {Boldizsár Bencsáth and Gábor PÉK and Levente Buttyán and Mark Felegyhazi},
   title = {Célzott informatikai támadások napjainkban},
   howpublished = {Budapest New Tech Meetup, Budapest, Hungary.},
   month = {December},
   year = {2012}
}

Abstract

Duqu, Flame, Gauss - new challenges for a new era

B. Bencsáth and L. Buttyán and M. Felegyhazi and G. Pék

EuroNOG 2012 conference, Budapest, 10-11 Sept 2012, September, 2012.

Bibtex

@misc {
   author = {Boldizsár Bencsáth and Levente Buttyán and Mark Felegyhazi and Gábor PÉK},
   title = {Duqu, Flame, Gauss - new challenges for a new era },
   howpublished = {EuroNOG 2012 conference, Budapest, 10-11 Sept 2012},
   month = {September},
   year = {2012}
}

Abstract

Duqu: Analysis, Detection, and Lessons Learned

B. Bencsáth and G. Pék and L. Buttyán and M. Felegyhazi

ACM European Workshop on System Security (EuroSec), ACM, 2012.

Bibtex | Abstract | PDF

@inproceedings {
   author = {Boldizsár Bencsáth and Gábor PÉK and Levente Buttyán and Mark Felegyhazi},
   title = {Duqu: Analysis, Detection, and Lessons Learned},
   booktitle = {ACM European Workshop on System Security (EuroSec)},
   publisher = {ACM},
   year = {2012}
}

Abstract

In September 2011, a European company sought our help to investigate a security incident that happened in their IT system. During the investigation, we discovered a new malware that was unknown to all mainstream anti-virus products, however, it showed striking similarities to the infamous Stuxnet worm. We named the new malware Duqu, and we carried out its rst analysis. Our ndings led to the hypothesis that Duqu was probably created by the same people who developed Stuxnet, but with a di erent purpose: unlike Stuxnet whose mission was to attack industrial equipment, Duqu is an information stealer rootkit. Nevertheless, both pieces of malware have a modular structure, and they can be re-con gured remotely from a Command and Control server to include virtually any kind of functionality. In this paper, we present an abridged version of our initial Duqu analysis, which is available in a longer format as a technical report. We also describe the Duqu detector toolkit, a set of heuristic tools that we developed to detect Duqu and its variants. Finally, we discuss a number of issues that we learned, observed, or identi ed during our Duqu analysis project concerning the problems of preventing, detecting, and handling targeted malware attacks; we believe that solving these issues represents a great challenge to the system security community.

sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks

B. Bencsáth and G. Pék and L. Buttyán and M. Felegyhazi

In collaboration with the sKyWIper Analysis Team , 2012.

Bibtex | PDF

@techreport {
   author = {Boldizsár Bencsáth and Gábor PÉK and Levente Buttyán and Mark Felegyhazi},
   title = {sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks},
   institution = {In collaboration with the sKyWIper Analysis Team },
   year = {2012}
}

Abstract

Targeted attacks against Critical infrastructure: Stuxnet and beyond

B. Bencsáth and G. Pék and L. Buttyán and M. Felegyhazi

SCADA and Smart Grid Cyber Security Summit, 26-27 April 2012, April, 2012, London.

Bibtex

@misc {
   author = {Boldizsár Bencsáth and Gábor PÉK and Levente Buttyán and Mark Felegyhazi},
   title = {Targeted attacks against Critical infrastructure: Stuxnet and beyond},
   howpublished = {SCADA and Smart Grid Cyber Security Summit, 26-27 April 2012},
   month = {April},
   year = {2012},
   note = {London}
}

Abstract

Targeted Attacks of Recent Times

B. Bencsáth and L. Buttyán and G. Pék and M. Felegyhazi

Kaspersky SAS 2012 - Security Analyst Summit, Cancun, Mexico, February, 2012.

Bibtex

@misc {
   author = {Boldizsár Bencsáth and Levente Buttyán and Gábor PÉK and Mark Felegyhazi},
   title = {Targeted Attacks of Recent Times },
   howpublished = {Kaspersky SAS 2012 - Security Analyst Summit, Cancun, Mexico},
   month = {February},
   year = {2012}
}

Abstract

Technical analysis and information sharing in the handling of high-profile targeted attacks

B. Bencsáth and L. Buttyán and G. Pék and M. Felegyhazi

2012 Workshop on Cyber Security and Global Affairs and Global Security Forum, 1-3 June 2012, June, 2012, Barcelona, Spain.

Bibtex

@misc {
   author = {Boldizsár Bencsáth and Levente Buttyán and Gábor PÉK and Mark Felegyhazi},
   title = {Technical analysis and information sharing in the handling of high-profile targeted attacks },
   howpublished = {2012 Workshop on Cyber Security and Global Affairs and Global Security Forum, 1-3 June 2012},
   month = {June},
   year = {2012},
   note = {Barcelona, Spain}
}

Abstract

The cousins of Stuxnet: Duqu, Flame, Gauss, …

L. Buttyán and B. Bencsáth and G. Pék and M. Felegyhazi

ISCD 2012, Balatonöszöd, 3-4 Sep., September, 2012.

Bibtex

@misc {
   author = {Levente Buttyán and Boldizsár Bencsáth and Gábor PÉK and Mark Felegyhazi},
   title = {The cousins of Stuxnet: Duqu, Flame, Gauss, …},
   howpublished = {ISCD 2012, Balatonöszöd, 3-4 Sep.},
   month = {September},
   year = {2012}
}

Abstract

The Cousins of Stuxnet: Duqu, Flame, and Gauss

B. Bencsáth and G. Pék and L. Buttyán and M. Felegyhazi

Future Internet 2012, 4(4), doi:10.3390/fi4040971, 2012, pp. 971-1003, doi:10.3390/fi4040971, http://www.mdpi.com/journal/futureinternet/special_issues/stuxnet.

Bibtex | Abstract

@article {
   author = {Boldizsár Bencsáth and Gábor PÉK and Levente Buttyán and Mark Felegyhazi},
   title = {The Cousins of Stuxnet: Duqu, Flame, and Gauss},
   journal = {Future Internet 2012, 4(4), doi:10.3390/fi4040971},
   year = {2012},
   pages = {971-1003},
   note = {doi:10.3390/fi4040971, http://www.mdpi.com/journal/futureinternet/special_issues/stuxnet}
}

Abstract

Stuxnet was the first targeted malware that received worldwide attention forcausing physical damage in an industrial infrastructure seemingly isolated from the onlineworld. Stuxnet was a powerful targeted cyber-attack, and soon other malware samples were discovered that belong to this family. In this paper, we will first present our analysis of Duqu, an information-collecting malware sharing striking similarities with Stuxnet. Wedescribe our contributions in the investigation ranging from the original detection of Duquvia finding the dropper file to the design of a Duqu detector toolkit. We then continue with the analysis of the Flame advanced information-gathering malware. Flame is unique in thesense that it used advanced cryptographic techniques to masquerade as a legitimate proxyfor the Windows Update service. We also present the newest member of the family, called Gauss, whose unique feature is that one of its modules is encrypted such that it can onlybe decrypted on its target system; hence, the research community has not yet been able to analyze this module. For this particular malware, we designed a Gauss detector serviceand we are currently collecting intelligence information to be able to break its very specialencryption mechanism. Besides explaining the operation of these pieces of malware, wealso examine if and how they could have been detected by vigilant system administrators manually or in a semi-automated manner using available tools. Finally, we discuss lessonsthat the community can learn from these incidents. We focus on technical issues, and avoidspeculations on the origin of these threats and other geopolitical questions.

2011

Duqu: A Stuxnet-like malware found in the wild

B. Bencsáth and G. Pék and L. Buttyán and M. Felegyhazi

BME CrySyS Lab., October, 2011., First published in cut-down form as appendix to the Duqu report of Symantec.

Bibtex

@techreport {
   author = {Boldizsár Bencsáth and Gábor PÉK and Levente Buttyán and Mark Felegyhazi},
   title = {Duqu: A Stuxnet-like malware found in the wild},
   institution = {BME CrySyS Lab.},
   month = {October},
   year = {2011.},
   note = {First published in cut-down form as appendix to the Duqu report of Symantec}
}

Abstract

nEther: In-guest Detection of Out-of-the-guest Malware Analyzers

G. Pék and B. Bencsáth and L. Buttyán

ACM European Workshop on System Security (EuroSec), ACM, Salzburg, Austria, April 10, 2011, pp. 1-6.

Bibtex | PDF

@inproceedings {
   author = {Gábor PÉK and Boldizsár Bencsáth and Levente Buttyán},
   title = {nEther: In-guest Detection of Out-of-the-guest Malware Analyzers},
   booktitle = {ACM European Workshop on System Security (EuroSec)},
   publisher = {ACM},
   address = {Salzburg, Austria},
   month = {April 10},
   year = {2011},
   pages = {1-6}
}

Abstract

Recent advances in targeted malware attacks

B. Bencsáth and L. Buttyán and G. Pék and M. Felegyhazi

Fókuszban a CrySyS Lab. , December 14, 2011.

Bibtex

@misc {
   author = {Boldizsár Bencsáth and Levente Buttyán and Gábor PÉK and Mark Felegyhazi},
   title = {Recent advances in targeted malware attacks },
   howpublished = {Fókuszban a CrySyS Lab. },
   month = {December 14},
   year = {2011}
}

Abstract

Recent advances in targeted malware attacks

B. Bencsáth and L. Buttyán and G. Pék and M. Felegyhazi

Schönherz - Simonyi Szakkollégium ., December 13, 2011.

Bibtex

@misc {
   author = {Boldizsár Bencsáth and Levente Buttyán and Gábor PÉK and Mark Felegyhazi},
   title = {Recent advances in targeted malware attacks },
   howpublished = {Schönherz - Simonyi Szakkollégium .},
   month = {December 13},
   year = {2011}
}

Abstract

2009

Consistency verification of stateful firewalls is not harder than the stateless case

L. Buttyán and G. Pék and T. V. Thong

Infocommunications Journal, vol. LXIV, no. 2009/2-3, March, 2009, pp. 1-8.

Bibtex | Abstract | PDF

@article {
   author = {Levente Buttyán and Gábor PÉK and Ta Vinh Thong},
   title = {Consistency verification of stateful firewalls is not harder than the stateless case},
   journal = {Infocommunications Journal},
   volume = {LXIV},
   number = {2009/2-3},
   month = {March},
   year = {2009},
   pages = {1-8}
}

Keywords

Stateful firewall, FIREMAN, verification, security, inconsistency

Abstract

Firewalls play an important role in the enforcement of access control policies in contemporary networks. However, firewalls are effective only if they are configured correctly such that their access control rules are consistent and the firewall indeed implements the intended access control policy. Unfortunately, due to the potentially large number of rules and their complex relationships with each other, the task of firewall configuration is notoriously error-prone, and in practice, firewalls are often misconfigured leaving security holes in the protection system. In this paper, we address the problem of consistency verification of stateful firewalls that keep track of already existing connections. For the first sight, the consistency verification of stateful firewalls appears to be harder than that of stateless firewalls. We show that, in fact, this is not the case: consistency verification of stateful firewalls can be reduced to the stateless case, and hence, they have the same complexity. We also report on our prototype implemetation of an automated consistency verification tool that can handle stateful firewalls.

Universal Autonomous Robot Navigation Using Quasi Optimal Path Generation

P. Varlaki and G. Pék and Varkonyi-Koczy, A.R. and A. Laszka

4th IEEE Int. Conf. on Autonomous Robots and Agents (ICARA' 2009), February, 2009.

Bibtex | Abstract

@conference {
   author = {Varlaki Péter and Gábor PÉK and Varkonyi-Koczy, A.R. and Aron Laszka},
   title = {Universal Autonomous Robot Navigation Using Quasi Optimal Path Generation},
   booktitle = {4th IEEE Int. Conf. on Autonomous Robots and Agents (ICARA' 2009)},
   month = {February},
   year = {2009}
}

Abstract

Autonomous robot navigation is an important research field because these robots can solve problems where the human presence is impossible, dangerous, expensive, or uncomfortable. In this paper, a new hybrid autonomous navigation method is introduced. The algorithm is composed of visibility graph based global navigation and simple potential field based local navigation parts. It applies a new automated graph generation method which may become necessary if, because of the observed new obstacles, a new path should be generated. The quasi optimal route is found by applying the well known A* algorithm on the graph. The presented technique offers a quasi optimal universal navigation technique which can successfully be used in all, known, unknown, and dynamically changing environments.

2008

An Improved Hybrid Navigation Method

Varkonyi-Koczy, A.R. and A. Laszka and G. Pék

7th Int. Conf. On Global Research and Education in Intelligent Systems (Inter-Akademia' 2008), September, 2008.

Bibtex | Abstract

@conference {
   author = {Varkonyi-Koczy, A.R. and Aron Laszka and Gábor PÉK},
   title = {An Improved Hybrid Navigation Method},
   booktitle = {7th Int. Conf. On Global Research and Education in Intelligent Systems (Inter-Akademia' 2008)},
   month = {September},
   year = {2008}
}

Abstract

Autonomous robot navigation is an important research field because these robots can solve problems where the human presence is impossible, dangerous, expensive, or uncomfortable. In this paper, a new hybrid autonomous navigation method is introduced. The algorithm is composed of visibility graph based global navigation and simple potential field based local navigation parts. It applies a new automated graph generation method which may become necessary if, because of the observed new obstacles, a new path should be generated. The quasi optimal route is found by applying the well known A* algorithm on the graph. The presented technique offers a quasi optimal universal navigation technique which can successfully be used in all, known, unknown, and dynamically changing environments.