Malicious Shellcode Detection with Virtual Memory Snapshots. Boxuan Gu, Xiaole Bai, Zhimin Yang, Adam C. Champion, Dong Xuan. Dept. of Computer Science and Engineering.

Dept. of Computer Science and Engineering, The Ohio State University, Columbus, OH, USA. IEEE INFOCOM. A presentation at Advanced Defense Lab.

Outline: Introduction; Related Work; System Design; Implementation; Experiments; Conclusion.

Introduction - Motivation. According to the US-CERT database, buffer overflows are among the most critical and most common software vulnerabilities. Existing defenses fall into two categories: DBC-based approaches check input data before the process consumes them, while DDC-based approaches detect an attack while the data are being consumed. This paper removes a key limitation of DBC-based approaches: they inspect the input without any context about the process that will consume it.

Introduction - Contributions. Take snapshots of the target process's virtual memory immediately before input data are consumed. Use these snapshots to instantiate a runtime environment that emulates the target process's consumption of the input data.

Introduction - Contributions (cont.). Implement a prototype system on Debian Linux. Conduct extensive experiments based on real traces and thousands of malicious shellcode samples.

Related Work


DBC-Based – Static Analysis. T. Toth and C. Kruegel, "Accurate Buffer Overflow Detection via Abstract Payload Execution" (detects NOP sleds). Focusing on code-level patterns has limitations in both accuracy and completeness. U. Bayer, A. Moser, C. Kruegel, and E. Kirda, "Dynamic Analysis of Malicious Code".

DBC-Based – Dynamic Analysis. M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos, "Network-level Polymorphic Shellcode Detection Using Emulation" and "Emulation-Based Detection of Non-Self-Contained Polymorphic Shellcode". These emulators are still prone to evasion because they lack context information about the target process.

DBC-Based – Dynamic Analysis. [Figure: layout of a multi-stage polymorphic shellcode. Bootstrap code (where eip points, with esp pointing into the same buffer) launches decryptor 1, decryptor 2, ..., decryptor N, which produce generated block 1, generated block 2, ..., generated block N.]

Examples of bypassing detection. [Figure]

DDC-Based. Detection is conducted while processes consume input data. Examples: Address Space Randomization (ASR), Data Space Randomization (DSR). Drawback: the attack is detected only once it is already under way, and troubleshooting afterwards is inefficient.

System Design


System Design - Rationale. Instantiating a virtual execution environment: the snapshots are used to initialize this environment and provide two benefits. First, the input data's real behavior can be observed, because the environment mimics the process's consumption of the input data. Second, a lightweight virtual environment can be constructed from the snapshot alone.

System Design - Rationale. Facilitating system call-based detection: no matter how well malicious shellcode disguises itself, it must eventually invoke system calls to launch its attack. Existing DBC-based approaches, both static and dynamic, cannot use system call invocations as a detection criterion, because they lack the register state (on Linux/x86, the system call number in eax and the arguments in the other registers) needed to interpret an invocation.

System Design - Architecture. [Figure]


System Design - Workflow. [Figure]


System Design - Detection. [Figure: the same multi-stage shellcode emulated with and without a snapshot. The bootstrap/decryptor instruction stream shown is: push esp; pop eax; calculate ...; push eax; pop eax; calculate ...; push eax; pop esp; erase eax; mov ebx, [ebp+0xa0ef]; cmp ebx, 0x252d252d; jz +3; lidt eax; followed by the decryptors and the generated blocks. With snapshots: the load from [ebp+0xa0ef] yields ebx = 0x252d252d (context information provided), so the branch is followed and the decryptors and generated blocks are reached. Without snapshots: ebx = ??? (context information unavailable), so the emulator cannot resolve the branch and the detector is bypassed.]

Implementation

Implementation. Debian Linux. The emulator is designed to interpret the IA-32 instruction set: general-purpose and FPU instructions, system instructions, and system call instructions (int 0x80, sysenter). When an instruction the emulator does not implement is encountered during emulation: skip it if it is not a privileged instruction; stop emulation otherwise.

Implementation (cont.). Suitable thresholds on exe_depth, the number of instructions emulated from a given start offset: lower bound 14 (a system call reached after fewer instructions is not counted), upper bound 7000 (emulation stops there). An open-source x86 disassembler library is used to construct the instruction decoder. The detector is integrated into glibc by overriding the read and recv functions, so the snapshot and the check happen right before the data reach the application.
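The following is an added example, not code from the paper or the Advanced Defense Lab: a deliberately small IA-32 subset emulator in C that makes the point of the Rationale and Detection slides concrete and also exercises the implementation policies above (exe_depth bounds of 14 and 7000, skipping unimplemented unprivileged instructions, stopping on privileged ones, and detecting int 0x80 / sysenter). A constructed decryptor reads its XOR key from the target's memory at [ebp+0xa0ef] and compares it with 0x252d252d, as in the Detection slide; the snapshot base address, the input buffer address, the saved ebp value and the shellcode bytes are all assumptions made for the demo. The decoder understands only the dozen opcodes the sample needs and approximates any other opcode as one byte; the real system uses a full decoder.

```c
/* Added example, not code from the paper: a deliberately tiny IA-32 subset emulator that shows why a
 * virtual-memory snapshot matters for DBC-style detection.  All addresses, the sample shellcode and the
 * register context are constructed; a little-endian host is assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SNAP_BASE  0xBFFF0000u   /* assumed: base of the snapshotted memory region      */
#define SNAP_SIZE  0x10000u
#define INPUT_ADDR 0xBFFF9000u   /* assumed: buffer that read() fills in the target      */
#define CTX_EBP    0xBFFF4000u   /* assumed: the target's ebp when the read happens      */
#define KEY        0x252D252Du   /* dword the shellcode expects at [ebp+0xa0ef] (slides) */
enum { MIN_DEPTH = 14, MAX_DEPTH = 7000 };            /* exe_depth bounds from the slides */
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI }; enum { R_BENIGN, R_PRIV, R_SYSCALL };
typedef struct { uint8_t mem[SNAP_SIZE]; int have_context; } snap_t;
typedef struct { uint32_t r[8], eip; int zf; } cpu_t;
typedef struct { int offset, depth; uint32_t sysno; } scan_result_t;
/* Constructed sample: a decryptor whose XOR key is a dword it expects in the target process's own
 * memory (the slides' [ebp+0xa0ef] example).  Run anywhere else, it simply returns. */
static const uint8_t DECRYPTOR[] = {
    0x8B,0x9D,0xEF,0xA0,0x00,0x00,   /* mov ebx,[ebp+0xa0ef] ; key from target memory */
    0x81,0xFB,0x2D,0x25,0x2D,0x25,   /* cmp ebx,0x252d252d   ; right process?         */
    0x75,0x17,                       /* jnz bail             ; no: look harmless      */
    0xBE,0x1E,0x90,0xFF,0xBF,        /* mov esi,0xBFFF901E   ; encrypted payload      */
    0xB9,0x07,0x00,0x00,0x00,        /* mov ecx,7            ; payload length         */
    0x30,0x1E, 0x46, 0x49,           /* loop: xor [esi],bl ; inc esi ; dec ecx        */
    0x75,0xFA };                     /* jnz loop   (payload bytes follow, then bail: ret) */
static const uint8_t PAYLOAD[] = { 0xB8,0x0B,0x00,0x00,0x00, 0xCD,0x80 };   /* mov eax,11 ; int 0x80 */
#define INPUT_LEN ((uint32_t)(sizeof DECRYPTOR + sizeof PAYLOAD + 1))
static int mapped(uint32_t a, uint32_t n) { return a >= SNAP_BASE && a - SNAP_BASE + n <= SNAP_SIZE; }
static uint8_t *at(snap_t *s, uint32_t a) { return &s->mem[a - SNAP_BASE]; }
static int ld8(snap_t *s, uint32_t a, uint8_t *v) { if (!mapped(a, 1)) return 0; *v = *at(s, a); return 1; }
static int ld32(snap_t *s, uint32_t a, uint32_t *v) { if (!mapped(a, 4)) return 0; memcpy(v, at(s, a), 4); return 1; }
/* Emulate from one start address until a syscall, a privileged instruction, unmapped memory, ret or
 * MAX_DEPTH.  Works on a private copy of the snapshot because the decryptor rewrites its own bytes. */
static int emulate(const snap_t *s, uint32_t start, int *depth, uint32_t *eax) {
    snap_t *w = malloc(sizeof *w); memcpy(w, s, sizeof *w);
    cpu_t c = {{0}, start, 0};
    if (s->have_context) c.r[EBP] = CTX_EBP;            /* register state comes from the snapshot */
    int rc = R_BENIGN, n;
    for (n = 0; n < MAX_DEPTH; n++) {
        uint8_t op, m; uint32_t imm, next = c.eip + 1;
        if (!ld8(w, c.eip, &op)) break;
        if (op == 0x8B) {                                /* mov r32,[ebp+disp32] (mod=10 rm=101 only) */
            if (!ld8(w, next, &m) || (m & 0xC7) != 0x85 || !ld32(w, next + 1, &imm)) break;
            uint32_t v = 0;                              /* unmapped memory reads as 0: the missing context */
            ld32(w, c.r[EBP] + imm, &v); c.r[(m >> 3) & 7] = v; next += 5;
        } else if (op == 0x81) {                         /* cmp r32,imm32 (/7, mod=11 only) */
            if (!ld8(w, next, &m) || (m & 0xF8) != 0xF8 || !ld32(w, next + 1, &imm)) break;
            c.zf = (c.r[m & 7] == imm); next += 5;
        } else if (op == 0x74 || op == 0x75) {           /* jz / jnz rel8 */
            if (!ld8(w, next, &m)) break;
            next += 1; if ((op == 0x74) ? c.zf : !c.zf) next += (int8_t)m;
        } else if (op >= 0xB8 && op <= 0xBF) {           /* mov r32,imm32 */
            if (!ld32(w, next, &imm)) break; c.r[op - 0xB8] = imm; next += 4;
        } else if (op >= 0x40 && op <= 0x4F) {           /* inc r32 / dec r32 */
            uint32_t *r = &c.r[op & 7]; *r += (op < 0x48) ? 1u : 0xFFFFFFFFu; c.zf = (*r == 0);
        } else if (op == 0x30) {                         /* xor [r32],r8 (mod=00, no SIB/disp) */
            if (!ld8(w, next, &m) || (m & 0xC0) || (m & 7) == 4 || (m & 7) == 5) break;
            int rg = (m >> 3) & 7; uint8_t v, src = rg < 4 ? c.r[rg] & 0xFF : (c.r[rg - 4] >> 8) & 0xFF;
            if (!ld8(w, c.r[m & 7], &v)) break;
            v ^= src; *at(w, c.r[m & 7]) = v; c.zf = (v == 0); next += 1;
        } else if (op == 0xCD) {                         /* int imm8; 0x80 is the Linux syscall gate */
            if (!ld8(w, next, &m)) break;
            if (m == 0x80) { rc = R_SYSCALL; n++; break; } next += 1;
        } else if (op == 0x0F) {                         /* two-byte opcodes */
            if (!ld8(w, next, &m)) break;
            if (m == 0x34) { rc = R_SYSCALL; n++; break; }                        /* sysenter */
            if (m == 0x01 && ld8(w, next + 1, &m) && (((m >> 3) & 7) == 2 || ((m >> 3) & 7) == 3)) {
                rc = R_PRIV; break; }                                              /* lgdt/lidt: privileged, stop */
            next += 1;                                   /* other 0F xx: unimplemented and unprivileged: skip */
        } else if (op == 0xC3 || op == 0xF4 || op == 0xFA || op == 0xFB) {
            rc = (op == 0xC3) ? R_BENIGN : R_PRIV; break;  /* ret ends the run; hlt/cli/sti are privileged */
        }                                                /* anything else: unimplemented, unprivileged: skip 1 byte */
        c.eip = next;
    }
    *depth = n; *eax = c.r[EAX]; free(w);
    return rc;
}
/* DBC-style scan: every offset of the input is a candidate entry point.  Flag the input only if a
 * syscall is reached after at least MIN_DEPTH emulated instructions. */
static scan_result_t scan_input(const snap_t *s, uint32_t len) {
    scan_result_t res = { -1, 0, 0 }; int d; uint32_t eax;
    for (uint32_t off = 0; off < len; off++) {
        if (emulate(s, INPUT_ADDR + off, &d, &eax) != R_SYSCALL || d < MIN_DEPTH) continue;
        res.offset = (int)off; res.depth = d; res.sysno = eax; break;
    }
    return res;
}
/* Constructed snapshot: decryptor + XOR-encrypted payload + 'ret' in the input buffer; with_context
 * also supplies the key dword and the register state the real process had. */
static snap_t *make_snapshot(int with_context) {
    snap_t *s = calloc(1, sizeof *s); uint8_t *in = at(s, INPUT_ADDR);
    memcpy(in, DECRYPTOR, sizeof DECRYPTOR); in[INPUT_LEN - 1] = 0xC3;
    for (size_t i = 0; i < sizeof PAYLOAD; i++) in[sizeof DECRYPTOR + i] = PAYLOAD[i] ^ (KEY & 0xFF);
    if (with_context) { uint32_t k = KEY; memcpy(at(s, CTX_EBP + 0xA0EF), &k, 4); s->have_context = 1; }
    return s;
}
scan_result_t scan_demo(int with_context) {             /* with_context=0 models a context-free emulator */
    snap_t *s = make_snapshot(with_context); scan_result_t r = scan_input(s, INPUT_LEN); free(s); return r;
}
int main(void) {
    scan_result_t a = scan_demo(1), b = scan_demo(0);
    printf("with snapshot: offset %d, eax=%u, depth %d; without snapshot: offset %d\n", a.offset, a.sysno, a.depth, b.offset);
    return 0;
}
```

With the snapshot, the scan reaches int 0x80 with eax = 11 (execve) from offset 0 after 35 emulated instructions, well past the lower bound of 14. Without it, the load from [ebp+0xa0ef] hits unmapped memory, the comparison fails, the shellcode takes its benign exit, and no offset of the same bytes ever reaches a system call: exactly the evasion the Detection slide describes. In the real system this scan would run inside the wrapped read/recv before the data are handed to the application.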

Experiments

Experiments - Effectiveness. Collect 51 unencrypted malicious shellcodes from the Internet that target Linux systems. Use encoding tools to generate 5000 encrypted malicious shellcodes: ADMmutate (a polymorphic shellcode engine), Metasploit, and TAPiON.

Experiments - Effectiveness (cont.). Enlist 4 volunteers who collect HTTP messages for 6 weeks using Fiddler.

Experiments - False Positives and False Negatives. [Figure] The false-negative rate is zero.


Experiments - Overhead. Hardware: server, Dell Dimension 5150 with an Intel Pentium processor and 1 GB RAM; client, IBM ThinkPad T60 with 1 GB RAM; connection, 100 Mbps Ethernet switch. Software: server, thttpd (ACME Laboratories); client, Jef Poskanzer's http_load program.

Experiments - Overhead. [Figure: overhead measurements]

Conclusion

Conclusion. Drawback: return-into-libc attacks, whose input contains no executable shellcode and therefore never makes a system call during emulation, may still evade this system. Future work: designing a faster instruction decoder; using static analysis techniques to analyze input data before or during emulation. The virtual memory snapshot is very useful for analysis.