MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.

Slides:



Advertisements
Similar presentations
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Advertisements

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Operating System Security : David Phillips A Study of Windows Rootkits.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
OS Fall ’ 02 Introduction Operating Systems Fall 2002.
Run-Time Storage Organization
OS Spring’03 Introduction Operating Systems Spring 2003.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>>
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.
A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions.
Computer Architecture and Operating Systems CS 3230: Operating System Section Lecture OS-7 Memory Management (1) Department of Computer Science and Software.
Topics covered: Memory subsystem CSE243: Introduction to Computer Architecture and Hardware/Software Interface.
Extensibility, Safety and Performance in the SPIN Operating System Ashwini Kulkarni Operating Systems Winter 2006.
Bob Gilber, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna University of California, Santa Barbara RAID 2011,9 報告者:張逸文 1.
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan.
Chapter 4 Storage Management (Memory Management).
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
Identification of Bot Commands By Run-time Execution Monitoring Younghee Park, Douglas S. Reeves North Carolina State University ACSAC
Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.
Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:
1 OmniUmpack: Fast, Generic, and Safe Unpacking of Malware Authors: Lerenzo Martignoni, Mihai Christodorescu and Somesh Jha Computer Security Applications.
Presented by: Akbar Saidov Authors: M. Polychronakis, K. G. Anagnostakis, E. P. Markatos.
Operating Systems Lecture November 2015© Copyright Virtual University of Pakistan 2 Agenda for Today Review of previous lecture Hardware (I/O, memory,
Source: Operating System Concepts by Silberschatz, Galvin and Gagne.
 Introduction  Related Work  Challenges for Software-based CPU Emulation Detection Approaches  Our Approach  Evaluation  Limitations 2 A Seminar.
Chapter 2 Processes and Threads Introduction 2.2 Processes A Process is the execution of a Program More specifically… – A process is a program.
Lecture 5 Page 1 CS 111 Online Processes CS 111 On-Line MS Program Operating Systems Peter Reiher.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
Operating Systems Security
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
CS533 Concepts of Operating Systems Jonathan Walpole.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
COMP091 – Operating Systems 1 Memory Management. Memory Management Terms Physical address –Actual address as seen by memory unit Logical address –Address.
Memory Management Chapter 5 Advanced Operating System.
Hello world !!! ASCII representation of hello.c.
CS203 – Advanced Computer Architecture Virtual Memory.
RealTimeSystems Lab Jong-Koo, Lim
Software, IEE Proceedings, Vol.152, Num.3, June 2005,Page(s): Prasanthi.S March, Java-based component framework for dynamic reconfiguration.
Advanced Operating Systems CS6025 Spring 2016 Processes and Threads (Chapter 2)
Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.
Live Phishing Attack Authentication Activity from a Foreign Address.
Chapter 1. Basic Static Techniques
Paging COMP 755.
Effective Data-Race Detection for the Kernel
Process Realization In OS
Chap 10 Malicious Software.
Loaders and Linkers: Features
Introduction to the Intel x86’s support for “virtual” memory
Operating Systems Lecture 3.
Chap 10 Malicious Software.
Following Malware Execution in IDA
Landon Cox January 17, 2018 January 22, 2018
COMP755 Advanced Operating Systems
Presentation transcript:

MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive Shellcode Detection using Runtime Heuristics

Introduction Architecture Runtime Heuristics Implementation Experimental Evaluation Conclusion Outline 2

The injected code, known as shellcode, carries out the first stage of the attack, which usually involves the download and execution of a malware binary on the compromised host. Introduction 3

Identify the presence of shellcode in network inputs using static code analysis - advanced obfuscation - self-modifications Dynamic code analysis using emulation - quite effective Introduction 4

But these are confined to the detection of a particular class of polymorphic shellcode that exhibits self-decrypting behavior Metamorphism Introduction 5

In this paper, present a comprehensive shellcode detection technique based on payload execution Detection method relies on several runtime heuristics tailored to the identification of different shellcode types Gene, a network level detector based on passive network monitoring Introduction 6

Architecture 7

Shellcode is meant to be injected into a running process and it usually accesses certain parts of the process' address space Gene is equipped with a fully blown virtual memory subsystem that handles all user-level memory accesses Architecture 8

Runtime Heuristics 9

Windows API is divided into several dynamic load libraries (DLLs) In order to call an API function, the shellcode must first find its absolute address in the address space of the process Searching for the Relative Virtual Addresses (RVAs) of the function in the Export Directory Table (EDT) of the DLL - LoadLibrary - GetProcAddress Runtime Heuristics - Resolving kernel32.dll 10

No matter which method is used, a common fundamental operation in all methods is that the shellcode has to first locate the base address of kernel32.dll Runtime Heuristics - Resolving kernel32.dll 11

Process Environment Block [PEB] - a user-level structure that holds extensive process specific informationPEB Runtime Heuristics - Process Environment Block 12

Condition P1. (i) the linear address of FS:[0x30]is read (ii) the current or any previous instruction involved the FS register, then this input may correspond to a shellcode that resolves kernel32.dll through the PEB Runtime Heuristics - Process Environment Block 13

Condition P2. PEB_LDR_DATA structure - holds the list of loaded modules PEB_LDR_DATA (P2): the linear address of PEB.LoaderDatais read. Runtime Heuristics - Process Environment Block 14

Condition P3. Walk through the loaded modules list and locate the second entry (kernel32.dll) (P3): the linear address of any of the Flink or Blink pointers in the one of the three list records of the PEB_LDR_DATA structure is read. Runtime Heuristics - Process Environment Block 15

Structured Exception Handling (SEH) - provides a unified way of handling hardware and software exceptionsSEH Runtime Heuristics - Backwards Searching 16

Runtime Heuristics - Backwards Searching 17

Condition B1. (i) any of the linear address between FS:[0]–FS:[0x8] is read (ii) the current or any previous instruction involved the FS register. Runtime Heuristics - Backwards Searching 18

Condition B2. (B2): the linear address of the Handlerfield of the default SEH handler is read. Runtime Heuristics - Backwards Searching 19

Condition B3. (B3): at least one memory read form the address space of kernel32.dll Runtime Heuristics - Backwards Searching 20

Egg-hunt shellcode Runtime Heuristics – Process Memory Scanning 21

Installing a custom exception handler that is invoked in case of a memory access violation Create a new SEH frame and adjust the current SEH frame pointer of the TIB to point to it Directly modify the Handler pointer of the current SEH frame to point to the attacker's handler routine Process Memory Scanning - SEH 22

Condition S1. (i) the linear address of FS:[0]is read or written (ii) the current or any previous instruction involved the FS register. Process Memory Scanning - SEH 23

Condition S2. (S2): the linear address of the Handler field in the custom SEH frame is or has been written Process Memory Scanning - SEH 24

Condition S3. (S3): starting from FS:[0], all SEH frames should reside on the stack, and the Handler field of the last frame should be set to 0xFFFFFFFF Process Memory Scanning - SEH 25

Another way to safely scanning the process address space is to check whether a page is mapped—before actually accessing it—using a system call Some Windows system calls accept as an argument a pointer to an input parameter. If the supplied pointer is invalid, the system call returns with a return value of STATUS_ACCESS_VIOLATION. Process Memory Scanning – System Call 26

Process Memory Scanning – System Call 27

Condition C1. (C1): the execution of an int 0x2e instruction with the eax register set to one of the following values: NtAccessCheckAndAuditAlarm(0x2), NtAddAtom (0x8), NtDisplayString(0x39 in Windows 2000, 0x43 in XP, 0x46 in 2003 Server, and 0x7F in Vista) Process Memory Scanning – System Call 28

Condition C2. (C2): (C{N}): C1 holds true N times Process Memory Scanning – System Call 29

The most widely used types of GetPC code for this purpose rely on some instruction from the call or fstenv instruction groupsGetPC The shellcode can register a custom exception handler, trigger an exception Runtime Heuristics – SHE-based GetPC Code 30

Gene, a network-level attack detector that uses a custom IA-32 emulator to identify the presence of shellcode in network streams Scan the client-initiated part of each TCP connection using the runtime heuristics The virtual memory of the emulator is initialized with an image of the complete address space of a typical Windows XP process taken from a real system Implementation 31

Experimental Evaluation – Detection Effectiveness 32

False Positives Evaluation - using a large and diverse set of benign inputs to test Heuristic Analysis Experimental Evaluation – Heuristic Robustness 33

Running on a system with a Xeon 1.86GHz processor and 2GB of RAM Experimental Evaluation – Runtime Performance 34

Deployed Gene in two University networks, where it has been operational since 25 November As of 17 April 2010, Gene has detected 116,513 code injection attacks against internal and external hosts in these two networks Experimental Evaluation – Real-world Deployment 35

Present a comprehensive shellcode detection method based on code emulation Expands the range of malicious code types that can be detected Detection of plain and metamorphic shellcode Without any false positives Conclusion 36

TIB and Thread Stack 37

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.