Automating mimicry attacks using static binary analysis

Authors: Engin Kirda, Christopher Kruegel, Darren Mutz, Giovanni Vigna, William Robertson

DOI:

Keywords: Intrusion detection system, Real-time computing, Program counter, Computer science, System call, Symbolic execution, Distributed computing, Call stack, Evasion (network security), Control flow, Process (computing)

Abstract: Intrusion detection systems that monitor sequences of system calls have recently become more sophisticated in defining legitimate application behavior. In particular, additional information, such as the value of the program counter and the configuration of the program's call stack at each system call, has been used to achieve a better characterization of program behavior. While there is common agreement that this additional information complicates the task for the attacker, it is less clear to which extent an intruder is constrained. In this paper, we present a novel technique to evade the extended detection features of state-of-the-art intrusion detection systems and reduce the task of the intruder to a traditional mimicry attack. Given a legitimate sequence of system calls, our technique allows the attacker to execute each system call in the correct execution context by obtaining and relinquishing control of the application's execution flow through manipulation of code pointers. We have developed a static analysis tool for Intel x86 binaries that uses symbolic execution to automatically identify instructions that can be used to redirect control flow and to compute the necessary modifications to the environment of the process. We used our tool to successfully exploit three vulnerable programs and evade existing monitors. In addition, we analyzed real-world applications to verify the general applicability of our techniques.

References (20)
Kymie M. C. Tan, Kevin S. Killourhy, Roy A. Maxion. Undermining an anomaly-based intrusion detection system using common exploits. Recent Advances in Intrusion Detection, pp. 54-73 (2002). DOI: 10.1007/3-540-36084-0_4
Barton P. Miller, Somesh Jha, Jonathon T. Giffin. Efficient Context-Sensitive Intrusion Detection. Network and Distributed System Security Symposium (2004).
Haizhi Xu, Wenliang Du, Steve J. Chapin. Context Sensitive Anomaly Monitoring of Process Control Flow To Detect Mimicry Attacks and Impossible Paths. Recent Advances in Intrusion Detection, pp. 21-38 (2004). DOI: 10.1007/978-3-540-30143-1_2
Roberto Bagnara, Elisa Ricci, Enea Zaffanella, Patricia M. Hill. Possibly Not Closed Convex Polyhedra and the Parma Polyhedra Library. Static Analysis Symposium, pp. 213-229 (2002). DOI: 10.1007/3-540-45789-5_17
Flemming Nielson, Chris Hankin, Hanne R. Nielson. Principles of Program Analysis (1999).
Debin Gao, Dawn Song, Michael K. Reiter. On gray-box program tracking for anomaly detection. USENIX Security Symposium, pp. 8-8 (2004).
Barton P. Miller, Somesh Jha, Jonathon T. Giffin. Detecting Manipulated Remote Call Streams. USENIX Security Symposium, pp. 61-79 (2002).
Henry Hanping Feng, J. T. Giffin, Yong Huang, S. Jha, Wenke Lee, B. P. Miller. Formalizing sensitivity in static analysis for intrusion detection. IEEE Symposium on Security and Privacy, pp. 194-208 (2004). DOI: 10.1109/SECPRI.2004.1301324
Patrick Cousot, Radhia Cousot. Abstract interpretation. Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL '77), pp. 238-252 (1977). DOI: 10.1145/512950.512973
James C. King. Symbolic execution and program testing. Communications of the ACM, vol. 19, pp. 385-394 (1976). DOI: 10.1145/360248.360252