Enforcing system-wide control flow integrity for exploit detection and diagnosis

Authors: Aravind Prakash, Heng Yin, Zhenkai Liang

DOI: 10.1145/2484313.2484352

Keywords:

Abstract: Modern malware like Stuxnet is complex and exploits multiple vulnerabilities, not only in user-level processes but also in the OS kernel, to compromise a system. A main trait of such malware is the manipulation of control flow. There is a pressing need to detect and diagnose exploits. Existing solutions that monitor control flow either have large overhead or high false positives and negatives, making their deployment impractical. In this paper, we present Total-CFI, an efficient and practical tool built on a software emulator, capable of exploit detection by enforcing system-wide Control Flow Integrity (CFI). Total-CFI performs punctual guest view reconstruction to identify key semantics such as processes, code modules and threads. It incorporates a novel thread stack identification algorithm that identifies the stack boundaries of different threads. Furthermore, Total-CFI enforces a CFI policy - a combination of whitelist-based and shadow call stack-based approaches - on indirect control flows to detect exploits. We provide a proof-of-concept implementation on DECAF, built on top of Qemu. We tested it on 25 commonly used programs and 7 recent real-world exploits on Windows and found 0 false positives and 0 false negatives, respectively. The boot time overhead was found to be no more than 64.1% and the average memory overhead was 7.46KB per loaded module, making it feasible for hardware integration.
