Proceedings ArticleDOI

Reuse-oriented camouflaging trojan: Vulnerability detection and attack construction

Abstract
We introduce the reuse-oriented camouflaging trojan, a new threat to legitimate software binaries. To perform a malicious action, such a trojan identifies and reuses an existing function in a legal binary program instead of implementing the function itself. Furthermore, this trojan is stealthy in that the malicious invocation of a targeted function usually takes place at a location where it is legal to do so, closely mimicking a legal invocation. At the network level, the victim binary still follows its communication protocol without exhibiting any anomalous behavior. Meanwhile, many closed-source shareware binaries are rich in functions that can be maliciously "reused", making them attractive targets for this type of attack. In this paper, we present a framework to determine whether a given binary program is vulnerable to this attack and, if so, to construct a concrete trojan. Our experiments with a number of real-world software binaries demonstrate that reuse-oriented camouflaging trojans are a real threat and that vulnerabilities of this type in legal binaries can be effectively revealed and confirmed.


Citations
Proceedings ArticleDOI

Jump-oriented programming: a new class of code-reuse attack

TL;DR: This paper introduces a new class of code-reuse attack, called jump-oriented programming, which eliminates the reliance on the stack and ret instructions (including ret-like instructions such as pop+jmp) seen in return-oriented programming without sacrificing expressive power.
Proceedings ArticleDOI

Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

TL;DR: VMST is presented, an entirely new technique that can automatically bridge the semantic gap and generate the VMI tools and automatically enables an in-guest inspection program to become an introspection program.
Journal ArticleDOI

Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

TL;DR: VMST is an entirely new technique that can automatically bridge the semantic gap and generate the VMI tools and automatically enables an in-guest inspection program to become an introspection program.
ReportDOI

Binary Code Extraction and Interface Identification for Security Applications

TL;DR: This paper proposes a novel technique to identify the prototype of an undocumented code fragment directly from the program's binary, without access to source code or symbol information, and designs and implements a tool that uses a combination of dynamic and static analysis to extract the instructions of an assembly function into a form that can be reused by other C code.
Proceedings ArticleDOI

Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries

TL;DR: This paper presents a novel approach to automatically extract, from a given binary executable, the algorithm related to a certain activity of the sample, and generates a so-called gadget, i.e., a stand-alone component that encapsulates a specific behavior.