Eudaemon: Involuntary and on-demand emulation against zero-day exploits

EuroSys'08 - Proceedings of the EuroSys 2008 Conference

Volumn , Issue , 2008, Pages 287-299

  Portokalidis, Georgios ^a   Bos, Herbert ^a  

^a VU UNIVERSITY AMSTERDAM   (Netherlands)

Author keywords

Honeypots; Operating systems; Security

Indexed keywords

CONTROL FLOWS; END USERS; FLEXIBLE MECHANISMS; HONEYPOT; HONEYPOTS; HYPERVISOR; INTRUSION DETECTION AND PREVENTIONS; MALICIOUS CODES; ON DEMANDS; OPERATING SYSTEM SUPPORTS; OPERATING SYSTEMS; PERFORMANCE PENALTIES; RUNNING PROCESS; RUNNING SYSTEMS; SECURITY; SOURCE CODES; VULNERABLE REGIONS;

CODES (SYMBOLS); COMPUTER OPERATING SYSTEMS; TIME SERIES;

INTRUSION DETECTION;

EID: 59249104752     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1352592.1352622     Document Type: Conference Paper

References (39)

1. Infecting elf-files using function padding for linux. http://vx.netlux.org/lib/vhe00.html.
2. Runtime process infection. http://www.phrack.org/archives/59/p59-0x08. txt.
3. Writing parasitic code in C. http://ares.x25zine.org/ES/txt/C-parasites. txt.
4. A. Ho, M. Fetterman, C. Clark, A. Warfield, and S. Hand. Practical taint-based protection using demand emulation. In EuroSys, Leuven, Belgium, April 2006.
5. K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, E. M. K. Xinidis, and A. D. Keromytis. Detecting targeted attacks using shadow honeypots. In Usenix Security, Baltimore, MD, August 2005.
6. F. Bellard. QEMU, a fast and portable dynamic translator. In Proc. of USENIX ATC, pages 41-46, Anaheim, CA, April 2005.
7. S. Bhansali, W.-K. Chen, S. D. Jong, A. Edwards, and M. Drinic. Framework for instruction-level tracing and analysis of programs. In Proceedings of the 2nd International Conference on Virtual Execution Environments (VEE'06), pages 154-163, Ottawa, Canada, June 2006.
8. S. Bhatkar, D. D. Varney, and R. Sekar. Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In Proc. of USENIX Security, pages 105-120, August 2003.
9. D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Security and Privacy, Oakland, CA, May 2006.
10. C. Cowan, S. Beattie, J. Johansen and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In In Proc. of the 12th USENIX Security Symposium, pages 91-104, August 2003.
11. J. R. Crandall and F. T. Chong. Minos: Control data attack prevention orthogonal to memory model. In Proc. of the 37th annual International Symposium on Microarchitecture, pages 221-232, Portland, Oregon, 2004.
12. Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, PerryWagle and Qian Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, In 7th USENIX Security Symposium, San Francisco, CA, 2002.
13. W. Cui, V. Paxson, N. Weaver, and R. Katz. Protocol-independent adaptive replay of application dialog. In The 13th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2006.
14. W. de Bruijn, A. Slowinska, K. van Reeuwijk, T. Hruby, L. Xu, and H. Bos. Safecard: a gigabit ips on the network card. In Proceedings of 9th International Symposium on Recent Advances in Intrusion Detection (RAID'06), pages 311-330, Hamburg, Germany, September 2006.
15. D. Denning. A lattice model of secure information flow. ACM Transactions on Communications, 19(5):236-243, 1976.
16. eEye. eeye industry newsletter. http://www.eeye.com/html/resources/ newsletters/versa/VE20070516.html#techtal%k, May 2007.
17. W. W. Hsu and A. J. Smith. Characteristics of i/o traffic in personal computer and server workloads. IBM Systems Journal, 42(2), 2003.
18. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In Proc. of the ACM Computer and Communications Security (CCS), pages 272-280, Washington, DC, October 2003.
19. N. Krawetz. Anti-honeypot technology. IEEE Security and Privacy, 2(1):76-79, January 2004.
20. B. Lampson. Accountability and freedom. In Cambridge Computer Seminar, Cambridge, UK, October 2005.
21. C. Leita, M. Dacier, and F. Massicotte. Automatic handling of protocol dependencies and reaction to 0-day attacks with scriptgen based honeypots. In Proceedings of RAID'06, pages 185-205, Hamburg, Germany, September 2006.
22. M. E. Locasto, S. Sidiroglou, and A. D. Keromytis. Application communities: Using monoculture for dependability. In Proceedings of the 1st Workshop on Hot Topics in System Dependability (HotDep), pages 288-292, Yokohama, Japan, June 2005.
23. M. E. Locasto, A. Stavrou, G. F. Cretu, and A. D. Keromytis. From stem to sead: Speculative execution for automated defense. In Proceedings of the 2007 USENIX Annual Technical Conference, pages 219-232, June 2007.
24. M. Costa, J. Crowcroft, M. Castro, A Rowstron, L. Zhou, L. Zhang and P. Barham. Vigilante: End-to-end containment of internet worms. In In Proc. of the 20th ACM Symposium on Operating Systems Principles (SOSP), Brighton, UK, October 2005.
25. A. Moshchuk, T. Bragin, S. D. Gribble, and H. M. Levy. A crawler-based study of spyware in the web. In Proc. of NDSS'06, February 2006.
26. J. Newsome, D. Brumley, J. Franklin, and D. Song. Replayer: automatic protocol replay by binary analysis. In CCS'06: Proceedings of the 13th ACM conference on Computer and communications security, pages 311-321, New York, NY, USA, 2006. ACM Press.
27. J. Newsome and D. Song. Dynamic taint analysis for automatic detection analysis and signature generation of exploits on commodity software. In Proc. of the 12th Annual Network and Distributed System Security Symposium (NDSS), 2005.
28. G. Portokalidis, A. Slowinska, and H. Bos. Argos: an Emulator for Fingerprinting Zero-Day Attacks. In Proc.of the 1st ACM SIGOPS EUROSYS, Leuven. Belgium, April 2006.
29. J. Richter. Load your 32-bit dll into another process's address space using injlib. Microsoft Systems Journal (MSJ), January 1996.
30. SANS. Sans institute press update. http: //www.sans.org/top20/2006/press- release.pdf, 2006.
31. H. Shacham, M. Page, B. Pfaff, E. Goh, and N. Modadugu. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM conference on Computer and communications security, pages 298-307. ACM, 2004.
32. S. Sidiroglou, M. Locasto, S. Boyd, and A. Keromytis. Building a reactive immune system for software services. In Proceedings of the 2005 USENIX Annual Technical Conference, 2005.
33. A. Slowinska and H. Bos. The age of data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack. In 23rd Annual Computer Security Applications Conference (ACSAC'07), Miami, FLA, December 2007.
34. P. Szor and P. Ferrie. Hunting for metamorphic. In Virus Bulletin Conference, pages 123-144, Abingdon, Oxfordshire, England, September 2001.
35. J. Tucek, S. Lu, C. Luang, S. Xanthos, Y. Zhou, J. Newsome, D. Brunmley, and D. Song. Sweeper: a light-weight end-to-end system for defending against fast worms. In Proceedings of Eurosys 2007, Lisbon, Portugal, April 2007.
36. X. Wang, Z., Li, J. Xu, M. K. Reiter, C. Kil, and J. Y. Choi. Packet vaccine: black-box exploit detection and signature generatio n. In CCS'06: Proceedings of the 13th ACM conference on Computer and communications security, pages 37-46, New York, NY, USA, 2006. ACM Press.
37. Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. King. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proc. Network and Distributed System Security (NDSS), San Diego, CA, February 2006.
38. S. M. B. William R. Cheswick, Aviel D. Rubin. Firewalls and Internet Security: repelling the wily hacker (2nd ed.). Addison-Wesley, ISBN 020163466X, 2003.
39. C. C. Zou and R. Cunningham. Honeypot-aware advanced botnet construction and maintenance. In The International Conference on Dependable Systems and Networks (DSN-2006), Philadelphia, PA, USA, June 2006.