STILL: Exploit code detection via static taint and initialization analyses

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2008, Pages 289-298

  Wang, Xinran ^a   Jhi, Yoon Chan ^a   Zhu, Sencun ^a,b   Liu, Peng ^b  

^a The Pennsylvania State University   (United States)

^b PENNSYLVANIA STATE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ANALYSIS APPROACHES; ANALYSIS SOLUTIONS; ANTI STATICS; CODE DETECTIONS; CODE OBFUSCATIONS; CONTROL FLOW GRAPHS; INITIALIZATION ANALYSIS; INTERNET SERVICES;

COMPUTER APPLICATIONS; INTERNET; SECURITY SYSTEMS; STATIC ANALYSIS;

CODES (SYMBOLS);

EID: 60649104827     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2008.37     Document Type: Conference Paper

References (31)

1. Computer emergency response team (cert). http://www.cert.org.
2. Intel ia-32 architecture software developer's manual volume 1: Basic architecture. Intel Corporation.
3. Jempiscodes - a polymorphic shellcode generator. http://www.shellcode. com.ar/en/proyectos.html.
4. The metasploit project. http://www.metasploit.com.
5. Microsoft security bulletin. http://www.microsoft.com/technet/security/ current.aspx.
6. the de facto standard for intrusion deetection/preventions. http://www.snort.org.
7. G. Balakrishnan and T. Reps. Analyzing memory accesses in x86 executables. In 13th International Conference on Compiler Construction, 2004.
8. R. Chinchani and E. Van Den Berg. A fast static analysis approach to detect exploit code inside network flows. In RAID, 2005.
9. C. Cifuentes and A. Fraboulet. Intraprocedural static slicing of binary executables.
10. C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical Report 148, University of Auckland, July 1997.
11. Solar Designer. Getting around non-executable stack (and fix). http://seclists.org/bugtraq/1997/Aug/0063.html.
12. T. Detristan, T. Ulenspiegel, Y. Malcom, and M. Superbus Von Underduk. Polymorphic shellcode engine using spectrum analysis. http://www.phrack.org/ show.php?p=61&a=9.
13. C. Ionescu. Getpc code. http://www.securityfocus.com/archive/82/327348/ 2006-01-03/1.
14. J. C. King. Symbolic execution and program testing. Communications of the ACM, 19(7), 1976.
15. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In RAID, 2005.
16. C. Kruegel, W. Robertson, F. Valeur, and G. Vigna. Static disassembly of obfuscated binaries. In Proceedings of USENIX Security 2004, August 2004.
17. Z. Li, M. Sanghi, Y. Chen, M. Y. Kao, and B. Chavez. Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In IEEE Symposium on Security and Privacy, May 2006.
18. C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. In ACM CCS, 2003.
19. S. Macaulay. Admmutate: Polymorphic shellcode engine. http://www.ktwo.ca/security.html.
20. A. Moser, C. Kruegel, and E. Kirda. Limits of static analysis for malware detection. In Proceedings of the 23rd ACSAC, 2007.
21. J. Newsome, B. Karp, and D. Song. Polygraph: Automatic signature generation for polymorphic worms. In IEEE Security and Privacy Symposium, May 2005.
22. Noir. Getpc code. http://www.securityfocus.com/archive/82/327100/2006-01- 03/1.
23. M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Network-level polymorphic shellcode detection using emulation. In DIMVA, 2006.
24. S. Singh, C. Estan, G. Varghese, and S. Savage. Earlybird system for real-time detection of unknown worms. Technical report, Univ. of California at San Diego, 2003.
25. sk. History and advances in windows shellcode. Phrack, vol. 11, no. 62, July 2004.
26. P. Szor. The Art of Computer Virus Research and Defense. Addison-Wesley, 2005.
27. G. Vigna, W. Robertson, and D. Balzarotti. Testing network-based intrusion detection signatures using mutant exploits. In ACM CCS, 2005.
28. X. Wang, C. Pan, P. Liu, and S. Zhu. Sigfree: A signature-free buffer overflow attack blocker. In 15th Usenix Security Symposium, July 2006.
29. X. F. Wang, Z. Li, J. Xu, M. K. Reiter, C. Kil, and J. Y. Choi. Packet vaccine: Black-box exploit detection and signature generation. In ACM Conference on CCS, 2006.
30. O. Yuschuk. Ollydbg disassembler, 2006.
31. Q. Zhang, D. S. Reeves, P. Ning, and S. Purushothaman Iyer. Analyzing network traffic to detect self-decrypting exploit code. In AsiaCCS, 2007.