Yataglass: Network-level code emulation for analyzing memory-scanning attacks

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5587 LNCS, Issue , 2009, Pages 68-87

  Shimamura, Makoto ^a   Kono, Kenji ^a,b  

^a KEIO UNIVERSITY   (Japan)

^b JAPAN SCIENCE AND TECHNOLOGY AGENCY   (Japan)

Author keywords

Code injection attack; Intrusion analysis; Intrusion detection; Memory scanning attack; Network level code emulation

Indexed keywords

CODE-INJECTION ATTACK; COMPUTER SECURITY; INTRUSION ANALYSIS; MEMORY-SCANNING ATTACK; NETWORK-LEVEL CODE EMULATION; REMOTE CODE; SHELLCODE;

COMPUTER CRIME; SCANNING;

INTRUSION DETECTION;

EID: 70350658277     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-02918-9_5     Document Type: Conference Paper

References (37)

1. AlephOne: Smashing stack for fun and profit. Phrack (November 1996)
2. MITRE: OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability (2002), http://www.securityfocus.com/bid/5363
3. Sotirov, A.: Apache openssl heap overflow exploit (September 2002), http://www.phreedom.org/research/exploits/apache-openssl/
4. Li, W., cher Chiueh, T.: Automated format string attack prevention for win32/x86 binaries. In: Proc. of the 23rd Annual Computer Security Applications Conference ACSAC 2007, pp. 398-409 (2007)
5. Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proc. of the 13th USENIX Conference on Systems Administration LISA 1999, pp. 229-238 (1999)
6. Paxson, V.: Bro: a system for detecting network intruders in real-time. Computer Networks 31(23-24), 2435-2463 (1999)
7. Chinchani, R., Berg, E.V.D.: A fast static analysis approach to detect exploit code in network flows. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 284-308. Springer, Heidelberg (2006)
8. The Metasploit Project: Metasploit, http://www.metasploit.com/
9. Bania, P.: Tapion (2005), http://pb.specialised.info/all/tapion/
10. K2: Admmutate (2007), http://www.ktwo.ca/ADMmutate-0.8.4.tar.gz
11. Sedalo, M.: Jempiscode (2006), http://goodfellas.shellcode.com.ar/ proyectos.html
12. Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207-226. Springer, Heidelberg (2006)
13. Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Network-level polymorphic shellcode detection using emulation. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 54-73. Springer, Heidelberg (2006)
14. Ma, J., Dunagan, J., Wang, H.J., Savage, S., Voelker, G.M.: Finding diversity in remote code injection exploits. In: Proc. of the 6th ACM SIGCOMM on Internet Measurement IMC 2006, October 2006, pp. 53-64 (2006)
15. Zhang, Q., Reeves, D.S., Ning, P.: Analyzing network traffic to detect self-decrypting exploit code. In: Proc. of the 2nd ASIAN ACM Symposium on Information, Computer and Communications Security ASIACCS 2007, March 2007, pp. 4-12 (2007)
16. Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Emulation-based detection of non-self-contained polymorphic shellcode. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 87-106. Springer, Heidelberg (2007)
17. Borders, K., Prakash, A., Zielinski, M.: Spector: Automatically analyzing shell code. In: Proc. of the 23rd Annual Computer Security Applications Conference ACSAC 2007, pp. 501-514 (2007)
18. Linn, C.M., Rajagopalan, M., Baker, S., Collberg, C., Debray, S.K., Hartman, J.: Protecting against unexpected system calls. In: Proc. of the 13th Usenix Security Symposium, August 2005, pp. 239-254 (2005)
19. Wang, X., Pan, C.C., Liu, P., Zhu, S.: SigFree: A Signature-free Buffer Overflow Attack Blocker. In: Proc. of the 15th Usenix Security Symposium, pp. 225-240 (2006)
20. Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: EXE: automatically generating inputs of death. In: Proc. of the 13th ACM Conference on Computer and Communications Security CCS 2006, October 2006, pp. 322-335 (2006)
21. Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proc. of the 2007 IEEE Symposium on Security and Privacy S&P 2007, May 2007, pp. 231-245 (2007)
22. Brumley, D., Hartwig, C., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Song, D., Yin, H.: Bitscope: Automatically dissecting malicious binaries. Technical Report CMU-CS-07-133, Carnegie Mellon University (2007)
23. SystemV Application Binary Interface Intel 386 Architecture Processor Supplement, http://www.caldera.com/developers/devspecs/abi386-4.pdf
24. jt: Libdasm (2006), http://www.klake.org/~jt/misc/libdasm-1.5.tar.gz
25. Smith, J.E., Nair, R.: Virtual Machines - Versatile Platforms for Systems and Processes. Elsevier, Amsterdam (2005)
26. MITRE: ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability (2001), http://www.securityfocus.com/bid/2302
27. MITRE: Wu-ftpd file globbing heap corruption vulnerability (2001), http://securityfocus.com/bid/3581
28. MITRE: rsync Signed Array Index Remote Code Execution Vulnerability (2002), http://www.securityfocus.com/bid/3958
29. MITRE: Wu-imapd Partial Mailbox Attribute Remote Buffer Overflow Vulnerability (2002), http://securityfocus.com/bid/4713
30. MITRE: Samba 'call trans2open' remote buffer overflow vulnerability (2003), http://securityfocus.com/bid/7294
31. MITRE: Cyrus IMAPD POP3D Remote Buffer Overflow Vulnerability (2006), http://www.securityfocus.com/bid/18506
32. SecurityFocus: http://securityfocus.com/
33. Milw0rm: http://www.milw0rm.com/
34. PaX Team: PaX address space layout randomization (ASLR), http://pax.grsecurity.net/docs/aslr.txt
35. Andersson, S., Clark, A., Mohay, G.M.: Network-based buffer overflow detection by exploit code analysis. In: Proc. of the AusCERT Asia Pacific Information Technology Security Conference, pp. 39-53 (2004)
36. Dunlap, G.W., King, S.T., Cinar, S., Basrai, M., Chen, P.M.: Revirt: Enabling intrusion analysis through virtual-machine logging and replay. In: Proc. of the 5th Symposium on Operating Systems Design and Implementation OSDI 2002, December 2002, pp. 211-224 (2002)
37. Andersson, S., Clark, A., Mohay, G.M., Schatz, B., Zimmermann, J.: A Framework for Detecting Network-based Code Injection Attacks Targeting Windows and UNIX. In: Proc. of the 21st Annual Computer Security Applications Conference ACSAC 2005, pp. 49-58 (2005)