DROP: Detecting return-oriented programming malicious code

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5905 LNCS, Issue , 2009, Pages 163-177

  Chen, Ping ^a   Xiao, Hai ^a   Shen, Xiaobin ^b   Yin, Xinchun ^b   Mao, Bing ^a   Xie, Li ^a  

^a NANJING UNIVERSITY   (China)

^b YANGZHOU UNIVERSITY   (China)

Author keywords

[No Author keywords available]

Indexed keywords

ANTI VIRUS; CONTROL FLOWS; EXECUTABLES; FALSE POSITIVE; FUNCTION CALLS; INTRINSIC FEATURES; MALICIOUS CODES; MEMORY SPACE; PROGRAM DESIGN; SCANNING TECHNIQUES;

INFORMATION SYSTEMS;

NETWORK SECURITY;

EID: 71549162538     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-10772-6_13     Document Type: Conference Paper

References (45)

1. The pax project (2004), http://pax.grsecurity.net/
2. linux/x86 execve("/bin/sh", ["/bin/sh", null]). milw0rm (2006), http://www.milw0rm.com/shellcode/1635
3. linux/x86 execve(rm -rf /) shellcode. milw0rm (2006), http://www.milw0rm.com/shellcode/2801
4. linux/x86 normal exit w/ random (so to speak) return value. milw0rm (2006), http://www.milw0rm.com/shellcode/1435
5. linux/x86 portbind (define your own port). milw0rm (2006), http://www.milw0rm.com/shellcode/1979
6. linux/x86 /sbin/iptables -f. milw0rm (2007), http://www.milw0rm.com/ shellcode/3445
7. linux/x86 edit /etc/sudoers for full access. milw0rm (2008), http://www.milw0rm.com/shellcode/7161
8. linux/x86 chmod ("/etc/shadow",666) & exit(0). milw0rm (2009), http://www.milw0rm.com/shellcode/8081
9. linux/x86 killall5 shellcode. milw0rm (2009), http://www.milw0rm.com/ shellcode/8972
10. linux/x86 push reboot(). milw0rm (2009), http://www.milw0rm.com/ shellcode/7808
11. linux/x86 setreuid(geteuid(),geteuid()),execve("/bin/sh",0,0). milw0rm (2009), http://www.milw0rm.com/shellcode/8972
12. Abadi, M., Budiu, M., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security(CCS), pp. 340-353. ACM Press, New York (2005)
13. Baratloo, A., Singh, N., Tsai, T.: Transparent run-time defense against stack smashing attacks. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, p. 21. USENIX Association, Berkeley (2000)
14. Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to risc. In: Proceedings of the 15th ACM Conference on Computer and Communications Security(CCS), pp. 27-38. ACM, New York (2008)
15. Cavallaro, L., Lanzi, A., Mayer, L., Monga, M.: Lisabeth: automated content-based signature generator for zero-day polymorphic worms. In: Proceedings of the 4th International Workshop on Software Engineering for Secure Systems(SESS), pp. 41-48. ACM, New York (2008)
16. Costa, M., Crowcroft, J., Castro, M., Rowstron, A., Zhou, L., Zhang, L., Barham, P.: Vigilante: End-to-end containment of internet worm epidemics. ACM Transactions on Computer Systems (TOCS) 26(4), 1-68 (2008)
17. Cowan, C., Pu, C., Maier, D.,Walpole, J., Bakke, P., Beattie, S., Grier, A.,Wagle, P., Zhang, Q.: Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th Conference on USENIX Security Symposium, p. 5. USENIX Association, Berkeley (1998)
18. Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G., Frantzen, M., Lokier, J.: Formatguard: Automatic protection from printf format string vulnerabilities. In: Proceedings of the 10th conference on USENIX Security Symposium, p. 2003 (2000)
19. Cowan, C., Beattie, S., Johansen, J., Wagle, P.: Pointguardtm: protecting pointers from buffer overflow vulnerabilities. In: Proceedings of the 12th Conference on USENIX Security Symposium, p. 7. USENIX Association, Berkeley (2003)
20. Crandall, J.R., Su, Z.,Wu, S.F., Chong, F.T.: On deriving unknown vulnerabilities from zeroday polymorphic and metamorphic worm exploits. In: Proceedings of the 12th ACM Conference on Computer and Communications Security(CCS), pp. 235-248 (2005)
21. Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In: Proceedings of 18th USENIX Security Symposium (2009)
22. Kim, H.A., Karp, B.: Autograph: toward automated, distributed worm signature detection. In: Proceedings of the 13th Conference on USENIX Security Symposium, p. 19. USENIX Association, Berkeley (2004)
23. Krahmer, S.: X86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. Phrack Magazine (2005), http://www.suse.de/krahmer/no- nx.pdf
24. Kreibich, C., Crowcroft, J.: Honeycomb: creating intrusion detection signatures using honeypots. ACM SIGCOMM Computer Communication Review 34(1), 51-56 (2004)
25. Li, Z., Sanghi, M., Chen, Y., Kao, M.Y., Chavez, B.: Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 32-47 (2006)
26. Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 190-200. ACM, New York (2005)
27. McDonald, J.: Defeating solaris/sparc non-executable stack protection. Bugtraq (1999)
28. milw0rm: http://www.milw0rm.com/shellcode/linux/x86
29. Nergal: The advanced return-into-lib(c) exploits (pax case study). Phrack Magazine (2001), http://www.phrack.org/archives/58/p58-0x04
30. Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: Proceedings of the 2007 PLDI Conference, vol. 42(6), pp. 89-100 (2007)
31. Newsome, J., Brumley, D., Song, D.: Vulnerability-specific execution filtering for exploit prevention on commodity software. In: Proceedings of the 13th Annual Network and Distributed System Security Symposium, NDSS (2006)
32. Newsome, J., Karp, B., Song, D.: Polygraph: Automatically generating signatures for polymorphic worms. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 226-241 (2005)
33. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software (2005)
34. Paxson, V.: Bro: a system for detecting network intruders in real-time. In: Proceedings of the 7th Conference on USENIX Security Symposium, Berkeley, CA, USA, p. 3 (1998)
35. Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Network-level polymorphic shellcode detection using emulation. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 54-73. Springer, Heidelberg (2006)
36. Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Emulation-based detection of nonself-contained polymorphic shellcode. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 87-106. Springer, Heidelberg (2007)
37. Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: Systems, languages, and applications (2009) (in review)
38. Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration, pp. 229-238. USENIX Association, Berkeley (1999)
39. Ruwase, O., Lam, M.S.: A practical dynamic buffer overflow detector. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), pp. 159-169 (2004)
40. Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 552-561. ACM, New York (2007)
41. Shimamura, M., Kono, K.: Yataglass: Network-level code emulation for analyzing memoryscanning attacks. In: Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 68-87 (2009)
42. Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of the 6th Conference on Symposium on Opearting Systems Design & Implementation( OSDI), p. 4. USENIX Association, Berkeley (2004)
43. Wang, X., Pan, C.C., Liu, P., Zhu, S.: Sigfree: A signature-free buffer overflow attack blocker. IEEE Transactions on Dependable and Secure Computing 99(2) (2006)
44. Xu, W., Bhatkar, S., Sekar, R.: Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In: Proceedings of the 15th Conference on USENIX Security Symposium (USENIX-SS 2006). USENIX Association, Berkeley (2006)
45. Zhang, Q., Reeves, D.S., Ning, P., Iyer, S.P.: Analyzing network traffic to detect selfdecrypting exploit code. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pp. 4-12. ACM, New York (2007)