ROP payload detection using speculative code execution

Proceedings of the 2011 6th International Conference on Malicious and Unwanted Software, Malware 2011

Volumn , Issue , 2011, Pages 58-65

  Polychronakis, Michalis ^a   Keromytis, Angelos D ^a  

^a Och Spine at New York Presbyterian Hospitals   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ADDRESS SPACE; ATTACK VECTOR; CODE EXECUTION; CODE INJECTION ATTACKS; DETECTION METHODS; DETECTION TECHNIQUE; EXPERIMENTAL EVALUATION; FALSE POSITIVE; INPUT DATAS; MEMORY BUFFERS; MEMORY PAGES; NETWORK TRAFFIC; PROTOTYPE IMPLEMENTATIONS; RUNTIMES; SHELLCODE; WINDOWS APPLICATION;

COMPUTER CRIME;

CODES (SYMBOLS);

EID: 84855846511     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/MALWARE.2011.6112327     Document Type: Conference Paper

References (26)

1. http://www.whitephosphorus.org/
2. http://www.exploit-db.com/
3. http://www.metasploit.com/
4. P. Baecher and M. Koetter. libemu. http://libemu.carnivore.it/
5. K. Baumgartner. The ROP pack. In Proceedings of the 20th Virus Bulletin International Conference (VB), 2010.
6. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proceedings of the 17th ACM conference on Computer and Communications Security (CCS), 2010.
7. Corelan Team. Corelan ROPdb. https://www.corelan.be/index.php/security/ corelan-ropdb/
8. M. Cova, C. Kruegel, and G. Vigna. Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of the 19th International World Wide Web Conference (WWW), 2010.
9. M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda. Defending browsers against drive-by downloads: Mitigating heapspraying code injection attacks. In Proceedings of the 6th international conference on Detection of Intrusions and Malware, & Vulnerability Assessment (DIMVA), 2009.
10. Ú. Erlingsson. Low-level software security: Attack and defenses. Technical Report MSR-TR-07-153, Microsoft Research, 2007. http://research. microsoft.com/pubs/64363/tr-2007-153.pdf
11. R. Hensing. Understanding DEP as a mitigation technology. 2009. http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as- amitigation-technology-part-1.aspx
12. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2005.
13. M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Comprehensive shellcode detection using runtime heuristics. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December 2010.
14. M. Polychronakis, E. P. Markatos, and K. G. Anagnostakis. Network-level polymorphic shellcode detection using emulation. In Proceedings of the Third Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2006.
15. M. Polychronakis, E. P. Markatos, and K. G. Anagnostakis. Emulation-based detection of non-self-contained polymorphic shellcode. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2007.
16. P. Ratanaworabhan, B. Livshits, and B. Zorn. NOZZLE: A defense against heap-spraying code injection attacks. In Proceedings of the 18th USENIX Security Symposium, Aug. 2009.
17. H. Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and Communications Security (CCS), 2007.
18. K. Z. Snow, S. Krishnan, F. Monrose, and N. Provos. ShellOS: Enabling fast detection and forensic analysis of code injection attacks. In Proceedings of the 20th USENIX Security Symposium, 2011.
19. Solar Designer. Getting around non-executable stack (and fix). http://seclists.org/bugtraq/1997/Aug/63
20. P.Solé. Hanging on a ROPe. http://www.immunitysec.com/downloads/ DEPLIB20-ekoparty.pdf
21. T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th Symposium on Recent Advances in Intrusion Detection (RAID), Oct. 2002.
22. Z. Tzermias, G. Sykiotakis, M. Polychronakis, and E. P. Markatos. Combining static and dynamic analysis for the detection of malicious documents. In Proceedings of the European Workshop on System Security (EuroSec), April 2011.
23. X. Wang, C.-C. Pan, P. Liu, and S. Zhu. Sigfree: A signature-free buffer overflow attack blocker. In Proceedings of the USENIX Security Symposium, Aug. 2006.
24. G. Wicherski. libscizzle. http://code.mwcollect.org/projects/libscizzle
25. Q. Zhang, D. S. Reeves, P. Ning, and S. P. Lyer. Analyzing network traffic to detect self-decrypting exploit code. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2007.
26. D. A. D. Zovi. Practical return-oriented programming. SOURCE Boston, 2010.