Persistent Data-only Malware: Function Hooks without Code

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Vogl, Sebastian ^a   Pfoh, Jonas ^a   Kittel, Thomas ^a   Eckert, Claudia ^a  

^a TECHNICAL UNIVERSITY OF MUNICH   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); HOOKS;

ADDRESS SPACE LAYOUT RANDOMIZATIONS; ATTACK MECHANISM; MALWARES; PROOF OF CONCEPT; PROTECTION MECHANISMS; RETURN-ORIENTED PROGRAMMING; SECURE BOOTS; SHELLCODE; SIMPLE++; SYSTEM SECURITY;

MALWARE;

EID: 85089583900     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23019     Document Type: Conference Paper

References (39)

1. “Kernel patch protection: Frequently asked questions,” January 2007. [Online]. Available: http://msdn.microsoft.com/en-us/windows/hardware/gg487353.aspx
2. ARM Architecture Reference Manual ARMv7-A and ARMv7-R edition, Section B3.7.2, ARM, July 2012.
3. T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang, “Jump-oriented programming: a new class of code-reuse attack,” in Proceedings of the 6th Symposium on Information, Computer and Communications Security. ACM, 2011.
4. E. Buchanan, R. Roemer, H. Shacham, and S. Savage, “When good instructions go bad: generalizing return-oriented programming to risc,” in Proceedings of the 15th conference on Computer and communications security. ACM, 2008.
5. Bulba and Kil3r, “Bypassing stackguard and stackshield,” Phrack, vol. 56, no. 5, January 2000. [Online]. Available: http://www.phrack.org/issues.html?issue=56&id=5
6. M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang, “Mapping kernel objects to enable systematic integrity checking,” in Proceedings of the 16th conference on Computer and communications security. ACM, 2009.
7. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy, “Return-oriented programming without returns,” in Proceedings of the 17th conference on Computer and communications security. ACM, 2010.
8. S. Checkoway, A. J. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, and H. Shacham, “Can DREs provide long-lasting security? The case of return-oriented programming and the avc advantage,” in Proceedings of the conference on Electronic voting technology/workshop on trustworthy elections. USENIX Association, 2009.
9. P. Chen, X. Xing, B. Mao, and L. Xie, “Return-oriented rootkit without returns (on the x86),” in Information and Communications Security, ser. LNCS. Springer, 2010, vol. 6476, pp. 340–354.
10. corelanc0d3r, “Exploit writing tutorial part 11: Heap spraying demystified,” Corelan Team, Tech. Rep., December 2011. [Online]. Available: https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
11. C. Cowan, S. Beattie, J. Johansen, and P. Wagle, “Pointguard tm: protecting pointers from buffer overflow vulnerabilities,” in Proceedings of the 12th USENIX Security Symposium. USENIX Association, 2003.
12. C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, “Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks,” in Proceedings of the 7th USENIX Security Symposium. USENIX Association, 1998.
13. D. A. Dai Zovi, “Practical return-oriented programming,” April 2010. [Online]. Available: http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf
14. L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy, “Return-oriented programming without returns on arm,” Ruhr-University Bochum, Tech. Rep. HGI-TR-2010-002, 2010.
15. L. Davi, A.-R. Sadeghi, and M. Winandy, “Ropdefender: a detection tool to defend against return-oriented programming attacks,” in Proceedings of the 6th Symposium on Information, Computer and Communications Security. ACM, 2011.
16. A. Francillon, D. Perito, and C. Castelluccia, “Defending embedded systems against control flow attacks,” in Proceedings of the 1st Workshop on Secure execution of untrusted code. ACM, 2009.
17. C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum, “Enhanced operating system security through efficient and fine-grained address space randomization,” in Proceedings of the 21st USENIX Security symposium. USENIX Association, 2012.
18. R. Hund, T. Holz, and F. C. Freiling, “Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms,” in Proceedings of the 18th USENIX Security Symposium. USENIX Association, 2009.
19. R. Hund, C. Willems, and T. Holz, “Practical timing side channel attacks against kernel space aslr,” in Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 2013.
20. Intel 64 and IA-32 Architectures Software Developer’s Manual Volumes 3: System Programming Guide, Intel Corporation, March 2013.
21. V. Katoch, “Whitepaper on bypassing aslr/dep,” Secfence, Tech. Rep., September 2011. [Online]. Available: http://www.exploit-db.com/wp-content/themes/exploit/docs/17914.pdf
22. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram, “Defeating return-oriented rootkits with”return-less” kernels,” in Proceedings of the 5th European conference on Computer systems. ACM, 2010.
23. Nergal, “The advanced return-into-lib(c) exploits,” Phrack, vol. 58, no. 4, December 2001. [Online]. Available: http://www.phrack.org/issues.html?issue=58&id=4
24. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda, “G-Free: defeating return-oriented programming through gadget-less binaries,” in Proceedings of the 26th Annual Computer Security Applications Conference. ACM, 12 2010.
25. A. One, “Smashing the stack for fun and profit,” Phrack, vol. 49, no. 14, November 1996. [Online]. Available: http://www.phrack.org/issues.html?issue=49&id=14
26. V. Pappas, M. Polychronakis, and A. D. Keromytis, “Smashing the gadgets: Hindering return-oriented programming using in-place code randomization,” in Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 2012.
27. N. L. Petroni, Jr. and M. Hicks, “Automated detection of persistent kernel control-flow attacks,” in Proceedings of the 14th conference on Computer and communications security. ACM, 2007.
28. J. Pincus and B. Baker, “Beyond stack smashing: recent advances in exploiting buffer overruns,” Security & Privacy, vol. 2, no. 4, pp. 20–27, 2004.
29. R. Riley, X. Jiang, and D. Xu, “Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing,” in Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection. Springer, 2008.
30. C. Schneider, J. Pfoh, and C. Eckert, “Bridging the semantic gap through static code analysis,” in Proceedings of the 5th European Workshop on System Security. ACM, 2012.
31. E. J. Schwartz, T. Avgerinos, and D. Brumley, “Q: Exploit hardening made easy,” in Proceedings of the USENIX Security Symposium. USENIX Association, 2011.
32. H. Shacham, “The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86),” in Proceedings of the 14th conference on Computer and communications security. ACM, 2007.
33. A. Shishkin and I. Smit. (2012, September) Bypassing intel smep on windows 8 x64 using return-oriented programming. [Online]. Available: http://blog.ptsecurity.com/2012/09/bypassing-intel-smep-on-windows-8-x64.html
34. sickness, “Linux exploit writing tutorial part 2: Atack overflow aslr bypass using ret2reg,” Tech. Rep., March 2011. [Online]. Available: http://dl.packetstormsecurity.net/papers/attack/lewt2-aslrbypass.pdf
35. Solar Designer, “Getting around non-executable stack (and fix),” Bugtraq Mailing List, Aug. 1997.
36. UEFI Specification, 2nd ed., UEFI Inc., July 2013. [Online]. Available: http://www.uefi.org/specs/download/UEFI_2_4.pdf
37. S. Vogl and C. Eckert, “Using hardware performance events for instruction-level monitoring on the x86 architecture,” in Proceedings of the 5th European Workshop on System Security. ACM, 2012.
38. Z. Wang, X. Jiang, W. Cui, and P. Ning, “Countering kernel rootkits with lightweight hook protection,” in Proceedings of the 16th conference on Computer and communications security. ACM, 2009.
39. Z. Wang, X. Jiang, W. Cui, and X. Wang, “Countering persistent kernel rootkits through systematic hook discovery,” in Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection. Springer, 2008.