
Xede: Practical Exploit Early Detection

  • Conference paper
  • In: Research in Attacks, Intrusions, and Defenses (RAID 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9404)

Abstract

Code reuse and code injection attacks have become popular techniques for advanced persistent threats (APTs) to bypass the exploit-mitigation mechanisms deployed in modern operating systems. Meanwhile, complex benign programs such as Microsoft Office employ many advanced techniques to improve performance, and the code execution patterns these techniques generate are surprisingly similar to those of exploits. This makes practical exploit detection very challenging, especially on the Windows platform. In this paper, we propose Xede, a practical exploit early detection system that comprehensively detects code reuse and code injection attacks. Xede effectively reduces both false positives and false negatives in exploit detection. We demonstrate its effectiveness by experimenting with exploit samples and by deploying Xede on the Internet. In our experiments Xede accurately detects all types of exploits; in particular, it captures many exploits that mainstream anti-virus software misses, and it detects exploits that fail to compromise the target system because of variations in system configuration.
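
The abstract does not describe Xede's own detection logic, so the following is an added illustration, not code from the paper or its authors. It implements two heuristics of the kind used by indirect-branch-tracing ROP detectors (a `ret` must land on an address that immediately follows a `call`; several consecutive gadget-sized, `ret`-terminated blocks indicate a gadget chain) and runs them over three constructed branch traces. The third trace is the point the abstract makes about benign software: a legitimate `push target; ret` dispatch stub, of the sort some packers and hand-written stubs use, trips the same rule as the ROP chain and becomes a false positive. All addresses, traces and thresholds are made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One control transfer, as a branch tracer (e.g. the CPU's last-branch
 * records) would report it. */
typedef enum { BR_CALL, BR_RET, BR_JMP } br_kind;

typedef struct {
    br_kind  kind;
    uint32_t src;   /* address of the branch instruction */
    uint32_t dst;   /* address control was transferred to */
} branch;

typedef struct {
    int  unpaired_rets;  /* rets landing on an address that does not follow a call */
    int  longest_chain;  /* longest run of consecutive gadget-sized ret blocks */
    bool alarm;
} verdict;

/* Hypothetical thresholds; a real detector tunes these per platform. */
#define GADGET_MAX_BYTES 16  /* a ret-terminated block this short looks like a gadget */
#define CHAIN_THRESHOLD   3  /* this many gadgets in a row triggers the chain rule */

/* Code map of call-preceded addresses: the only places a well-behaved ret
 * should land. Constructed for this example, not derived from a binary. */
static bool call_preceded(uint32_t addr, const uint32_t *sites, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sites[i] == addr)
            return true;
    return false;
}

verdict analyze(const branch *tr, size_t n, const uint32_t *sites, size_t nsites)
{
    verdict v = { 0, 0, false };
    int chain = 0;

    for (size_t i = 0; i < n; i++) {
        if (tr[i].kind != BR_RET) {          /* only rets are judged here */
            chain = 0;
            continue;
        }
        if (!call_preceded(tr[i].dst, sites, nsites))
            v.unpaired_rets++;

        /* The block executed after this ret spans tr[i].dst up to the next
         * branch's src. If that next branch is another ret only a few bytes
         * away, the block is gadget-sized. */
        bool gadget_sized = (i + 1 < n) && tr[i + 1].kind == BR_RET
                         && tr[i + 1].src >= tr[i].dst
                         && tr[i + 1].src - tr[i].dst <= GADGET_MAX_BYTES;
        chain = gadget_sized ? chain + 1 : 0;
        if (chain > v.longest_chain)
            v.longest_chain = chain;
    }
    v.alarm = v.unpaired_rets > 0 || v.longest_chain >= CHAIN_THRESHOLD;
    return v;
}

/* ---- Constructed traces (made-up addresses, not from real software) ---- */

static const uint32_t ret_sites[] = { 0x401010, 0x401230 };
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Ordinary call/ret pairing: every ret lands right after its call. */
static const branch benign_trace[] = {
    { BR_CALL, 0x40100b, 0x402000 },
    { BR_RET,  0x402045, 0x401010 },
    { BR_CALL, 0x40122b, 0x403000 },
    { BR_RET,  0x40307a, 0x401230 },
};

/* ROP chain: a hijacked ret lands on the first gadget, each gadget is a
 * couple of bytes ending in ret, and the last one returns into a heap spray. */
static const branch rop_trace[] = {
    { BR_RET, 0x00401a3c, 0x7c801234 },  /* pop eax ; ret          */
    { BR_RET, 0x7c801235, 0x7c8023f0 },  /* pop ecx ; ret          */
    { BR_RET, 0x7c8023f1, 0x7c8034a0 },  /* mov [ecx], eax ; ret   */
    { BR_RET, 0x7c8034a2, 0x0c0c0c0c },  /* into sprayed heap      */
};

/* Benign push/ret trampoline: legitimate code dispatches to a handler with
 * "push target ; ret". The ret lands on a function entry no call precedes,
 * so the call-preceded rule fires exactly as it does for the ROP chain. */
static const branch trampoline_trace[] = {
    { BR_CALL, 0x40100b, 0x402000 },
    { BR_RET,  0x402008, 0x405000 },
    { BR_RET,  0x40503c, 0x401010 },
};

int demo_benign(void)     { return analyze(benign_trace, N(benign_trace), ret_sites, N(ret_sites)).alarm; }
int demo_rop(void)        { return analyze(rop_trace, N(rop_trace), ret_sites, N(ret_sites)).alarm; }
int demo_trampoline(void) { return analyze(trampoline_trace, N(trampoline_trace), ret_sites, N(ret_sites)).alarm; }

int main(void)
{
    printf("benign     alarm=%d\n", demo_benign());      /* 0 */
    printf("rop        alarm=%d\n", demo_rop());         /* 1: four unpaired rets, chain of 3 */
    printf("trampoline alarm=%d\n", demo_trampoline());  /* 1: false positive */
    return 0;
}
```

The ROP trace is caught twice over (every return target is unpaired and three gadget-sized blocks run back to back), but the trampoline trace is flagged by the same code with a single unpaired `ret`, which is the practical problem the abstract attributes to complex benign software: the rule cannot be loosened without letting short chains through, and cannot be kept as is without alarming on such stubs.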



Acknowledgement

We would like to thank our shepherd Christopher Kruegel, and the anonymous reviewers for their insightful comments. This work is partially supported by the National Basic Research Program of China (973 Program) (Grant No.2012CB315804), and the National Natural Science Foundation of China (Grant No.91418206).

Author information

Corresponding author: Purui Su

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Nie, M. et al. (2015). Xede: Practical Exploit Early Detection. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_10

  • DOI: https://doi.org/10.1007/978-3-319-26362-5_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5
