Abstract
Code reuse and code injection attacks have become the techniques of choice for advanced persistent threat (APT) actors to bypass the exploit-mitigation mechanisms deployed in modern operating systems. Meanwhile, complex, benign programs such as Microsoft Office employ many advanced techniques to improve performance, and the code execution patterns these techniques generate are surprisingly similar to those of exploits. This makes practical exploit detection very challenging, especially on the Windows platform. In this paper, we propose a practical exploit early detection system called Xede that comprehensively detects code reuse and code injection attacks while reducing both false positives and false negatives. We demonstrate the effectiveness of Xede by experimenting with exploit samples and by deploying Xede on the Internet. Xede accurately detects all types of exploits. In particular, it captures many exploits that mainstream anti-virus software misses, and it detects exploits that fail to compromise the target system because of variations in system configuration.
Acknowledgement
We would like to thank our shepherd Christopher Kruegel and the anonymous reviewers for their insightful comments. This work is partially supported by the National Basic Research Program of China (973 Program) (Grant No. 2012CB315804) and the National Natural Science Foundation of China (Grant No. 91418206).
© 2015 Springer International Publishing Switzerland
Cite this paper
Nie, M. et al. (2015). Xede: Practical Exploit Early Detection. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science(), vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_10
DOI: https://doi.org/10.1007/978-3-319-26362-5_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26361-8
Online ISBN: 978-3-319-26362-5