Abstract
As new code-based defense technologies emerge, attackers move to data-only malware, which is capable of infecting a system without introducing any new code. To manipulate the control flow without code, data-only malware inserts a control data structure into the system, for example in the form of a ROP chain, which enables it to combine existing instructions into a new malicious program. Current systems try to hinder data-only malware by detecting the point in time when the malware starts executing. However, it has been shown that these approaches are not only performance consuming, but can also be subverted.
In this work, we introduce a new approach, Code Pointer Examination (CPE), which aims to detect data-only malware by identifying and classifying code pointers. Instead of targeting control flow changes, our approach targets the control structure of data-only malware, which mainly consists of pointers to the instruction sequences that the malware reuses. Since the control structure is comparable to the code region of traditional malware, this results in an effective detection approach that is difficult to evade. We implemented a prototype for recent Linux kernels that is capable of identifying and classifying all code pointers within the kernel. As our experiments show, our prototype is able to detect data-only malware in an efficient manner (less than 1 % overhead).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
References
Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM conference on Computer and Communications Security, CCS 2005, pp. 340–353. ACM, New York (2005)
Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., Rhee, J., Xu, D.: DKSM: subverting virtual machine introspection for fun and profit. In: Proceedings of the 29th IEEE International Symposium on Reliable Distributed Systems (SRDS 2010), New Delhi, October 2010
Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 30–40. ACM, New York (2011)
C0ntex. Bypassing non-executable-stack during exploitation using return-to-libc
Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., Jiang, X.: Mapping kernel objects to enable systematic integrity checking. In: Proceedings of the 16th ACM conference on Computer and Communications Security (CCS 2009), pp. 555–565. ACM (2009)
Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 385–399. USENIX Association, San Diego, August 2014
Cheng, Y., Zhou, Z., Yu, M., Ding, X., Deng, R.H.: ROPecker: a generic and practical approach for defending against ROP attacks. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014, February 23–26, 2014, San Diego (2014)
Davi, L., Liebchen, C., Sadeghi, A.-R., Snow, K. Z., Monrose, F.: Isomeron: Code randomization resilient to (just-in-time) return-oriented programming. In: Proceeding 22nd Network and Distributed Systems Security symposium (NDSS) (2015)
Davi, L., Sadeghi, A.-R., Lehmann, D., Monrose, F.: Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 401–416. USENIX Association, San Diego, August 2014
Evans, I., Fingeret, S., González, J., Otgonbaatar, U., Tang, T., Shrobe, H., Sidiroglou-Douskos, S., Rinard, M., Okhravi, H.: Missing the point (er): on the effectiveness of code pointer integrity (2015)
Feng, Q., Prakash, A., Yin, H., Lin, Z.: MACE: high-coverage and robust memory analysis for commodity operating systems. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 196–205. ACM, New York (2014)
Gilbert, B., Kemmerer, R., Kruegel, C., Vigna, G.: Dymo: tracking dynamic code identity. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 21–40. Springer, Heidelberg (2011)
Göktaş, E., Athanasopoulos, E., Polychronakis, M., Bos, H., Portokalidis, G.: Size does matter: why using gadget-chain length to prevent code-reuse attacks is hard. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 417–432. USENIX Association, San Diego, August 2014
Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In: Proceedings of 18th USENIX Security Symposium (2009)
Kemerlis, V.P., Polychronakis, M., Keromytis, A.D.: Ret2dir: rethinking kernel isolation. In: 23rd USENIX Security Symposium. USENIX Association, August 2014
Kemerlis, V.P., Portokalidis, G., Keromytis, A.D.: kGuard: lightweight kernel protection against return-to-user attacks. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012. USENIX Association, Berkeley (2012)
Kittel, T., Vogl, S., Lengyel, T.K., Pfoh, J., Eckert, C.: Code validation for modern OS kernels. In: Workshop on Malware Memory Forensics (MMF), December 2014
Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2014), pp. 147–163. USENIX Association, Broomfield, October 2014
Lin, Z., Rhee, J., Zhang, X., Xu, D., Jiang, X.: SigGraph: Brute force scanning of kernel data structure instances using graph-based signatures. In: Proceedings of the Network and Distributed System Security Symposium (NDSS). IEEE (2011)
Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: Proceedings of the 17th Usenix Security Symposium, pp. 243–258. USENIX Association, Berkeley (2008)
Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent rop exploit mitigation using indirect branch tracing. In: Presented as part of the 22nd USENIX Security Symposium (USENIX Security 2013), pp. 447–462. USENIX, Washington, D.C. (2013)
Petroni, Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: Proceedings of the 14th ACM conference on Computer and communications security, CCS 2007. ACM, New York (2007)
Polychronakis, M., Keromytis, A.D.: ROP payload detection using speculative code execution. In: 6th International Conference on Malicious and Unwanted Software (MALWARE), pp. 58–65. IEEE (2011)
Sadeghi, A.-R., Davi, L., Larsen, P.: Securing legacy software against real-world code-reuse exploits: utopia, alchemy, or possible future? - keynote -. In: 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2015), April 2015
Schneider, C., Pfoh, J., Eckert, C.: Bridging the semantic gap through static code analysis. In: Proceedings of EuroSec 2012, 5th European Workshop on System Security. ACM Press, April 2012
Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., Holz, T.: Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in C++ applications. In: 36th IEEE Symposium on Security and Privacy, Oakland, May 2015
Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM conference on Computer and Communications Security, CCS 2007, pp. 552–561. ACM, New York (2007)
Stancill, B., Snow, K.Z., Otterness, N., Monrose, F., Davi, L., Sadeghi, A.-R.: Check my profile: leveraging static analysis for fast and accurate detection of ROP gadgets. In: 16th Research in Attacks, Intrusions and Defenses (RAID) Symposium, October 2013
Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP 2013, pp. 48–62. IEEE Computer Society, Washington, DC (2013)
Vogl, S., Pfoh, J., Kittel, T., Eckert, C.: Persistent data-only malware: function hooks without code. In: Proceedings of the 21th Annual Network & Distributed System Security Symposium (NDSS), February 2014
Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: Proceedings of the 16th ACM conference on Computer and Communications Security, CCS 2009, pp. 545–554. ACM, New York (2009)
Wang, Z., Jiang, X., Cui, W., Wang, X.: Countering persistent kernel Rootkits through systematic hook discovery. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 21–38. Springer, Heidelberg (2008)
Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: Proceedings of the 2012 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), DSN 2012, pp. 1–12. IEEE Computer Society, Washington, DC (2012)
Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity and randomization for binary executables. In: IEEE Symposium on Security and Privacy (SP), pp. 559–573. IEEE (2013)
Acknowledgments
We thank the anonymous reviewers for their insightful comments. This work was supported by the Bavarian State Ministry of Education, Science and the Arts as part of the FORSEC research association.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Kittel, T., Vogl, S., Kirsch, J., Eckert, C. (2015). Counteracting Data-Only Malware with Code Pointer Examination. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science(), vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_9
Download citation
DOI: https://doi.org/10.1007/978-3-319-26362-5_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26361-8
Online ISBN: 978-3-319-26362-5
eBook Packages: Computer ScienceComputer Science (R0)