Skip to main content
SpringerLink
Log in
Book cover

Haifa Verification Conference

HVC 2017: Hardware and Software: Verification and Testing pp 67–82Cite as

Trace-based Analysis of Memory Corruption Malware Attacks

  • Conference paper
  • First Online:

  • 1130 Accesses

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 10629))

Abstract

Understanding malware behavior is critical for cybersecurity. This is still largely done through expert manual analysis of the malware code/binary. In this work, we introduce a fully automated method for malware analysis that utilizes memory traces of program execution. Given both benign and malicious execution traces of a program, the method identifies memory segments specific to the malware attack, and then uses them to localize the attack in the source code. We evaluated our method on the RIPE benchmark for memory corruption malware attacks and demonstrated its ability to: (i) perform diagnosis by identifying the program location of both code corruption (e.g. buffer overflow location) and attack execution (e.g. control flow to payload), (ii) recognize the characteristics of different attacks.

This work was supported in part by SONIC (one of the six SRC STARnet centers, sponsored by MARCO and DARPA) and NSF Grant 1525936. Any opinions, findings, and conclusions presented here are those of the authors and do not necessarily reflect those of SONIC or NSF.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security

    Google Scholar 

  2. Bilar, D.: Opcodes as predictor for malware. International Journal of Electronic Security and Digital Forensics , 156–168 (2007)

    Google Scholar 

  3. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Tech. rep, DTIC Document (2006)

    Google Scholar 

  4. Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: 2005 IEEE Symposium on Security and Privacy (2005)

    Google Scholar 

  5. Davi, L., Hanreich, M., Paul, D., Sadeghi, A.-R., Koeberl, P., Sullivan, D., Arias, O., Jin, Y.: Hafix: Hardware-assisted flow integrity extension. In: Proceedings of the 52nd Annual Design Automation Conference, p. 74. ACM (2015)

    Google Scholar 

  6. Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., Stolfo, S.: On the feasibility of online malware detection with performance counters. SIGARCH Comput. Archit. News 41(3), 559–570 (2013)

    Article  Google Scholar 

  7. Gantz, J.F., Florean, A., Lee, R., Lim, V., Sikdar, B., Lakshmi, S.K.S., Madhavan, L., Nagappan, M.: The link between pirated software and cybersecurity breaches. https://news.microsoft.com/download/presskits/dcu/docs/idc_031814.pdf

  8. Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6(3), 151–180 (1998)

    Article  Google Scholar 

  9. Jacob, G., Debar, H., Filiol, E.: Behavioral detection of malware: from a survey towards an established taxonomy. Journal in Computer Virology 4(3), 251–266 (2008)

    Article  Google Scholar 

  10. Li, H.: Understanding and exploiting flash actionscript vulnerabilities (2011)

    Google Scholar 

  11. Liang, Z., Sekar, R.: Fast and automated generation of attack signatures: A basis for building self-protecting servers. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 213–222. ACM (2005)

    Google Scholar 

  12. Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: ACM Conference on Programming Language Design and Implementation (2005)

    Google Scholar 

  13. Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Twenty-third AnnualComputer Security Applications Conference, ACSAC 2007 (2007)

    Google Scholar 

  14. Ozsoy, M., Donovick, C., Gorelik, I., Abu-Ghazaleh, N., Ponomarev, D.: Malware-aware processors: A framework for efficient online malware detection. In: 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA) (2015)

    Google Scholar 

  15. Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: USENIX Security, vol. 30, p. 38 (2013)

    Google Scholar 

  16. Ringenburg, M. F., Grossman, D.: Preventing format-string attacks via automatic and efficient dynamic checking. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 354–363. ACM (2005)

    Google Scholar 

  17. Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. Journal in Computer Virology 8, 37–52 (2012)

    Article  Google Scholar 

  18. Sen, K., Marinov, D., Agha, G.: Cute: A concolic unit testing engine for c. In: ACM SIGSOFT Software Engineering Notes, vol. 30, pp. 263–272. ACM (2005)

    Google Scholar 

  19. Sezer, E.C., Ning, P., Kil, C., Xu, J.: Memsherlock: an automated debugger for unknown memory corruption vulnerabilities. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 562–572. ACM(2007)

    Google Scholar 

  20. Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 298–307. ACM (2004)

    Google Scholar 

  21. Viega, J., Bloch, J.-T., Kohno, Y., McGraw, G.: Its4: A static vulnerability scanner for c and c++ code. In: Computer Security Applications (2000)

    Google Scholar 

  22. Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30143-1_11

    Chapter  Google Scholar 

  23. Wang, Z., Jiang, X.: Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In: 2010 IEEE Symposium on Security and Privacy (SP) (2010)

    Google Scholar 

  24. Wilander, J., Nikiforakis, N., Younan, Y., Kamkar, M., Joosen, W.: Ripe: runtime intrusion prevention evaluator. In: 27th Computer Security Applications Conference (2011)

    Google Scholar 

  25. Xu, R.-G., Godefroid, P., Majumdar, R.: Testing for buffer overflows with length abstraction. In: Proceedings of the 2008 International Symposium on Software Testing and Analysis, pp. 27–38. ACM (2008)

    Google Scholar 

  26. Xu, Z., Ray, S., Subramanyan, P., Malik, S.: Malware detection using machine learning based analysis of virtual memory access patterns. In: Proceedings of the 2017 Design, Automation & Test in Europe Conference & Exhibition (2017)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Electrical Engineering, Princeton University, Princeton, USA

    Zhixing Xu & Sharad Malik

  2. Department of Computer Science, Princeton University, Princeton, USA

    Aarti Gupta

Authors
  1. Zhixing Xu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Aarti Gupta
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sharad Malik
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zhixing Xu .

Editor information

Editors and Affiliations

  1. Technion - Israel Institute of Technology, Haifa, Israel

    Ofer Strichman

  2. IBM Research Lab, Haifa, Israel

    Rachel Tzoref-Brill

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Xu, Z., Gupta, A., Malik, S. (2017). Trace-based Analysis of Memory Corruption Malware Attacks . In: Strichman, O., Tzoref-Brill, R. (eds) Hardware and Software: Verification and Testing. HVC 2017. Lecture Notes in Computer Science(), vol 10629. Springer, Cham. https://doi.org/10.1007/978-3-319-70389-3_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-70389-3_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70388-6

  • Online ISBN: 978-3-319-70389-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation