A practical mimicry attack against powerful system-call monitors

Published: 18 March 2008

Abstract

System-call monitoring has become the basis for many host-based intrusion detection as well as policy enforcement techniques. Mimicry attacks attempt to evade system-call-monitoring IDS by executing innocuous-looking sequences of system calls that accomplish the attacker's goals. Mimicry attacks may execute a sequence of dozens of system calls in order to evade detection. Finding such a sequence is difficult, so researchers have focused on tools for automating mimicry attacks and extending them to gray-box IDS. In this paper, we describe an alternative approach for building mimicry attacks using only skills and technologies that hackers possess today, making this attack a more immediate and realistic threat. These attacks, which we call persistent interposition attacks, are not as powerful as traditional mimicry attacks --- an adversary cannot obtain a root shell using a persistent interposition attack --- but are sufficient to accomplish the goals of today's cyber-criminals. Persistent interposition attacks are stealthier than standard mimicry attacks and are amenable to covert information-harvesting attacks, features that are likely to be attractive to profit-motivated criminals. Persistent interposition attacks are not IDS specific --- they can evade a large class of system-call-monitoring intrusion-detection systems, which we call I/O-data-oblivious. I/O-data-oblivious monitors have perfect knowledge of the values of all system call arguments as well as their relationships, with the exception of the data buffer arguments to read and write. Many of today's black-box and gray-box IDS are I/O-data-oblivious and hence vulnerable to persistent interposition attacks.
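The notion of an I/O-data-oblivious monitor is the key definition in the abstract, and it is easiest to see with a concrete model. The following Python is an added illustration, not code from the paper and not a reproduction of its attack: it models a monitor that sees every system call name, its non-buffer arguments, its return value and the relationships between them (which fd came from which accept/open, whether an opened path lies under a document root), but never the bytes passed to read or write. The allowed-transition automaton, the DOCROOT path, the two traces and the marked byte string are all constructed for the example. It shows that two traces differing only in buffer contents present an identical view to such a monitor, and that only a check which inspects the write buffer can separate them.

```python
"""Toy model of an I/O-data-oblivious system-call monitor (constructed example)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Syscall:
    name: str
    args: tuple = ()          # non-buffer arguments: fds, paths, flags, sizes
    ret: Optional[int] = None # return value (new fd, byte count, 0 on success)
    data: bytes = b""         # buffer contents for read/write; invisible to the oblivious monitor

# Constructed "learned" model: which syscall name may follow which.
ALLOWED_NEXT = {
    None:     {"accept"},
    "accept": {"read"},
    "read":   {"open", "write", "close"},
    "open":   {"read"},
    "write":  {"close"},
    "close":  {"close", "accept"},
}
DOCROOT = "/var/www/"   # constructed policy: the server may only open files here

def model_view(trace):
    """Everything the oblivious monitor can observe: names, args, return values."""
    return tuple((c.name, c.args, c.ret) for c in trace)

def oblivious_monitor(trace):
    """Returns (accepted, reason). Checks sequence, argument values and fd
    relationships, but never touches Syscall.data."""
    prev = None
    live_fds = set()
    for call in trace:
        if call.name not in ALLOWED_NEXT[prev]:
            return False, f"unexpected {call.name} after {prev}"
        if call.name in ("accept", "open"):
            if call.name == "open" and not call.args[0].startswith(DOCROOT):
                return False, f"open outside docroot: {call.args[0]}"
            live_fds.add(call.ret)          # fd relationship: later calls must use this fd
        else:
            fd = call.args[0]
            if fd not in live_fds:
                return False, f"{call.name} on unknown fd {fd}"
            if call.name == "close":
                live_fds.discard(fd)
        prev = call.name
    return True, "trace matches model"

def data_aware_monitor(trace, marked: bytes):
    """Same checks, plus a content rule on write buffers: bytes tagged as
    sensitive (constructed marker here) must never leave on a socket."""
    ok, reason = oblivious_monitor(trace)
    if not ok:
        return ok, reason
    for call in trace:
        if call.name == "write" and marked in call.data:
            return False, f"write on fd {call.args[0]} carries marked data"
    return True, "trace matches model and data policy"

def serve_trace(file_bytes: bytes, sent_bytes: bytes):
    """Constructed trace of a server answering one request: the bytes read
    from the file and the bytes written to the client are parameters."""
    n = len(sent_bytes)
    return [
        Syscall("accept", (3,), ret=4),
        Syscall("read", (4, 4096), ret=28, data=b"GET /index.html HTTP/1.0\r\n\r\n"),
        Syscall("open", ("/var/www/index.html", 0), ret=5),
        Syscall("read", (5, 4096), ret=len(file_bytes), data=file_bytes),
        Syscall("write", (4, n), ret=n, data=sent_bytes),
        Syscall("close", (5,), ret=0),
        Syscall("close", (4,), ret=0),
    ]

PUBLIC = b"<html>hello</html>"     # 18 bytes, the page on disk
MARKED = b"SECRET-MARKER-1234"     # 18 bytes, constructed stand-in for harvested data
BENIGN = serve_trace(PUBLIC, PUBLIC)
INTERPOSED = serve_trace(PUBLIC, MARKED)   # same calls, same fds, same sizes; only the buffer differs

if __name__ == "__main__":
    print("oblivious:", oblivious_monitor(BENIGN), oblivious_monitor(INTERPOSED))
    print("identical view:", model_view(BENIGN) == model_view(INTERPOSED))
    print("data-aware:", data_aware_monitor(BENIGN, MARKED), data_aware_monitor(INTERPOSED, MARKED))
```

The design point is that the oblivious monitor is not weak on its own terms: it enforces the sequence model, the docroot policy and the fd lineage, and rejects a trace that opens a path outside DOCROOT or writes to an fd it never saw created. Its blind spot is structural, since the two traces above are equal under `model_view`, so no refinement of the sequence or argument model can separate them; only a monitor that reasons about buffer contents (or about the relationship between what was read and what was written) can.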

Published In

cover image ACM Conferences
ASIACCS '08: Proceedings of the 2008 ACM symposium on Information, computer and communications security
March 2008
399 pages
ISBN:9781595939791
DOI:10.1145/1368310
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. buffer overflow
  2. intrusion-detection
  3. memory error
  4. mimicry attack
  5. system-call monitor

Conference

Asia CCS '08
Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
