Authors:
Jennifer Bellizzi and Mark Vella
Affiliation:
University of Malta, Malta
Keyword(s):
Web Code-injections, Dynamic Binary Instrumentation, JIT Binary Modification.
Related Ontology Subjects/Areas/Topics:
Information and Systems Security; Intrusion Detection & Prevention; Network Security; Reliability and Dependability; Security Deployment; Security in Information Systems; Wireless Network Security
Abstract:
Web applications constitute a prime target for attacks. A subset of these inject code into their targets, posing
a threat to the entire hosting infrastructure rather than just to the compromised application. Existing web intrusion
detection systems (IDS) are easily evaded when code payloads are obfuscated. Dynamic analysis in
the form of instruction set emulation is a well-known answer to this problem, which however is a solution
for off-line settings rather than the on-line IDS setting and cannot be used for all types of web attack payloads.
Host-based approaches provide an alternative, yet all of them impose runtime overheads. This work
proposes just-in-time (JIT) binary modification complemented with payload-based heuristics for the provision
of obfuscation-resistant web IDS at the network level. A number of case studies conducted with WeXpose, a
prototype implementation of the technique, show that JIT binary modification fits the on-line setting due to
native instruction execution, while also isolating harmful attack side-effects that consequentially become of
concern. Avoidance of emulation makes the approach relevant to all types of payloads, while payload-based
heuristics provide practicality.