In 2005, Kruegel et al. proposed a variation of the traditional mimicry attack, to which we will refer to as automatic mimicry, which can defeat existing system call based HIDS models. We show how such an attack can be defeated by using information provided by the Interprocedural Control Flow Graph (ICFG). Roughly speaking, by exploiting the ICFG of a protected binary, we propose a strategy based on the use of static analysis techniques which is able to localize critical regions inside a program, which are segments of code that could be used for exploiting an automatic mimicry attack. Once the critical regions have been recognized, their code is instrumented in such a way that, during the executions of such regions, the integrity of the dangerous code pointers is monitored, and any unauthorized modification will be restored at once with the legal values. Moreover, our experiments shows that such a defensive mechanism presents a low run-time overhead.
Static analysis on x86 executables for preventing automatic mimicry attack / D. Bruschi, L. Cavallaro, A. Lanzi - In: Detection of intrusions and malware, and vulnerability assessment : 4th International Conference, DIMVA 2007, Lucerne, Switzerland, July 12-13, 2007 : proceedings / [a cura di] B. M. Hämmerli, R. Sommer. - Berlin : Springer, 2007. - ISBN 9783540736134. - pp. 213-230 (( Intervento presentato al 4th. convegno International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - DIMVA tenutosi a Lucerna (CH) nel 2007 [10.1007/978-3-540-73614-1].
Static analysis on x86 executables for preventing automatic mimicry attack
D. BruschiPrimo
;A. LanziUltimo
2007
Abstract
In 2005, Kruegel et al. proposed a variation of the traditional mimicry attack, to which we will refer to as automatic mimicry, which can defeat existing system call based HIDS models. We show how such an attack can be defeated by using information provided by the Interprocedural Control Flow Graph (ICFG). Roughly speaking, by exploiting the ICFG of a protected binary, we propose a strategy based on the use of static analysis techniques which is able to localize critical regions inside a program, which are segments of code that could be used for exploiting an automatic mimicry attack. Once the critical regions have been recognized, their code is instrumented in such a way that, during the executions of such regions, the integrity of the dangerous code pointers is monitored, and any unauthorized modification will be restored at once with the legal values. Moreover, our experiments shows that such a defensive mechanism presents a low run-time overhead.
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
