THREATS ON REAL, EMULATED AND VIRTUALIZED INTEL X86 MACHINE CODE EXECUTION / G. Fresi Roglia ; supervisor: Danilo Bruschi ; coordinator: Ernesto Damiani. Universita' degli Studi di Milano, 24 March 2011. 22nd cycle, academic year 2009. [10.13130/fresi-roglia-giampaolo_phd2011-03-24].

THREATS ON REAL, EMULATED AND VIRTUALIZED INTEL X86 MACHINE CODE EXECUTION

G. FRESI ROGLIA
2011

Abstract

Cybercriminals have every interest in going undetected while carrying out their intentions, so impeding the spread of such threats has become of considerable importance. This goal can be pursued by working on the threat vectors cybercriminals use, or directly on the threat once it has been identified. Among threat vectors we can cite application software vulnerabilities, which can be abused by malware and malicious users to gain access to systems and confidential data. To impede the exploitation of such vulnerabilities, security specialists need to be aware of the attack techniques used by malware and malicious users, so that they can design and implement effective protection techniques. For identifying threats, it is of vital importance to use effective analysis tools that expose no weaknesses which would give malware authors the chance to evade detection. This dissertation presents two approaches for testing CPU emulators and system virtual machines, which are a fundamental component of dynamic malware analysis. These testing methodologies can be used to identify behavioural differences between real and emulated hardware: differences that malware authors can exploit to detect emulation and hide their malicious behaviour. This dissertation also presents a new exploitation technique against memory error vulnerabilities, able to circumvent widely adopted protection strategies such as W^X and ASLR, together with the related countermeasure to impede its exploitation.
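The emulator-testing approach the abstract describes compares the behaviour of real and emulated hardware on the same inputs. The C program below is an added illustration of that idea in miniature and is not code from the dissertation: the host x86-64 CPU serves as the oracle for a 32-bit ADD, a software flag model plays the role of the emulator, and a deliberately incomplete model (one that never computes AF) shows the harness reporting a deviation. It assumes an x86-64 host and GCC or Clang (GNU inline assembly); the oracle reads EFLAGS with pushfq after stepping past the 128-byte red zone so the push cannot clobber the function's own locals.

```c
/*
 * Differential test of an ADD "emulator" model against the real CPU.
 * Added illustration, not code from the dissertation. Assumes an x86-64
 * host and GCC or Clang (GNU inline asm).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The arithmetic status flags of EFLAGS that ADD defines. */
#define FLAG_CF (1u << 0)
#define FLAG_PF (1u << 2)
#define FLAG_AF (1u << 4)
#define FLAG_ZF (1u << 6)
#define FLAG_SF (1u << 7)
#define FLAG_OF (1u << 11)
#define ARITH_MASK (FLAG_CF | FLAG_PF | FLAG_AF | FLAG_ZF | FLAG_SF | FLAG_OF)

typedef struct {
    uint32_t result;
    uint32_t flags;   /* EFLAGS restricted to ARITH_MASK */
} cpu_state;

typedef cpu_state (*add_model)(uint32_t a, uint32_t b);

/* Oracle: execute the real 32-bit ADD on the host and capture its flags. */
cpu_state hw_add32(uint32_t a, uint32_t b)
{
    cpu_state s;
    uint64_t rflags;
    __asm__ volatile(
        "addl %[b], %[a]\n\t"
        "leaq -128(%%rsp), %%rsp\n\t"   /* step past the red zone before pushing */
        "pushfq\n\t"
        "popq %[f]\n\t"
        "leaq 128(%%rsp), %%rsp\n\t"
        : [a] "+r"(a), [f] "=r"(rflags)
        : [b] "r"(b)
        : "cc", "memory");
    s.result = a;
    s.flags = (uint32_t)rflags & ARITH_MASK;
    return s;
}

/* Model under test: a software implementation of ADD, as an emulator
 * would have it, computing every flag from the operands. */
cpu_state emu_add32(uint32_t a, uint32_t b)
{
    cpu_state s;
    uint32_t r = a + b;
    uint32_t f = 0, p;
    if (r < a)                              f |= FLAG_CF; /* unsigned carry out */
    if ((a ^ b ^ r) & 0x10)                 f |= FLAG_AF; /* carry out of bit 3 */
    if (r == 0)                             f |= FLAG_ZF;
    if (r & 0x80000000u)                    f |= FLAG_SF;
    if (~(a ^ b) & (a ^ r) & 0x80000000u)   f |= FLAG_OF; /* same-sign operands, different-sign result */
    p = r & 0xffu;                                        /* PF: even parity of the low byte */
    p ^= p >> 4; p ^= p >> 2; p ^= p >> 1;
    if (!(p & 1))                           f |= FLAG_PF;
    s.result = r;
    s.flags = f;
    return s;
}

/* A deliberately incomplete model that never sets AF: a constructed stand-in
 * for the kind of deviation the testing methodology is meant to expose. */
cpu_state emu_add32_no_af(uint32_t a, uint32_t b)
{
    cpu_state s = emu_add32(a, b);
    s.flags &= ~FLAG_AF;
    return s;
}

static void run_case(add_model model, uint32_t a, uint32_t b, int *mismatches)
{
    cpu_state hw = hw_add32(a, b), em = model(a, b);
    if (hw.result == em.result && hw.flags == em.flags)
        return;
    if (*mismatches == 0)   /* report the first deviation only */
        printf("mismatch: add %08x,%08x  hw=%08x/flags %03x  model=%08x/flags %03x\n",
               a, b, hw.result, hw.flags, em.result, em.flags);
    (*mismatches)++;
}

/* Compare a model against the host CPU on all pairs of boundary operands
 * and on random_cases pseudo-random pairs; returns the number of mismatches. */
int differential_test(add_model model, unsigned random_cases, unsigned seed)
{
    static const uint32_t edge[] = {
        0, 1, 0x0f, 0x10, 0x7f, 0x80, 0xff, 0x7fffffffu, 0x80000000u, 0xffffffffu
    };
    const size_t ne = sizeof edge / sizeof edge[0];
    int mismatches = 0;

    for (size_t i = 0; i < ne; i++)
        for (size_t j = 0; j < ne; j++)
            run_case(model, edge[i], edge[j], &mismatches);

    srand(seed);
    for (unsigned i = 0; i < random_cases; i++) {
        uint32_t a = ((uint32_t)rand() << 16) ^ (uint32_t)rand();
        uint32_t b = ((uint32_t)rand() << 16) ^ (uint32_t)rand();
        run_case(model, a, b, &mismatches);
    }
    return mismatches;
}

int main(void)
{
    printf("complete model: %d mismatches\n", differential_test(emu_add32, 10000, 1));
    printf("model without AF: %d mismatches\n", differential_test(emu_add32_no_af, 10000, 1));
    return 0;
}
```

The same harness shape scales to what the dissertation is about: replace the single software model with an emulator run of the same instruction and operands, widen the compared state from one result register and six flags to the full register file, and drive it with generated instruction sequences rather than operand pairs. Any pair that disagrees is exactly the kind of observable difference a malware sample could test for to decide it is being analysed.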
24 March 2011
Sector INF/01 - Computer Science
testing ; emulation ; virtualization ; return-to-libc ; buffer overflow ; return-oriented programming
BRUSCHI, DANILO MAURO
DAMIANI, ERNESTO
Doctoral Thesis
Files in this item:
File: phd_unimi_R06979.pdf (open access)
Type: Complete doctoral thesis
Size: 1.14 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/155476