System-call monitoring has become the basis for many host-based intrusion detection as well as policy enforcement techniques. Mimicry attacks attempt to evade system-call-monitoring IDS by executing innocuous-looking sequences of system calls that accomplish the attacker's goals. Mimicry attacks may execute a sequence of dozens of system calls in order to evade detection. Finding such a sequence is difficult, so researchers have focused on tools for automating mimicry attacks and extending them to gray-box IDS. In this paper, we describe an alternative approach for building mimicry attacks using only skills and technologies that hackers possess today, making this attack a more immediate and realistic threat. These attacks, which we call persistent interposition attacks, are not as powerful as traditional mimicry attacks (an adversary cannot obtain a root shell using a persistent interposition attack) but are sufficient to accomplish the goals of today's cyber-criminals. Persistent interposition attacks are stealthier than standard mimicry attacks and are amenable to covert information-harvesting attacks, features that are likely to be attractive to profit-motivated criminals. Persistent interposition attacks are not IDS-specific: they can evade a large class of system-call-monitoring intrusion-detection systems, which we call I/O-data-oblivious. I/O-data-oblivious monitors have perfect knowledge of the values of all system call arguments as well as their relationships, with the exception of the data buffer arguments to read and write. Many of today's black-box and gray-box IDS are I/O-data-oblivious and hence vulnerable to persistent interposition attacks.