Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns
IEEE Security and Privacy
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Analyzing network traffic to detect self-decrypting exploit code
ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
QEMU, a fast and portable dynamic translator
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
The ghost in the browser analysis of web-based malware
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Swarm Attacks against Network-Level Emulation/Analysis
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
When good instructions go bad: generalizing return-oriented programming to RISC
Proceedings of the 15th ACM conference on Computer and communications security
STILL: Exploit Code Detection via Static Taint and Initialization Analyses
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
SS'08 Proceedings of the 17th conference on Security symposium
Proceedings of the eighteenth international symposium on Software testing and analysis
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Filter-resistant code injection on ARM
Proceedings of the 16th ACM conference on Computer and communications security
Proceedings of the 16th ACM conference on Computer and communications security
Analyzing and Detecting Malicious Flash Advertisements
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Accurate buffer overflow detection via abstract payload execution
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Detection and analysis of drive-by-download attacks and malicious JavaScript code
Proceedings of the 19th international conference on World wide web
Emulation-based detection of non-self-contained polymorphic shellcode
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Malicious shellcode detection with virtual memory snapshots
INFOCOM'10 Proceedings of the 29th conference on Information communications
An empirical study of real-world polymorphic code injection attacks
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
NOZZLE: a defense against heap-spraying code injection attacks
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
A fistful of red-pills: how to automatically generate procedures to detect CPU emulators
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
Comprehensive shellcode detection using runtime heuristics
Proceedings of the 26th Annual Computer Security Applications Conference
Heap Taichi: exploiting memory allocation granularity in heap-spraying attacks
Proceedings of the 26th Annual Computer Security Applications Conference
Combining static and dynamic analysis for the detection of malicious documents
Proceedings of the Fourth European Workshop on System Security
ZOZZLE: fast and precise in-browser JavaScript malware detection
SEC'11 Proceedings of the 20th USENIX conference on Security
Network–Level polymorphic shellcode detection using emulation
DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Hybrid engine for polymorphic shellcode detection
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
ISC'07 Proceedings of the 10th international conference on Information Security
A practical approach for detecting executable codes in network traffic
APNOMS'07 Proceedings of the 10th Asia-Pacific conference on Network Operations and Management Symposium: managing next generation networks and services
Toward efficient querying of compressed network payloads
USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
Using memory management to detect and extract illegitimate code for malware analysis
Proceedings of the 28th Annual Computer Security Applications Conference
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Hi-index | 0.00 |
The availability of off-the-shelf exploitation toolkits for compromising hosts, coupled with the rapid rate of exploit discovery and disclosure, has made exploit or vulnerability-based detection far less effective than it once was. For instance, the increasing use of metamorphic and polymorphic techniques to deploy code injection attacks continues to confound signature-based detection techniques. The key to detecting these attacks lies in the ability to discover the presence of the injected code (or, shellcode). One promising technique for doing so is to examine data (be that from network streams or buffers of a process) and efficiently execute its content to find what lurks within. Unfortunately, current approaches for achieving this goal are not robust to evasion or scalable, primarily because of their reliance on software-based CPU emulators. In this paper, we argue that the use of software-based emulation techniques are not necessary, and instead propose a new framework that leverages hardware virtualization to better enable the detection of code injection attacks. We also report on our experience using this framework to analyze a corpus of malicious Portable Document Format (PDF) files and network-based attacks.