Malicious shellcode detection with virtual memory snapshots
INFOCOM'10 Proceedings of the 29th conference on Information communications
IEEE Transactions on Very Large Scale Integration (VLSI) Systems
Runtime countermeasures for code injection attacks against C and C++ programs
ACM Computing Surveys (CSUR)
AutoDunt: dynamic latent dependence analysis for detection of zero day vulnerability
ICISC'11 Proceedings of the 14th international conference on Information Security and Cryptology
HeapSentry: kernel-assisted protection against heap overflows
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Hi-index | 0.00 |
We present e-NeXSh, a novel security approach that utilises kernel and LIBC support for efficiently defending systems against process-subversion attacks. Such attacks exploit vulnerabilities in software to override its program control-flow and consequently invoke system calls, causing out-of-process damage. Our technique defeats such attacks by monitoring all LIBC function and system-call invocations, and validating them against process-specific information that strictly prescribes the permissible behaviour for the program (unlike general sandboxing techniques that require manually maintained, explicit policies, we use the program code itself as a guideline for an implicit policy). Any deviation from this behaviour is considered malicious, and we halt the attack, limiting its damage to within the subverted process. We implemented e-NeXSh as a set of modifications to the linux-2.4.18-3 kernel and a new user-space shared library (e-NeXSh.so). The technique is transparent, requiring no modifications to existing libraries or applications. e-NeXSh was able to successfully defeat both codeinjection and libc-based attacks in our effectiveness tests. The technique is simple and lightweight, demonstrating no measurable overhead for select UNIX utilities, and a negligible 1.55% performance impact on the Apache web server.