5 research outputs found
Jit spraying and mitigations
Abstract With the discovery of new exploit techniques, novel protection mechanisms are needed as well. Mitigations like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization) created a significantly more difficult environment for exploitation. Attackers, however, have recently researched new exploitation methods which are capable of bypassing the operating system's memory mitigations. One of the newest and most popular exploitation techniques to bypass both of the aforementioned security protections is JIT memory spraying, introduced by Dion Blazakis In this article we will present a short overview of the JIT spraying technique and also novel mitigation methods against this innovative class of attacks. An anti-JIT spraying library was created as part of our shellcode execution prevention system
Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis
Exploits that successfully attack computers are mostly based on some form of shellcode, i.e., illegitimate code that is injected by the attacker to take control of the system. Detecting and extracting such code is the first step to detailed analysis of malware containing illegitimate code. The amount and sophistication of modern malware calls for automated mechanisms that perform such detection and extraction. In this paper we present a novel generic and fully automatic approach to detect the execution of illegitimate code and extract such code upon detection. The basic idea of the approach is to flag critical memory pages as non-executable and use a modified page fault handler to dump corresponding memory pages. We present an implementation of the approach for the Windows platform called CWXDetector. Evaluations using malicious PDF documents as example show that CWXDetector produces no false positives and has a similarly low false negative rate
Design and implementation of robust systems for secure malware detection
Malicious software (malware) have significantly increased in terms of number and effectiveness
during the past years. Until 2006, such software were mostly used to disrupt
network infrastructures or to show coders’ skills. Nowadays, malware constitute a very
important source of economical profit, and are very difficult to detect. Thousands of
novel variants are released every day, and modern obfuscation techniques are used to
ensure that signature-based anti-malware systems are not able to detect such threats.
This tendency has also appeared on mobile devices, with Android being the most targeted
platform. To counteract this phenomenon, a lot of approaches have been developed
by the scientific community that attempt to increase the resilience of anti-malware systems.
Most of these approaches rely on machine learning, and have become very popular
also in commercial applications. However, attackers are now knowledgeable about these
systems, and have started preparing their countermeasures. This has lead to an arms
race between attackers and developers. Novel systems are progressively built to tackle
the attacks that get more and more sophisticated. For this reason, a necessity grows
for the developers to anticipate the attackers’ moves. This means that defense systems
should be built proactively, i.e., by introducing some security design principles in their
development. The main goal of this work is showing that such proactive approach can
be employed on a number of case studies. To do so, I adopted a global methodology that
can be divided in two steps. First, understanding what are the vulnerabilities of current
state-of-the-art systems (this anticipates the attacker’s moves). Then, developing novel
systems that are robust to these attacks, or suggesting research guidelines with which
current systems can be improved. This work presents two main case studies, concerning
the detection of PDF and Android malware. The idea is showing that a proactive approach
can be applied both on the X86 and mobile world. The contributions provided on
this two case studies are multifolded. With respect to PDF files, I first develop novel attacks
that can empirically and optimally evade current state-of-the-art detectors. Then,
I propose possible solutions with which it is possible to increase the robustness of such
detectors against known and novel attacks. With respect to the Android case study,
I first show how current signature-based tools and academically developed systems are
weak against empirical obfuscation attacks, which can be easily employed without particular
knowledge of the targeted systems. Then, I examine a possible strategy to build a
machine learning detector that is robust against both empirical obfuscation and optimal
attacks. Finally, I will show how proactive approaches can be also employed to develop
systems that are not aimed at detecting malware, such as mobile fingerprinting systems.
In particular, I propose a methodology to build a powerful mobile fingerprinting system,
and examine possible attacks with which users might be able to evade it, thus preserving
their privacy. To provide the aforementioned contributions, I co-developed (with the cooperation
of the researchers at PRALab and Ruhr-Universität Bochum) various systems:
a library to perform optimal attacks against machine learning systems (AdversariaLib),
a framework for automatically obfuscating Android applications, a system to the robust
detection of Javascript malware inside PDF files (LuxOR), a robust machine learning system
to the detection of Android malware, and a system to fingerprint mobile devices. I
also contributed to develop Android PRAGuard, a dataset containing a lot of empirical
obfuscation attacks against the Android platform. Finally, I entirely developed Slayer
NEO, an evolution of a previous system to the detection of PDF malware. The results
attained by using the aforementioned tools show that it is possible to proactively build
systems that predict possible evasion attacks. This suggests that a proactive approach
is crucial to build systems that provide concrete security against general and evasion
attacks