
    Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

    Abstract. Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a victim's computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks. To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser, and performed before control is transferred to the shellcode, thus effectively thwarting the attack. The solution maintains fair performance by avoiding unnecessary invocations of the emulator, while ensuring that every buffer with potential shellcode is checked. We have implemented a prototype of our system, and evaluated it over thousands of malicious and legitimate web sites. Our results demonstrate that the system performs accurate detection with no false positives.

    WS01.05 Development of a musculoskeletal screening tool for children and young people with cystic fibrosis (Addenbrooke’s MST): initial findings

    © 2023 European Cystic Fibrosis Society. Published by Elsevier B.V. This is an open access article distributed under the Creative Commons Attribution License; to view a copy of the license, see: https://creativecommons.org/licenses/by/4.0/
    Objectives: Development of the Addenbrooke's Musculoskeletal Screening Tool (MST) for children and young people (CYP) with CF. It is recommended by the Association of Chartered Physiotherapists in CF that musculoskeletal (MSK) screening is carried out in all children from 7 years of age. Currently there is no specific tool for CYP with CF; only the Adult Manchester MST is available in CF (Ashbrook, Taylor and Jones, 2011). Methods: A paediatric MST was constructed by reviewing the Manchester MSK Screening Tool, the pGALS and recent literature surrounding both paediatric and CF-related MSK conditions. The tool was developed with support from paediatric CF specialist physiotherapists, paediatric MSK specialist physiotherapists and respiratory consultants. This tool was then used over a one-year period on a total of 58 CYP. Results: The MST was well accepted by clinicians and CYP, taking up to 5 minutes to complete. There were 81.8% more positive MSK screens in the year using this Addenbrooke's MST (20) compared to the previous year using the Manchester MST (11). There were also 6 more referrals, all deemed appropriate by MSK specialist physiotherapists. MSK advice was given to 83% more children in the year using AMST (11) compared to the year using MMST (6). Urinary incontinence appears to be under-reported in this population when compared to other studies, with only two positive screens. Kyphosis (as diagnosed by plumb line) was particularly prevalent in this population (20%), and those with kyphosis had a significantly reduced FEV1% (p = 0.008) and FVC% (p = 0.034), as well as tighter pectoralis major (p = 0.002).
    Conclusion: A screening tool designed for CYP with CF is important in identifying conditions specific to this population. There is an increased number of appropriate referrals when using this tool and interesting initial evidence on the use of pectoralis major length as an outcome measure; however, further research and validation is required.

    Protecting Against Address Space Layout Randomization (ASLR) Compromises and Return-to-Libc Attacks Using Network Intrusion Detection Systems

    Writable XOR eXecutable (W XOR X) and Address Space Layout Randomisation (ASLR) have elevated the understanding necessary to perpetrate buffer overflow exploits [1]. However, they have not proved to be a panacea [1] [2] [3], and so other mechanisms such as stack guards and prelinking have been introduced. In this paper we show that host-based protection still does not offer a complete solution. To demonstrate, we perform an over-the-network brute force return-to-libc attack against a pre-forking concurrent server to gain remote access to a system protected by W XOR X and ASLR. We then demonstrate that deploying a NIDS with appropriate signatures can detect this attack efficiently.

    Shellzer: a tool for the dynamic analysis of malicious shellcode

    Abstract. Shellcode is malicious binary code whose execution is triggered after the exploitation of a vulnerability. The automated analysis of malicious shellcode is a challenging task, since encryption and evasion techniques are often used. This paper introduces Shellzer, a novel dynamic shellcode analyzer that generates a complete list of the API functions called by the shellcode, and, in addition, returns the binaries retrieved at run-time by the shellcode. The tool is able to modify on-the-fly the arguments and the return values of certain API functions in order to simulate specific execution contexts and the availability of the external resources needed by the shellcode. This tool has been tested with over 24,000 real-world samples, extracted from both web-based drive-by download attacks and malicious PDF documents. The results of the analysis show that Shellzer is able to successfully analyze 98% of the shellcode samples.

    Yataglass: Network-Level Code Emulation for Analyzing Memory-Scanning Attacks

    Abstract. Remote code-injection attacks are one of the most frequently used attack vectors in computer security. To detect and analyze injected code (often called shellcode), some researchers have proposed network-level code emulators. A network-level code emulator can detect shellcode accurately and help analysts to understand the behavior of shellcode. We demonstrate that memory-scanning attacks can evade current emulators, and propose Yataglass, an elaborated network-level code emulator that enables us to analyze shellcode that incorporates memory-scanning attacks. According to our experimental results, Yataglass successfully emulated and analyzed real shellcode into which we had manually incorporated memory-scanning attacks.

    Preface. Detection of Intrusions and Malware, and Vulnerability Assessment

    On behalf of the Program Committee, it is our pleasure to present the proceedings of the 14th International Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), which took place in Bonn, Germany, during July 6–7, 2017. Since 2004, DIMVA has been bringing together leading researchers and practitioners from academia, industry, and government to present and discuss novel security research in the broader areas of intrusion detection, malware analysis, and vulnerability assessment. DIMVA is organized by the Special Interest Group – Security, Intrusion Detection, and Response (SIDAR) – of the German Informatics Society (GI). This year, DIMVA received 67 valid submissions from academic and industrial organizations from 25 different countries. Each submission was carefully reviewed by at least three Program Committee members or external experts. The submissions were evaluated on the basis of scientific novelty, importance to the field, and technical quality. The final selection of papers was decided during a day-long Program Committee meeting that took place at Stony Brook University, USA, on April 7, 2017. In all, 18 full papers were selected for presentation at the conference and publication in the proceedings, resulting in an acceptance rate of 26.9%. The accepted papers present novel ideas, techniques, and applications in important areas of computer security, including enclaves and isolation, malware analysis, cyber-physical systems, detection and protection, code analysis, and Web security. Beyond the research papers, the conference program also included two insightful keynote talks by Thomas Dullien (Google) and Prof. Christopher Kruegel (University of California at Santa Barbara). A successful conference is the result of the joint effort of many people. 
    We would like to express our appreciation to the Program Committee members and external reviewers for the time spent reviewing papers, participating in the online discussion, attending the Program Committee meeting in Stony Brook, and shepherding some of the papers to ensure the highest quality possible. We also deeply thank the members of the Organizing Committee for their hard work in making DIMVA 2017 such a successful event, and our invited speakers for their willingness to participate in the conference. We are wholeheartedly thankful to our sponsors ERNW, genua, Google, Huawei, Rohde & Schwarz Cybersecurity, Springer, and VMRay for generously supporting DIMVA 2017. We also thank Springer for publishing these proceedings as part of their LNCS series, and the DIMVA Steering Committee for their continuous support and assistance. Finally, DIMVA 2017 would not have been possible without the authors who submitted their work and presented their contributions, as well as the attendees who came to the conference. We would like to thank them all, and we look forward to their future contributions to DIMVA.

    On Emulation-Based Network Intrusion Detection Systems

    Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regard to traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode. In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weaknesses that are present at all three levels of the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

    A Survey of Removable Partial Denture Casts and Major Connector Designs Found in Commercial Laboratories, Athens, Greece

    Purpose: This survey was conducted to study the prevalence of partial edentulism, the type of removable partial denture (RPD) support, the type of major connectors, and the frequency of their use in relation to the partial edentulism classes encountered, concerning patients in Athens, Greece. Materials and Methods: The material comprised 628 final casts for RPDs. Each cast was photographed in a way that would allow the number of existing teeth, the classification of partial edentulism, the RPD support, and the particular parts of the metal framework to be identified. Data collected were analyzed statistically using prevalence tables and the χ2 test. Results: Two hundred seventy-six (43.9%) casts were for the maxilla and 352 (56.1%) for the mandible. The most frequently encountered group was Kennedy class I for both arches, while class IV was the classification least encountered (p < 0.001). Of all RPDs constructed, 96.8% had a metal framework (tooth-borne and tooth/tissue-borne), while 3.2% of the RPDs were frameless (tissue-borne, acrylic dentures). The U-shaped palatal connector (horseshoe) in the maxilla and the lingual bar in the mandible were the most frequently used for all partial edentulism classes, at 55.2% and 95%, respectively. Conclusions: Analysis of the casts revealed that the type of major connectors selected does not comply with the indications for their applications, considering the lack of dental history and clinical examination. This highlights the need for further training of dentists and dental technicians in aspects of RPD framework design. © 2013 by the American College of Prosthodontists

    A survey of Removable Partial Denture (RPD) retentive elements in relation to type of edentulism and abutment teeth in commercial laboratories in Athens

    Objective: The aim of this survey was to record removable partial denture (RPD) retentive elements and abutment teeth in partially edentulous patients, identified in commercial laboratories in Athens, Greece. Material and Methods: 628 master casts with the corresponding cast metal frameworks used in the construction of RPDs were evaluated. Casts were photographed to identify the number and position of existing teeth, the partial edentulism class and the retentive elements. Prevalence tables and the χ2 test were used for the statistical analysis of the collected data (α=.05). Results: There were 276 maxillary (43.9%) and 352 (56.1%) mandibular casts. Maxillary edentulism entailed an almost total absence of right third molars in 96.7% and left third molars in 96.0% of casts, with lower rates for the first and second molars. Edentulism in the posterior mandible presented a similar pattern. The most profound findings concerning retentive elements were: 91.9% of the retainers used were clasps and the remaining 8.1% were attachments. Of the clasps used, 48.9% were of the Roach T type, a finding more common in Kennedy Class I as compared to other Kennedy Classes (p<0.01). The circumferential clasps accounted for 19.3% of the total clasps used, and they were less frequent (8.8%) in Kennedy Class I (p<0.01). Conclusions: Roach clasps were used in the majority of cases, whereas RPI clasps and attachments were rarely used.

    Piranha: A Fast Lookup Pattern Matching Algorithm for Intrusion Detection

    Network Intrusion Detection Systems (nIDS) are nowadays an increasingly important defensive mechanism against numerous attacks taking place on the Internet. As network speed is increasing faster than processor speed, intrusion detection at link speed becomes increasingly more challenging. The most expensive part of a nIDS is pattern matching: finding patterns of attack inside packet payloads. This paper presents Piranha, a fast algorithm for pattern matching oriented to the intrusion detection domain. It is based on the observation that if the rarest substring of a pattern does not appear, then the whole pattern will definitely not match. Our results, based on traces that represent various network environments, indicate that Piranha can enhance the performance of a nIDS by 11% to 28% in terms of processing time and by 18% to 73% in terms of memory consumption compared to existing state-of-the-art algorithms.
    Keywords: network security, intrusion detection, pattern matching, network monitoring, network performance