
SCIENCE CHINA Information Sciences, Volume 60, Issue 5: 052110(2017) https://doi.org/10.1007/s11432-016-5521-0

Accurate and efficient exploit capture and classification

  • Received: Oct 22, 2015
  • Accepted: Nov 24, 2015
  • Published: Sep 13, 2016

Abstract

Software exploits, especially zero-day exploits, are major security threats. Every day, security experts discover and collect numerous exploits from honeypots, malware forensics, and underground channels. However, no easy method exists to classify these exploits into meaningful categories and to accelerate diagnosis as well as detailed analysis. To address this need, we present \codename, which recognizes both control-flow-hijacking and data-only attacks by combining approximate control-flow integrity, fast dynamic taint analysis, and API sandboxing schemes. Once it detects an exploit incident, \codename generates a succinct data representation, called an exploit skeleton, to characterize the captured exploit. \codename then classifies the captured exploits into exploit families by computing distances between the extracted skeletons. To evaluate the efficiency of \codename, we conduct a field test using exploit samples from public exploit databases, such as Metasploit, as well as wild-captured exploits. Our experiments demonstrate that \codename is a practical system that successfully detects and correctly classifies all of these exploit attacks.
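The abstract describes grouping captured exploits into families by computing distances between their exploit skeletons. The following is an added illustration of that classification step, not code from the paper or its system: it assumes a skeleton is an ordered sequence of event tokens (a taint flow reaching a sensitive sink, a control-flow-integrity violation, a call intercepted by the API sandbox), uses Levenshtein edit distance over those tokens, normalizes it by the longer sequence, and joins skeletons into one family when their distance falls under a threshold. The sample skeletons, token names and the threshold value are all constructed for the example.

```python
"""Group constructed exploit skeletons into families by edit distance.

Added example, not the paper's implementation. Assumptions: a skeleton is a
list of event tokens emitted by the detector, and two skeletons belong to the
same family when their normalized Levenshtein distance is <= THRESHOLD.
"""
from typing import Dict, List

Skeleton = List[str]

# Constructed sample skeletons (token names are hypothetical, not from the paper).
# s1/s2: control-flow hijack (taint reaches a return address, CFI fires).
# s3/s4: data-only attack (taint reaches a file path, no CFI violation).
SAMPLES: Dict[str, Skeleton] = {
    "s1": ["taint:input->ret_addr", "cfi:ret_mismatch", "api:mem_exec", "api:proc_create"],
    "s2": ["taint:input->ret_addr", "cfi:ret_mismatch", "api:mem_exec", "api:file_write", "api:proc_create"],
    "s3": ["taint:input->file_path", "api:file_open", "api:file_write"],
    "s4": ["taint:input->file_path", "api:file_open", "api:file_write", "api:file_close"],
}

THRESHOLD = 0.34  # constructed cut-off for "same family"


def levenshtein(a: Skeleton, b: Skeleton) -> int:
    """Edit distance between two token sequences (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, tok_a in enumerate(a, 1):
        cur = [i]
        for j, tok_b in enumerate(b, 1):
            cost = 0 if tok_a == tok_b else 1
            cur.append(min(prev[j] + 1,        # delete tok_a
                           cur[j - 1] + 1,     # insert tok_b
                           prev[j - 1] + cost))  # substitute / match
        prev = cur
    return prev[-1]


def normalized_distance(a: Skeleton, b: Skeleton) -> float:
    """Edit distance scaled to [0, 1] by the longer skeleton."""
    longest = max(len(a), len(b))
    return 0.0 if longest == 0 else levenshtein(a, b) / longest


def classify(skeletons: Dict[str, Skeleton], threshold: float = THRESHOLD) -> Dict[str, int]:
    """Assign a family label to each skeleton via single-linkage union-find.

    Any pair within the threshold is joined, so a family is a connected
    component of the 'close enough' graph. Labels are numbered in order of
    first appearance of the input names.
    """
    names = list(skeletons)
    parent = {n: n for n in names}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if normalized_distance(skeletons[a], skeletons[b]) <= threshold:
                parent[find(a)] = find(b)

    labels: Dict[str, int] = {}
    family_of_root: Dict[str, int] = {}
    for n in names:
        root = find(n)
        family_of_root.setdefault(root, len(family_of_root))
        labels[n] = family_of_root[root]
    return labels


if __name__ == "__main__":
    for name, fam in classify(SAMPLES).items():
        print(f"{name}: family {fam}")
```

With the constructed samples, s1 and s2 differ by one inserted API event (distance 1/5 = 0.2) and s3 and s4 by one appended event (1/4 = 0.25), while a hijack skeleton and a data-only skeleton share almost no tokens (0.8 or above), so two families result. In practice the threshold would be tuned on labelled samples, and tokens would need canonicalizing (addresses and handles stripped) so that the same exploit under ASLR does not produce a different skeleton each run.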


Funded by

National Natural Science Foundation of China (61402125)

National Natural Science Foundation of China (61572149)


Acknowledgments

This work was supported by National Natural Science Foundation of China (Grant Nos. 61402125, 61572149).


