A proposed approach to detect and thwart previously unknown code injection attacks

dc.AffiliationOctober University for Modern Sciences and Arts (MSA)
dc.contributor.authorHussein, Omar
dc.contributor.authorHamza, Nermin
dc.contributor.authorHefny, Hesham
dc.date.accessioned2020-02-13T10:26:04Z
dc.date.available2020-02-13T10:26:04Z
dc.date.issued2015
dc.descriptionMSA Google Scholaren_US
dc.description.abstractThis paper presents a proposed approach called VAIL System Call Monitor (VSCM) to detect and thwart previously unknown code injection attacks. The idea is based on the fact that any process needs to correctly invoke CreateProcess() system calls, otherwise child-process creation will fail. VSCM intercepts and verifies CreateProcess() system call invocations from a monitored process. In case an unknown executable is detected in the first parameter of a call, this indicates its maliciousness. In response, VSCM encrypts that parameter value to render the call invalid, thereby thwarting adversaries' attacks by preventing the operating system from loading and executing the new malicious child process. VSCM runs in a microkernel-based virtual machine in order to achieve two-fold advantages: (1) isolate security-critical information from probable adversaries' attacks; and (2) exploit security-related and performance-related advantages associated with thin virtual machine monitors. The expected effectiveness of VSCM is high since it is circumvention-proof, and precise in extracting the normal behavior of applications chosen to be monitored.en_US
dc.description.sponsorshipIEEEen_US
dc.description.urihttps://www.scimagojr.com/journalsearch.php?q=21100463145&tip=sid&clean=0
dc.identifier.citation
1. "CreateProcess function", Microsoft Developer Network, 2014.
2. "Vulnerability Notes Database. Vulnerability note VU#191609: Microsoft Windows animated cursor stack buffer overflow", CERT and US-CERT, 2013, [online] Available: http://www.kb.cert.org/vuls/id/191609.
3. "Vulnerability Notes Database. Vulnerability note VU#275219: Foxit Advanced PDF Editor 3 contains a stack buffer overrun vulnerability", CERT and US-CERT, 2013, [online] Available: http://www.kb.cert.org/vuls/id/275219.
4. "Bulletin (SB13-035) vulnerability summary for the week of January 28, 2013", United States Computer Emergency Readiness Team, 2013, [online] Available: http://www.us-cert.gov/ncas/bulletins/SB13-035.
5. C. Cowan et al., "Protecting systems from stack smashing attacks with StackGuard", Proc. Security '98, pp. 119-129, 1998.
6. "Stack Shield: A 'stack smashing' technique protection tool for Linux", Vendicator, 2013, [online] Available: http://www.angelfire.com/sk/stackshield/.
7. Bulba and Kil3r, "Bypassing StackGuard and StackShield", 2000, [online] Available: http://phrack.org/issues/56/5.html.
8. N. Dor, M. Rodeh, M. Sagiv, "CSSV: Towards a realistic tool for statically detecting all buffer overflows in C", Proc. PLDI '03, pp. 155-167, 2003.
9. M. Zitser, R. Lippmann, T. Leek, "Testing static analysis tools using exploitable buffer overflows from open source code", Proc. SIGSOFT '04/FSE-12, pp. 97-106, 2004.
10. H. Ozdoganoglu, T. N. Vijaykumar, C. E. Brodley, B. A. Kuperman, A. Jalote, "SmashGuard: A hardware solution to prevent security attacks on the function return address", IEEE Transactions on Computers, vol. 55, pp. 1271-1285, Oct. 2006.
11. Z. Shao, C. Xue, Q. Zhuge, E. H.-M. Sha, B. Xiao, "Security protection and checking for embedded system integration against buffer overflow attacks via hardware/software", IEEE Transactions on Computers, vol. 55, pp. 443-453, Apr. 2006.
12. S. Forrest, S. Hofmeyr, A. Somayaji, "The evolution of system-call monitoring", Proc. ACSAC 24, pp. 418-430, 2008.
13. M. Christodorescu, S. Jha, C. Kruegel, "Mining specifications of malicious behavior", Proc. ESEC/FSE '07, pp. 5-14, 2007.
14. C. Kolbitsch et al., "Effective and efficient malware detection at the end host", Proc. Security '09, pp. 351-366, 2009.
15. A. Liu, C. Martin, T. Hetherington, S. Matzner, "A comparison of system call feature representations for insider threat detection", Proc. IAW '05, pp. 340-347, 2005.
16. J. LeVasseur et al., "Pre-virtualization: soft layering for virtual machines", Proc. ACSAC, pp. 1-9, 2008.
17. G. Klein et al., "seL4: formal verification of an OS kernel", Proc. SOSP '09, pp. 207-220, 2009.
18. "Advanced Encryption Standard (AES)", Federal Information Processing Standards Publication 197, 2001.
19. "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", National Institute of Standards and Technology, SP 800-38A, 2001.
20. C. Kruegel, W. Robertson, F. Valeur, G. Vigna, "Static disassembly of obfuscated binaries", Proc. Security '04, pp. 255-270, 2004.
21. "Microsoft Portable Executable and Common Object File Format Specification", Microsoft Corporation, 1999.
22. Hex-Rays, "IDA disassembler and debugger", 2014, [online] Available: https://www.hex-rays.com/products/ida/overview.shtml.
23. Hex-Rays, "Hex-Rays decompiler", 2014, [online] Available: https://www.hex-rays.com/products/decompiler/index.shtml.en_US
dc.identifier.doihttps://doi.org/10.1109/IntelCIS.2015.7397243
dc.identifier.isbn978-1-5090-1949-6
dc.identifier.otherhttps://doi.org/10.1109/IntelCIS.2015.7397243
dc.identifier.urihttps://t.ly/R36ZZ
dc.language.isoenen_US
dc.publisherIEEEen_US
dc.relation.ispartofseries2015 IEEE Seventh International Conference on Intelligent Computing and Information Systems (ICICIS); Pages: 336-342
dc.subjectMonitoring, Cryptography, Hardware, Computers, Reliabilityen_US
dc.titleA proposed approach to detect and thwart previously unknown code injection attacksen_US
dc.typeBook chapteren_US
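The gate the abstract describes, reduced to its policy logic, as an added example written for this page (Python; it is not the authors' VSCM code and touches neither a hypervisor nor the real Win32 API). It assumes a hypothetical monitored viewer application whose normal child executables are a constructed allowlist, uses a SHA-256 counter-mode keystream as a stand-in for the AES-CTR encryption the paper cites (references 18 and 19), and replaces the guest loader with a constructed set of existing paths. It goes one step beyond the abstract's first-parameter check: CreateProcess() allows lpApplicationName to be NULL, in which case the loader takes the executable from the first token of lpCommandLine, so the monitor below resolves the target from whichever parameter the loader would actually use before comparing it against the profile.

```python
"""Simulation of a VSCM-style CreateProcess() gate (added example, not the paper's code)."""
import hashlib

# Constructed allowlist (assumption): the child executables that a hypothetical
# monitored viewer application is known to spawn during normal operation.
NORMAL_CHILDREN = {
    r"C:\Program Files\Viewer\updater.exe",
    r"C:\Program Files\Viewer\helper.exe",
}

# Constructed stand-in for the guest file system, consulted only by fake_loader().
GUEST_FILESYSTEM = NORMAL_CHILDREN | {
    r"C:\Windows\System32\cmd.exe",
    r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
}

# Constructed key (assumption). In the design the abstract describes this would
# live in the isolated monitor VM, out of reach of code running in the guest.
MONITOR_KEY = bytes(range(16))


def _normalize(path: str) -> str:
    """Windows paths are case-insensitive; also drop the quotes of a quoted path."""
    return path.strip().strip('"').casefold()


def resolve_target(lp_application_name, lp_command_line):
    """Return the executable the loader would actually start.

    CreateProcess() uses lpApplicationName when it is non-NULL; otherwise the
    module is the first token of lpCommandLine (a quoted path, or the text up
    to the first space; real Windows also tries longer unquoted prefixes).
    """
    if lp_application_name:
        return lp_application_name
    cmd = (lp_command_line or "").lstrip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for the AES-CTR keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt_parameter(value: str, key: bytes) -> str:
    """XOR the UTF-16LE path with the keystream; the hex ciphertext replaces it."""
    data = value.encode("utf-16-le")
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data)))).hex()


def vscm_intercept(lp_application_name, lp_command_line,
                   profile=NORMAL_CHILDREN, key=MONITOR_KEY):
    """Return (allowed, value handed to the OS in place of the executable path)."""
    target = resolve_target(lp_application_name, lp_command_line)
    known = {_normalize(p) for p in profile}
    if _normalize(target) in known:
        return True, target                       # normal child: pass through
    return False, encrypt_parameter(target, key)  # unknown child: spoil the path


def fake_loader(path: str) -> bool:
    """Stand-in for the guest OS loader: succeeds only for an existing executable."""
    return _normalize(path) in {_normalize(p) for p in GUEST_FILESYSTEM}


def guarded_create_process(lp_application_name, lp_command_line):
    """Run one CreateProcess() call through the monitor, then through the loader."""
    allowed, value = vscm_intercept(lp_application_name, lp_command_line)
    return allowed, fake_loader(value)


if __name__ == "__main__":
    calls = [
        (r"C:\Program Files\Viewer\updater.exe", None),
        (None, r'"C:\Program Files\Viewer\helper.exe" --silent'),
        (None, r"C:\Windows\System32\cmd.exe /c whoami"),  # what injected code typically asks for
        (r"C:\Users\victim\AppData\Local\Temp\dropper.exe", None),
    ]
    for app, cmd in calls:
        print(app, cmd, "->", guarded_create_process(app, cmd))
```

Two caveats a practitioner should keep in mind when reading the abstract's "circumvention-proof" claim against this logic: the check compares a path string, so a profiled path whose file has been overwritten still passes, and the command-line fallback above takes only the first space-delimited token, whereas Windows resolves an unquoted path containing spaces by trying successively longer prefixes.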

Files

Original bundle
Name: avatar_scholar_256.png
Size: 6.31 KB
Format: Portable Network Graphics
Description: Faculty Of Computer Science Research Paper

License bundle
Name: license.txt
Size: 51 B
Format: Item-specific license agreed upon to submission