On Detecting Code Reuse Attacks


Detailed bibliography
Published in: Automatic Control and Computer Sciences, Vol. 54, No. 7, pp. 573-583
Main author: Kosolapov, Y. V.
Format: Journal Article
Language: English
Published: Moscow: Pleiades Publishing, 01.12.2020
Springer Nature B.V.
ISSN: 0146-4116, 1558-108X
Description
Summary: Today, a code reuse technique is often used when exploiting software vulnerabilities such as a buffer overflow. These attacks bypass the protection against execution of code on the stack, which is implemented at the hardware and software levels in modern information systems. The attacks are based on finding suitable sections of executable code (gadgets) in the vulnerable program and linking these gadgets into chains. The article proposes a method to protect applications against code reuse attacks. The method is based on detecting properties that distinguish chains of gadgets from typical chains of legitimate program basic blocks. The appearance of an atypical chain of basic blocks during program execution may indicate the execution of malicious code. One of the properties of a chain of gadgets is that at the end of the chain a special processor instruction used to call a function of the operating system is executed. Experiments are carried out for the x86/64 Linux operating system which show the importance of this property for detecting malicious code execution. An algorithm for identifying atypical chains is developed which makes it possible to detect all currently known code reuse techniques.
Bibliography: ObjectType-Article-1; SourceType-Scholarly Journals-1; ObjectType-Feature-2
DOI: 10.3103/S0146411620070111