원문정보
초록
영어
Code injection attacks are widely used by attackers to compromise computer systems. Attackers could obtain the control of a victim's computer system by injecting shellcode to the vulnerable program. The existing solutions to detect shellcode can be grouped into two categories: static analysis and dynamic analysis. Static analysis can detect shellcode efficiently, but cannot handle the shellcode that employs obfuscation techniques. Dynamic analysis is able to detect the obfuscated shellcode, however it is still limited to detect the recent virtualization-aware shellcode. In this paper, we present a novel shellcode detection approach without using any virtualization technology. We implement our approach based on the commodity OS kernel which is compatible to the existing system. Our approach is able to detect the shellcode that could be aware of the virtualization environment and reduces the probability of exposing detection environment. Our experimental evaluations show that our system can effectively detect a large set of shellcode instances with good performance.
목차
1. Introduction
2. Threat Model
3. Design Overview
3.1. Shellcode Detection
3.2. Register and Memory Protection
3.3. Exception Handling
3.4. Infinite Loop Detection
3.5. Architecture
3.6. System Robustness
3.7. System Deployment
4. Implementation
4.1. Shellcode Detection
4.2. Register and Memory Save and Restoration
4.3. Exception Handling
4.4. Dealing with Infinite Loop
4.5. Execution Loop Control
4.6. Implementation on Linux
5. Evaluation
5.1. Effectiveness
5.2. Performance
6. Discussion
7. Related Work
8. Conclusion
Acknowledgments
References