Wuhan University Journal of Natural Sciences, Volume 18, Issue 6, pp 489–498

ModuleGuard: A gatekeeper for dynamic module loading against malware



We analyze the attack steps of malware and focus on malware loading. Our assumption is that a piece of malware contains at least one module, so monitoring module loading is indispensable to defeating malware. We design security policies and apply them when a module is loaded by the operating system. These policies depend on the properties of the module, its connection to created modules, and its link to user intention. The module properties and this connection can improve the accuracy of malware detection. User intention can help handle unknown modules and enhances the flexibility of the policies. Finally, ModuleGuard, a gatekeeper for dynamic module loading against malware that integrates these security policies, has been designed and implemented. Our experimental results have shown the feasibility and effectiveness of our method.

Key words

module; user intention; security policies; malware

CLC number

TP 311.5 





Copyright information

© Wuhan University and Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  1. School of Computer, Wuhan University, Wuhan, Hubei, China
  2. State Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry Education, Wuhan, Hubei, China
  3. State Key Laboratory of Software Engineering, Wuhan University, Wuhan, Hubei, China
