
ModuleGuard: A gatekeeper for dynamic module loading against malware

Published in: Wuhan University Journal of Natural Sciences

Abstract

We analyze the attack steps of malware and focus on the loading stage. Our assumption is that any piece of malware consists of at least one module, so monitoring module loading is indispensable for defeating malware. On this basis we design security policies and enforce them at the moment the operating system loads a module. The policies depend on the properties of the module, its connection to newly created modules, and its link to user intention. The module properties and the creation connection improve the accuracy of malware detection; user intention helps handle unknown modules and makes the policy more flexible. Finally, ModuleGuard, a gatekeeper for dynamic module loading against malware, has been designed and implemented to integrate these security policies. Our experimental results show the feasibility and effectiveness of the method.
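As an added illustration (not ModuleGuard's own code or policy set), the following Python sketch shows how the three policy inputs named in the abstract can be combined into a load-time allow/deny/ask decision. The event fields, the trusted directories, the hash allowlist, the untrusted process IDs and the sample load events are all constructed assumptions; the "connection to created modules" is interpreted here as provenance, i.e. which process wrote the module file before another process tried to load it.

```python
"""Illustrative load-time policy gate (added example, not ModuleGuard's code).

Each module-load event is checked against three policy inputs:
  - module properties: hash allowlist, code-signature status, install location
  - provenance: which process created the file ("connection to created modules")
  - user intention: whether the load follows an explicit user action
All names, paths, hashes and PIDs below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK = "ask"  # unknown module: defer to the user instead of guessing


@dataclass(frozen=True)
class ModuleLoad:
    path: str
    sha256: str
    signed: bool                 # code signature verified by the OS (assumed)
    loader_pid: int              # process performing the load
    writer_pid: Optional[int]    # process that created the file; None = unknown
    user_initiated: bool         # load occurred inside a user-action window


# Constructed policy state (assumptions, not the paper's configuration).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
KNOWN_GOOD: Set[str] = {"a" * 64}          # allowlisted module hashes
UNTRUSTED_PIDS: Set[int] = {1300, 1301}    # e.g. browser / mail-client renderers


def in_trusted_dir(path: str) -> bool:
    """Case-insensitive prefix match against the trusted install locations."""
    return path.lower().startswith(TRUSTED_DIRS)


def evaluate(ev: ModuleLoad,
             known_good: Set[str] = KNOWN_GOOD,
             untrusted_pids: Set[int] = UNTRUSTED_PIDS) -> Tuple[Decision, str]:
    """Return (decision, reason). Rules are checked in priority order."""
    # 1. Module property: an allowlisted hash is always fine.
    if ev.sha256 in known_good:
        return Decision.ALLOW, "allowlisted hash"
    # 2. Provenance: a file dropped by an untrusted process and then loaded
    #    elsewhere is the drop-and-load pattern; only the user may override.
    if ev.writer_pid is not None and ev.writer_pid in untrusted_pids:
        if ev.user_initiated:
            return Decision.ASK, "written by untrusted process; user action seen"
        return Decision.DENY, "written by untrusted process without user action"
    # 3. Module property: a signed module in a trusted location is fine.
    if ev.signed and in_trusted_dir(ev.path):
        return Decision.ALLOW, "signed module in trusted directory"
    # 4. Signed but in an unusual location: accept only with user intention.
    if ev.signed:
        if ev.user_initiated:
            return Decision.ALLOW, "signed, user-initiated"
        return Decision.ASK, "signed but outside trusted directories"
    # 5. Unknown, unsigned module: ask if the user triggered it, else deny.
    if ev.user_initiated:
        return Decision.ASK, "unsigned unknown module; user action seen"
    return Decision.DENY, "unsigned unknown module loaded without user action"


def gate(events: List[ModuleLoad]) -> List[Tuple[str, Decision, str]]:
    """Apply the policy to a batch of load events (e.g. from a load hook)."""
    return [(e.path, *evaluate(e)) for e in events]


# Constructed sample load events.
SAMPLE_EVENTS = [
    ModuleLoad("C:\\Windows\\System32\\kernel32.dll", "a" * 64, True, 4000, None, False),
    ModuleLoad("C:\\Windows\\System32\\vendor.dll", "b" * 64, True, 4000, None, False),
    ModuleLoad("C:\\Users\\u\\AppData\\Local\\Temp\\upd.dll", "c" * 64, False, 4000, 1300, False),
    ModuleLoad("C:\\Users\\u\\Downloads\\plugin.dll", "d" * 64, False, 4000, 1300, True),
    ModuleLoad("C:\\Users\\u\\Tools\\helper.dll", "e" * 64, False, 4001, None, True),
    ModuleLoad("C:\\Users\\u\\Tools\\inject.dll", "f" * 64, False, 4001, None, False),
]

if __name__ == "__main__":
    for path, decision, reason in gate(SAMPLE_EVENTS):
        print(f"{decision.value:5s} {path}  ({reason})")
```

The ordering of the rules is the design point: provenance is checked before the signature and location checks, so a module dropped by an untrusted process is never silently allowed just because it landed in a trusted directory, and user intention only ever downgrades a deny to a prompt, never to an unconditional allow.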



Author information

Corresponding author: Jianming Fu.

Additional information

Foundation item: Supported by the National Natural Science Foundation of China (61373168, 61202387), Major Projects of National Science and Technology of China (2010ZX03006-001-01), and the Doctoral Fund of the Ministry of Education of China (20120141110002)

Biography: DING Shuang, female, Master candidate, research direction


About this article

Cite this article

Ding, S., Fu, J. & Peng, B. ModuleGuard: A gatekeeper for dynamic module loading against malware. Wuhan Univ. J. Nat. Sci. 18, 489–498 (2013). https://doi.org/10.1007/s11859-013-0962-4

