ModuleGuard: A gatekeeper for dynamic module loading against malware
We analyze the attack steps of malware and focus on the loading stage. Our assumption is that every malware sample consists of at least one module, so monitoring module loading is indispensable for defeating malware. We therefore design security policies and enforce them at the moment the operating system loads a module. These policies depend on the properties of the module, the relationship between a module and the modules it creates, and the link to user intention. The module properties and the creator relationship improve the accuracy of malware detection; user intention helps handle unknown modules and makes the policies more flexible. Finally, we have designed and implemented ModuleGuard, a gatekeeper for dynamic module loading against malware, which integrates these security policies. Our experimental results show the feasibility and effectiveness of the method.
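The abstract names three policy classes (module properties, the link to the creating module, and user intention) but gives no concrete rules. The following is an added illustration, not ModuleGuard's code and not taken from the paper: a user-mode Python model that replays constructed module-load events through the three policy classes in a fixed order. The directory lists, the treatment of signatures, the taint propagation from a denied creator to the modules it wrote, and the "unknown module without a user action is denied" rule are all assumptions chosen for the example; a real gatekeeper would evaluate these at the loader hook in the kernel.

```python
"""Toy policy engine modelling the three policy classes in the ModuleGuard abstract.
Added example; the rules below are assumptions, not the paper's actual policies."""
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOW, DENY = "allow", "deny"

# Assumption: OS/program directories count as trusted, user-writable ones as drop zones.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
DROP_DIRS = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class Module:
    path: str
    signed: bool            # a valid code signature is present (assumed to be supplied by the hook)
    creator: Optional[str]  # path of the module that wrote this file to disk, None if unknown


@dataclass(frozen=True)
class LoadEvent:
    module: Module
    loader: str             # image of the process that requested the load
    user_initiated: bool    # the load traces back to an explicit user action


class Gatekeeper:
    def __init__(self) -> None:
        self.tainted = set()  # lower-cased paths of modules that were denied earlier

    @staticmethod
    def _under(path: str, dirs: Tuple[str, ...]) -> bool:
        return path.lower().startswith(dirs)

    def policy_creator(self, m: Module):
        """Creator-link policy: a module written by a denied module inherits the denial."""
        if m.creator and m.creator.lower() in self.tainted:
            return DENY, f"created by tainted module {m.creator}"
        return None, "creator not tainted"

    def policy_properties(self, m: Module):
        """Property policy: signature plus location decide the clear-cut cases."""
        if m.signed and self._under(m.path, TRUSTED_DIRS):
            return ALLOW, "signed module in trusted directory"
        if not m.signed and self._under(m.path, DROP_DIRS):
            return DENY, "unsigned module in user-writable directory"
        return None, "properties inconclusive"

    @staticmethod
    def policy_intention(ev: LoadEvent):
        """User-intention policy: the fallback for modules the other policies cannot classify."""
        if ev.user_initiated:
            return ALLOW, "load tied to a user action"
        return DENY, "unknown module loaded without a user action"

    def decide(self, ev: LoadEvent):
        """Evaluate the policies in priority order; the first conclusive verdict wins."""
        m = ev.module
        for verdict, reason in (self.policy_creator(m),
                                self.policy_properties(m),
                                self.policy_intention(ev)):
            if verdict is None:
                continue
            if verdict == DENY:
                self.tainted.add(m.path.lower())  # propagate to anything this module drops later
            return verdict, reason
        raise AssertionError("policy_intention always returns a verdict")


def run_demo():
    """Replay constructed load events in order and return {module path: verdict}."""
    gk = Gatekeeper()
    browser = "C:\\Program Files\\Browser\\browser.exe"
    dropped = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"
    events = [  # constructed sample events, not real telemetry
        LoadEvent(Module("C:\\Windows\\System32\\kernel32.dll", True, None), "C:\\Windows\\explorer.exe", False),
        LoadEvent(Module(dropped, False, browser), browser, False),
        LoadEvent(Module("C:\\Program Files\\Browser\\plugins\\helper.dll", False, dropped), browser, True),
        LoadEvent(Module("C:\\Program Files\\Vendor\\plugin.dll", False,
                         "C:\\Users\\alice\\Downloads\\setup.exe"), "C:\\Program Files\\Vendor\\app.exe", True),
        LoadEvent(Module("C:\\ProgramData\\svc\\agent.dll", False, None), "C:\\ProgramData\\svc\\svc.exe", False),
    ]
    verdicts = {}
    for ev in events:
        verdict, reason = gk.decide(ev)
        verdicts[ev.module.path] = verdict
        print(f"{verdict:5} {ev.module.path}  ({reason})")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The replay shows the interaction the abstract describes: the signed system DLL passes on properties alone; the unsigned DLL the browser wrote to a temp directory is denied on properties and becomes tainted; the helper DLL that tainted module dropped is then denied by the creator link even though the user triggered the load; the unsigned vendor plugin, which neither property nor creator policy can classify, is allowed only because the load is tied to a user action, while an equivalent unknown module loaded by a background service is denied.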
Key words: module; user intention; security policies; malware
CLC number: TP 311.5