Abstract
We analyze the attack steps of malware and focus on malware loading. Our assumption is that malware contains at least one module, so monitoring module loading is indispensable to defeating malware. Moreover, we design security policies and apply them when a module is loaded by the operating system. These policies depend on the properties of a module, its connection to the modules it creates, and its link to user intention. The module properties and this connection improve the accuracy of malware detection; user intention helps handle unknown modules and makes the policies more flexible. Finally, ModuleGuard, a gatekeeper for dynamic module loading against malware, has been designed and implemented to integrate these security policies. Our experimental results show the feasibility and effectiveness of our method.
Foundation item: Supported by the National Natural Science Foundation of China(61373168, 61202387), Major Projects of National Science and Technology of China (2010ZX03006-001-01), and Doctoral Fund of Ministry of Education of China (20120141110002)
Biography: DING Shuang, female, Master candidate, research direction
Ding, S., Fu, J. & Peng, B. ModuleGuard: A gatekeeper for dynamic module loading against malware. Wuhan Univ. J. Nat. Sci. 18, 489–498 (2013). https://doi.org/10.1007/s11859-013-0962-4