Abstract
Computer malware (e.g., botnets, rootkits, spyware) is one of the most serious threats to computers and networks. Most malware carries out its malicious actions by hijacking the control flow of the infected system or program. It is therefore critically important to protect mission-critical systems from malicious control flows.
Inspired by self-nonself discrimination in the natural immune system, this research explores a new direction in building artificial malware immune systems. Most existing models of the self of a protected program or system are passive reflections of its existing behaviour (e.g., its system call sequences). Instead of passively reflecting the existing behaviour of the protected program, we actively assign the protected program or system a unique mark. Such a dynamically assigned unique mark forms a dynamically assigned sense of self for the protected program or system, which lets us effectively and efficiently distinguish the unmarked nonself (e.g., malware actions) from the marked self with no false positives. Because our artificial malware immunization technique requires no specific knowledge of the malware, it can be effective against new and previously unknown malware.
We have implemented a proof-of-concept prototype of our artificial malware immunization based on such a dynamically assigned sense of self in Linux, and our automatic malware immunization tool has successfully immunized real-world, unpatched, vulnerable applications (e.g., Snort 2.6.1, with over 140,000 lines of C code) against otherwise working exploits. In addition, our artificial malware immunization is effective against return-to-libc attacks and the recently discovered return-oriented exploits. The overall run-time performance overhead of our artificial malware immunization prototype is no more than 4%.
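The following simulation is an added illustration of the self-nonself idea described above; it is not the paper's prototype and does not reproduce its instrumentation. The model it assumes is hypothetical: at immunization time the protected program receives a fresh secret mark, every instrumented call site derives an authenticator from that mark, and a reference monitor (`Monitor`, `ImmunizedProgram`, `immunize` and `simulate` are all names invented here) treats authenticated transfers as self and unmarked ones as nonself. The sample operations and the hijacked requests are constructed inputs.

```python
"""Simplified simulation of a dynamically assigned sense of self.

Assumed model (hypothetical, not the paper's implementation): the immunizer
assigns a secret per-run mark to the protected program; each sensitive
operation reached through an instrumented call site carries an HMAC tag
derived from that mark. The monitor needs no knowledge of any malware:
anything that is not marked is nonself.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Operations the monitor checks; everything else passes unchecked.
SENSITIVE_OPS = {"execve", "socket", "open"}


@dataclass
class Decision:
    op: str
    args: tuple
    allowed: bool
    reason: str


class Monitor:
    """Reference monitor holding the mark and auditing every transfer."""

    def __init__(self, mark: bytes) -> None:
        self._mark = mark
        self.log = []  # list of Decision records

    @staticmethod
    def tag_for(mark: bytes, op: str, args: tuple) -> bytes:
        # Authenticator binds the mark to the operation and its arguments.
        msg = op.encode() + b"\x00" + repr(args).encode()
        return hmac.new(mark, msg, hashlib.sha256).digest()

    def request(self, op: str, args: tuple, tag) -> bool:
        if op not in SENSITIVE_OPS:
            d = Decision(op, args, True, "not monitored")
        elif tag is not None and hmac.compare_digest(
            tag, self.tag_for(self._mark, op, args)
        ):
            d = Decision(op, args, True, "self (marked)")
        else:
            d = Decision(op, args, False, "nonself (unmarked)")
        self.log.append(d)
        return d.allowed


class ImmunizedProgram:
    """The protected program after immunization: its own call sites carry the mark."""

    def __init__(self, monitor: Monitor, mark: bytes) -> None:
        self._monitor = monitor
        self._mark = mark  # in a real deployment this stays out of reach of injected code

    def do(self, op: str, *args) -> bool:
        tag = Monitor.tag_for(self._mark, op, args)
        return self._monitor.request(op, args, tag)


def immunize():
    """Assign a fresh mark: no two immunized instances share a sense of self."""
    mark = os.urandom(32)
    monitor = Monitor(mark)
    return monitor, ImmunizedProgram(monitor, mark)


def simulate(n_legit: int = 100) -> dict:
    """Run legitimate traffic plus constructed unmarked requests; report counts."""
    monitor, prog = immunize()
    # Legitimate behaviour: every transfer goes through an instrumented site.
    legit = [prog.do("open", f"/var/log/app{i}.log", "r") for i in range(n_legit)]
    # Constructed hijacked control flow: code that bypassed the instrumented
    # sites has no mark; one request omits the tag, the other guesses it.
    hijacked = [
        monitor.request("execve", ("/bin/sh",), None),
        monitor.request("socket", (2, 1, 0), os.urandom(32)),
    ]
    return {
        "false_positives": legit.count(False),
        "nonself_blocked": hijacked.count(False),
        "total_hijacked": len(hijacked),
    }


if __name__ == "__main__":
    print(simulate())
```

Because the mark is chosen at immunization time rather than learned from observed behaviour, a legitimate call can never look like nonself (no false positives in `simulate`), and a transfer that did not pass through an instrumented site is rejected without any malware-specific signature. A mark taken from a different immunized instance is also rejected, which is what makes the sense of self unique per run.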
© 2011 Springer-Verlag Berlin Heidelberg
Wang, X., Jiang, X. (2011). Artificial Malware Immunization Based on Dynamically Assigned Sense of Self. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds) Information Security. ISC 2010. Lecture Notes in Computer Science, vol 6531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-18178-8_15
DOI: https://doi.org/10.1007/978-3-642-18178-8_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-18177-1
Online ISBN: 978-3-642-18178-8