Dymo: Tracking Dynamic Code Identity

  • Bob Gilbert
  • Richard Kemmerer
  • Christopher Kruegel
  • Giovanni Vigna
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6961)


Code identity is a primitive that allows an entity to recognize a known, trusted application as it executes. This primitive supports trusted computing mechanisms such as sealed storage and remote attestation. Unfortunately, there is a generally acknowledged limitation in the implementation of current code identity mechanisms in that they are fundamentally static. That is, code identity is captured at program load-time and, thus, does not reflect the dynamic nature of executing code as it changes over the course of its run-time. As a result, when a running process is altered, for example, because of an exploit or through injected, malicious code, its identity is not updated to reflect this change.

In this paper, we present Dymo, a system that provides a dynamic code identity primitive that tracks the run-time integrity of a process and can be used to detect code integrity attacks. To this end, a host-based component computes an identity label that reflects the executable memory regions of running applications (including dynamically generated code). These labels can be used by the operating system to enforce application-based access control policies. Moreover, to demonstrate a practical application of our approach, we implemented an extension to Dymo that labels network packets with information about the process that originated the traffic. Such provenance information is useful for distinguishing between legitimate and malicious activity at the network level.


code identity process integrity access control 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., Kruegel, C.: A View on Current Malware Behaviors. In: 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (2009)Google Scholar
  2. 2.
    Bhatkar, S., DuVarney, D., Sekar, R.: Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits. In: 12th USENIX Security Symposium (2003)Google Scholar
  3. 3.
    Blazakis, D.: Interpreter Exploitation. In: 4th USENIX Workshop on Offensive Technologies (2010)Google Scholar
  4. 4.
    Chen, C., Xu, J., Sezer, E., Gauriar, P., Iyer, R.: Non-Control-Data Attacks Are Realistic Threats. In: 14th USENIX Security Symposium (2005)Google Scholar
  5. 5.
    Fewer, S.: Reflective DLL Injection. Tech. rep., Harmony Security (2008)Google Scholar
  6. 6.
    Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A Sense of Self for UNIX Processes. In: 17th IEEE Symposium on Security and Privacy (1996)Google Scholar
  7. 7.
    Frias-Martinez, V., Sherrick, J., Stolfo, S.J., Keromytis, A.D.: A Network Access Control Mechanism Based on Behavior Profiles. In: 25th Annual Computer Security Applications Conference (2009)Google Scholar
  8. 8.
    Haitsma, J., Kalker, T., Oostveen, J.: Robust Audio Hashing for Content Identification. In: 2nd International Workshop on Content-Based Multimedia Indexing (2001)Google Scholar
  9. 9.
    Haldar, V., Chandra, D., Franz, M.: Semantic Remote Attestation A Virtual Machine Directed Approach to Trusted Computing. In: 3rd USENIX Virtual Machine Research and Technology Symposium (2004)Google Scholar
  10. 10.
    Hardy, N.: The Confused Deputy. Operating Systems Review 22(4), 36–38 (1988)CrossRefGoogle Scholar
  11. 11.
    Hunt, G., Brubacher, D.: Detours: Binary Interception of Win32 Functions. In: 3rd USENIX Windows NT Symposium (1999)Google Scholar
  12. 12.
    Kim, G.H., Spafford, E.H.: The Design and Implementation of Tripwire: A File System Integrity Checker. In: 2nd ACM Conference on Computer and Communications Security (1994)Google Scholar
  13. 13.
    Kruegel, C., Mutz, D., Valeur, F., Vigna, G.: On the Detection of Anomalous System Call Arguments. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 326–343. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor Support for Identifying Covertly Executing Binaries. In: 17th USENIX Security Symposium (2008)Google Scholar
  15. 15.
    Mandelin, D.: An Overview of TraceMonkey (July 2009),
  16. 16.
    Microsoft Corporation: A detailed description of the Data Execution Prevention (DEP) feature (September 2006),
  17. 17.
    Microsoft Corporation: Windows Vista Application Development Requirements for User Account Control (UAC) (April 2007),
  18. 18.
    Parno, B., McCune, J.M., Perrig, A.: Bootstrapping Trust in Commodity Computers. In: 31st IEEE Symposium on Security and Privacy (2010)Google Scholar
  19. 19.
    Ramachandran, A., Bhandankar, K., Tariq, M.B., Feamster, N.: Packets with Provenance. Tech. Rep. GT-CS-08-02, Georgia Institute of Technology (2008)Google Scholar
  20. 20.
    Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and Implementation of a TCG-based Integrity Measurement Architecture. In: 13th USENIX Security Symposium (2004)Google Scholar
  21. 21.
    Saltzer, J.H., Schroeder, M.D.: The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), 1278–1308 (1975)CrossRefGoogle Scholar
  22. 22.
    Shacham, H.: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). In: 14th ACM Conference on Computer and Communications Security (2007)Google Scholar
  23. 23.
    Zeigler, A.: IE8 and Loosely-Coupled IE (LCIE) (March 2008),
  24. 24.
    Zetter, K.: Google Hack Attack Was Ultra Sophisticated, New Details Show (January 2010),

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Bob Gilbert
    • 1
  • Richard Kemmerer
    • 1
  • Christopher Kruegel
    • 1
  • Giovanni Vigna
    • 1
  1. 1.Computer Security Group, Department of Computer ScienceUniversity of CaliforniaSanta BarbaraUSA

Personalised recommendations