Yataglass: Network-Level Code Emulation for Analyzing Memory-Scanning Attacks

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5587)

Abstract

Remote code-injection attacks are one of the most frequently used attack vectors in computer security. To detect and analyze injected code (commonly called shellcode), several researchers have proposed network-level code emulators, which execute the bytes of a network stream as machine code. A network-level code emulator can detect shellcode accurately and helps analysts understand its behavior. We demonstrate that memory-scanning attacks, in which the shellcode reads memory outside the injected payload, can evade current emulators, and we propose Yataglass, an extended network-level code emulator that enables analysis of shellcode incorporating memory-scanning attacks. In our experiments, Yataglass successfully emulated and analyzed real shellcode into which we had manually incorporated memory-scanning attacks.


Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Shimamura, M., Kono, K. (2009). Yataglass: Network-Level Code Emulation for Analyzing Memory-Scanning Attacks. In: Flegel, U., Bruschi, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2009. Lecture Notes in Computer Science, vol 5587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02918-9_5

  • DOI: https://doi.org/10.1007/978-3-642-02918-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-02917-2

  • Online ISBN: 978-3-642-02918-9

  • eBook Packages: Computer Science (R0)
