Abstract
Remote code-injection attacks are among the most frequently used attack vectors in computer security. To detect and analyze injected code (often called shellcode), some researchers have proposed network-level code emulators. A network-level code emulator can detect shellcode accurately and help analysts understand its behavior. We demonstrate that memory-scanning attacks can evade current emulators, and we propose Yataglass, an enhanced network-level code emulator that can analyze shellcode incorporating memory-scanning attacks. In our experiments, Yataglass successfully emulated and analyzed real shellcode into which we had manually incorporated memory-scanning attacks.
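The following C program is an added illustration of why a memory-scanning payload defeats an emulator that knows only the captured network input; it is not Yataglass's code and makes no claim about how Yataglass solves the problem. It assumes an egg-hunter style scan (the classic memory-scanning shellcode pattern: walk the address space page by page, skip unreadable pages, stop at a doubled 4-byte tag), a toy 8-page address space with 4 KiB pages, and two constructed memory images: the victim process, where the real payload sits in a page the shellcode must find, and a bare emulator image in which only the page holding the network input is mapped.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy address space: NPAGES pages of PAGE_SZ bytes plus a per-page
 * "mapped" flag. Constructed for this illustration only. */
#define PAGE_SZ 4096u
#define NPAGES  8u
#define ASZ     (PAGE_SZ * NPAGES)

/* Assumed (hypothetical) egg tag and payload location in the victim. */
#define EGG         0x50905090u
#define PAYLOAD_OFF (5u * PAGE_SZ + 100u)

typedef struct {
    uint8_t data[ASZ];
    int     mapped[NPAGES];   /* 1 if the page may be read */
} space_t;

enum { SCAN_FOUND = 0, SCAN_EXHAUSTED = 1 };

typedef struct {
    int      status;
    uint32_t addr;           /* payload start when status == SCAN_FOUND */
    uint32_t reads;          /* 4-byte memory reads the scan performed */
} scan_result;

static int page_readable(const space_t *s, uint32_t addr) {
    return addr < ASZ && s->mapped[addr / PAGE_SZ];
}

/* Egg-hunter style scan: the shellcode behaviour an emulator must follow.
 * A real hunter probes readability with a cheap syscall; here the probe is
 * the mapped flag. Unreadable pages are skipped, readable memory is searched
 * 4 bytes at a time for the tag repeated twice. */
scan_result scan_for_egg(const space_t *s, uint32_t start, uint32_t egg) {
    scan_result r = { SCAN_EXHAUSTED, 0, 0 };
    uint32_t a = start & ~3u;
    while (a + 8 <= ASZ) {
        if (!page_readable(s, a) || !page_readable(s, a + 4)) {
            a = (a / PAGE_SZ + 1) * PAGE_SZ;   /* skip to next page */
            continue;
        }
        uint32_t w1, w2;
        memcpy(&w1, s->data + a, 4);
        memcpy(&w2, s->data + a + 4, 4);
        r.reads += 2;
        if (w1 == egg && w2 == egg) {
            r.status = SCAN_FOUND;
            r.addr = a + 8;                    /* payload follows the tags */
            return r;
        }
        a += 4;
    }
    return r;
}

/* Victim image (constructed): every page readable, egg + payload planted
 * deep in the address space where only a scan can find it. */
static void build_victim(space_t *s) {
    memset(s, 0, sizeof *s);
    for (uint32_t p = 0; p < NPAGES; p++) s->mapped[p] = 1;
    uint32_t egg = EGG;
    memcpy(s->data + PAYLOAD_OFF, &egg, 4);
    memcpy(s->data + PAYLOAD_OFF + 4, &egg, 4);
    s->data[PAYLOAD_OFF + 8] = 0xCC;            /* stand-in payload byte */
}

/* Emulator image (constructed): a network-level emulator only has the
 * bytes it captured, so just page 0 (the input buffer) is readable. */
static void build_emulator(space_t *s) {
    memset(s, 0, sizeof *s);
    s->mapped[0] = 1;
}

scan_result run_victim(void)   { static space_t s; build_victim(&s);   return scan_for_egg(&s, 0, EGG); }
scan_result run_emulator(void) { static space_t s; build_emulator(&s); return scan_for_egg(&s, 0, EGG); }

int main(void) {
    scan_result v = run_victim(), e = run_emulator();
    printf("victim:   status=%d addr=%u reads=%u\n", v.status, v.addr, v.reads);
    printf("emulator: status=%d addr=%u reads=%u\n", e.status, e.addr, e.reads);
    return 0;
}
```

In the victim image the scan reaches the payload; in the emulator image the same code reads only the captured buffer, skips every other page, and terminates without ever exposing the payload, so an emulator that stops there has nothing to analyze. That dependence on memory the emulator never saw is the evasion the abstract describes.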
© 2009 Springer-Verlag Berlin Heidelberg
Shimamura, M., Kono, K. (2009). Yataglass: Network-Level Code Emulation for Analyzing Memory-Scanning Attacks. In: Flegel, U., Bruschi, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2009. Lecture Notes in Computer Science, vol 5587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02918-9_5
DOI: https://doi.org/10.1007/978-3-642-02918-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02917-2
Online ISBN: 978-3-642-02918-9