Title of article :
Streamed Analysis of Network Files to avoid False Positives and to Detect Client-side Attacks
Author/Authors :
Rodrigo Rubira Branco and Celso Massaki Hirata, author
Issue Information :
Periodical with serial number, year 2010
Pages :
9
From page :
184
To page :
192
Abstract :
Attacks exploiting client-side vulnerabilities are common nowadays. Those attacks are more difficult to address due to the complexity of protocols and file formats. Generic detection mechanisms, such as code disassembly, are often inefficient against client-side vulnerabilities due to size constraints in the gateway inspection and the embedded encoding specific to some file formats. This article discusses the challenges of file-type aware inspection and how to make such inspection in streaming mode. We use a network disassembly engine as the detection base and an implementation to detect invalid binaries in streaming mode to confirm the validity of the disassembly engine. Results of detection of real shellcodes and normal executable codes of a complete Linux installation are provided.
Keywords :
IDS, evasion, Shellcode, polymorphic, disassembly, IPS
Journal title :
International Journal of Communication Networks and Information Security (IJCNIS)
Serial Year :
2010
Record number :
673985