Title : 
Malicious Shellcode Detection with Virtual Memory Snapshots
            Author : 
Gu, Boxuan ; Bai, Xiaole ; Yang, Zhimin ; Champion, Adam C. ; Xuan, Dong
            Author_Institution : 
Dept. of Comput. Sci. & Eng., Ohio State Univ., Columbus, OH, USA
            Abstract : 
Malicious shellcodes are segments of binary code disguised as normal input data. Such shellcodes can be injected into a target process's virtual memory, where they overwrite the process's return addresses and hijack its control flow. Detecting and filtering out such shellcodes is vital to prevent damage. In this paper, we propose a new malicious shellcode detection methodology in which we take snapshots of the process's virtual memory before input data are consumed and feed the snapshots to a malicious shellcode detector. These snapshots are used to instantiate a runtime environment that emulates the target process's consumption of the input data, so that the shellcodes' behaviors can be monitored. The snapshots can also be used to examine the system calls that shellcodes invoke, the parameters of those system calls, and the process's execution flow. We implement a prototype system in Debian Linux with kernel version 2.6.26. Our extensive experiments with real traces and thousands of malicious shellcodes illustrate our system's performance: low overhead, few false negatives, and few false positives.
            Keywords : 
binary codes; security of data; virtual storage; Debian Linux; binary code; hijack control flow; input data; kernel version 2.6.26; malicious shellcode detection; process execution flow; process return addresses; prototype system; shellcode behavior monitoring; target process; virtual memory snapshots; Binary codes; Communications Society; Computer science; Data engineering; Detectors; Feeds; Filtering; Pattern analysis; Runtime environment; USA Councils;
Conference_Title : 
INFOCOM, 2010 Proceedings IEEE
            Conference_Location : 
San Diego, CA
            Print_ISBN : 
978-1-4244-5836-3
            DOI : 
10.1109/INFCOM.2010.5461950