To fight the ever-increasing proliferation of novel malware, antivirus (AV) vendors have turned to emulation-based automated dynamic malware analysis. Malware authors have responded by creating malware that attempts to evade detection by behaving benignly while running in an emulator. Malware may detect emulation by looking for emulator "fingerprints" such as unique environmental values, timing inconsistencies, or bugs in CPU emulation. Due to their immense complexity and the expert knowledge required to effectively analyze them, reverse-engineering AV emulators to discover fingerprints is an extremely challenging task. As an alternative, researchers have demonstrated fingerprinting attacks using simple black-box testing, but these techniques are slow, inefficient, and generally awkward to use. We propose a novel black-box technique to efficiently extract emulator fingerprints without reverse-engineering. To demonstrate our technique, we implemented an easy-to-use tool and API called AVLeak.

We describe a new, general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoff's principle, by creating process-specific randomized instruction sets (e.g., machine instructions) of the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that randomized processor, causing a runtime exception. To determine the difficulty of integrating support for the proposed mechanism in the operating system, we modified the Linux kernel, the GNU binutils tools, and the bochs-x86 emulator. Although the performance penalty is significant, our prototype demonstrates the feasibility of the approach, and should be directly usable on a suitably modified processor (e.g., the Transmeta Crusoe). Our approach is equally applicable against code-injecting attacks in scripting and interpreted languages, e.g., web-based SQL injection. We demonstrate this by modifying the Perl interpreter to permit randomized script execution. The performance penalty in this case is minimal. Where our proposed approach is feasible (i.e., in an emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.
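The instruction-set randomization idea described above, shown on a toy stack machine as an added example (not code from the paper or its Linux/bochs/Perl prototypes): a per-process key randomizes the trusted instruction stream, the "CPU" de-randomizes every fetched byte, and code injected without the key decodes to an invalid opcode and raises a runtime exception. The instruction set, the XOR key stream standing in for the randomization function, and all sample programs are constructed for this example.

```python
import secrets

# Constructed toy instruction set: opcode byte, PUSH carries one operand byte.
OPCODES = {0x01: "PUSH", 0x02: "ADD", 0x03: "MUL", 0x04: "HALT"}


class InvalidInstruction(Exception):
    """The runtime exception an ISR-protected processor raises on foreign code."""


def new_process_key(length: int = 16) -> bytes:
    """Fresh secret key per process; Kerckhoff: only the key is secret, not the scheme."""
    return secrets.token_bytes(length)


def randomize(program: bytes, key: bytes) -> bytes:
    """Trusted loader step: encode the legitimate program under the process key.
    XOR with a repeating key stream is a stand-in for any keyed bijection."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(program))


def run(encoded: bytes, key: bytes) -> int:
    """Randomized CPU: de-randomize each fetched byte, then decode and execute."""
    stack, pc = [], 0
    fetch = lambda i: encoded[i] ^ key[i % len(key)]
    while pc < len(encoded):
        op, at = fetch(pc), pc
        pc += 1
        if op not in OPCODES:  # a byte not encoded with this key is almost never valid
            raise InvalidInstruction(f"invalid opcode 0x{op:02x} at offset {at}")
        name = OPCODES[op]
        if name == "PUSH":
            stack.append(fetch(pc))
            pc += 1
        elif name == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif name == "MUL":
            b, a = stack.pop(), stack.pop()
            stack.append(a * b)
        else:  # HALT
            return stack.pop()
    raise InvalidInstruction("ran off the end of the program")


# Constructed sample program: PUSH 6, PUSH 7, MUL, HALT -> 42
PROGRAM = bytes([0x01, 6, 0x01, 7, 0x03, 0x04])


def demo() -> tuple[int, bool]:
    """Returns (result of the legitimate program, whether injected plain code was rejected)."""
    key = new_process_key()
    result = run(randomize(PROGRAM, key), key)
    try:
        run(PROGRAM, key)  # same bytes injected without the key: not randomized
        rejected = False
    except InvalidInstruction:
        rejected = True
    return result, rejected
```

Each injected byte decodes to a valid opcode with probability 4/256 here, so a multi-instruction injection is rejected with overwhelming probability; a real processor has a denser opcode map, which is why the paper pairs the scheme with a runtime exception rather than relying on silent failure.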