Abstract
A common way by which attackers gain control of hosts is through remote exploits. Worms add a new dimension to the problem: they use exploit code to self-propagate and have become commonplace. Defense mechanisms exist, but the popular ones are signature-based techniques that match known byte patterns, and these can be thwarted by polymorphism, metamorphism and other obfuscations. In this paper, we argue that exploit code is characterized by more than a byte pattern, because it also has a definite control and data flow. We propose a fast approach based on static analysis that is essentially a litmus test: it operates by distinguishing between data, programs and program-like exploit code. We have implemented a prototype called styx and evaluated it against real data collected on our organizational network. The results show that it detects a variety of exploit code and can also generate very specific signatures. Moreover, it shows initial promise against polymorphism and metamorphism.
This material is based upon work supported by the Air Force Research Laboratory – Rome Labs under Contract No. FA8750-04-C-0249.
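The litmus test the abstract describes, as an added illustration written for this page (it is not the authors' styx prototype; the abstract does not give styx's decoder or heuristics): a toy that decodes an assumed subset of IA-32 opcodes, follows jump and call targets instead of scanning bytes linearly, and reports how long a coherent instruction chain each candidate entry point yields. The opcode subset, the chain threshold of 8, and the three payloads are assumptions constructed for the example; the "program-like" payload is harmless filler that only mimics the structure (sled, jump over filler, register setup, call, trap) that the flow analysis keys on.

```python
"""Toy litmus test for program-like byte sequences inside a network payload.

Added example, not the styx prototype. It models a small, assumed subset of
IA-32 opcodes, follows jmp/call targets, and scores every candidate entry
point by how many instructions it reaches before an undecodable byte, a
terminator (ret/int) or a loop.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_CHAIN = 8  # assumed threshold: instructions a chain must reach to count as code


def decode(buf: bytes, off: int) -> Optional[Tuple[str, int, str]]:
    """One instruction at `off` as (mnemonic, length, kind), or None.

    kind: "plain" falls through, "jmp8"/"jmp32"/"call32" have a target that is
    followed, "end" terminates the chain. Only a small opcode subset is modelled.
    """
    if not 0 <= off < len(buf):
        return None
    op, ins = buf[off], None
    if op == 0x90:
        ins = ("nop", 1, "plain")
    elif 0x50 <= op <= 0x57:
        ins = ("push r32", 1, "plain")
    elif 0x58 <= op <= 0x5F:
        ins = ("pop r32", 1, "plain")
    elif op in (0x31, 0x89) and off + 1 < len(buf) and buf[off + 1] >> 6 == 3:
        ins = ("xor r32,r32" if op == 0x31 else "mov r32,r32", 2, "plain")  # reg-reg only
    elif 0xB8 <= op <= 0xBF:
        ins = ("mov r32,imm32", 5, "plain")
    elif op == 0x6A:
        ins = ("push imm8", 2, "plain")
    elif op == 0x68:
        ins = ("push imm32", 5, "plain")
    elif op == 0xEB:
        ins = ("jmp rel8", 2, "jmp8")
    elif op == 0xE9:
        ins = ("jmp rel32", 5, "jmp32")
    elif op == 0xE8:
        ins = ("call rel32", 5, "call32")
    elif op == 0xCD:
        ins = ("int imm8", 2, "end")
    elif op == 0xC3:
        ins = ("ret", 1, "end")
    if ins is None or off + ins[1] > len(buf):
        return None  # unknown opcode, or the instruction runs past the buffer
    return ins


def successor(buf: bytes, off: int, length: int, kind: str) -> Optional[int]:
    """Offset of the next instruction on the followed path; None at a terminator."""
    nxt = off + length
    if kind == "end":
        return None
    if kind == "jmp8":
        return nxt + int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
    if kind in ("jmp32", "call32"):
        return nxt + int.from_bytes(buf[off + 1:off + 5], "little", signed=True)
    return nxt


@dataclass
class Chain:
    start: int
    length: int = 0      # instructions reached from `start`
    transfers: int = 0   # jmp/call instructions whose target was followed
    trace: List[Tuple[int, str]] = field(default_factory=list)


def walk(buf: bytes, start: int) -> Chain:
    """Follow the instruction stream from `start` until it stops decoding."""
    chain, seen, off = Chain(start), set(), start
    while off is not None and off not in seen:
        ins = decode(buf, off)
        if ins is None:
            break
        mnemonic, length, kind = ins
        seen.add(off)
        chain.trace.append((off, mnemonic))
        chain.length += 1
        chain.transfers += kind in ("jmp8", "jmp32", "call32")
        off = successor(buf, off, length, kind)
    return chain


def best_chain(buf: bytes) -> Chain:
    """Try every byte as an entry point and keep the longest chain."""
    return max((walk(buf, s) for s in range(len(buf))),
               key=lambda c: c.length, default=Chain(0))


def is_program_like(buf: bytes, min_chain: int = MIN_CHAIN) -> bool:
    """Litmus test: a long coherent chain that also exercises control flow."""
    c = best_chain(buf)
    return c.length >= min_chain and c.transfers >= 1


# Constructed sample inputs (not captured traffic).
HTTP_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
PROGRAM_LIKE = bytes([
    0x90, 0x90, 0x90, 0x90,           # nop sled
    0xEB, 0x05,                       # jmp +5 over the filler below
    0x41, 0x41, 0x41, 0x41, 0x41,     # filler, never on the followed path
    0x31, 0xC0,                       # xor eax, eax
    0x50,                             # push eax
    0xB8, 0x01, 0x00, 0x00, 0x00,     # mov eax, 1
    0xE8, 0x01, 0x00, 0x00, 0x00,     # call +1 over one filler byte
    0x41,                             # filler
    0x5B,                             # pop ebx
    0xCD, 0x80,                       # int 0x80: terminator
])
# Same structure with the sled rewritten as push/pop pairs: a byte signature on
# the sled no longer matches, but the control flow is unchanged.
VARIANT = bytes([0x50, 0x58, 0x51, 0x59]) + PROGRAM_LIKE[4:]

if __name__ == "__main__":
    for name, payload in [("HTTP_REQUEST", HTTP_REQUEST),
                          ("PROGRAM_LIKE", PROGRAM_LIKE), ("VARIANT", VARIANT)]:
        c = best_chain(payload)
        print(f"{name}: chain={c.length} transfers={c.transfers} "
              f"program_like={is_program_like(payload)}")
        for off, mnemonic in c.trace:
            print(f"  {off:3d}: {mnemonic}")
```

Requiring at least one followed transfer is the design choice that separates a run of printable single-byte opcodes (the letters P to Z decode as push/pop) from code with structure; on the HTTP request above the longest chain is the three-instruction "TTP" run, while both code-like payloads yield an eleven-instruction chain through two transfers. The toy flatters the data case because it treats most ASCII as undecodable; a deployable version needs a complete decoder and the data-flow side of the test, which this sketch omits.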
© 2006 Springer-Verlag Berlin Heidelberg
Chinchani, R., van den Berg, E. (2006). A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_15
DOI: https://doi.org/10.1007/11663812_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-31778-4
Online ISBN: 978-3-540-31779-1