Anti-disassembly using Cryptographic Hash Functions

Aycock, John; deGraaf, Rennie; Jacobson, Michael J.

doi:10.1007/s11416-006-0011-3

Cited by 13 publications

(10 citation statements)

References 7 publications

(8 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that the techniques presented here are rather trivial, compared to elaborate binary code obfuscation methods [30][31][32], but powerful enough to illustrate the limitations of detection methods based on static analysis. Advanced techniques for complicating static analysis have also been extensively used for tamper-resistant software and for preventing the reverse engineering of executables, as a defense against software piracy [33][34][35].…”

Section: Static Analysis Resistant Polymorphic Shellcodementioning

confidence: 99%

Network-level polymorphic shellcode detection using emulation

2006

View full text Add to dashboard Cite

Significant progress has been made in recent years towards preventing code injection attacks at the network level. However, as state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to defeat these defenses. A major outstanding question in security research and engineering is thus whether we can proactively develop the tools needed to contain advanced polymorphic and metamorphic attacks. While recent results have been promising, most of the existing proposals can be defeated using only minor enhancements to the attack vector. In fact, some publicly-available polymorphic shellcode engines are currently one step ahead of the most advanced publicly-documented network-level detectors. In this paper, we present a heuristic detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. In contrast to previous work, our approach relies on a NIDSembedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of polymorphic shellcode. Our analysis demonstrates that the proposed

show abstract

Section: Static Analysis Resistant Polymorphic Shellcodementioning

confidence: 99%

Network-level polymorphic shellcode detection using emulation

2006

View full text Add to dashboard Cite

show abstract

“…A special case of CKPE is hash-armoring [28]. Hash-armoring uses a cryptographic hash function with a context-based key to hash an (arbitrary) salt.…”

Section: Limitations Of Faithful Emulationmentioning

confidence: 99%

On Emulation-Based Network Intrusion Detection Systems

Abbasi

Wetzels

Bokslag

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regards to traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode. In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weakness that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

show abstract

“…The possibilities in terms of exploiting user data include sending more convincing spam (Aycock, & Friess, 2006) and establishing markets for efficient sales of purloined data (Friess, Aycock, & Vogt, 2008). In terms of using the computing power of compromised machines, the output from cryptographic hash functions has been searched for useful values for anti-disassembly (Aycock, De Graaf, & Jacobson, 2006), and the computing power required to forge SSL server certificates has been estimated (Hemmingsen, Aycock, & Jacobson, 2007). This latter work brings up to date an earlier publication by White, looking at using computer viruses' application to distributed computing (White, 1989).…”

Section: Related Workmentioning

confidence: 99%

Code Obfuscation Using Pseudo-random Number Generators

Aycock

Cardenas²,

Castro

2009

2009 International Conference on Computational Science and Engineering

Self Cite

View full text Add to dashboard Cite

We describe a novel method for malicious code obfuscation that uses code already present in systems: a pseudo-random number generator. This can also be seen as an antidisassembly and anti-debugging technique, depending on deploy-ment, because the actual code does not exist until run -it is generated dynamically by the pseudo-random number generator. A year's worth of experiments are used to demonstrate that this technique is a viable code obfuscation option for a malicious adversary with access to large amounts of computing power.Key words: obfuscation, pseudo-random, generator. ResumenSe describe un nuevo método para la ofuscación de códigos maliciosos que utiliza códigos ya presentes en los sistemas: un generador de números pseudo-aleatorios. Esto también puede verse como una técnica anti-desmontaje y anti-depuración, dependiendo de su despliegue, debido a que el código real no existe hasta su ejecución -que se genera de forma dinámica por el generador de números pseudo-aleatorios. Se han usado xperimentos de todo un año para demostrar que esta técnica de ofuscación es viable para un adversario malicioso con acceso a una gran potencia computacional.

show abstract

Anti-disassembly using Cryptographic Hash Functions

Abstract: Abstract

Cited by 13 publications

References 7 publications

Network-level polymorphic shellcode detection using emulation

Network-level polymorphic shellcode detection using emulation

On Emulation-Based Network Intrusion Detection Systems

Code Obfuscation Using Pseudo-random Number Generators

Contact Info

Product

Resources

About