Comprehensive shellcode detection using runtime heuristics

Polychronakis, Michalis; Anagnostakis, Kostas G.; Markatos, Evangelos P.

doi:10.1145/1920261.1920305

Cited by 54 publications

(66 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In other words, our system tries each byte of the network stream as a potential entry point of shellcode. Similar to the dynamic approaches [1], [6], [9], we refer to a complete execution from each offset of the stream as an execution chain. Compared with the dynamic approaches that require intercepting and tracking each instruction, our approach allows instruction sequences being executed directly on the CPU, and only trap a small number of instructions selectively by utilizing hardware paging mechanisms.…”

Section: Overview Of Our Approachmentioning

confidence: 99%

“…In order to detect shellcode in our execution environment, we employ the PEB heuristic [6]. This detection heuristic relies on the conventional behaviour of shellcode: After executing the network string, the shellcode will first read the memory address of FS:[0x30] to locate the PEB, and then read the LoaderData field (0xc bytes offset) of the PEB to locate the PEB LDR DATA structure.…”

Section: Shellcode Detectionmentioning

confidence: 99%

“…When we utilize 2 CPU cores for two different detection processes, our system can achieve 73.8 Mbps network throughput without packet loss. Compared with the emulation-based methods [1], [6], [9], the network throughput is greatly improved.…”

Section: Throughputmentioning

confidence: 99%

“…In the past few years, many detection approaches [1], [3], [4], [6], [9] have been proposed. Basically, these methods can be divided into two categories: static analysis [3], [4] and dynamic analysis [1], [6], [9].…”

Section: Introductionmentioning

confidence: 99%

“…Basically, these methods can be divided into two categories: static analysis [3], [4] and dynamic analysis [1], [6], [9]. The core idea of static analysis is to disassemble the network stream and then analyze the code-level patterns that could be signatures obtained from existing shellcode.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Efficient Shellcode Detection on Commodity Hardware

Tian

Chen

et al. 2013

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYAs more and more software vulnerabilities are exposed, shellcode has become very popular in recent years. It is widely used by attackers to exploit vulnerabilities and then hijack program's execution. Previous solutions suffer from limitations in that: 1) Some methods based on static analysis may fail to detect the shellcode using obfuscation techniques. 2) Other methods based on dynamic analysis could impose considerable performance overhead. In this paper, we propose Lemo, an efficient shellcode detection system. Our system is compatible with commodity hardware and operating systems, which enables deployment. To improve the performance of our system, we make use of the multi-core technology. The experiments show that our system can detect shellcode efficiently.

show abstract

Section: Overview Of Our Approachmentioning

confidence: 99%

Section: Shellcode Detectionmentioning

confidence: 99%

Section: Throughputmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Efficient Shellcode Detection on Commodity Hardware

Tian

Chen

et al. 2013

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

Practical Enclave Malware with Intel SGX

Schwarz

Weiser

Gruss

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. For instance, Intel's threat model for SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether this threat model is realistic. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorlydeployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion, but also act on the user's behalf, e.g., sending phishing emails or mounting denial-of-service attacks. Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a codereuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defense against enclave malware.

show abstract

NFDD: A Dynamic Malicious Document Detection Method Without Manual Feature Dictionary

Jiang

Wang

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Comprehensive shellcode detection using runtime heuristics

Cited by 54 publications

References 22 publications

Efficient Shellcode Detection on Commodity Hardware

Efficient Shellcode Detection on Commodity Hardware

Practical Enclave Malware with Intel SGX

NFDD: A Dynamic Malicious Document Detection Method Without Manual Feature Dictionary

Contact Info

Product

Resources

About