Enabling fast detection and forensic analysis of code injection attacks
Abstract: The availability of off-the-shelf exploitation toolkits for compromising hosts,
coupled with the rapid rate of exploit discovery and disclosure, has made exploit- or
vulnerability-based detection far less effective than it once was. For instance, the
increasing use of metamorphic and polymorphic techniques to deploy code injection attacks
continues to confound signature-based detection. The key to detecting these attacks lies in
the ability to discover the presence of the injected code (the shellcode) itself. One
promising technique for doing so is to examine data (whether from network streams or from
the buffers of a process) and efficiently execute its content to find what lurks within.
Unfortunately, current approaches for achieving this goal are neither robust to evasion nor
scalable, primarily because of their reliance on software-based CPU emulators. In this paper,
we argue that software-based emulation is not necessary, and instead propose a new framework
that leverages hardware virtualization to better enable the detection of code injection
attacks. We also report on our experience using this framework to analyze a corpus of
malicious Portable Document Format (PDF) files and network-based attacks.
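The detection principle the abstract refers to, which prior work implements with software CPU emulators, is to treat the data as code, execute it from every offset, and look for behaviour that only a self-contained decoder exhibits: locating its own address (a CALL/POP "GetPC" idiom) and then executing bytes it has just written. The toy scanner below, added here as an illustration and not part of the paper or its framework, does exactly that for a tiny x86-32 subset. The load address, instruction budget, supported opcodes, and the HTTP-looking sample with an embedded XOR decoder stub are all constructed for the example. Note how an opcode outside the emulated subset simply ends the execution chain; that incompleteness, and the cost of scanning every offset in software, is the gap the paper's hardware-virtualization approach is meant to close.

```python
# Added illustration (not the paper's code): a toy software emulator for a
# small x86-32 subset that "executes" a buffer from every offset and flags an
# offset when the code recovers its own address via CALL/POP (GetPC) and then
# executes bytes it has itself written, the shape of a self-decrypting stub.
BASE = 0x1000      # assumed load address of the scanned buffer
MAX_STEPS = 64     # per-offset instruction budget so the scan terminates
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class Fault(Exception):
    """Unsupported opcode or out-of-buffer access: end this execution chain."""


class Cpu:
    def __init__(self, data, eip):
        self.mem, self.eip = bytearray(data), eip
        self.regs = dict.fromkeys(REG, 0)
        self.stack, self.ret_addrs = [], set()   # pushed values; CALL return addresses
        self.written = set()                     # buffer offsets modified by emulated code
        self.getpc = self.exec_written = False

    def off(self, addr):
        o = addr - BASE
        if not 0 <= o < len(self.mem):
            raise Fault
        return o

    def fetch(self, n=1):
        o = self.off(self.eip)
        if o + n > len(self.mem):
            raise Fault
        self.eip += n
        return self.mem[o:o + n]

    def imm(self, n):
        return int.from_bytes(self.fetch(n), "little", signed=True)

    def step(self):
        if self.off(self.eip) in self.written:
            self.exec_written = True             # about to run self-modified code
            return
        op = self.fetch()[0]
        if op == 0xEB:                           # JMP rel8
            rel = self.imm(1)
            self.eip += rel
        elif op == 0xE8:                         # CALL rel32
            rel = self.imm(4)
            self.stack.append(self.eip)
            self.ret_addrs.add(self.eip)
            self.eip += rel
        elif 0x58 <= op <= 0x5F:                 # POP r32
            val = self.stack.pop() if self.stack else 0
            self.regs[REG[op - 0x58]] = val
            self.getpc |= val in self.ret_addrs  # GetPC: return address landed in a register
        elif 0x40 <= op <= 0x47:                 # INC r32
            r = REG[op - 0x40]
            self.regs[r] = (self.regs[r] + 1) & 0xFFFFFFFF
        elif 0xB0 <= op <= 0xB3:                 # MOV al/cl/dl/bl, imm8
            r = REG[op - 0xB0]
            self.regs[r] = (self.regs[r] & 0xFFFFFF00) | self.fetch()[0]
        elif op == 0x31:                         # XOR r32, r32 (register form only)
            modrm = self.fetch()[0]
            if (modrm >> 6) != 3:
                raise Fault
            self.regs[REG[modrm & 7]] ^= self.regs[REG[(modrm >> 3) & 7]]
        elif op == 0x80:                         # XOR byte [reg], imm8 (mod=00, /6)
            modrm = self.fetch()[0]
            if (modrm >> 6) != 0 or ((modrm >> 3) & 7) != 6 or (modrm & 7) in (4, 5):
                raise Fault
            key = self.fetch()[0]
            o = self.off(self.regs[REG[modrm & 7]])
            self.mem[o] ^= key
            self.written.add(o)                  # remember self-modified bytes
        elif op == 0xE2:                         # LOOP rel8
            rel = self.imm(1)
            self.regs["ecx"] = (self.regs["ecx"] - 1) & 0xFFFFFFFF
            if self.regs["ecx"]:
                self.eip += rel
        else:
            raise Fault


def run_from(data, offset):
    """Execute from one offset until a fault, budget exhaustion or self-modified code runs."""
    cpu = Cpu(data, BASE + offset)
    try:
        for _ in range(MAX_STEPS):
            cpu.step()
            if cpu.exec_written:
                break
    except Fault:
        pass
    return cpu


def scan(data):
    """Return offsets whose execution shows GetPC followed by executing written bytes."""
    flagged = []
    for o in range(len(data)):
        cpu = run_from(data, o)
        if cpu.getpc and cpu.exec_written:
            flagged.append(o)
    return flagged


# Constructed sample: HTTP-looking text around a classic CALL/POP XOR decoder
# (jmp -> call -> pop esi, loop over 3 bytes, jmp to payload) and its encoded payload.
KEY = 0xAA
PAYLOAD = bytes([0x90, 0x90, 0xCC])            # nop, nop, int3 (constructed payload)
DECODER = bytes([
    0xEB, 0x0D,                    # jmp short  -> call
    0x5E,                          # pop esi    (esi = payload address)
    0x31, 0xC9,                    # xor ecx, ecx
    0xB1, len(PAYLOAD),            # mov cl, 3
    0x80, 0x36, KEY,               # xor byte [esi], KEY
    0x46,                          # inc esi
    0xE2, 0xFA,                    # loop       -> xor byte [esi]
    0xEB, 0x05,                    # jmp short  -> payload
    0xE8, 0xEE, 0xFF, 0xFF, 0xFF,  # call       -> pop esi (pushes payload address)
]) + bytes(b ^ KEY for b in PAYLOAD)
PREFIX = b"GET /index.html HTTP/1.0\r\n"
SAMPLE = PREFIX + DECODER + b" trailing data"
DECODER_OFFSET = len(PREFIX)

if __name__ == "__main__":
    print("flagged offsets:", scan(SAMPLE))
```

Running the scan over `SAMPLE` flags the decoder's first byte and the `call` it jumps to (both chains reach the GetPC `pop` and then execute the decoded payload), while the ASCII text around it never does, because no printable byte encodes a write or a relative call in this subset. The emulated memory also ends up holding the decoded `nop, nop, int3`, which is the forensic payoff: the scanner has recovered the hidden payload without any signature for the encoder.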