ShellOS: Enabling fast detection and forensic analysis of code injection attacks
Venue
USENIX Security Symposium (2011)
Publication Year
2011
Authors
Kevin Snow, Srinivas Krishnan, Fabian Monrose, Niels Provos
Abstract
The availability of off-the-shelf exploitation toolkits for compromising hosts,
coupled with the rapid rate of exploit discovery and disclosure, has made exploit-
or vulnerability-based detection far less effective than it once was. For instance,
the increasing use of metamorphic and polymorphic techniques to deploy code
injection attacks continues to confound signature-based detection. The key to
detecting these attacks lies in the ability to discover the presence of the
injected code (or shellcode) itself. One promising technique for doing so is to
examine data (whether from network streams or from the buffers of a process) and
efficiently execute its content to find what lurks within. Unfortunately, current
approaches for achieving this goal are neither robust to evasion nor scalable,
primarily because of their reliance on software-based CPU emulators. In this paper,
we argue that the use of software-based emulation techniques is not necessary, and
instead propose a new framework that leverages hardware virtualization to better
enable the detection of code injection attacks. We also report on our experience
using this framework to analyze a corpus of malicious Portable Document Format
(PDF) files and network-based attacks.
