Counteracting Data-Only Malware with Code Pointer Examination

As new code-based defense technologies emerge, attackers move to data-only malware, which is capable of infecting a system without introducing any new code. To manipulate the control flow without code, data-only malware inserts a control data structure into the system, for example in the form of a ROP chain, which enables it to combine existing instructions into a new malicious program. Current systems try to hinder data-only malware by detecting the point in time when the malware starts executing. However, it has been shown that these approaches are not only performance consuming, but can also be subverted. In this work, we introduce a new approach, Code Pointer Examination CPE, which aims to detect data-only malware by identifying and classifying code pointers. Instead of targeting control flow changes, our approach targets the control structure of data-only malware, which mainly consists of pointers to the instruction sequences that the malware reuses. Since the control structure is comparable to the code region of traditional malware, this results in an effective detection approach that is difficult to evade. We implemented a prototype for recent Linux kernels that is capable of identifying and classifying all code pointers within the kernel. As our experiments show, our prototype is able to detect data-only malware in an efficient manner less than 1i¾?% overhead.

[1]  Zhi Wang,et al.  Countering Persistent Kernel Rootkits through Systematic Hook Discovery , 2008, RAID.

[2]  Angelos D. Keromytis,et al.  kGuard: Lightweight Kernel Protection against Return-to-User Attacks , 2012, USENIX Security Symposium.

[3]  Angelos D. Keromytis,et al.  Transparent ROP Exploit Mitigation Using Indirect Branch Tracing , 2013, USENIX Security Symposium.

[4]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[5]  Zhi Wang,et al.  DKSM: Subverting Virtual Machine Introspection for Fun and Profit , 2010, 2010 29th IEEE Symposium on Reliable Distributed Systems.

[6]  Heng Yin,et al.  MACE: high-coverage and robust memory analysis for commodity operating systems , 2014, ACSAC '14.

[7]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[8]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[9]  Felix C. Freiling,et al.  Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms , 2009, USENIX Security Symposium.

[10]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[11]  Ahmad-Reza Sadeghi,et al.  Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets , 2013, RAID.

[12]  Yutao Liu,et al.  CFIMon: Detecting violation of control flow integrity using performance counters , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[13]  Michael W. Hicks,et al.  Automated detection of persistent kernel control-flow attacks , 2007, CCS '07.

[14]  Christopher Krügel,et al.  Dymo: Tracking Dynamic Code Identity , 2011, RAID.

[15]  Xuxian Jiang,et al.  SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures , 2011, NDSS.

[16]  R. Sekar,et al.  Eternal War in Memory , 2014, IEEE Security & Privacy.

[17]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[18]  C. Eckert,et al.  Code Validation for Modern OS Kernels , 2014 .

[19]  Per Larsen,et al.  Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? , 2015, AsiaCCS.

[20]  Claudia Eckert,et al.  Persistent Data-only Malware: Function Hooks without Code , 2014, NDSS.

[21]  Xuxian Jiang,et al.  Mapping kernel objects to enable systematic integrity checking , 2009, CCS.

[22]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[23]  Angelos D. Keromytis,et al.  ret2dir: Rethinking Kernel Isolation , 2014, USENIX Security Symposium.

[24]  Ahmad-Reza Sadeghi,et al.  Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming , 2015, NDSS.

[25]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[26]  Herbert Bos,et al.  Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard , 2014, USENIX Security Symposium.

[27]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[28]  Xuxian Jiang,et al.  Countering kernel rootkits with lightweight hook protection , 2009, CCS.

[29]  David Lie,et al.  Hypervisor Support for Identifying Covertly Executing Binaries , 2008, USENIX Security Symposium.

[30]  Robert H. Deng,et al.  ROPecker: A Generic and Practical Approach For Defending Against ROP Attacks , 2014, NDSS.

[31]  C. Eckert,et al.  Bridging the Semantic Gap Through Static Code Analysis , 2012 .

[32]  Angelos D. Keromytis,et al.  ROP payload detection using speculative code execution , 2011, 2011 6th International Conference on Malicious and Unwanted Software.

[33]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[34]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.