Yataglass: Network-Level Code Emulation for Analyzing Memory-Scanning Attacks

Remote code-injection attacks are one of the most frequently used attack vectors in computer security. To detect and analyze injected code (often called shellcode), some researchers have proposed network-level code emulators. A network-level code emulator can detect shellcode accurately and help analysts understand its behavior. We demonstrate that memory-scanning attacks can evade current emulators, and we propose Yataglass, an elaborated network-level code emulator that enables us to analyze shellcode that incorporates memory-scanning attacks. According to our experimental results, Yataglass successfully emulated and analyzed real shellcode into which we had manually incorporated memory-scanning attacks.
