Counteracting Data-Only Malware with Code Pointer Examination
As new code-based defense technologies emerge, attackers move to data-only malware, which is capable of infecting a system with- out introducing any new code. To manipulate the control flow without code, data-only malware inserts a control data structure into the system e. g. in the form of a ROP chain, which enables it to combine existing instructions into a new malicious program. Current systems try to hin- der data-only malware by detecting the point in time, when the malware starts executing. However, it has been shown that these approaches are not only performance consuming, but can also be subverted. In this work, we introduce a new approach, Code Pointer Examination (CPE), that aims to detect data-only malware by identifying and clas- sifying code pointers. Instead of targeting control flow changes, our ap- proach thus targets the control structure of data-only malware, which mainly consists of pointers to the instruction sequences that the mal- ware reuses. Since the control structure is comparable to the code region of traditional malware, this results in an effective detection approach that is diffcult to evade. We implemented a prototype for recent Linux ker- nels that is capable of identifying and classifying all code pointers within the kernel. As our experiments show, our prototype is able to detect data-only malware in an effcient manner (less than 1% overhead).
Counteracting Data-Only Malware with Code Pointer Examination
18th International Symposium on Research in Attacks, Intrusions and Defenses
Authors: | Thomas Kittel, Julian Kirsch, and Claudia Eckert |
Year/month: | 2015/11 |
Booktitle: | 18th International Symposium on Research in Attacks, Intrusions and Defenses |
Fulltext: | kittelraid2015.pdf |
Abstract |
|
As new code-based defense technologies emerge, attackers move to data-only malware, which is capable of infecting a system with- out introducing any new code. To manipulate the control flow without code, data-only malware inserts a control data structure into the system e. g. in the form of a ROP chain, which enables it to combine existing instructions into a new malicious program. Current systems try to hin- der data-only malware by detecting the point in time, when the malware starts executing. However, it has been shown that these approaches are not only performance consuming, but can also be subverted. In this work, we introduce a new approach, Code Pointer Examination (CPE), that aims to detect data-only malware by identifying and clas- sifying code pointers. Instead of targeting control flow changes, our ap- proach thus targets the control structure of data-only malware, which mainly consists of pointers to the instruction sequences that the mal- ware reuses. Since the control structure is comparable to the code region of traditional malware, this results in an effective detection approach that is diffcult to evade. We implemented a prototype for recent Linux ker- nels that is capable of identifying and classifying all code pointers within the kernel. As our experiments show, our prototype is able to detect data-only malware in an effcient manner (less than 1% overhead). |
Bibtex:
@inproceedings { kittel2015,author = { Thomas Kittel and Julian Kirsch and Claudia Eckert},
title = { Counteracting Data-Only Malware with Code Pointer Examination },
year = { 2015 },
month = { November },
booktitle = { 18th International Symposium on Research in Attacks, Intrusions and Defenses },
url = {https://www.sec.in.tum.de/i20/publications/counteracting-data-only-malware-with-code-pointer-examination/@@download/file/kittelraid2015.pdf}
}