Conference Paper

System Call API Obfuscation (Extended Abstract)

DOI: 10.1007/978-3-540-87403-4_36 Conference: Recent Advances in Intrusion Detection, 11th International Symposium, RAID 2008, Cambridge, MA, USA, September 15-17, 2008. Proceedings
Source: DBLP


We claim that attacks can evade the comprehension of security tools that rely on knowledge of standard system call interfaces to reason about process execution behavior. Our attack, called Illusion, will invoke privileged operations in a Windows or Linux kernel at the request of user-level processes without requiring those processes to call the actual system calls corresponding to the operations. The Illusion interface will hide system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion will alter neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory.

  • ABSTRACT: Detecting unseen illegal codes is always a challenging task. As the main approach to this problem, behavior detection is unsatisfactory in both effectiveness and efficiency. This paper proposes task-based behavior detection (TBBD), which detects new illegal codes based on the user's task instead of only on the software behavior. First, the paper proposes three prerequisites of TBBD and four judgment rules, i.e., the resource abnormal rule, relation abnormal rule, space abnormal rule and time abnormal rule. Then, by analyzing the effectiveness and comparison of the four judgment rules, we present an explicit judgment process of TBBD. Finally, the paper carries out the experiments. The test result verifies the validity and feasibility of TBBD.
    Mathematical and Computer Modelling 01/2012; 55(1-2):80-86. DOI:10.1016/j.mcm.2011.01.052
  • ABSTRACT: Malware obfuscation obscures malware into a different form that is functionally identical to the original one, and makes syntactic signatures ineffective. Furthermore, malware samples are numerous and growing at an exponential pace. Behavioral signatures are an effective way to defeat obfuscation. However, the state-of-the-art behavioral signature, the behavior graph, although very effective, is unfortunately too complicated and not scalable to handle exponentially growing malware samples; in addition, it is too slow to be used in real-time detectors. This paper proposes an anti-obfuscation and scalable behavioral signature generation system, DiffSig, which avoids information-flow tracking, the chief culprit for the complexity and inefficiency of behavior graphs, thus losing some data dependencies, but describes handle dependencies more accurately than behavior graphs by restricting the profile type of resource that each handle dependency can reference. Our experimental results show that DiffSig is scalable and efficient, and can detect new malware samples effectively.
    Proceedings of the 2013 International Conference on Information and Communication Technology; 03/2013
  • ABSTRACT: People-centric sensing (PCS) is an emerging paradigm of sensor network which turns daily used mobile devices (such as smartphones and PDAs) into sensors. It is promising but faces severe security problems. As smartphones are already, and will remain, attractive targets for attackers, and even more so given strong connectivity and homogeneous applications, all mobile devices in PCS risk being infected by malware more rapidly. Even worse, attackers usually obfuscate their malware in order to avoid simple (syntactic signature based) detection. Thus, more intelligent (behavioral signature based) detection is needed. But in the field of network security, the state-of-the-art behavioral signature—the behavior graph—is too complicated to be used on mobile devices. This paper proposes a novel behavioral signature generation system—SimBehavior—to generate lightweight behavioral signatures for malware detection in PCS. The generated lightweight behavioral signatures are somewhat like regex (regular expression) rules. Thus, unlike malware detection using behavior graphs, which is NP-complete, detection using our lightweight behavioral signatures is efficient and very suitable for PCS. Our experimental results show that SimBehavior can extract behavioral signatures effectively, and that the generated lightweight behavioral signatures can be used to detect new malware samples in PCS efficiently and effectively.
    Wireless Personal Communications 04/2014; 75(3). DOI:10.1007/s11277-013-1400-9