DOI: 10.1145/2508859.2516697

Tappan Zee (north) bridge: mining memory accesses for introspection

Published: 04 November 2013

Abstract

The ability to introspect into the behavior of software at runtime is crucial for many security-related tasks, such as virtual machine-based intrusion detection and low-artifact malware analysis. Although some progress has been made in this task by automatically creating programs that can passively retrieve kernel-level information, two key challenges remain. First, it is currently difficult to extract useful information from user-level applications, such as web browsers. Second, discovering points within the OS and applications to hook for active monitoring is still an entirely manual process. In this paper we propose a set of techniques to mine the memory accesses made by an operating system and its applications to locate useful places to deploy active monitoring, which we call tap points. We demonstrate the efficacy of our techniques by finding tap points for useful introspection tasks such as finding SSL keys and monitoring web browser activity on five different operating systems (Windows 7, Linux, FreeBSD, Minix and Haiku) and two processor architectures (ARM and x86).
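As an added example of the mining idea the abstract describes (this is illustrative code written for this page, not the paper's tool or its authors' code): given a trace of guest memory writes, group them by an assumed tap-point identity of (address space, program counter, caller) and search each tap point's reassembled byte stream for a value you already know, such as a URL the browser was made to visit. The trace, addresses, process identifiers and the tap-point triple below are all constructed assumptions for illustration.

```python
"""Tap-point mining over a recorded memory-write trace.

Illustrative code written for this page; it is not the authors' tool.
It assumes an emulator-style recording in which every guest memory write
is logged as (asid, pc, caller, addr, data), and it assumes that a tap
point is identified by the triple (asid, pc, caller): the address space
of the writing process, the instruction doing the write, and the call
site that invoked it. Both are assumptions made for this example.
"""
from collections import defaultdict, namedtuple

Write = namedtuple("Write", "asid pc caller addr data")
TapPoint = namedtuple("TapPoint", "asid pc caller")


def group_by_tap_point(trace):
    """Concatenate, in trace order, every byte each tap point wrote.

    Grouping by (asid, pc, caller) rather than by address means a copy loop
    that stores one byte per iteration still yields the whole buffer, and a
    shared memcpy is split by call site instead of merged into one stream.
    """
    streams = defaultdict(bytearray)
    for w in trace:
        streams[TapPoint(w.asid, w.pc, w.caller)].extend(w.data)
    return streams


def find_tap_points(trace, needle):
    """Tap points whose write stream contains `needle`, mapped to hit counts."""
    hits = {}
    for tp, stream in group_by_tap_point(trace).items():
        n = stream.count(needle)
        if n:
            hits[tp] = n
    return hits


def constructed_trace():
    """Hand-built trace standing in for an emulator recording (constructed, not real data)."""
    url = b"http://example.com/login?user=alice"
    trace = []
    # Tap point A: byte-at-a-time copy loop in a browser process (asid 0x1000).
    for i, b in enumerate(url):
        trace.append(Write(0x1000, 0x401000, 0x40ff00, 0x7f000 + i, bytes([b])))
    # Tap point B: 4-byte-store memcpy in the same process, copying the same URL.
    for i in range(0, len(url), 4):
        trace.append(Write(0x1000, 0x402010, 0x403300, 0x8a000 + i, url[i:i + 4]))
    # Tap point C: kernel page zeroing (asid 0); never carries URL bytes.
    for i in range(0, 64, 8):
        trace.append(Write(0x0, 0xffff800000, 0xffff8000f0, 0x1000 + i, b"\x00" * 8))
    # Tap point D: a logging routine that writes only the host name.
    trace.append(Write(0x1000, 0x405000, 0x405100, 0x9b000, b"example.com"))
    return trace


if __name__ == "__main__":
    for needle in (b"example.com/login", b"example.com"):
        print(needle, find_tap_points(constructed_trace(), needle))
```

Searching the reassembled stream rather than a memory snapshot is what makes a byte-at-a-time copy loop findable, and keying on the caller separates a shared copy routine into one tap point per call site. In a real recording a known-value search also returns tap points that merely pass the value through (library copies, kernel buffers), so hits still have to be ranked or filtered before one is chosen as the place to hook for active monitoring.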



    Published In

    CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
    November 2013
    1530 pages
    ISBN:9781450324779
    DOI:10.1145/2508859
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. active monitoring
    2. introspection
    3. reverse engineering

    Qualifiers

    • Research-article

    Conference

    CCS'13

    Acceptance Rates

    CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months)48
    • Downloads (Last 6 weeks)3
    Reflects downloads up to 30 Aug 2024

    Cited By

    • (2024) X-Ray-TLS: Transparent Decryption of TLS Sessions by Extracting Session Keys from Memory. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 35-48. DOI: 10.1145/3634737.3637654. Online publication date: 1-Jul-2024.
    • (2023) Callee: Recovering Call Graphs for Binaries with Transfer and Contrastive Learning. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2357-2374. DOI: 10.1109/SP46215.2023.10179482. Online publication date: May-2023.
    • (2023) Natch: Detecting Attack Surface for Multi-Service Systems with Hybrid Introspection. 2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion (QRS-C), pp. 176-185. DOI: 10.1109/QRS-C60940.2023.00023. Online publication date: 22-Oct-2023.
    • (2023) Whiteboxgrind – Automated Analysis of Whitebox Cryptography. Constructive Side-Channel Analysis and Secure Design, pp. 221-240. DOI: 10.1007/978-3-031-29497-6_11. Online publication date: 23-Mar-2023.
    • (2022) LibAFL. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1051-1065. DOI: 10.1145/3548606.3560602. Online publication date: 7-Nov-2022.
    • (2022) Katana: Robust, Automated, Binary-Only Forensic Analysis of Linux Memory Snapshots. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 214-231. DOI: 10.1145/3545948.3545980. Online publication date: 26-Oct-2022.
    • (2022) Multi-layered Monitoring for Virtual Machines. System Dependability and Analytics, pp. 99-140. DOI: 10.1007/978-3-031-02063-6_6. Online publication date: 26-Jul-2022.
    • (2021) Malware: The Never-Ending Arm Race. Open Journal of Cybersecurity, pp. 1-25. DOI: 10.46723/ojc.1.1.3. Online publication date: 7-Sep-2021.
    • (2021) CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection. 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 350-362. DOI: 10.1109/DSN48987.2021.00047. Online publication date: Jun-2021.
    • (2020) Towards Unsupervised Introspection of Containerized Application. Proceedings of the 2020 10th International Conference on Communication and Network Security, pp. 42-51. DOI: 10.1145/3442520.3442530. Online publication date: 27-Nov-2020.
