Software binary analysis
While there is common agreement that this additional information complicates the task for the attacker, it is less clear to what extent an intruder is constrained. In this paper, we present a novel technique to evade the extended detection features of state-of-the-art intrusion detection systems and reduce the task of the intruder to a traditional mimicry attack. We have developed a static analysis tool for Intel x86 binaries that uses symbolic execution to automatically identify instructions that can be used to redirect control flow and to compute the necessary modifications to the environment of the process.
We used our tool to successfully exploit three vulnerable programs and evade detection by existing state-of-the-art system call monitors. In addition, we analyzed three real-world applications to verify the general applicability of our techniques.

Network-based intrusion detection systems analyze network traffic looking for evidence of attacks. The analysis is usually performed using signatures, which are rules that describe what traffic should be considered malicious. If the signatures are known, it is possible either to craft an attack that avoids detection or to send synthetic traffic that matches the signatures in order to over-stimulate the network sensor, causing a denial-of-service attack.
To prevent these attacks, commercial systems usually do not publish their signature sets and their analysis algorithms. This paper describes a reverse engineering process and a reverse engineering tool that are used to analyze the way signatures are matched by network-based intrusion detection systems.
The results of the analysis are used to either generate variations of attacks that evade detection or produce non-malicious traffic that over-stimulates the sensor. This shows that security through obscurity does not work. That is, keeping the signatures secret does not necessarily increase the resistance of a system to evasion and over-stimulation attacks.
A rootkit is a collection of tools used by intruders to keep the legitimate users and administrators of a compromised machine unaware of their presence. However, for operating systems that support loadable kernel modules e. Instead, these rootkits operate within the kernel, modifying critical data structures such as the system call table or the list of currently loaded kernel modules.
Our technique relies on an abstract model of module behavior that is not affected by small changes in the binary image of the module. Therefore, the technique is resistant to attempts to conceal the malicious nature of a kernel module.

Automated Inference of High-Level Program Structure: Decomposing binary artifacts into logical modules
Program: Cyber Security and Complex Software Systems, Office of Naval Research (ONR)
Keywords: binary analysis, dynamic analysis, static analysis

Critical software is often delivered as binary artifacts that are difficult to understand, both in terms of their structure and their potential run-time behaviors.
The aim of this project was to develop techniques for decomposing binary artifacts into logical modules responsible for well-defined high-level behaviors.
Most performance analysis tools use dynamic program analysis techniques.