CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Gaoning Pan,Tianxiang Luo,Yiming Tao,Xiao Lei,Shuangxi Chen,Hui Liu,Chunming Wu

DOI: https://doi.org/10.1109/PST58708.2023.10319984

2023-01-01

Abstract:With the popularity of computers and mobile devices and the development of the Internet, browsers (applications used to retrieve and display information resources on the World Wide Web) are often included by default and have become an indispensable software. Therefore, research on browser security issues is essential for protecting information assets. Among many browsers in the industry, Chrome, as a cross-platform web browser developed by Google, occupies a large market share in desktop browsers, and its security risks are further amplified as its kernel is used by many other browsers. Therefore, the research on the security issues of Chrome browser is critical for browser security. This paper focuses on the vulnerability detection of the process communication interface in Chrome browser, and designs and implements a fuzzing framework, auto-mojo-fuzz (AMF). The fuzzing process mainly designs a sample optimization technique to ensure the effectiveness of input samples and improve the efficiency of fuzzing. After implementing the AMF solution, we evaluate the generated test samples to demonstrate the effectiveness of the sample optimization technique. We also prove the possibility of discovering more vulnerabilities with AMF, and tests it with the latest version of Chrome browser, finding five unique crashes, four of which are verified as security vulnerabilities, effectively proving the automatic and efficient ability of this framework to discover vulnerabilities in the process communication interfaces in browsers.

ZHOU Hu-sheng,WEN Wei-ping,YIN Liang,FU Jun

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.014

2011-01-01

Abstract:GS Stack Protection,SafeSEH,Heap Protection,DEP,ASLR are five key technologies for the memory protection mechanism of Windows 7,these technologies significantly contribute to mitigate buffer overflow attacks.Based on the analysis of these technologies,we also tested the possibility of bypassing the protection mechanisms in Windows 7.Evaluating the effect of resisting buffer overflow of Windows 7,we pointed out that Windows 7 couldn't resist the buffer overflow attacks absolutely.Finally several measures were introduced to improve system security more comprehensively.

Jungwon Lim,Yonghwi Jin,Mansour Alharthi,Xiaokuan Zhang,Jinho Jung,Rajat Gupta,Kuilin Li,Daehee Jang,Taesoo Kim

DOI: https://doi.org/10.48550/arXiv.2112.15561

2022-01-01

Abstract:Web browsers are integral parts of everyone's daily life. They are commonly used for security-critical and privacy sensitive tasks, like banking transactions and checking medical records. Unfortunately, modern web browsers are too complex to be bug free (e.g., 25 million lines of code in Chrome), and their role as an interface to the cyberspace makes them an attractive target for attacks. Accordingly, web browsers naturally become an arena for demonstrating advanced exploitation techniques by attackers and state-of-the-art defenses by browser vendors. Web browsers, arguably, are the most exciting place to learn the latest security issues and techniques, but remain as a black art to most security researchers because of their fast-changing characteristics and complex code bases. To bridge this gap, this paper attempts to systematize the security landscape of modern web browsers by studying the popular classes of security bugs, their exploitation techniques, and deployed defenses. More specifically, we first introduce a unified architecture that faithfully represents the security design of four major web browsers. Second, we share insights from a 10-year longitudinal study on browser bugs. Third, we present a timeline and context of mitigation schemes and their effectiveness. Fourth, we share our lessons from a full-chain exploit used in 2020 Pwn2Own competition. and the implication of bug bounty programs to web browser security. We believe that the key takeaways from this systematization can shed light on how to advance the status quo of modern web browsers, and, importantly, how to create secure yet complex software in the future.

Cryptography and Security

CAO Zhiwei,HUANG Hao

DOI: https://doi.org/10.14188/j.1671-8836.2013.02.014

2013-01-01

Abstract:We deeply analyze the major browsers’ process and thread behavior in Windows operating system,such as Chrome and IE,and then put forward a method of fine-grained capability control in the web browser components.Making use of the technical methods like process address space analysis,thread stack analysis,Kernel monitoring module,etc,we realize a fine-grained IE capability security monitoring module.The module can improve the host’s security performance by stopping the web browser attacking.

XU You-fu,ZHANG Jin-han,WEN Wei-ping

DOI: https://doi.org/10.3969/j.issn.1671-1122.2009.05.019

2009-01-01

Abstract:SEH(Structured Exception Handling) , a mechanism which is provided by Windows operating system to handle errors or exceptions. However, because of the limitations in SEH 's design, the attacker can make use of SEH exception handling chain to sucessfully attack the system when there is a buffer overflow bug. Therefore, changes of SEH implementation mechanism were made in accordance with different versions of Microsoft Windows operating system. As a result, two improved mechanisms-SafeSEH and SEHOP appeared. Nevertheless, different degrees of defects still exist in these improved mechanisms. This paper provides a profound research on the implementation of and security defects in different versions of the SEH mechanisms through technologies afforded by Microsoft, such as GS, ASLR. Also provided are some improvement advices of the corresponding security defects.

Lei Duan,Tao Wei,Tielei Wang,Tianfang Guo,Wei Zou

2010-01-01

Abstract:Just-in-time (JIT)-spraying, which first appeared in Blackhat DC 2010, is a new kind of attack techniques based on JIS compilation. This technique allows attackers to bypass data execution prevention (DEP) and address space layout randomization (ASLR). There are not yet any public methods to prevent this kind of attack which makes users quite vulnerable. This attack was analyzed to build models for Sledge, Shellcode's handover, and other key points to develop a JIT-spraying prevention mechanism based on random instruction padding. Quantitative analysis of the method's effectiveness shows that the best solution reduces the success rate of JIT-spraying attacks to less than 10 -6 and only introduces about 13% more padding instructions. This approach is demonstrated in V8, which is the JavaScript engine of the Chrome browser, and the performance overhead is less than 1%. The mechanism can also be used in other JIT compilers to provide more effective safety protection combined with DEP and ASLR.

Piotr Bania

DOI: https://doi.org/10.48550/arXiv.1009.1038

2010-09-06

Cryptography and Security

Abstract:With the discovery of new exploit techniques, novel protection mechanisms are needed as well. Mitigations like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization) created a significantly more difficult environment for exploitation. Attackers, however, have recently researched new exploitation methods which are capable of bypassing the operating system's memory mitigations. One of the newest and most popular exploitation techniques to bypass both of the aforementioned security protections is JIT memory spraying, introduced by Dion Blazakis. In this article we will present a short overview of the JIT spraying technique and also novel mitigation methods against this innovative class of attacks. An anti-JIT spraying library was created as part of our shellcode execution prevention system.

王帅,刘胜利

2010-01-01

Abstract:In order to improve the security abilities of Internet Explorer 7 programs on Windows Vista,a method enhancing security based on IE protection mode architecture is presented.Firstly,this text made a reorganization of system access control mechanism on Windows Vista and Internet Explore 7,at the same time,decomposed both of them.Secondly,the security vulnerability of IE protection mode architecture is pointed out when executed user interface privilege isolation policies.And the security threats resulted from it is anal-yzed such as the attackers might illegally access the user resources bypassing the limitation of IE protection mode.Lastly,this text designed and realized a suit of components which can enhance the security of IE protection mode according to the cause of this vulnera-bility,and verified the feasibility and efficiency of it.

魏强,韦韬,王嘉捷

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.10.015

2011-01-01

Abstract:Vulnerability exploitation and its mitigation technologies have always been important in vulnerability offense and defense research.Major operating systems and compilers provide support for exploit mitigation.This paper summarizes research on heap protection,address randomization,sandbox protection and other related technologies which have been developed.Among them,the three rounds of combat for GS and SafeSEH for stack protection focus on both offensive and defensive strategies.ROP,DeActive,Spray breakthroughs and counterattacking are analyzed to illustrate the evolution of data execution prevention.The truncation attack vector is used to monitor data integration destruction,undermine reliable exploitation,prevent control flow redirection,and isolate failure risk.Current exploit mitigation methods use data integrity testing protection,memory features removal based protection,execution control based protection,and fault isolation protection.The lack of bypass protection and other protection measure make existing mitigation methods less effective for protecting data flow hijacking and compound attack vectors.

Muhammad Usman Rana,Munam Ali Shah,Mohammad Abdulaziz Al-Naeem,Carsten Maple

DOI: https://doi.org/10.1109/access.2024.3477631

IF: 3.9

2024-10-19

IEEE Access

Abstract:Ransomware has appeared to be the most damaging and devastating type of malware attack in any cyber physical system. The resilience of a web browser to deal with the malware attack is of significance importance, however, evaluating the performance of a browser to tackle these attacks is a challenging task. Due to various automation techniques, web applications can be tested without human intervention. Technologies such as Junit, Chakram, and Selenium are useful in automated testing but the problem is that the attacker uses harmful code and automated web approaches to distribute their malware. In this research,our contribution is twofold. Firstly, we examine a new attack vector that cyber adversaries can possibly use in the future to infect an operating system with a malware. Currently, attackers use various techniques to gain access to victims' personal computers. Secondly, we present a novel automated web defence to countermeasure these malware attacks. The proposed research aims to provide a better understanding of the new computer virus-spreading techniques that intruders can use in the future. We provide the insight of these attacks and present ways to countermeasure the attacks and to reduce the attack surface. Experiments and flow diagrams have been used to demonstrate the attack and defence approach. To offer malware lateral movement and to encrypt the date of users' device, we use Selenium automation tool on a social media platform. For our experimentation, we developed an application which has been tested on a variety of browsers including Google Chrome, Firefox, and Safari. Our research has revealed that we have an 85 percent success rate when testing in a head-on environment. We have expanded our experiments on headless applications and interestingly, the accuracy rate improved and the probability of success increased to 95 percent. Lastly, we have demonstrated a unique method for detecting and stopping web automation that is generally applicable.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wei Tao,Wang Tielei,Duan Lei,Luo Jing

DOI: https://doi.org/10.1145/1866307.1866415

2010-01-01

Abstract:DCG (Dynamic Code Generation) technologies have found widely applications in the Web 2.0 era, Dion Blazakis recently presented a Flash JIT-Spraying attack against Adobe Flash Player that easily circumvented DEP and ASLR protection mechanisms built in modern operating systems. We have generalized and extended JIT Spraying into DCG Spraying. Based our analyses on this abstract model of DCG Spraying, we have found that all mainstream DCG implementations (Java/ JavaScript/ Flash/ .Net/ SilverLight) are vulnerable against DCG Spraying attack, and none of the existing ad hoc defenses such as compilation optimization, random NOP padding and constant splitting provides effective protection. Furthermore, we propose a new protection method, INSeRT, which combines randomization of intrinsic elements of machine instructions and randomly planted special trapping snippets. INSeRT practically renders the "sprayed code" ineffective, while alerts the host program of ongoing attacking attempts. We implemented a prototype of INSeRT on the V8 JavaScript engine, and the performance overhead is less than 5%, which should be acceptable in practical application.

Tao Wei,Tielei Wang,Lei Duan,Jing Luo

DOI: https://doi.org/10.1109/icist.2011.5765261

2011-01-01

Abstract:DCG (Dynamic Code Generation) technologies have found widely applications in the Web 2.0 era, and DCG-Spraying attack can easily circumvent DEP and ASLR protection mechanisms built in modern operating systems. We propose a new protection method, INSeRT, which combines randomization of intrinsic elements of machine instructions and randomly planted special trapping snippets. INSeRT practically renders the “sprayed code” ineffective, while alerts the host program of ongoing attacking attempts. We implemented a prototype of INSeRT on the V8 JavaScript engine with a performance overhead of less than 5%, which should be acceptable in practical application.

WANG Hai-chen,SHI Yong,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.04.023

2011-01-01

Abstract:Key-loggers for malicious purpose acquire the confidential information by capturing users' input key-stokes,thus resulting in serious threat on computers' security. Research and implementation of secure password input tools can protect the system from such threat. Aiming at various key-logging techniques,How to protect password input and implement one utility in combination of protection in both Ring 0 and Ring 3 is studied. In Ring 3,Windows Hooks and IAT Hook are applied to preventing message interceptions. In Ring 0,protection is realized by using IOAPIC to reassign the keyboard interrupt handler. This paper provides a useful way for guaranteeing the safety of password input.

Chengyu Song,Jianwei Zhuge,Xinhui Han,Zhiyuan Ye

DOI: https://doi.org/10.1145/1755688.1755705

2010-01-01

Abstract:Drive-by download attack is one of the most severe threats to Internet users. Typically, only visiting a malicious page will result in compromise of the client and infection of malware. By the end of 2008, drive-by download had already become the number one infection vector of malware [5]. The downloaded malware may steal the users' personal identification and password. They may also join botnet to send spams, host phishing site or launch distributed denial of service attacks. Generally, these attacks rely on successful exploits of the vulnerabilities in web browsers or their plug-ins. Therefore, we proposed an inter-module communication monitoring based technique to detect malicious exploitation of vulnerable components thus preventing the vulnerability being exploited. We have implemented a prototype system that was integrated into the most popular web browser Microsoft Internet Explorer. Experimental results demonstrate that, on our test set, by using vulnerability-based signature, our system could accurately detect all attacks targeting at vulnerabilities in our definitions and produced no false positive. The evaluation also shows the performance penalty is kept low.

刘磊,王轶骏,薛质

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.06.032

2012-01-01

Abstract:Heap Spray, as a very popular vulnerability-exploiting technology in recent years, is widely-used in the attacks against the browser. This technology greatly reduces the difficulty in address jump after the buffer overflow and significantly improves the success rate of buffer overflow attacks. This paper, through analysis on the principle of Heap Spray technology, gives some technical details. Then the existing detection technologies are divided into three types, including detection based on string, detection based on memory protection, and detection based on system call. And these detections are expounded with some typical examples.

Denis Pogonin,Igor Korkin

DOI: https://doi.org/10.48550/arXiv.2210.02821

2022-10-06

Abstract:Windows OS is facing a huge rise in kernel attacks. An overview of popular techniques that result in loading kernel drivers will be presented. One of the key targets of modern threats is disabling and blinding Microsoft Defender, a default Windows AV. The analysis of recent driver-based attacks will be given, the challenge is to block them. The survey of user- and kernel-level attacks on Microsoft Defender will be given. One of the recently published attackers techniques abuses Mandatory Integrity Control (MIC) and Security Reference Monitor (SRM) by modifying Integrity Level and Debug Privileges for the Microsoft Defender via syscalls. However, this user-mode attack can be blocked via the Windows 'trust labels' mechanism. The presented paper discovered the internals of MIC and SRM, including the analysis of Microsoft Defender during malware detection. We show how attackers can attack Microsoft Defender using a kernel-mode driver. This driver modifies the fields of the Token structure allocated for the Microsoft Defender application. The presented attack resulted in disabling Microsoft Defender, without terminating any of its processes and without triggering any Windows security features, such as PatchGuard. The customized hypervisor-based solution named MemoryRanger was used to protect the Windows Defender kernel structures. The experiments show that MemoryRanger successfully restricts access to the sensitive kernel data from illegal access attempts with affordable performance degradation.

Cryptography and Security,Operating Systems

Jun Zhu,Bill Chu,Heather Richter Lipford

DOI: https://doi.org/10.1145/2914642.2914661

2016-01-01

Abstract:ABSTRACTPrivilege Escalation is a common and serious type of security attack. Although experience shows that many applications are vulnerable to such attacks, attackers rarely succeed upon first trial. Their initial probing attempts often fail before a successful breach of access control is achieved. This paper presents an approach to automatically instrument application source code to report events of failed access attempts that may indicate privilege escalation attacks to a run time application protection mechanism. The focus of this paper is primarily on the problem of instrumenting web application source code to detect access control attack events. We evaluated false positives and negatives of our approach using two open source web applications.

YANG Song-Tao,CHEN Kai-Xiang,WANG Zhun,ZHANG Chao

DOI: https://doi.org/10.21655/ijsi.1673-7288.00290

2022-01-01

International Journal of Software and Informatics

Abstract:PDF HTML XML Export Cite reminder Exploit-oriented Automated Information Leakage DOI: 10.21655/ijsi.1673-7288.00290 Author: Affiliation: Clc Number: Fund Project: Article | Figures | Metrics | Reference | Related | Cited by | Materials | Comments Abstract:Automatic Exploit Generation (AEG) has become one of the most important ways to demonstrate the exploitability of vulnerabilities. However, state-of-the-art AEG solutions in general assume the target system has no mitigations deployed, which is not true in modern operating systems since they often deploy mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). This paper presents the automatic solution EoLeak that can exploit heap vulnerabilities to leak sensitive data and bypass ASLR and DEP at the same time. At a high level, EoLeak analyzes the program execution trace of the Proof-Of-Concept (POC) input that triggers the heap vulnerabilities, characterizes the memory profile from the trace, locates sensitive data (e.g., code pointers), constructs leakage primitives that disclose sensitive data, and generates exploits for the entire process when possible. We have implemented a prototype of EoLeak and evaluated it on a set of Capture The Flag (CTF) binary programs and several real-world applications. Evaluation results reveal that EoLeak is effective at leaking data and generating exploits. Reference Related Cited by

Jianhao Xu,Luca Di Bartolomeo,Flavio Toffalini,Bing Mao,Mathias Payer

DOI: https://doi.org/10.1109/SP46215.2023.10179433

2023-01-01

Abstract:Code-reuse attacks are dangerous threats that attracted the attention of the security community for years. These attacks aim at corrupting important control-flow transfers for taking control of a process without injecting code. Nowadays, the combinations of multiple mitigations (e.g., ASLR, DEP, and CFI) drastically reduced this attack surface, making running code-reuse exploits more challenging. Unfortunately, security mitigations are combined with compiler optimizations, that do not distinguish between securityrelated and application code. Blindly deploying code optimizations over code-reuse mitigations may undermine their security guarantees. For instance, compilers may introduce doublefetch vulnerabilities that lead to concurrency issues such as Time-Of-Check to Time-Of-Use (TOCTTOU) attacks. In this work, we propose a new attack vector, called WarpAttack, that exploits compiler-introduced double-fetch optimizations to mount TOCTTOU attacks and bypass codereuse mitigations. We study the mechanism underlying this attack and present a practical proof-of-concept exploit against the last version of Firefox. Additionally, we propose a lightweight analysis to locate vulnerable double-fetch code (with 3% false positives) and conduct research over six popular applications, five operating systems, and four architectures (32 and 64 bits) to study the diffusion of this threat. Moreover, we study the implication of our attack against six CFI implementations. Finally, we investigate possible research lines for addressing this threat and propose practical solutions to be deployed in existing projects.