IJWMT Vol. 1, No. 1, 15 Feb. 2011
Cover page and Table of Contents: PDF (size: 157KB)
Full Text (PDF, 157KB), PP.13-22
Views: 0 Downloads: 0
Exploit Code, Polymorphism, Abstract Execution, Symbolic Execution, NOOP Instruction Sequence
Remote exploit attacks are the most serious threats in network security area. Polymorphism is a kind of code-modifying technique used to evade detection. A novel approach using static analysis methods is proposed to discover the polymorphic exploit codes hiding in network data flows. The idea of abstract execution is firstly adopted to construct control flow graph, then both symbolic execution and taint analysis are used to detect exploit payloads, at last predefined length of NOOP instruction sequence is recognized to help detection. Experimental results show that the approach is capable of correctly distinguishing the exploit codes from regular network flows.
Guo Fan, Lu JiaXing, Yu Min,"Detecting Polymorphic Buffer Overflow Exploits with a Static Analysis Approach", IJWMT, vol.1, no.1, pp.13-22, 2011. DOI: 10.5815/ijwmt.2011.01.03
[1] H.D. Moore. The metasploit framework[EB/OL]. http://www.metasploit.com, 2010.
[2] M. Polychronakis, K.G. Anagnostakis. Network-level polymorphic shellcode detection using emulation[C]. In Proceedings of the GI/IEEE SIG SIDAR Conference on Detection of Intrusions and Malware and Vulnerability Assessment, 2006
[3] T. Toth, C. Kruegel. Accurate buffer overflow detection via abstract payload execution[C]. Recent Advance in Intrusion Detection, 2002
[4] C. Cruegel, E. Kirda. Polymorphic worm detection using structural information of executables[C]. Recent advance in Intrusion Detection, 2005
[5] R. Chinchani R, E. Berg. A fast static analysis approach to detect exploit code inside network flows[C]. Recent advance in Intrusion Detection, 2005
[6] X.R. Wang, Y.C. Jhi, S.C Zhu, P. Liu. STILL: Exploit code detection via static taint and initialization analyses[C]. In Annual Computer Security Applications Conference, 2008
[7] J.C. King. Symbolic Execution and Program Testing[J]. Communications of the ACM, 19(7):385-394, 1976.