Abstract
The rapid increase of software vulnerabilities shows us the limitation of patch-dependent countermeasures for malicious code. We propose a patch-independent protection technique of remote infection which enables each process to identify itself with ”being infected” and nullify itself spontaneously. Our system is operating system independent and therefore does not need software rebuilding. Previously, no method for stopping malicious process without recompiling source code or rebuilding software has been proposed. In proposal system, target process is running under self debugging mode which is activated by enhancing debug() exception handler and utilizing MSR debug register. In this paper we show the effectiveness of proposal method by protecting the remote process infection without patching security holes. Implemention of device driver call back function and BranchIP recorder provides the real-time prevention of unregistered worm attack through Internet. In experiment, function test of stack buffer overflow of Win32.SQLExp.Worm is presented. Also CPU utilization corresponding to the number of calling function and some database operations is showed.
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
Keywords
References
Cowan, C., Wagle, P., Pu, C., Beattie, S., Walpole, J.: Buffer Overflows - Attacks and Defenses for the Vulnerability of the Decade. In: DARPA Information Survivability Conference and Expo. (2000)
Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of Thirteenth Systems Administration Conference (LISA 1999), pp. 229–238 (1999)
Symantec Corporation: Bloodhound Technology, http://securityresponse.symantec.com/
Kim, G.H., Spafford, E.H.: Tripwire A File System Integrity Checker. In: ACM Conference on Computer and Communications Security, pp. 18–29 (1994)
Kosoresow, A.P., Hofmeyr, S.A.: Intrusion Detection Via System Call Traces. IEEE Software, 35–40 (1997)
Ghory, Z.: Openwall Improving security with the openwall patch, securityfocus (2002)
Linux Openwall project, http://www.openwall.com/
Larochelle, D., Evans, D.: Statically Detecting Likely Buffer Overflow Vulnerabilities. In: 2001 USENIX Security Symposium, Washington, D.C., August 13-17 (2001)
Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q., Hinton, H.: StackGuard Automatic adaptive detection and prevention of buffer-overflow attacks. In: Proc. 7th USENIX Security Conference, pp. 63–78 (1998)
Baratloo, A., Singh, N., Tsai, T.: Libsafe: Protecting critical elements of stacks, http://www.research.avayalabs.com/project/libsafe/
Bergeron, J., Debbabi, M., Desharnais, J., Erhioui, M.M., Lavoie, Y., Tawbi, N.: Static Detection of Malicious Code in Executable Programs. In: Proc. of the International Symposium on Requirements Engineering for Information Security (2001)
Jones, R.W.M., Kelly, P.H.J.: Backwards-compatible bounds checking for array and pointers in C programs. In: AADEBUG 1997 (1997)
Intel Corporation: IA-32 IntelR Architecture Software Developer’s Manual, vol. 2A: Insruction Set Reference A-M (2004)
Intel Corporation: IA-32 IntelR Architecture Software Developer’s Manual, vol. 2B: Insruction Set Reference N-Z (2004)
Intel Corporation: IA-32 IntelR Architecture Software Developer’s Manual, vol. 3: System Programming Guide (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ando, R., Takefuji, Y. (2005). Self Debugging Mode for Patch-Independent Nullification of Unknown Remote Process Infection. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds) Cryptology and Network Security. CANS 2005. Lecture Notes in Computer Science, vol 3810. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11599371_8
Download citation
DOI: https://doi.org/10.1007/11599371_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30849-2
Online ISBN: 978-3-540-32298-6
eBook Packages: Computer ScienceComputer Science (R0)