Self Debugging Mode for Patch-Independent Nullification of Unknown Remote Process Infection

Ando, Ruo; Takefuji, Yoshiyasu

doi:10.1007/11599371_8

Ruo Ando²⁰ &
Yoshiyasu Takefuji²⁰

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3810))

Included in the following conference series:

International Conference on Cryptology and Network Security

852 Accesses

Abstract

The rapid increase of software vulnerabilities shows us the limitation of patch-dependent countermeasures for malicious code. We propose a patch-independent protection technique of remote infection which enables each process to identify itself with ”being infected” and nullify itself spontaneously. Our system is operating system independent and therefore does not need software rebuilding. Previously, no method for stopping malicious process without recompiling source code or rebuilding software has been proposed. In proposal system, target process is running under self debugging mode which is activated by enhancing debug() exception handler and utilizing MSR debug register. In this paper we show the effectiveness of proposal method by protecting the remote process infection without patching security holes. Implemention of device driver call back function and BranchIP recorder provides the real-time prevention of unregistered worm attack through Internet. In experiment, function test of stack buffer overflow of Win32.SQLExp.Worm is presented. Also CPU utilization corresponding to the number of calling function and some database operations is showed.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Cowan, C., Wagle, P., Pu, C., Beattie, S., Walpole, J.: Buffer Overflows - Attacks and Defenses for the Vulnerability of the Decade. In: DARPA Information Survivability Conference and Expo. (2000)
Google Scholar
Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of Thirteenth Systems Administration Conference (LISA 1999), pp. 229–238 (1999)
Google Scholar
Symantec Corporation: Bloodhound Technology, http://securityresponse.symantec.com/
Kim, G.H., Spafford, E.H.: Tripwire A File System Integrity Checker. In: ACM Conference on Computer and Communications Security, pp. 18–29 (1994)
Google Scholar
Kosoresow, A.P., Hofmeyr, S.A.: Intrusion Detection Via System Call Traces. IEEE Software, 35–40 (1997)
Google Scholar
Ghory, Z.: Openwall Improving security with the openwall patch, securityfocus (2002)
Google Scholar
Linux Openwall project, http://www.openwall.com/
Larochelle, D., Evans, D.: Statically Detecting Likely Buffer Overflow Vulnerabilities. In: 2001 USENIX Security Symposium, Washington, D.C., August 13-17 (2001)
Google Scholar
Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q., Hinton, H.: StackGuard Automatic adaptive detection and prevention of buffer-overflow attacks. In: Proc. 7th USENIX Security Conference, pp. 63–78 (1998)
Google Scholar
Baratloo, A., Singh, N., Tsai, T.: Libsafe: Protecting critical elements of stacks, http://www.research.avayalabs.com/project/libsafe/
Bergeron, J., Debbabi, M., Desharnais, J., Erhioui, M.M., Lavoie, Y., Tawbi, N.: Static Detection of Malicious Code in Executable Programs. In: Proc. of the International Symposium on Requirements Engineering for Information Security (2001)
Google Scholar
Jones, R.W.M., Kelly, P.H.J.: Backwards-compatible bounds checking for array and pointers in C programs. In: AADEBUG 1997 (1997)
Google Scholar
Intel Corporation: IA-32 IntelR Architecture Software Developer’s Manual, vol. 2A: Insruction Set Reference A-M (2004)
Google Scholar
Intel Corporation: IA-32 IntelR Architecture Software Developer’s Manual, vol. 2B: Insruction Set Reference N-Z (2004)
Google Scholar
Intel Corporation: IA-32 IntelR Architecture Software Developer’s Manual, vol. 3: System Programming Guide (2004)
Google Scholar

Download references

Author information

Authors and Affiliations

Graduate School of Media and Governance, Keio University, Endo 5322, Fujisawa, 2528520, Japan
Ruo Ando & Yoshiyasu Takefuji

Authors

Ruo Ando
View author publications
You can also search for this author in PubMed Google Scholar
Yoshiyasu Takefuji
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Department of Computer Science, University College London,
Yvo G. Desmedt
Centre for Advanced Computing - Algorithms and Cryptography Department of Computing, Macquarie University, Australia
Huaxiong Wang
Centre for Computer and Information Security Research School of Computer Science and Software Engineering, University of Wollongong, Australia
Yi Mu
Fujian Normal University, 350007, Fuzhou, Fujian, China
Yongqing Li

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Ando, R., Takefuji, Y. (2005). Self Debugging Mode for Patch-Independent Nullification of Unknown Remote Process Infection. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds) Cryptology and Network Security. CANS 2005. Lecture Notes in Computer Science, vol 3810. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11599371_8

Download citation

DOI: https://doi.org/10.1007/11599371_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30849-2
Online ISBN: 978-3-540-32298-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics