<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">mais</journal-id><journal-title-group><journal-title xml:lang="ru">Моделирование и анализ информационных систем</journal-title><trans-title-group xml:lang="en"><trans-title>Modeling and Analysis of Information Systems</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1818-1015</issn><issn pub-type="epub">2313-5417</issn><publisher><publisher-name>Yaroslavl State University</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.18255/1818-1015-2020-2-138-151</article-id><article-id custom-type="elpub" pub-id-type="custom">mais-1321</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>Computer System Organization</subject></subj-group></article-categories><title-group><article-title>Об обнаружении эксплуатации уязвимостей, приводящей к запуску вредоносного кода</article-title><trans-title-group xml:lang="en"><trans-title>On the Detection of Exploitation of Vulnerabilities Leading to the Execution of a Malicious Code</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0002-1491-524X</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Косолапов</surname><given-names>Юрий Владимирович</given-names></name><name name-style="western" xml:lang="en"><surname>Kosolapov</surname><given-names>Yury V.</given-names></name></name-alternatives><bio xml:lang="ru"><p>канд. техн. наук</p><p>ул. Мильчакова, 8а, г. Ростов-на-Дону, 344090 </p></bio><bio xml:lang="en"><p>PhD.</p><p>8a Milchakova str., Rostov-on-Don 344090</p></bio><email xlink:type="simple">itaim@mail.ru</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Южный Федеральный Университет</institution><country>Россия</country></aff><aff xml:lang="en"><institution>Southern Federal University</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2020</year></pub-date><pub-date pub-type="epub"><day>24</day><month>06</month><year>2020</year></pub-date><volume>27</volume><issue>2</issue><fpage>138</fpage><lpage>151</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Косолапов Ю.В., 2020</copyright-statement><copyright-year>2020</copyright-year><copyright-holder xml:lang="ru">Косолапов Ю.В.</copyright-holder><copyright-holder xml:lang="en">Kosolapov Y.V.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://www.mais-journal.ru/jour/article/view/1321">https://www.mais-journal.ru/jour/article/view/1321</self-uri><abstract><p>Задача защиты программного обеспечения от эксплуатации возможных неизвестных уязвимостей может решаться как путем поиска (например, с помощью символьного исполнения) и последующего устранения уязвимостей, так и путем использования систем обнаружения и/или предотвращения вторжений. В последнем случае эта задача решается обычно путем формирования профиля нормального выполнения программ, а недопустимое отклонение от нормального состояния расценивается как аномалия или атака. В настоящей работе рассматривается задача защиты заданного исполнимого файла (программы) P от эксплуатации неизвестных уязвимостей в нем. Для этого предлагается способ построения профиля нормального выполнения программы P, в котором кроме набора легальных цепочек системных и библиотечных функций длины l учитывается расстояние между соседними вызовами функций, вычисляемое как разность адресов вызова соответствующих функций. Учет расстояний между вызовами функций позволяет выявлять исполнение вредоносного шеллкода, использующего вызовы системных и/или библиотечных функций, если хотя бы один из используемых в шеллкоде вызовов находится на нетипичном для программы P расстоянии от предыдущего вызова. В работе строится алгоритм и система обнаружения аномального выполнения кода и проводятся эксперименты в случае, когда P — браузер FireFox для операционной системы Windows.</p></abstract><trans-abstract xml:lang="en"><p>Software protection from exploitation of possible unknown vulnerabilities can be performed both by searching (for example, using symbolic execution) and subsequent elimination of the vulnerabilities and by using detection and / or intrusion prevention systems. In the latter case, this problem is usually solved by forming a profile of a normal behavior and deviation from normal behavior over a predetermined threshold is regarded as an anomaly or an attack. In this paper, the task is to protect a given software P from exploiting unknown vulnerabilities. For this aim a method is proposed for constructing a profile of the normal execution of the program P, in which, in addition to a set of legal chains of system and library functions, it is proposed to take into account the distances between adjacent function calls. At the same time, a profile is formed for each program. It is assumed that taking into account the distances between function calls will reveal shell code execution using system and / or library function calls. An algorithm and a system for detecting abnormal code execution are proposed. The work carried out experiments in the case when P is the FireFox browser. During the experiments the possibility of applying the developed algorithm to identify abnormal behavior when launching publicly available exploits was investigated.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>системные вызовы</kwd><kwd>вызовы библиотек</kwd><kwd>уязвимости программного обеспечения</kwd></kwd-group><kwd-group xml:lang="en"><kwd>system calls</kwd><kwd>library calls</kwd><kwd>software vulnerability</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman, “Survey of intrusion detection systems: techniques, datasets and challenges”, Cybersecurity, vol. 2, no. 1, p. 20, 2019.</mixed-citation><mixed-citation xml:lang="en">A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman, “Survey of intrusion detection systems: techniques, datasets and challenges”, Cybersecurity, vol. 2, no. 1, p. 20, 2019.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">S. Forrest, S. Hofmeyr, and A. Somayaji, “The Evolution of System-Call Monitoring”, in Proceedings of 2008 Annual Computer Security Applications Conference (ACSAC), 2008, pp. 418–430.</mixed-citation><mixed-citation xml:lang="en">S. Forrest, S. Hofmeyr, and A. Somayaji, “The Evolution of System-Call Monitoring”, in Proceedings of 2008 Annual Computer Security Applications Conference (ACSAC), 2008, pp. 418–430.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">S. Gupta, H. Sharma, and S. Kaur, “Malware Characterization Using Windows API Call Sequences”, Journal of Cyber Security and Mobility, vol. 7, no. 4, pp. 363–378, 2018.</mixed-citation><mixed-citation xml:lang="en">S. Gupta, H. Sharma, and S. Kaur, “Malware Characterization Using Windows API Call Sequences”, Journal of Cyber Security and Mobility, vol. 7, no. 4, pp. 363–378, 2018.</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">R. Veeramani and N. Rai, “Windows API based Malware Detection and Framework Analysis”, International Journal of Scientific &amp; Engineering Research, vol. 3, no. 3, pp. 1–6, 2012.</mixed-citation><mixed-citation xml:lang="en">R. Veeramani and N. Rai, “Windows API based Malware Detection and Framework Analysis”, International Journal of Scientific &amp; Engineering Research, vol. 3, no. 3, pp. 1–6, 2012.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">A. Singh, R. Arora, and H. Pareek, “Malware Analysis using Multiple API Sequence Mining Control Flow Graph”, CoRR. arXiv preprint arXiv:1707.02691, 2017.</mixed-citation><mixed-citation xml:lang="en">A. Singh, R. Arora, and H. Pareek, “Malware Analysis using Multiple API Sequence Mining Control Flow Graph”, CoRR. arXiv preprint arXiv:1707.02691, 2017.</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">M. L. Bernardi, M. Cimitile, D. Distante, F. Martinelli, and F. Mercaldo, “Dynamic malware detection and phylogeny analysis using process mining”, International Journal of Information Security, vol. 18, no. 3, pp. 257–284, 2019.</mixed-citation><mixed-citation xml:lang="en">M. L. Bernardi, M. Cimitile, D. Distante, F. Martinelli, and F. Mercaldo, “Dynamic malware detection and phylogeny analysis using process mining”, International Journal of Information Security, vol. 18, no. 3, pp. 257–284, 2019.</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">L. Viljanen, “A Survey of Application Level Intrusion Detection”, Technical report, Series of Publications C, Report C-2004-61 Helsinki, 2004.</mixed-citation><mixed-citation xml:lang="en">L. Viljanen, “A Survey of Application Level Intrusion Detection”, Technical report, Series of Publications C, Report C-2004-61 Helsinki, 2004.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">G. Creech, “Developing a high-accuracy cross platform Host-Based Intrusion Detection System capable of reliably detecting zero-day attacks”, PhD thesis, University of New South Wales, Canberra, Australia, 2014.</mixed-citation><mixed-citation xml:lang="en">G. Creech, “Developing a high-accuracy cross platform Host-Based Intrusion Detection System capable of reliably detecting zero-day attacks”, PhD thesis, University of New South Wales, Canberra, Australia, 2014.</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">H. Hu, S. Shinde, S. Adrian, Z. L. Chua, P. Saxena, and Z. Liang, “Data-oriented programming: On the expressiveness of non-control data attacks”, in 2016 IEEE Symposium on Security and Privacy (SP), 2016, pp. 969–986.</mixed-citation><mixed-citation xml:lang="en">H. Hu, S. Shinde, S. Adrian, Z. L. Chua, P. Saxena, and Z. Liang, “Data-oriented programming: On the expressiveness of non-control data attacks”, in 2016 IEEE Symposium on Security and Privacy (SP), 2016, pp. 969–986.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">K. K. Ispoglou, B. AlBassam, T. Jaeger, and M. Payer, “Block Oriented Programming: Automating Data-Only Attacks”, in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018, pp. 1868–1882.</mixed-citation><mixed-citation xml:lang="en">K. K. Ispoglou, B. AlBassam, T. Jaeger, and M. Payer, “Block Oriented Programming: Automating Data-Only Attacks”, in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018, pp. 1868–1882.</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Y. V. Kosolapov, “About detection of code reuse attacks”, Modelirovanie i Analiz Informatsionnykh Sistem, vol. 26, no. 2, pp. 213–228, 2019.</mixed-citation><mixed-citation xml:lang="en">Y. V. Kosolapov, “About detection of code reuse attacks”, Modelirovanie i Analiz Informatsionnykh Sistem, vol. 26, no. 2, pp. 213–228, 2019.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">D. Wagner and P. Soto, “Mimicry attacks on host-based intrusion detection systems”, in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, pp. 255–264.</mixed-citation><mixed-citation xml:lang="en">D. Wagner and P. Soto, “Mimicry attacks on host-based intrusion detection systems”, in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, pp. 255–264.</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi, “Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization”, in 2013 IEEE Symposium on Security and Privacy, 2013, pp. 574–588.</mixed-citation><mixed-citation xml:lang="en">K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi, “Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization”, in 2013 IEEE Symposium on Security and Privacy, 2013, pp. 574–588.</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">E. Stalmans and S. El-Sherei, Macro-less Code Exec in MSWord, Last access 12.12.2019. [Online]. Available: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/.</mixed-citation><mixed-citation xml:lang="en">E. Stalmans and S. El-Sherei, Macro-less Code Exec in MSWord, Last access 12.12.2019. [Online]. Available: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/.</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">P. D. Borisov and Y. V. Kosolapov, “On the automatic analysis of the practical resistance of obfusting transformations”, Modelirovanie i Analiz Informatsionnykh Sistem, vol. 26, no. 3, pp. 317–331, 2019.</mixed-citation><mixed-citation xml:lang="en">P. D. Borisov and Y. V. Kosolapov, “On the automatic analysis of the practical resistance of obfusting transformations”, Modelirovanie i Analiz Informatsionnykh Sistem, vol. 26, no. 3, pp. 317–331, 2019.</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">API Monito, Last access 28.11.2019. [Online]. Available: http://www.rohitab.com/apimonitor.</mixed-citation><mixed-citation xml:lang="en">API Monito, Last access 28.11.2019. [Online]. Available: http://www.rohitab.com/apimonitor.</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">ListDLLs, Last access 28.11.2019. [Online]. Available: https://docs.microsof.com/en-us/sysinternals/downloads/listdlls.</mixed-citation><mixed-citation xml:lang="en">ListDLLs, Last access 28.11.2019. [Online]. Available: https://docs.microsof.com/en-us/sysinternals/downloads/listdlls.</mixed-citation></citation-alternatives></ref><ref id="cit18"><label>18</label><citation-alternatives><mixed-citation xml:lang="ru">M. Vervier, M. Orru, B. J. Wever, and E. Sesterhenn, Browser Security Whitepaper, Last access 05.12.2019. [Online]. Available: https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf.</mixed-citation><mixed-citation xml:lang="en">M. Vervier, M. Orru, B. J. Wever, and E. Sesterhenn, Browser Security Whitepaper, Last access 05.12.2019. [Online]. Available: https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf.</mixed-citation></citation-alternatives></ref><ref id="cit19"><label>19</label><citation-alternatives><mixed-citation xml:lang="ru">R. Gawlik and T. Holz, “Sok: Make JIT-spray great again”, in WOOT’18 Proceedings of the 12th USENIX Conference on Offensive Technologies, 2018, pp. 1–14.</mixed-citation><mixed-citation xml:lang="en">R. Gawlik and T. Holz, “Sok: Make JIT-spray great again”, in WOOT’18 Proceedings of the 12th USENIX Conference on Offensive Technologies, 2018, pp. 1–14.</mixed-citation></citation-alternatives></ref><ref id="cit20"><label>20</label><citation-alternatives><mixed-citation xml:lang="ru">Offensive Security, Exploitdb/exploits/windows/remote/42484.html, Last access 05.12.2019. [Online]. Available: https://github.com/ofensive-security/exploitdb/blob/master/exploits/windows/remote/42484.html.</mixed-citation><mixed-citation xml:lang="en">Offensive Security, Exploitdb/exploits/windows/remote/42484.html, Last access 05.12.2019. [Online]. Available: https://github.com/ofensive-security/exploitdb/blob/master/exploits/windows/remote/42484.html.</mixed-citation></citation-alternatives></ref><ref id="cit21"><label>21</label><citation-alternatives><mixed-citation xml:lang="ru">0vercl0k, CVE-2019-9810, Last access 05.12.2019. [Online]. Available: https://github.com/0vercl0k/CVE-2019-9810.</mixed-citation><mixed-citation xml:lang="en">0vercl0k, CVE-2019-9810, Last access 05.12.2019. [Online]. Available: https://github.com/0vercl0k/CVE-2019-9810.</mixed-citation></citation-alternatives></ref><ref id="cit22"><label>22</label><citation-alternatives><mixed-citation xml:lang="ru">Exploit Database, Last access 05.12.2019. [Online]. Available: https://www.exploit-db.com/.</mixed-citation><mixed-citation xml:lang="en">Exploit Database, Last access 05.12.2019. [Online]. Available: https://www.exploit-db.com/.</mixed-citation></citation-alternatives></ref><ref id="cit23"><label>23</label><citation-alternatives><mixed-citation xml:lang="ru">CVE-2017-5375_ASM.JS_JIT-Spray, Last access 30.12.2019. [Online]. Available: https://github.com/rh0dev/expdev/tree/master.</mixed-citation><mixed-citation xml:lang="en">CVE-2017-5375_ASM.JS_JIT-Spray, Last access 30.12.2019. [Online]. Available: https://github.com/rh0dev/expdev/tree/master.</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
