Modeling and Analysis of Information Systems

On the Detection of Exploitation of Vulnerabilities Leading to the Execution of a Malicious Code

https://doi.org/10.18255/1818-1015-2020-2-138-151

Abstract

Protecting software from the exploitation of possibly unknown vulnerabilities can be approached in two ways: by finding the vulnerabilities (for example, with symbolic execution) and then eliminating them, or by using intrusion detection and/or prevention systems. In the latter case the problem is usually solved by forming a profile of normal behaviour; a deviation from that profile beyond a predetermined threshold is treated as an anomaly or an attack. In this paper the task is to protect a given program P from the exploitation of unknown vulnerabilities. For this purpose a method is proposed for constructing a profile of the normal execution of P which, in addition to a set of legal chains of system and library function calls, takes into account the distances between adjacent function calls. A separate profile is formed for each program. The assumption is that taking the distances between function calls into account will reveal the execution of shellcode that uses system and/or library function calls. An algorithm and a system for detecting abnormal code execution are proposed. Experiments were carried out with P being the Firefox browser; they investigated whether the developed algorithm can identify abnormal behaviour when publicly available exploits are launched.
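The following is an added illustration of the idea in the abstract, not the paper's implementation: a per-program profile that stores the legal chains of adjacent API calls together with the distance between their call sites, and a detector that flags a trace which either uses an unseen chain or replays a legal chain from an unusual distance. Everything below is assumed rather than taken from the paper: that a trace is a list of (function name, call-site address) pairs as an API monitor would log them, that "distance" means the absolute difference between the call-site addresses of two adjacent calls, that the profile keeps the minimum and maximum distance seen per chain, and that the traces and addresses (made up here) are constructed sample data.

```python
# Added illustration (not the paper's implementation) of a per-program
# "normal execution" profile that records legal chains of adjacent API calls
# together with the distance between their call sites, and flags a trace that
# either uses an unseen chain or reproduces a legal chain from an unusual
# distance. All traces below are constructed; the addresses are made up.
# Assumption (not from the abstract): "distance" is the absolute difference
# between the call-site (return) addresses of two adjacent calls.

def build_profile(traces):
    """Learn, for every adjacent pair (f1, f2) seen in the training traces,
    the minimum and maximum call-site distance observed for that pair."""
    profile = {}
    for trace in traces:
        for (f1, a1), (f2, a2) in zip(trace, trace[1:]):
            d = abs(a2 - a1)
            lo, hi = profile.get((f1, f2), (d, d))
            profile[(f1, f2)] = (min(lo, d), max(hi, d))
    return profile


def score_trace(profile, trace, tolerance=0x100):
    """Return the list of deviations of `trace` from `profile`.
    An empty list means every adjacent pair is a known chain whose distance
    lies inside the learned range widened by `tolerance` bytes on each side."""
    reasons = []
    for (f1, a1), (f2, a2) in zip(trace, trace[1:]):
        d = abs(a2 - a1)
        if (f1, f2) not in profile:
            reasons.append(f"unseen chain {f1}->{f2}")
            continue
        lo, hi = profile[(f1, f2)]
        if d < lo - tolerance or d > hi + tolerance:
            reasons.append(
                f"{f1}->{f2}: distance {d:#x} outside [{lo:#x}, {hi:#x}]")
    return reasons


def is_anomalous(profile, trace, tolerance=0x100, threshold=1):
    """Decision rule: the trace is an anomaly once the number of deviations
    reaches `threshold` (the predetermined threshold from the abstract)."""
    return len(score_trace(profile, trace, tolerance)) >= threshold


# Constructed training traces: (function name, call-site address) pairs, as an
# API monitor would log them for a program whose code lives near 0x7ff610000000.
NORMAL_TRACES = [
    [("CreateFileW", 0x7FF610001A20), ("ReadFile", 0x7FF610001A58),
     ("CloseHandle", 0x7FF610001A90), ("LoadLibraryW", 0x7FF610002B10),
     ("GetProcAddress", 0x7FF610002B3C)],
    [("CreateFileW", 0x7FF610001A20), ("ReadFile", 0x7FF610001A58),
     ("ReadFile", 0x7FF610001A58), ("CloseHandle", 0x7FF610001A90)],
]

# Constructed attack trace: shellcode on the heap (near 0x0c0c0c40) replays the
# legal chain CloseHandle -> LoadLibraryW -> GetProcAddress, so a chain-only
# profile would accept it; the jump in call-site distance gives it away.
ATTACK_TRACE = [
    ("CreateFileW", 0x7FF610001A20), ("ReadFile", 0x7FF610001A58),
    ("CloseHandle", 0x7FF610001A90), ("LoadLibraryW", 0x0C0C0C40),
    ("GetProcAddress", 0x0C0C0C70),
]


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for name, trace in (("normal", NORMAL_TRACES[0]), ("attack", ATTACK_TRACE)):
        verdict = "anomalous" if is_anomalous(profile, trace) else "ok"
        print(name, verdict, score_trace(profile, trace))
```

Two practical caveats for anyone turning this toy into a detector: with ASLR the absolute call-site addresses change between runs, so distances should be measured between offsets relative to the owning module's base (or only within one module) rather than between raw addresses; and the `tolerance` and `threshold` values set the trade-off between false positives on legitimate but rarely exercised code paths and missed detections, so they have to be tuned against training traces of the specific program being profiled.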

About the Author

Yury V. Kosolapov
Southern Federal University
Russian Federation

PhD.

8a Milchakova str., Rostov-on-Don 344090




For citations:


Kosolapov Yu.V. On the Detection of Exploitation of Vulnerabilities Leading to the Execution of a Malicious Code. Modeling and Analysis of Information Systems. 2020;27(2):138-151. (In Russ.) https://doi.org/10.18255/1818-1015-2020-2-138-151


Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 1818-1015 (Print)
ISSN 2313-5417 (Online)