发布求助
文献互助 智能选刊 最新文献

Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)最新文献

筛选
英文 中文
Limits of Static Analysis for Malware Detection 静态分析对恶意软件检测的限制
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-10 DOI: 10.1109/ACSAC.2007.21
Andreas Moser, Christopher Krügel, E. Kirda
{"title":"Limits of Static Analysis for Malware Detection","authors":"Andreas Moser, Christopher Krügel, E. Kirda","doi":"10.1109/ACSAC.2007.21","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.21","url":null,"abstract":"Malicious code is an increasingly important problem that threatens the security of computer systems. The traditional line of defense against malware is composed of malware detectors such as virus and spyware scanners. Unfortunately, both researchers and malware authors have demonstrated that these scanners, which use pattern matching to identify malware, can be easily evaded by simple code transformations. To address this shortcoming, more powerful malware detectors have been proposed. These tools rely on semantic signatures and employ static analysis techniques such as model checking and theorem proving to perform detection. While it has been shown that these systems are highly effective in identifying current malware, it is less clear how successful they would be against adversaries that take into account the novel detection mechanisms. The goal of this paper is to explore the limits of static analysis for the detection of malicious code. To this end, we present a binary obfuscation scheme that relies on the idea of opaque constants, which are primitives that allow us to load a constant into a register such that an analysis tool cannot determine its value. Based on opaque constants, we build obfuscation transformations that obscure program control flow, disguise access to local and global variables, and interrupt tracking of values held in processor registers. Using our proposed obfuscation approach, we were able to show that advanced semantics-based malware detectors can be evaded. Moreover, our opaque constant primitive can be applied in a way such that is provably hard to analyze for any static code analyzer. This demonstrates that static analysis techniques alone might no longer be sufficient to identify malware.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"87 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121235829","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 870
Spector: Automatically Analyzing Shell Code Spector:自动分析Shell代码
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-10 DOI: 10.1109/ACSAC.2007.11
Kevin Borders, A. Prakash, Mark Zielinski
{"title":"Spector: Automatically Analyzing Shell Code","authors":"Kevin Borders, A. Prakash, Mark Zielinski","doi":"10.1109/ACSAC.2007.11","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.11","url":null,"abstract":"Detecting the presence of buffer overflow attacks in network messages has been a major focus. Only knowing whether a message contains an attack, however, is not always enough to mitigate the threat. It may also be critical to know what it does. Unfortunately, shell code is written in low-level assembly language, and can be obfuscated. The current method of analyzing shell code, manual reverse engineering, is time-consuming, requires significant expertise, and would be nearly impossible for a wide-scale polymorphic attack. In this paper, we introduce Spector, a symbolic execution engine that extracts meaningful high-level actions from shell code. Spector's high-level output helps facilitate attack mitigation and classification of different payloads that have the same behavior. To evaluate Spector, we tested it with over 23,000 unique payloads. It identified eleven different classes of shell code, and processed all the payloads in just over three hours. Spector also successfully classified polymorphic instances of the same shell code.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126765399","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 19
Personal Privacy without Computational Obscurity: Rethinking Privacy Protection Strategies for Open Information Networks 没有计算模糊的个人隐私:对开放信息网络隐私保护策略的再思考
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-10 DOI: 10.1109/ACSAC.2007.50
D. Weitzner
{"title":"Personal Privacy without Computational Obscurity: Rethinking Privacy Protection Strategies for Open Information Networks","authors":"D. Weitzner","doi":"10.1109/ACSAC.2007.50","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.50","url":null,"abstract":"Summary form only given. Throughout the history of computer and network security research, privacy has been treated as synonymous with confidentiality, with the presumed high water mark of privacy being mathematically provable anonymity. Despite the fact that technical innovation in cryptography and network security has enabled all manner of confidentiality control over the exposure of identity in information systems, the vast majority of Internet user remain deeply worried about their privacy rights and correctly believe that they are far more exposed today than they might have been a generation earlier. Have we just failed to deploy the proper security technology to protect privacy, are our laws inadequate to meet present day privacy threats, or have business practices and social conventions simply rendered privacy dead? While there is some truth to each possibility, the central failure to achieve robust privacy in the information age can be traced to an a long-standing misassocation of privacy with confidentiality and access control. In order to revitalize privacy protection, we should shift our legal attention away from rules limiting disclosure of personal information toward policies governing how personal information can be used. And technical efforts currently focused on access control and anonymization should be redirected toward technical measures that make information usage more transparent and accountable to clearly stated policies that address proper and improper users of personal information.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114490057","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 3
Establishing and Sustaining System Integrity via Root of Trust Installation 通过信任根的安装建立和维持系统完整性
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-10 DOI: 10.1109/ACSAC.2007.25
Luke St. Clair, Joshua Schiffman, T. Jaeger, P. Mcdaniel
{"title":"Establishing and Sustaining System Integrity via Root of Trust Installation","authors":"Luke St. Clair, Joshua Schiffman, T. Jaeger, P. Mcdaniel","doi":"10.1109/ACSAC.2007.25","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.25","url":null,"abstract":"Integrity measurements provide a means by which distributed systems can assess the trustability of potentially compromised remote hosts. However, current measurement techniques simply assert the identity of software, but provide no indication of the ongoing status of the system or its data. As a result, a number of significant vulnerabilities can result if the system is not configured and managed carefully. To improve the management of a system's integrity, we propose a Root of Trust Installation (ROTI) as a foundation for high integrity systems. A ROTI is a trusted system installer that also asserts the integrity of the trusted computing base software and data that it installs to enable straightforward, comprehensive integrity verification for a system. The ROTI addresses a historically limiting problem in integrity measurement: determining what constitutes a trusted system state in a heterogeneous, evolving environment. Using the ROTI, a high integrity system state is defined by its installer, thus enabling a remote party to verify integrity guarantees that approximate classical integrity models (e.g., Biba). In this paper, we examine what is necessary to prove the integrity of the trusted computing base (sCore) of a distributed security architecture, called the Shamon. We describe the design and implementation of our custom ROTI sCore installer and study the costs and effectiveness of binding system integrity to installation in the distributed Shamon. This demonstration shows that strong integrity guarantees can be efficiently achieved in large, diverse environments with limited administrative overhead.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"19 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129145558","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 27
Toward Realistic and Artifact-Free Insider-Threat Data 走向现实和无人工的内部威胁数据
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-10 DOI: 10.1109/ACSAC.2007.31
Kevin S. Killourhy, R. Maxion
{"title":"Toward Realistic and Artifact-Free Insider-Threat Data","authors":"Kevin S. Killourhy, R. Maxion","doi":"10.1109/ACSAC.2007.31","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.31","url":null,"abstract":"Progress in insider-threat detection is currently limited by a lack of realistic, publicly available, real-world data. For reasons of privacy and confidentiality, no one wants to expose their sensitive data to the research community. Data can be sanitized to mitigate privacy and confidentiality concerns, but the mere act of sanitizing the data may introduce artifacts that compromise its utility for research purposes. If sanitization artifacts change the results of insider-threat experiments, then those results could lead to conclusions which are not true in the real world. The goal of this work is to investigate the consequences of sanitization artifacts on insider-threat detection experiments. We assemble a suite of tools and present a methodology for collecting and sanitizing data. We use these tools and methods in an experimental evaluation of an insider-threat detection system. We compare the results of the evaluation using raw data to the results using each of three types of sanitized data, and we measure the effect of each sanitization strategy. We establish that two of the three sanitization strategies actually alter the results of the experiment. Since these two sanitization strategies are commonly used in practice, we must be concerned about the consequences of sanitization artifacts on insider-threat research. On the other hand, we demonstrate that the third sanitization strategy addresses these concerns, indicating that realistic, artifact-free data sets can be created with appropriate tools and methods.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131162199","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 12
Quarantining Untrusted Entities: Dynamic Sandboxing Using LEAP 隔离不受信任的实体:使用LEAP的动态沙箱
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-01 DOI: 10.1109/ACSAC.2007.46
M. Radhakrishnan, Jon A. Solworth
{"title":"Quarantining Untrusted Entities: Dynamic Sandboxing Using LEAP","authors":"M. Radhakrishnan, Jon A. Solworth","doi":"10.1109/ACSAC.2007.46","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.46","url":null,"abstract":"Jails, Sandboxes and other isolation mechanisms limit the damage from untrusted programs by reducing a process's privileges to the minimum. Sandboxing is designed to thwart such threats as (1) a program created by an attacker or (2) an input crafted to exploit a security vulnerability in a program. Examples of the later include input containing interpreted code or machine language to be injected via a buffer overflow. Traditionally, sandboxes are created by an invoking process. This is effective for (1) but only partially so for (2). For example, when a file is downloaded by a browser or processed as a mail attachment, the invoking process can sandbox it. However, sandboxing protections can be circumvented when the file is copied outside the sandbox. The problem is that traditional sandboxes do not provide complete mediation. We introduce dynamic sandboxes, and show how even when data is saved and/or copied, sandboxing protections are not lost. In addition, and in contrast to traditional sandbox implementations, dynamic sandboxes are implemented using general purpose access controls. Not only does this provide a more flexible sandbox mechanism, and enable complete mediation, but these same primitives can be used to build other (non-sandbox) authorization policies.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"22 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117184888","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 8
Efficient Distributed Detection of Node Replication Attacks in Sensor Networks 传感器网络中节点复制攻击的高效分布式检测
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-01 DOI: 10.1109/ACSAC.2007.26
Bo Zhu, Venkata Gopala Krishna Addada, Sanjeev Setia, S. Jajodia, Sankardas Roy
{"title":"Efficient Distributed Detection of Node Replication Attacks in Sensor Networks","authors":"Bo Zhu, Venkata Gopala Krishna Addada, Sanjeev Setia, S. Jajodia, Sankardas Roy","doi":"10.1109/ACSAC.2007.26","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.26","url":null,"abstract":"Wireless sensor nodes lack hardware support for tamper- resistance and are often deployed in unattended environments, thus leaving them vulnerable to capture and compromise by an adversary. In a node replication attack, an adversary uses the credentials of a compromised node to surreptitiously introduce replicas of that node into the network. These replicas are then used to launch a variety of attacks that subvert the goal of the sensor application, and the operation of the underlying protocols. We present a novel distributed approach called Localized Multicast for detecting node replication attacks. We evaluate the performance and security of our approach both theoretically and via simulation. Our results show that Localized Multicast is more efficient than previous distributed approaches in terms of communication and memory costs. Further, in our approach, the probability of detecting node replicas is much higher than that achieved in previous distributed protocols.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123686360","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 160
The Age of Data: Pinpointing Guilty Bytes in Polymorphic Buffer Overflows on Heap or Stack 数据时代:在堆或堆栈的多态缓冲区溢出中精确定位错误字节
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-01 DOI: 10.1109/ACSAC.2007.32
Asia Slowinska, H. Bos
{"title":"The Age of Data: Pinpointing Guilty Bytes in Polymorphic Buffer Overflows on Heap or Stack","authors":"Asia Slowinska, H. Bos","doi":"10.1109/ACSAC.2007.32","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.32","url":null,"abstract":"Heap and stack buffer overflows are still among the most common attack vectors in intrusion attempts. In this paper, we ask a simple question that is surprisingly difficult to answer: which bytes contributed to the overflow? By careful observation of all scenarios that may occur in overflows, we identified the information that needs to be tracked to pinpoint the offending bytes. There are many reasons why this is a hard problem. For instance, by the time an overflow is detected some of the bytes may already have been overwritten, creating gaps. Additionally, it is hard to tell the offending bytes apart from unrelated network data. In our solution, we tag data from the network with an age stamp whenever it is written to a buffer. Doing so allows us to distinguish between different bytes and ignore gaps, and provide precise analysis of the offending bytes. By tracing these bytes to protocol fields, we obtain accurate signatures that cater to polymorphic attacks.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"11 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115117803","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 25
Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms 特征遗漏漏洞:阻碍多态蠕虫的签名生成
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-01 DOI: 10.1109/ACSAC.2007.42
M. Gundy, Hao Chen, Z. Su, G. Vigna
{"title":"Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms","authors":"M. Gundy, Hao Chen, Z. Su, G. Vigna","doi":"10.1109/ACSAC.2007.42","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.42","url":null,"abstract":"To combat the rapid infection rate of today's Internet worms, signatures for novel worms must be generated soon after an outbreak. This is especially critical in the case of polymorphic worms, whose binary representation changes frequently during the infection process. In this paper, we examine the assumptions underlying two leading network-based signature generation systems for polymorphic worms: polygraph [14] and Hamsa [12]. By identifying an assumption of both systems not met by all vulnerabilities, we discover a class of vulnerabilities (feature omission vulnerabilities) that neither system can accurately characterize. We demonstrate the limitations of polygraph and Hamsa by testing the signatures that they generate for exploits targeting a feature omission vulnerability. We discuss why feature omission vulnerabilities are difficult to characterize and how increased semantic awareness can help the signature generation process.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125902185","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 11
Secure Input for Web Applications Web应用程序的安全输入
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) Pub Date : 2007-12-01 DOI: 10.1109/ACSAC.2007.28
M. Szydlowski, Christopher Krügel, E. Kirda
{"title":"Secure Input for Web Applications","authors":"M. Szydlowski, Christopher Krügel, E. Kirda","doi":"10.1109/ACSAC.2007.28","DOIUrl":"https://doi.org/10.1109/ACSAC.2007.28","url":null,"abstract":"The Web is an indispensable part of our lives. Every day, millions of users purchase items, transfer money, retrieve information and communicate over the Web. Although the Web is convenient for many users because it provides any time, anywhere access to information and services, at the same time, it has also become a prime target for miscreants who attack unsuspecting Web users with the aim of making an easy profit. The last years have shown a significant rise in the number of Web-based attacks, highlighting the importance of techniques and tools for increasing the security of Web applications. An important Web security research problem is how to enable a user on an untrusted platform (e.g., a computer that has been compromised by malware) to securely transmit information to a Web application. Solutions that have been proposed to date are mostly hardware-based and require (often expensive) peripheral devices such as smart-card readers and chip cards. In this paper, we discuss some common aspects of client-side attacks (e.g., Trojan horses) against Web applications and present two simple techniques that can be used by Web applications to enable secure user input. We also conducted two usability studies to examine whether the techniques that we propose are feasible.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2007-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124918259","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 33
首页 上一页 下一页 尾页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信