{"title":"Spector:自动分析Shell代码","authors":"Kevin Borders, A. Prakash, Mark Zielinski","doi":"10.1109/ACSAC.2007.11","DOIUrl":null,"url":null,"abstract":"Detecting the presence of buffer overflow attacks in network messages has been a major focus. Only knowing whether a message contains an attack, however, is not always enough to mitigate the threat. It may also be critical to know what it does. Unfortunately, shell code is written in low-level assembly language, and can be obfuscated. The current method of analyzing shell code, manual reverse engineering, is time-consuming, requires significant expertise, and would be nearly impossible for a wide-scale polymorphic attack. In this paper, we introduce Spector, a symbolic execution engine that extracts meaningful high-level actions from shell code. Spector's high-level output helps facilitate attack mitigation and classification of different payloads that have the same behavior. To evaluate Spector, we tested it with over 23,000 unique payloads. It identified eleven different classes of shell code, and processed all the payloads in just over three hours. Spector also successfully classified polymorphic instances of the same shell code.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"33 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","resultStr":"{\"title\":\"Spector: Automatically Analyzing Shell Code\",\"authors\":\"Kevin Borders, A. Prakash, Mark Zielinski\",\"doi\":\"10.1109/ACSAC.2007.11\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Detecting the presence of buffer overflow attacks in network messages has been a major focus. Only knowing whether a message contains an attack, however, is not always enough to mitigate the threat. It may also be critical to know what it does. Unfortunately, shell code is written in low-level assembly language, and can be obfuscated. The current method of analyzing shell code, manual reverse engineering, is time-consuming, requires significant expertise, and would be nearly impossible for a wide-scale polymorphic attack. In this paper, we introduce Spector, a symbolic execution engine that extracts meaningful high-level actions from shell code. Spector's high-level output helps facilitate attack mitigation and classification of different payloads that have the same behavior. To evaluate Spector, we tested it with over 23,000 unique payloads. It identified eleven different classes of shell code, and processed all the payloads in just over three hours. Spector also successfully classified polymorphic instances of the same shell code.\",\"PeriodicalId\":199101,\"journal\":{\"name\":\"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)\",\"volume\":\"33 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2007-12-10\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"19\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ACSAC.2007.11\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ACSAC.2007.11","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Detecting the presence of buffer overflow attacks in network messages has been a major focus. Only knowing whether a message contains an attack, however, is not always enough to mitigate the threat. It may also be critical to know what it does. Unfortunately, shell code is written in low-level assembly language, and can be obfuscated. The current method of analyzing shell code, manual reverse engineering, is time-consuming, requires significant expertise, and would be nearly impossible for a wide-scale polymorphic attack. In this paper, we introduce Spector, a symbolic execution engine that extracts meaningful high-level actions from shell code. Spector's high-level output helps facilitate attack mitigation and classification of different payloads that have the same behavior. To evaluate Spector, we tested it with over 23,000 unique payloads. It identified eleven different classes of shell code, and processed all the payloads in just over three hours. Spector also successfully classified polymorphic instances of the same shell code.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
