Exploiting Extra CPU Cores to Detect NOP Sleds Using Sandboxed Execution
Nopphon Phringmongkol, P. Ratanaworabhan
2019 10th International Conference of Information and Communication Technology for Embedded Systems (IC-ICTES), March 2019
DOI: 10.1109/ICTEMSYS.2019.8695955 (https://doi.org/10.1109/ICTEMSYS.2019.8695955)
At present, antivirus software backed by a database of virus signatures is the most popular solution to the malware detection problem. Even though its shortfalls are well known (it requires a large database that must be updated constantly, and it is vulnerable to zero-day exploits), the security community has not come up with a better alternative. However, the advent of multicore processors allows us to revisit this problem and look for alternatives that were deemed inefficient on previous generations of hardware. This paper proposes a lightweight dynamic analysis scheme that scans and executes objects allocated in main memory. Our scheme looks for the presence of NOP sleds, which signal the existence of malware. Whenever an application allocates an object in memory, separate threads are spawned or woken up to execute that object in a sandboxed environment. Extra CPU cores can run these threads independently in parallel, providing close to ideal speedup. Our solution obviates the need for a virus database and can protect against zero-day exploits. We show that our dynamic analysis approach incurs low overhead, offers an attractive false positive rate, and maintains a zero false negative rate by design.
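The property the scheme relies on is what makes a NOP sled useful to an attacker in the first place: a corrupted return address may land anywhere inside the sled, and execution from every one of those offsets must flow harmlessly into the payload. The paper checks this by actually executing the allocated object on a spare core inside a sandbox. The example below is added here and is not the authors' code; it checks the same every-offset property without executing untrusted bytes, by decoding a small whitelist of "sled-safe" 32-bit x86 instructions (the whitelist, the 32-bit decoding, the sample buffers and the function names are all assumptions of this example, not something the paper specifies). It reports the longest window from which every start offset decodes through whitelisted instructions until it leaves the window.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Length of the 32-bit x86 instruction at buf[off] if it is on this example's
 * whitelist of sled-safe instructions (no fault, no control transfer, no memory
 * write), otherwise 0. The whitelist is an assumption, not the paper's. */
static size_t sled_insn_len(const uint8_t *buf, size_t len, size_t off)
{
    if (off >= len) return 0;
    uint8_t b = buf[off];
    /* one-byte instructions commonly used as NOP equivalents */
    if (b == 0x90 || (b >= 0x40 && b <= 0x4F) || (b >= 0x91 && b <= 0x99) ||
        b == 0x27 || b == 0x2F || b == 0x37 || b == 0x3F || b == 0x9B ||
        b == 0x9F || b == 0xF5 || b == 0xF8 || b == 0xF9 || b == 0xFC)
        return 1;
    size_t p = off, prefix = 0;
    if (b == 0x66) {                          /* operand-size prefix */
        prefix = 1; p++;
        if (p >= len) return 0;
        b = buf[p];
        if (b == 0x90) return 2;              /* 66 90: xchg ax,ax */
    }
    if (b == 0x0F && p + 2 < len && buf[p + 1] == 0x1F) {   /* 0F 1F /0: nop r/m32 */
        uint8_t modrm = buf[p + 2], mod = modrm >> 6, rm = modrm & 7;
        if (((modrm >> 3) & 7) != 0) return 0;
        size_t n = prefix + 3;
        if (mod == 0 && rm == 5) n += 4;      /* disp32 with no base register */
        else if (mod == 1) n += 1;            /* disp8 */
        else if (mod == 2) n += 4;            /* disp32 */
        if (mod != 3 && rm == 4) n += 1;      /* SIB byte */
        return n <= len - off ? n : 0;
    }
    return 0;
}

/* Longest n such that, for every start offset j in [i, i+n), straight-line
 * decoding from j passes only through whitelisted instructions until it leaves
 * the window. Returns n and stores i in *start_out (if non-NULL). */
size_t longest_sled(const uint8_t *buf, size_t len, size_t *start_out)
{
    if (len == 0) return 0;
    size_t *reach = malloc(len * sizeof *reach);
    if (!reach) return 0;
    /* reach[j]: offset at which decoding from j first meets a non-whitelisted
     * instruction (len if it never does). Filled backwards so each lookup is O(1). */
    for (size_t j = len; j-- > 0; ) {
        size_t n = sled_insn_len(buf, len, j);
        reach[j] = n == 0 ? j : (j + n >= len ? len : reach[j + n]);
    }
    size_t best = 0, best_start = 0;
    for (size_t i = 0; i < len; i++) {
        size_t m = len;                       /* minimum reach over the window */
        for (size_t n = 1; i + n <= len; n++) {
            if (reach[i + n - 1] < m) m = reach[i + n - 1];
            if (m < i + n) break;             /* some offset exits before the window ends */
            if (n > best) { best = n; best_start = i; }
        }
    }
    free(reach);
    if (start_out) *start_out = best_start;
    return best;
}

/* Constructed samples for this example (not data from the paper). */
/* Six nops, a 3-byte nop (0F 1F 00), inc ecx twice, then a call: offsets 0..6
 * all flow into the call, but offset 7 decodes as pop ds, so the sled is 7 bytes. */
const uint8_t SAMPLE_SLED[] = { 0x90,0x90,0x90,0x90,0x90,0x90, 0x0F,0x1F,0x00,
                                0x41,0x41, 0xE8,0x00,0x00,0x00,0x00 };
const size_t SAMPLE_SLED_LEN = sizeof SAMPLE_SLED;
/* Plain text: 'H' (0x48) decodes as dec eax, nothing whitelisted follows it. */
const uint8_t SAMPLE_TEXT[] = "Hello, world";
const size_t SAMPLE_TEXT_LEN = sizeof SAMPLE_TEXT - 1;
/* Two 5-byte nops (0F 1F 44 00 00): valid code, but landing on an interior byte
 * decodes pop ds / inc esp / add [eax],al, so no window longer than 1 qualifies. */
const uint8_t SAMPLE_MULTI[] = { 0x0F,0x1F,0x44,0x00,0x00, 0x0F,0x1F,0x44,0x00,0x00 };
const size_t SAMPLE_MULTI_LEN = sizeof SAMPLE_MULTI;

int main(void)
{
    size_t start = 0;
    size_t n = longest_sled(SAMPLE_SLED, SAMPLE_SLED_LEN, &start);
    printf("sled sample:      longest sled %zu bytes at offset %zu\n", n, start);
    printf("text sample:      longest sled %zu bytes\n", longest_sled(SAMPLE_TEXT, SAMPLE_TEXT_LEN, NULL));
    printf("multi-byte nops:  longest sled %zu bytes\n", longest_sled(SAMPLE_MULTI, SAMPLE_MULTI_LEN, NULL));
    return 0;
}
```

In a deployment shaped like the paper's, `longest_sled` would be the body of the worker thread that the allocator wakes for each newly allocated object, with an alert raised when the result exceeds a length threshold (a few bytes, so that stray `inc`/`dec` opcodes in ordinary data are ignored). Note the trade-off against the paper's approach: real sandboxed execution catches any sled that actually works, whereas a whitelist decoder like this one will miss sleds built from instructions it does not know, so its false negative rate is not zero by design.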