research-article

Robust Fingerprinting for Relocatable Code

Authors:

Vassil Roussev,

Aisha Ali GombeAuthors Info & Claims

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

Pages 219 - 229

https://doi.org/10.1145/2699026.2699104

Published: 02 March 2015 Publication History

Abstract

Robust fingerprinting of executable code contained in a memory image is a prerequisite for a large number of security and forensic applications, especially in a cloud environment. Prior state of the art has focused specifically on identifying kernel versions by means of complex differential analysis of several aspects of the kernel code implementation.

In this work, we present a novel technique that can identify any relocatable code, including the kernel, based on inherent patterns present in relocation tables. We show that such patterns are very distinct and can be used to accurately and efficiently identify known executables in a memory snapshot, including remnants of prior executions. We develop a research prototype, codeid, and evaluate its efficacy on more than 50,000 sample executables containing kernels, kernel modules, applications, dynamic link libraries, and malware. The empirical results show that our method achieves almost 100% accuracy with zero false negatives.

References

[1]

W. L. Bryan D. Payne Martim D. P. de A. Carbone. Secure and exible monitoring of virtual machines. In Proceedings of the Annual Computer Security Applications Conference, 2007.

[2]

M. Christodorescu, R. Sailer, D. L. Schales, D. Sgandurra, and D. Zamboni. Cloud security is not (just) virtualization security: A short paper. In Proceedings of the 2009 ACM Workshop on Cloud Computing Security, CCSW'09, pages 97--102, New York, NY, USA, 2009. ACM.

Digital Library

[3]

Y. Gu, Y. Fu, A. Prakash, Z. Lin, and H. Yin. OS-Sommelier: Memory-only operating system fingerprinting in the cloud. In Proceedings of the Third ACM Symposium on Cloud Computing, SoCC'12, pages 5:1--5:13, New York, NY, USA, 2012. ACM.

Digital Library

[4]

imageinfo. https://code.google.com/p/volatility/wiki/CommandReference#imageinfo.

[5]

N. L. P. Jr., A. Walters, T. Fraser, and W. A. Arbaugh. Fatkit: A framework for the extraction and analysis of digital forensic data from volatile system memory. Digital Investigation, 3(4):197--210, 2006.

Digital Library

[6]

libguestfs. http://libguestfs.org/.

[7]

libvmi. http://code.google.com/p/vmitools/.

[8]

Z. Lin, J. Rhee, X. Zhang, D. Xu, and X. Jiang. Siggraph: Brute force scanning of kernel data structure instances using graph-based signatures. In NDSS, 2011.

[9]

R. Love. Linux Kernel Development. Addison-Wesley Professional, third edition, 2010.

Digital Library

[10]

nmap. http://nmap.org/.

[11]

B. D. Payne. Simplifying virtual machine introspection using libvmi, 2012. Sandia Report SAND2012--7818, http://prod.sandia.gov/techlib/access-control.cgi/2012/127818.pdf.

[12]

qemu. http://qemu.org.

[13]

N. A. Quynh. Operating system fingerprinting for virtual machines. In DEFCON 18, 2010.http://www.defcon.org/images/defcon-18/dc-18-presentations/Quynh/DEFCON-18-Quynh-OS-Fingerprinting-VM.pdf.

[14]

V. Roussev. Data fingerprinting with similarity digests. In Advances in Digital Forensics VI, pages 207--226. Springer, 2010.

[15]

M. E. Russinovich, D. A. Solomon, and A. Ionescu. Windows Internals: Including Windows Server 2008 and Windows Vista. Microsoft Press, fifth edition, 2009.

Digital Library

[16]

sdhash. http://sdhash.org.

[17]

virt-inspector. http://libguestfs.org/virt-inspector.1.html.

[18]

Volatility. https://code.google.com/p/volatility/.

[19]

VX Heaven. http://vxheaven.org.

[20]

Xprobe2. http://sourceforge.net/projects/xprobe/files/xprobe2/.

Cited By

Jiang ZZhang YXu JWen QWang ZZhang XXing XYang MYang ZLigatti JOu XKatz JVigna G(2020)PDiff: Semantic-based Patch Presence Testing for Downstream KernelsProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security10.1145/3372297.3417240(1149-1163)Online publication date: 30-Oct-2020
https://dl.acm.org/doi/10.1145/3372297.3417240
Deshpande PAhmed IHawthorne EPérez-Quiñones MHeckman SZhang J(2019)Topological Scoring of Concept Maps for Cybersecurity EducationProceedings of the 50th ACM Technical Symposium on Computer Science Education10.1145/3287324.3287495(731-737)Online publication date: 22-Feb-2019
https://dl.acm.org/doi/10.1145/3287324.3287495
Deshpande PLee CAhmed IHawthorne EPérez-Quiñones MHeckman SZhang J(2019)Evaluation of Peer Instruction for Cybersecurity EducationProceedings of the 50th ACM Technical Symposium on Computer Science Education10.1145/3287324.3287403(720-725)Online publication date: 22-Feb-2019
https://dl.acm.org/doi/10.1145/3287324.3287403
Show More Cited By

Index Terms

Robust Fingerprinting for Relocatable Code
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

An ensemble framework for interpretable malicious code detection
Abstract
Malicious code is an ever‐growing security threats to computer systems and networks, while malware detection provides effective defense against malicious codes. In this paper, a brief overview is presented on currently prevalent methods to detect ...
Malware detection using adaptive data compression
AISec '08: Proceedings of the 1st ACM workshop on Workshop on AISec

A popular approach in current commercial anti-malware software detects malicious programs by searching in the code of programs for scan strings that are byte sequences indicative of malicious code. The scan strings, also known as the signatures of ...
RansomSpector: An introspection-based approach to detect crypto ransomware
Abstract
Crypto ransomware encrypts user files and then extorts a ransom for decryption, thus it brings a big threat to users. To address this problem, we propose RansomSpector, an introspection-based approach to detect crypto ransomware. ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

March 2015

362 pages

ISBN:9781450331913

DOI:10.1145/2699026

General Chair:
Jaehong Park
University of Texas at San Antonio, USA
,
Program Chair:
Anna Squicciarini
The Pennsylvania State University, USA

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 March 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CODASPY'15

Sponsor:

SIGSAC

CODASPY'15: Fifth ACM Conference on Data and Application Security and Privacy

March 2 - 4, 2015

Texas, San Antonio, USA

Acceptance Rates

CODASPY '15 Paper Acceptance Rate 19 of 91 submissions, 21%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
143
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)0

Reflects downloads up to 17 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Jiang ZZhang YXu JWen QWang ZZhang XXing XYang MYang ZLigatti JOu XKatz JVigna G(2020)PDiff: Semantic-based Patch Presence Testing for Downstream KernelsProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security10.1145/3372297.3417240(1149-1163)Online publication date: 30-Oct-2020
https://dl.acm.org/doi/10.1145/3372297.3417240
Deshpande PAhmed IHawthorne EPérez-Quiñones MHeckman SZhang J(2019)Topological Scoring of Concept Maps for Cybersecurity EducationProceedings of the 50th ACM Technical Symposium on Computer Science Education10.1145/3287324.3287495(731-737)Online publication date: 22-Feb-2019
https://dl.acm.org/doi/10.1145/3287324.3287495
Deshpande PLee CAhmed IHawthorne EPérez-Quiñones MHeckman SZhang J(2019)Evaluation of Peer Instruction for Cybersecurity EducationProceedings of the 50th ACM Technical Symposium on Computer Science Education10.1145/3287324.3287403(720-725)Online publication date: 22-Feb-2019
https://dl.acm.org/doi/10.1145/3287324.3287403
Hebbal YLaniepce SMenaud J(2017)K-binID: Kernel binary code identification for Virtual Machine Introspection2017 IEEE Conference on Dependable and Secure Computing10.1109/DESEC.2017.8073801(107-114)Online publication date: Aug-2017
https://doi.org/10.1109/DESEC.2017.8073801
Gu YLin ZBertino ESandhu RPretschner A(2016)Derandomizing Kernel Address Space Layout for Memory Introspection and ForensicsProceedings of the Sixth ACM Conference on Data and Application Security and Privacy10.1145/2857705.2857707(62-72)Online publication date: 9-Mar-2016
https://dl.acm.org/doi/10.1145/2857705.2857707

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents