Tải bản đầy đủ - 0 (trang)
A.2 Generic Security of n-DDHI Assumption

A.2 Generic Security of n-DDHI Assumption

Tải bản đầy đủ - 0trang

Efficient Encrypted Keyword Search for Multi-user Data Sharing



191



Add (F1,τ1 , ξ1,τ1 ) to the list L1 and give ξ1,τ1 to A, then increment τ1 by one.

Group action queries in G are treated similarly.

Pairing. Given two operands ξ1,i and ξ1,j with 0 ≤ i, j < τ1 , compute the

product FT,τT ← FT,i FT,j . If FT,τT = FT,l for some l < τT , set ξT,τT ← ξT,l ;

otherwise, set ξT,τT to a string in {0, 1}∗ \ {ξT,0 , ..., ξT,τT −1 }. Add (FT,τT , ξT,τT )

to the list LT , and give ξT,τT to A, then increment τT by one.

Observe that at any time in the game, the total degree of any polynomial

in each of the two lists is bounded as follows: deg(F1,i ) ≤ 2n, deg(FT,i ) ≤ 4n.

After at most q queries, A terminates and returns a guess d ∈ {0, 1}. At this

point B chooses random α, γ, z ← Zp . Consider td ← αzγ

n+1 and t1−d ← r for

both choices of d ∈ {0, 1}. The simulation provided by B is perfect and reveals

nothing to A about d unless the chosen random values for the indeterminates

give rise to a nontrivial equality relation (identical polynomial in any of the lists

L1 , LT ) between the simulated group elements that was not revealed to A, i.e.,

when we assign A ← α, Γ ← γ, and either T0 ← αzγ

n+1 , T1 ← r or the converse

T0 ← r, T1 ← αzγ

n+1 . This happens only if for some i, j one of the following holds:

γ

, r)−

– F1,i (α, .., αn , αn+2 , . . . , α2n , γ, z, αn+1

γ

n

n+2

2n

, . . . , α , γ, z, αn+1

, r) = 0, yet F1,i = F1,j ,

F1,j (α, .., α , α

γ

, r)−

– FT,i (α, .., αn , αn+2 , . . . , α2n , γ, z, αn+1

γ

, r) = 0, yet FT,i = FT,j ,

FT,j (α, .., αn , αn+2 , . . . , α2n , γ, z, αn+1

γ

and r have been exchanged.

– any relation similar to the above in which αn+1



We now determine the probability of a random occurrence of a non-trivial

numeric cancellation. Since F1,i − F1,j for fixed i and j is a polynomial of degree

at most 2n, it vanishes for random assignment of the indeterminates in Zp with

probability at most 2n/p. Similarly, for fixed i and j, the second case occurs

with probability ≤ 4n/p. The same probabilities are found in the analogous

cases where γ/αn+1 and r have been exchanged.

Now, absent of any of the above events, the distribution of the bit d in A’s

view is independent, and A’s probability of making a correct guess is exactly 12 .

Thus, by summing over all valid pairs i, j in each case, we find that A makes a

correct guess with advantage

≤2



τT

τ1 2n

+

2 p

2



Since τ1 + τT ≤ q + 2n + 2, we have

A.3



4n

p



.



≤ 16n(q + n + 1)2 /p, as required.



Proof of Theorem 4



We will show trapdoor privacy that is the challenge keyword is indistinguishable

from the same length random keyword. To show this we will present two games

G1 , G2 . In G1 (ideal game), SIM chooses uniformly random r1 , r2 values while in

G2 (real game), SIM follows the protocol r = r1 + r2 and we show that these

two games are indistinguishable.



192



A. Kiayias et al.



Proof. We first consider G1 . Suppose there exists an adversary A that distinguishes between challenge keyword w∗ from random keyword with advantage .

Then we construct a simulator SIM that wins the n-DDHI game as follows.

γ

Once SIM gets a n-DDHI instance g, g1 , . . . , gn ,gn+2 , . . . , g2n ,g γ , h, Z = h αn+1 ,

the game between SIM and A is as follows:

– Init: A gives SIM the challenge keyword w∗ , user index i∗ that he wants to

be challenged on.

– Setup: SIM lets g, g1 , . . . , gn , gn+2 , . . . , g2n in the simulation be as in the

instance and picks a1 , b1 , a2 , b2 , ζ, ζ , θ, θ values from Zp . He also sets h0,1 ←





g −w ζ+ζ , h1,1 ← g ζ , h0,2 ← g −w θ+θ , h1,2 ← g θ , He computes public key





1

1

1

1

= (g a1 )−w ζ+ζ , ha1,1

= (g a1 )ζ , hb0,1

= (g b1 )−w ζ+ζ , hb1,1

=

parameters as ha0,1





a

a

b

b

b1 ζ

a2 −w θ+θ

a2 θ

b2 −w θ+θ

b2 θ

2

2

2

2

(g ) , h0,2 = (g )

, h1,2 = (g ) , h0,2 = (g )

, h1,2 = (g ) ,

v = g γ and gives them to both A and Said . SIM generates user secret keys

ski by running Setup algorithm. As a note that, the simulator does not know

the values α, γ. Then, SIM gives public parameters to A and Said .

– Query: A makes the following queries to SIM adaptively. For encryption

query (S , w ),

/ S , the simulator picks k, k1 , k2 encryption keys for file

If w = w∗ ∧ i∗ ∈

and gives the computed values,





hdr ,1 = g a1 (w −w )ζk1 g a1 ζ k1 , hdr ,2 = g (w −w )b1 ζ(k−k1 ) g b1 ζ (k−k1 ) , hdr ,3 =





g a2 (w −w )θk2 g a2 θ k2 , hdr ,4 = g (w −w )b2 θ(k−k2 ) g b2 θ (k−k1 ) , hdr ,5 = g k ,

k



hdr ,6 = g γ j∈S gn+1−j , hdr ,7 = e(gn+1 , g)k , S and gives them to A

and gives hdr ,5 , hdr ,6 , hdr ,7 , S to Said .

if i∗ ∈ S ∨ w∗ = wl : The simulator outputs ⊥.

r

(r is unknown to SIM).

– Guess: SIM assigns h is the form of h = gn+1+i

He picks random ρi1 , ρi1 , ρi2 , ρi2 , r, r then computes the trapdoor as

tr1 = Zg a1 b1 ζ X g a2 b2 θ Y , tr2 = g a1 X , tr3 = g a2 Y , tr4 = g b1 X , tr5 = g b2 Y , tr6 =

r

, where X = ρi1 r + ρi1 r , Y = ρi2 r + ρi2 r . Then, he gives

h = gn+1+i

tr1 , tr2 , tr3 , tr4 , tr5 , tr6 , r2 to A and r1 to Said .

– Output: A outputs a bit b. To conclude, the simulator forwards b as its own

answer in the n-DDHI game. If the n-DDHI instances are well formed, the

adversary outputs b = 0 which is a random keyword, otherwise it outputs

b = 1 which keyword is w∗ .

Analysis: Under the restriction in the encryption phase, Said does not store

keyword ciphertext that is formed by the challenge index (the public key of the

challenge user gi∗ ). Therefore, the challenge trapdoor and any keyword ciphertexts are not going to be compatible when Said computes function of r1 , C . It

means that the challenge trapdoor is independent of w∗ , the adversary’s best

success probability is 1/2 when A outputs b = 0 if the game is totally random.

The success probability is Pr[winA (λ)] < 1/2 + when A outputs b = 1 if the

n-DDHI instances are well formed. So, SIM breaks n-DDHI assumption with

probability | Pr(A(b = 1) = 1) − Pr(A(b = 0) = 1|=1/2 + − 1/2 = , which is

non-negligible. So

Pr G1A ≥



Efficient Encrypted Keyword Search for Multi-user Data Sharing



193



In G2 , SIM follows real game, chooses r1 and r2 such that r = r1 + r2

and gives r1 to Said and r2 to A. In the real game, A can not ask encryption

queries that user index i∗ ∈ S or w∗ = wl . This results A is not able to test

if the keyword is w∗ or a random keyword. We argue that since A gets the

function of r1 and C and he is not able to learn any non-trivial information

about r1 under the restriction of the game. The function of r1 and C is totally

random to A for every r1 since for each encryption of a keyword w the challenger

chooses fresh (random) elements (k, k1 , k2 ) from Zp . Basically, the information

(randomized ciphertext) given to A is semantically secure. Let ε is the advantage

of A winning the semantic security encryption then we can say SIM breaks nDDHI assumption with probability | Pr(A(b = 1) = 1) − Pr(A(b = 0) = 1|=1/2

+ − (1/2 + ε) = − ε. Then,

Pr G2A

As a result,



Pr G1A



≤ −ε



− Pr G2A



≤ε



This completes the proof.



References

1. Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., MaloneLee, J., Neven, G., Paillier, P., Shi, H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.)

CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005)

2. Attrapadung, N.: Unified Frameworks for Practical Broadcast Encryption and Public Key Encryption with High Functionalities. Ph.D. thesis, University of Tokyo

(2007)

3. Attrapadung, N., Furukawa, J., Imai, H.: Forward-secure and searchable broadcast

encryption with short ciphertexts and private keys. In: Lai, X., Chen, K. (eds.)

ASIACRYPT 2006. LNCS, vol. 4284, pp. 161–177. Springer, Heidelberg (2006)

4. Bao, F., Deng, R.H., Ding, X., Yang, Y.: Private query on encrypted data in multiuser settings. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991,

pp. 71–85. Springer, Heidelberg (2008)

5. Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and efficiently searchable

encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 535–552.

Springer, Heidelberg (2007)

6. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with

constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol.

3494, pp. 440–456. Springer, Heidelberg (2005)

7. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.)

CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)

8. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption

with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004.

LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004)

9. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with

short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol.

3621, pp. 258–275. Springer, Heidelberg (2005)



194



A. Kiayias et al.



10. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted

data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer,

Heidelberg (2007)

11. Boyen, X., Waters, B.: Anonymous hierarchical identity-based encryption (without

random oracles). In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307.

Springer, Heidelberg (2006)

12. Cash, D., Jarecki, S., Jutla, C.S., Krawczyk, H., Ro¸su, M.-C., Steiner, M.: Highlyscalable searchable symmetric encryption with support for boolean queries. In:

Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 353–

373. Springer, Heidelberg (2013)

13. Chang, Y.-C., Mitzenmacher, M.: Privacy preserving keyword searches on remote

encrypted data. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005.

LNCS, vol. 3531, pp. 442–455. Springer, Heidelberg (2005)

14. Chu, C.-K., Chow, S.S.M., Tzeng, W.-G., Zhou, J., Deng, R.H.: Key-aggregate

cryptosystem for scalable data sharing in cloud storage. IEEE Trans. Parallel Distrib. Syst. 25(2), 468–477 (2014)

15. Cui, B., Liu, Z., Wang, L.: Key-aggregate searchable encryption (KASE) for group

data sharing via cloud storage. IEEE Trans. Comput. 65(8), 2374–2385 (2016)

16. Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: CCS (2006)

17. Dong, C., Russello, G., Dulay, N.: Shared and searchable encrypted data for

untrusted servers. In: Proceeedings of the 22nd Annual IFIP WG 11.3 Working

Conference on Data and Applications Security (2008)

18. Faber, S., Jarecki, S., Krawczyk, H., Nguyen, Q., Rosu, M., Steiner, M.: Rich

queries on encrypted data: beyond exact matches. In: Pernul, G., Ryan, P.Y.A.,

Weippl, E. (eds.) ESORICS. LNCS, vol. 9327, pp. 123–145. Springer, Heidelberg

(2015). doi:10.1007/978-3-319-24177-7 7

19. Goh, E.-J.: Secure indexes. Cryptology eprint archive, report 2003/216 (2003)

20. Jarecki, S., Jutla, C.S., Krawczyk, H., Rosu, M., Steiner, M.: Outsourced symmetric

private information retrieval. In: CCS (2013)

21. Kamara, S., Papamanthou, C., Roeder, T.: Dynamic searchable symmetric encryption. In: CCS (2012)

22. Kiayias, A., Oksuz, O., Tang, Q.: Distributed parameter generation for bilinear

Diffie Hellman exponentiation and applications. In: L´

opez, J., Mitchell, C.J. (eds.)

ISC 2015. LNCS, vol. 9290, pp. 548–567. Springer, Heidelberg (2015)

23. Liang, K., Susilo, W.: Searchable attribute-based mechanism with efficient data

sharing for secure cloud storage. IEEE Trans. Inform. Forensics Secur. 10, 1981–

1992 (2015)

24. Liu, Z., Li, J., Chen, X., Yang, J., Jia, C.: TMDS: thin-model data sharing scheme

supporting keyword search in cloud storage. In: Susilo, W., Mu, Y. (eds.) ACISP

2014. LNCS, vol. 8544, pp. 115–130. Springer, Heidelberg (2014)

25. Popa, R.A., Zeldovich, N.: Multi Key Searchable Encryption (2013). https://

people.csail.mit.edu/nickolai/papers/popa-multikey-eprint.pdf

26. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy,

W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg

(1997)

27. Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted

data. In: IEEE Symposium on Security and Privacy (2000)



Efficient Encrypted Keyword Search for Multi-user Data Sharing



195



28. Tang, Q.: Nothing is for free: security in searching shared and encrypted data.

IEEE Trans. Inform. Forensics Secur. 9, 19431952 (2014)

ă

29. Van Rompay, C., Molva, R., Onen,

M.: Multi-user searchable encryption in the

cloud. In: L´

opez, J., Mitchell, C.J. (eds.) ISC 2015. LNCS, vol. 9290, pp. 299–316.

Springer, Heidelberg (2015)

30. Zheng, Q., Xu, S., Ateniese, G.: VABKS: verifiable attribute-based keyword search

over outsourced encrypted data. In: INFOCOM (2014)



Detection and Monitoring



Membrane: A Posteriori Detection of Malicious

Code Loading by Memory Paging Analysis



abor P´ek(B) , Zsombor L´

az´ar, Zolt´

an V´

arnagy, M´

ark F´elegyh´azi,

and Levente Butty´

an

CrySyS Lab, Budapest University of Technology and Economics, Budapest, Hungary

pek@crysys.hu



Abstract. In this paper, we design and implement Membrane, a memory forensics tool to detect code loading behavior by stealthy malware.

Instead of trying to detect the code loading itself, we focus on the changes

it causes on the memory paging of the Windows operating system. As

our method focuses on the anomalies caused by code loading, we are able

to detect a wide range of code loading techniques. Our results indicate

that we can detect code loading malware behavior with 86–98 % success in most cases, including advanced targeted attacks. Our method is

generic enough and hence could significantly raise the bar for attackers

to remain stealthy and persist for an extended period of time.

Keywords: Code loading · Memory paging · Windows · Memory forensics



1



Introduction



Recent years’ targeted attack have shown that even the most advanced systems

can be compromised. Some of these targeted attacks used sophisticated intrusion

techniques [3] and others were quite simple [1]. These malware attacks typically

employed a sequence of steps to compromise a target system. A majority of these

malware codes have information gathering and information stealing capabilities.

Once they have access to their target, these malware codes typically perform a

number of operations to cover their traces and remain undetected. Intuitively,

the more the malware can persist in the target system, the more information

it can collect. Often, the attacks persist for years in the target systems and

the attackers get access to a substantial amount of confidential information (as

reported for example in [11]). It is reasonable to assume that these long-term

operations leave a noticeable trace, yet many examples show that the complexity

and rich features of contemporary operating systems leaves ample space for the

attackers to hide their operation.

Code loading is one of the key techniques that malware employs to achieve

persistence. Code loading happens when the malware adds to or replaces the

functionality of existing code to execute its own components. It is typically

c Springer International Publishing Switzerland 2016

I. Askoxylakis et al. (Eds.): ESORICS 2016, Part I, LNCS 9878, pp. 199–216, 2016.

DOI: 10.1007/978-3-319-45744-4 10



200



G. P´ek et al.



possible as, for example, the Windows operating systems provides various methods (e.g., legitimate API functions, registry entries) to support this. Thus, code

loading usually exploits the conditions given by a legitimate process. That is

why code loading is used to achieve evasion of detection or bypass restrictions

enforced on a process level.

There has been efforts to develop various memory and disk forensics techniques to pinpoint system anomalies caused by such malware infections [5]. One

of the biggest problem with current memory forensics techniques is that they only

utilize memory locations that were actively used by the OS at the moment of

acquisition. That is, important information about code loading can be lost if the

malware or part of it was inactive when the memory was grabbed. Furthermore,

the rich feature set of Windows allows miscreants to build unique code loading

techniques (e.g., Flame’s code loading mechanism) that evades signature-based

protections.

In this paper, we explore the realm of Windows memory management, systematically identify key paging states and build upon the details of these paging

states to detect malicious behavior after a successful system compromise. We

design and implement Membrane, an anomaly-based memory forensics tool to

detect code loading attacks by malicious software. Membrane is based on the

popular memory forensics framework Volatility [18]. Membrane performs detection by analyzing the number of memory paging states. Our approach is different from approaches in related work because we focus on detecting anomalies

(symptoms) concerning paging states of malware code loading behavior instead

of the code loading actions themselves. While code loading actions can only be

pinpointed by live analysis, our approach focuses on the consequences of these

actions that may persist in the system for an extended period of time.

Our cardinality-based analysis is advantageous for several reasons: (i) it is

generic, (ii) this technique is less researched and can provide new insights into

malware detection, (iii) it can be used in combination with other detection techniques to maximize the confidence of detection, and (iv) arguably, evasion against

this method is difficult (see Sect. 6). These characteristics allow us to provide a

solution that can detect a wide variety of code loading attacks. This could significantly raise the bar for miscreants to implement memory-resident and stealthy

malware attacks.

This paper is organized as follows. In Sect. 2, we give an overview of code

loading techniques employed by malware and mitigation techniques designed

against code loading attacks. Section 3 gives a short motivation and a highlevel overview about our memory paging based approach to detect the traces

of malware code loading after infection. In Sect. 4, we present Membrane and

give details of our methodology including the implementation of Membrane.

Section 5 shows the efficiency of Membrane to detect a posteriori code loading

attacks. We discuss evasion techniques and other concerns in Sect. 6. Finally,

Sect. 7 summarizes our work.



Membrane: A Posteriori Detection of Malicious Code Loading



2

2.1



201



Background and Related Work

Code Loading Techniques and Types



Malware can use a wide range of means to take control over a system and hide

its presence. Due to its versatility, code loading is commonly used by contemporary malware in spite of the effort that has been spent on developing defenses.

Recent advanced targeted attacks, most prominently infostealers, still used this

technique to surpass defenses and ensure an extended operation. To achieve this

goal, the malware employs more complex code loading techniques that go beyond

the simple use of operating system functions (e.g., the Flame malware described

in Sect. 3.1).

First and quite surprisingly, Windows provides a wide range of user

mode (e.g., VirtualAllocEx, WriteProcessMemory) and kernel mode functions (e.g., KeAttachProcess, ZwAllocateVirtualMemory) that can be used

to inject code into processes. DLL loading can be achieved by using, for

example VirtualAllocEx and WriteProcessMemory to allocate private memory in a target process and to store the name of the DLL to load. Then,

CreateRemoteThread is called to start a new thread in the virtual address space

of the target process which loads the corresponding DLL.

The detours library was implemented by Microsoft back in 1999 which provides a rich feature set to load DLL into running processes or program binaries.

Miscreants can also insert various DLL paths into the AppInit DLLs registry

value, which forces newly created processes to load those DLLs. DLL preloading is another notorious technique, which enforces legitimate binaries to load

illegitimate DLLs when the program starts. Another technique is called process

replacement where the malware launches a legitimate process, but replaces its

memory content when the image file is mapped into memory. For completeness,

we mention pure kernel rootkits which load a new kernel driver or hijack an existing one. They operate without using any user-space component. Writing reliable

kernel rootkits is challenging, however, as it is difficult to control simple functionalities from the kernel space such as network communication. Another challenge

for malware writers is that the kernel is quite volatile and this requires that the

kernel space malware is well-written. Additionally, recent Windows operating

systems enforce code signing for kernel drivers, whose evasion requires an extra

effort from attackers (e.g., Flame, Duqu [2]).

In this work, we focus on detecting code loading techniques in the user space.

As discussed above, malware manipulating only the kernel functionality requires

more substantial effort from attackers. We note, however, that our method does

detect kernel-space malware with user-space components.

2.2



Mitigating Code Loading Attacks



Windows implements various protection mechanisms, for example, a private virtual address space for processes to mitigate code loading attacks. But, it also

allows to use simple API functions to circumvent such protections. For instance



202



G. P´ek et al.



WriteProcessMemory can write into a target process when called with appropriate privileges. As WriteProcessMemory invokes kernel mode code in the context

of the target process no address space restriction is violated. In this section, we

present various techniques preventing and detecting code loading attacks and

discuss their merits and limitations.

Prevention. Various preventive methods have been designed in recent years to

thwart the loading of illegitimate codes. These techniques include the use of

whitelisting, checksums or enforcing signed code loading. Unfortunately all of

these techniques can be circumvented by determined attackers. An example for

this is Flame, which created fake, but valid certificates for its component to

deceit Windows.

Recent targeted attacks have demonstrated that preventive approaches might

not be able to block attackers. Thus, we assume that attackers succeed in compromising the target system and focus on detecting their activity.

Detection. There are various approaches suggested over the years to detect the

integrity violations of operating system structures [7,17] using either virtualization or a new architecture design [13]. In memory forensics, integrity protection of user-space code using cryptographic hashes has been proposed by White

et al. [19] to detect in-memory code placed by malware. The proposed hashing

algorithm matches the in-memory code with its binary counterpart. The problem with integrity checking is that dynamically allocated memory locations (e.g.,

heap) cannot be verified in this way due to its alternating nature. Srivastava and

Giffin [17] design and develop a hypervisor-based system using virtual machine

introspection, Pyren´ee. This aggregates and correlates information from sensors

at the network level, the network-to-host boundary, and the host level to identify the true origin of malicious behavior. While Pyren´ee’s host-based sensor

checks code loading mechanisms from the perspective of processes, Membrane is

a system-centric approach which makes our detection mechanism more generic.

For this reason, Membrane includes the detection of widely-used code loading

techniques such as AppInit DLLs or DLL preloading previously overlooked by

related work.

The Volatility memory forensics tool [18] offers the malfind plugin to find

malicious or hidden code segments from memory dumps. Malfind crawls process

VADs (see Sect. 3.2) and looks for entries with suspicious protection bits (i.e.,

RWX) and type. However, these permission bits can be manipulated by the

malware at a later point of time, which may turn such solutions ineffective. In

contrast to malfind which checks only VAD entries, Membrane tracks per process

memory paging modifications from the perspective of the OS. Various free antirootkit tools are also available to hunt for hidden threads and processes. Unfortunately, none of the tested 33 anti-rootkit tools could detect hidden processes

or threads in case of Flame [2]. Thus, we need another approach which tackles

the problem of code loading from another aspect. We believe, that Membrane

can be successfully used in combination with previous solutions to build more

effective detectors.



Membrane: A Posteriori Detection of Malicious Code Loading



3

3.1



203



Approach

Motivation: The Case Study of Flame



For motivation, we quickly show a case study about the Flame [2] targeted

attack. Flame employs an entirely unique, but sophisticated thread injection

method to hide its malicious activity via a chain of system processes. This unique

technique allows Flame to completely mimic the behavior of a normal Windows

update process by the runtime patching of services.exe, explorer.exe and

iexplore.exe. As Flame uses iexplore.exe for network connection [3], it can

evade many malware scanners by default.



Fig. 1. Cardinality of different paging states in services.exe,winlogon.exe and

explorer.exe on a clean and a Flame-infected 32-bit Windows 7 system.



For demonstration purposes, we infected a 32-bit Windows 7 machine with

Flame malware to see what kind of page type modifications it causes. Surprisingly, the fine-grained process injection method it used to stay silent, entirely

distorts the normal memory usage of system processes. Figure 1 shows that the

number of certain page types (see Sect. 4.2 for more details) increases significantly when Flame is present.

This observation started us on a quest to use memory usage anomalies to

detect code loading attacks.

3.2



Windows Memory Management



In order to understand, how different code loading attacks modify the state of

memory, we introduce some important details about Windows’ internal memory

management. This will lead us to create our code loading detection technique in

Sect. 4.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

A.2 Generic Security of n-DDHI Assumption

Tải bản đầy đủ ngay(0 tr)

×