Title
Surviving malicious code attacks
Date of Award
1-2006
Degree Type
Dissertation
Degree Name
Doctor of Philosophy (PhD)
Department
Electrical Engineering and Computer Science
Advisor(s)
Steve Chapin
Keywords
Malicious code attacks, Intrusion detection, Intrusion mitigation, Address space randomization, Waypoint, Operating system security, Loadable kernel modules
Subject Categories
Computer Sciences | Databases and Information Systems | OS and Networks
Abstract
The goal of the research presented in this dissertation is to prevent, detect, and mitigate malicious code attacks that modify the legitimate program control flow at run time. This dissertation tries to answer the question "What can a computer system do to counter intrusions?" assuming that run-time errors are unavoidable and attackers may use any available intrusion techniques or create new exploit techniques.
This dissertation presents three new system techniques to support intrusion detection and mitigation: (1) an access monitoring technique for tightly-coupled binary programs, (2) a context-sensitive intrusion detection technique, and (3) an address space randomization technique. The dissertation describes how to monitor the boundary of a module in a tightly-coupled software environment using code instrumentation and an access specification. As an example, the technique is applied to monitor possibly vulnerable loadable kernel modules. The dissertation then shows how a computer system can support intrusion detection with reliable program context information; the technique retrieves trustworthy program call flow proactively. The dissertation also presents a new address space randomization technique that randomizes the relative distances between functions dynamically and maximally. This technique is best suited to protecting dedicated multi-threaded servers, which demand both strong protection and high availability.
The techniques presented in this dissertation are designed to detect and mitigate shellcode-based attacks, return-into-lib(c) attacks, and any other attacks that modify the program control flow or use unauthorized data or code. Such attacks are often a later stage of a buffer overflow or format string exploit, the dominant exploits in the real world. Our techniques increase the difficulty for early-stage exploits to subvert a system.
Access
SURFACE provides the description only. Full text is available to ProQuest subscribers. Ask your librarian for assistance.
Recommended Citation
Xu, Haizhi, "Surviving malicious code attacks" (2006). Electrical Engineering and Computer Science - Dissertations. 64.
https://surface.syr.edu/eecs_etd/64
http://libezproxy.syr.edu/login?url=http://proquest.umi.com/pqdweb?did=1612973531&sid=1&Fmt=2&clientId=3739&RQT=309&VName=PQD