A software behavior model based on dynamic taint analysis

doi:10.7523/j.issn.2095-6134.2017.05.016

Abstract

Abstract: Based on the fine-grained binary dynamic analysis platform,we propose a taint analysis method to construct the software behavior model using the system call arguments.Firstly,the method obtains the associations between the arguments,between an argument and a local variable,and between an argument and a foreign data through monitoring the applications running and tracking the taint propagation of system call arguments at the instruction level,and then the taint propagation chains between arguments are generated.Secondly,a software behavior model,which covers control-flow and data-flow,is built according to these chains and system call sequence.Finally,the experimental and analytical results demonstrate that this model can be used to detect stealthy non-control attacks.

Key words: system call arguments, non-control data, virtual machine, dynamic taint analysis, intrusion detection

CLC Number:

TP309

YIN Zhiyi, SHEN Jiahui, GUO Xiaobo, ZHA Daren. A software behavior model based on dynamic taint analysis[J]. , 2017, 34(5): 647-656.

References

[1] Tandon G, Chan P K. On the learning of system call attributes for host-based anomaly detection[J]. International Journal on Artificial Intelligence Tools, 2006, 15(6):875-892.
[2] Kruegel C, Mutz D, Valeur F, et al. On the detection of anomalous system call arguments//Snekkenes E, Gollmann D. Computer Security-Esorics 2003, Proceedings.Berlin:Springer-Verlag Berlin, 2003:326-343.
[3] Oyama Y, Yonezawa A. Prevention of code-injection attacks by encrypting system call arguments. University of Tokyo, 2006. https://www.researchgate.net/profile/Akinori_Yonezawa2/publication/228576079_Prevention_of_code-injection_attacks_by_encrypting_system_call_arguments/links/53eaf9ee0cf2fb1b9b6ad0fd.pdf.
[4] Sufatrio, Yap R H C. Improving host-based IDS with argument abstraction to prevent mimicry attacks//Valdes A, Zamboni D. Recent Advances in Intrusion Detection.Berlin:Springer-Verlag Berlin, 2006:146-164.
[5] Demay J C, Totel E, Tronel F. SIDAN:a tool dedicated to software instrumentation for detecting attacks on non-control-data//Risks and Security of Internet and Systems (CRiSIS), 2009 Fourth International Conference on. IEEE, 2009:51-58.
[6] Bhatkar S, Chaturvedi A, Sekar R, et al. Dataflow anomaly detection//2006 IEEE Symposium on Security and Privacy, Proceedings.Los Alamitos:Ieee Computer Soc, 2006:48-62.
[7] Li P, Park H, Gao D, et al. Bridging the gap between data-flow and control-flow analysis for anomaly detection//24th Annual Computer Security Applications Conference, Proceedings.Los Alamitos:Ieee Computer Soc, 2008:392-401.
[8] Clause J, Li W, Orso A. Dytan:a generic dynamic taint analysis framework//Proceedings of the 2007 international symposium on Software testing and analysis. ACM, 2007:196-206.
[9] Newsome J, Song D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software//Proceedings of NDSS' 05.San Diego, California, USA:2005.
[10] Chen K, Feng D, Su P, et al. Black-box testing based on colorful taint analysis[J]. Science China Information Sciences, 2012, 55(1):171-183.
[11] Ma J X, Zhang P H, Dong G W, et al. TWalker:an efficient taint analysis tool//201410th International Conference on Information Assurance and Security.New York:Ieee, 2014:18-22.
[12] Haller I, Slowinska A, Neugschwandtner M, et al. Dowsing for overflows:a guided fuzzer to find buffer boundary violations//22nd USENIX Security Symposium (USENIX Security 13). 2013:49-64.
[13] Kong J, Zou CC, Zhou H. Improving software security via runtime instruction-level taint checking//Proceedings of the 1st workshop on Architectural and system support for improving software dependability. ACM, 2006:18-24.
[14] Qin F, Wang C, Li Z, et al. LIFT:a low-overhead practical information flow tracking system for detecting security attacks//200639th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06). 2006:135-148.
[15] Halfond W G J, Orso A, Manolios P. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks//Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering.Portland, Oregon, USA:ACM, 2006:175-185.
[16] Kiezun A, Guo PJ, Jayaraman K, et al. Automatic creation of SQL injection and cross-site scripting attacks//200931st International Conference on Software Engineering, Proceedings.New York:Ieee, 2009:199-209.
[17] Vogt P, Nentwich F, Jovanovic N, et al. Cross site scripting prevention with dynamic data tainting and static analysis//NDSS. 2007:12.
[18] Yin H, Song D, Egele M, et al. Panorama:capturing system-wide information flow for malware detection and analysis//Proceedings of the 14th ACM conference on Computer and communications security.Alexandria, Virginia, USA:ACM, 2007:116-127.
[19] Song D, Brumley D, Yin H, et al. Information systems security:4th International Conference, ICISS 2008, Hyderabad, India, December 16-20, 2008 Proceedings[M]. Berlin, Heidelberg:Springer Berlin Heidelberg, 2008:1-25.
[20] Sekar R, Bendre M, Dhurjati D, et al. A fast automaton-based method for detecting anomalous program behaviors//2001 Ieee Symposium on Security and Privacy, Proceedings.Los Alamitos:Ieee Computer Soc, 2001:144-155.
[21] Chen S, Xu J, Sezer E C, et al. Non-control-data attacks are realistic threats//USENIX Association Proceedings of the 14th USENIX Security Symposium.Berkeley:Usenix Assoc, 2005:177-191.
[22] Hu H, Shinde S, Adrian S, et al. Data-oriented programming:on the expressiveness of non-control data attacks//2016 IEEE Symposium on Security and Privacy (SP).San Jose, USA:2016:969-986.
[23] Delamore B, Ko R K L. A global, empirical analysis of the shellshock vulnerability in web applications//Trustcom/BigDataSE/ISPA, 2015 IEEE. 2015:1129-1135.
[24] Zalewski M. SSH1 CRC-32 compensation attack detector vulnerability. (2001). http://www.securityfocus.com/advisories/3088.