Using Hypervisors to Overcome Structured Exception Handler Attacks
Algawi, A., Kiperberg, M., Leon, R., & Zaidenberg, N. (2019). Using Hypervisors to Overcome Structured Exception Handler Attacks. In T. Cruz, & P. Simoes (Eds.), ECCWS 2019 : Proceedings of the 18th European Conference on Cyber Warfare and Security (pp. 1-5). Academic Conferences International. Proceedings of the European conference on information warfare and security.
Published in series: Proceedings of the European conference on information warfare and security
Date: 2019
Copyright: © The Author(s) 2019
Microsoft Windows is a family of client and server operating systems that needs no introduction. The Windows family handles exceptions by storing the address of an exception handler on the stack; this feature is called SEH (Structured Exception Handling). With SEH the exception handler address sits on the stack much like a function return address. When an exception occurs the stored address acts as a trampoline and EIP jumps to the SEH handler address. By overwriting the stack, an attacker can create a unique type of return-oriented programming (ROP) exploit that forces the instruction pointer to jump to an arbitrary memory address, which may contain malicious code. Multiple Microsoft Windows applications are particularly vulnerable to this type of exploit. Attacks that exploit this mechanism are found in many common Windows applications (including Microsoft Office, Adobe Acrobat, Flash and other popular software) and are well documented in the CVE database in numerous exploits. We previously described how hypervisors can be used to whitelist an endpoint and provide application control for workstations and servers, protecting against malware and viruses that may run on the endpoint computer. In this work we extend that hypervisor-based whitelisting protection mechanism for endpoints and servers. The hypervisor detects privilege elevation from user space to kernel space (system call invocation) and detects anomalies in the software's execution. The hypervisor-based mechanism
allows detection and prevention of SEH return-oriented exploits. Our hypervisor-based SEH-exploit prevention mechanism was tested on multiple well-documented CVE vulnerabilities and was found to prevent a large collection of different SEH exploits in multiple applications and in multiple flavours and versions of Windows, in both 32-bit and 64-bit environments.
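As an added illustration (not the paper's hypervisor code), the check below walks an x86 SEH chain in a snapshot of a thread stack and flags any registration record whose handler points outside every loaded module image, which is exactly the anomaly an overwritten handler produces; it is the same kind of handler validation SafeSEH performs in-process, shown here as a standalone C model. The record layout (next pointer, then handler) is the real x86 SEH layout; the addresses, module ranges and stack snapshot are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* x86 Windows SEH registration record as it sits on the stack. */
typedef struct {
    uint32_t next;     /* next record; 0xFFFFFFFF terminates the chain */
    uint32_t handler;  /* address the CPU jumps to when an exception occurs */
} seh_record_t;
typedef struct { uint32_t base, end; } range_t;                                /* [base, end) of a module image */
typedef struct { const uint8_t *bytes; size_t size; uint32_t base; } vstack_t; /* stack snapshot + its address */

/* Walk the chain from virtual address `head` and count records whose handler lies
   outside every known module image (a handler pointing into the stack is the hallmark
   of an overwritten record). A next pointer that leaves the stack counts as a
   violation and ends the walk; max_depth bounds a cyclic chain. */
int seh_chain_violations(const vstack_t *st, uint32_t head,
                         const range_t *mods, size_t nmods, int max_depth)
{
    int bad = 0;
    for (uint32_t cur = head; max_depth-- > 0 && cur != 0xFFFFFFFFu; ) {
        if (cur < st->base || cur - st->base + sizeof(seh_record_t) > st->size)
            return bad + 1;
        seh_record_t rec;
        memcpy(&rec, st->bytes + (cur - st->base), sizeof rec);
        bool in_module = false;
        for (size_t i = 0; i < nmods; i++)
            if (rec.handler >= mods[i].base && rec.handler < mods[i].end)
                in_module = true;
        if (!in_module) bad++;
        cur = rec.next;
    }
    return bad;
}

/* Constructed scenario (all addresses made up): a two-record chain on a stack at 0x0019F000.
   With overwritten=true the second handler points back into the stack, as after a stack
   overflow; otherwise it points into the application image. */
int demo_chain(bool overwritten)
{
    uint8_t buf[64] = {0};
    const uint32_t base = 0x0019F000u;
    const range_t mods[] = { {0x77E10000u, 0x77F00000u},     /* a system DLL */
                             {0x00400000u, 0x00450000u} };   /* the application */
    seh_record_t first  = { base + 32, 0x77E11234u };
    seh_record_t second = { 0xFFFFFFFFu, overwritten ? base + 16 : 0x00401000u };
    memcpy(buf,      &first,  sizeof first);
    memcpy(buf + 32, &second, sizeof second);
    vstack_t st = { buf, sizeof buf, base };
    return seh_chain_violations(&st, base, mods, 2, 64);
}
```

A hypervisor or kernel component with a view of the guest stack and module list can run the same walk at a system-call boundary, which is where the paper places its anomaly detection.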
Publisher: Academic Conferences International
Parent publication ISBN: 978-1-912764-28-0
Conference: European Conference on Cyber Warfare and Security
Is part of: ECCWS 2019 : Proceedings of the 18th European Conference on Cyber Warfare and Security
ISSN: 2048-8602
Publication in the research information system: https://converis.jyu.fi/converis/portal/detail/Publication/32432132