Synthesising Monitors from High-Level Policies for the Safe Execution of Untrusted Software
Abstract. Preventing malware from causing damage to its host system has become a topic of increasing importance over the past decade, as the frequency and impact of malware infections have continued to rise. Most existing approaches to malware defence cannot guarantee complete protection against the threats posed. Execution monitors can be used to defend against malware: they enable a target program’s execution to be analysed and can prevent any deviation from its intended behaviour, recovering from such deviations where necessary. They are, however, difficult for the end-user to define or modify. This paper describes a high-level policy language in which users can express a priori judgments about program behavior, which are compiled into execution monitors. We show how this approach can defend against previously unseen malware and software vulnerability exploits.
1 Introduction
Malware is software designed to penetrate or damage a computer system without a user’s awareness or consent. It is written by a programmer with malicious intent to purposefully compromise the confidentiality, integrity or availability of a user’s data, services or devices. Defective software can cause similar problems: it has a legitimate purpose but contains ‘bugs’ which may allow such harmful behaviour. For these reasons it is difficult for a user to trust any executable they use. A program may contain features the user requires but may also invoke unwanted behaviour, which its user is generally unaware of.
1.1 Execution Monitoring
Execution monitoring is a technique which can be used to defend against malicious or defective software. An execution monitor is a co-routine that executes in parallel with a third-party application in order to fully regulate that program’s interaction with its host machine, enabling harmful behavior to be prevented and recovered from in real-time. By analysing the system calls a program makes, or by viewing the calls it makes to some application programming interface (API), an execution monitor affords the host a fine-grained view of a program’s behavior. Monitoring at the system call level can be problematic: it is often difficult to attribute a sequence of system calls to a program event. Further, one may wish to analyse an action which does not involve the target program making a system call [8,11]. API calls give a more abstract representation of program behaviour, allowing policies to reason about advanced behaviour with lower policy development effort. Monitoring executions in this way presents new opportunities for defending against malware. However, authoring the policies which define an execution monitor usually requires programming ability: even monitoring a program at the API call level requires the policy author to predict the sequences of calls that a target program will make to an API. End-users and system administrators require a mechanism for tran

L. Chen, Y. Mu, and W. Susilo (Eds.): ISPEC 2008, LNCS 4991, pp. 233–247, 2008. © Springer-Verlag Berlin Heidelberg 2008
A. Brown and M. Ryan
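The following is an added illustration, not code from the paper or its authors, of the idea in Section 1.1: a monitor sits between a target program and an API, checks each call against rules compiled from short high-level policy statements, and refuses (and recovers from) a call that would deviate from the policy. The API names (read_file, connect, delete_file), the two policy statement kinds, and the sample call trace are all constructed for this example; the paper's own policy language is not shown on this page.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# A call as the monitor sees it: (API name, argument tuple). Constructed vocabulary, not a real OS API.
Call = Tuple[str, tuple]


class PolicyViolation(Exception):
    """Raised by the monitor when a call would break the policy."""


@dataclass
class Rule:
    name: str
    # violated(history, call) -> True if `call` may not follow the calls already permitted
    violated: Callable[[List[Call], Call], bool]


@dataclass
class Monitor:
    """Execution monitor: every API call is checked against the compiled rules before it is performed."""
    rules: List[Rule]
    history: List[Call] = field(default_factory=list)       # calls permitted so far
    blocked: List[Tuple[str, Call]] = field(default_factory=list)  # (rule name, refused call)

    def check(self, api: str, *args) -> Call:
        call: Call = (api, args)
        for rule in self.rules:
            if rule.violated(self.history, call):
                self.blocked.append((rule.name, call))
                raise PolicyViolation(f"{rule.name}: {api}{args}")
        self.history.append(call)
        return call


# Hypothetical high-level policy statements, each compiled into a Rule over the call history.
def _no_network_after_reading(prefix: str) -> Rule:
    def violated(history: List[Call], call: Call) -> bool:
        read_private = any(api == "read_file" and args[0].startswith(prefix) for api, args in history)
        return call[0] == "connect" and read_private
    return Rule(f"no network after reading {prefix}", violated)


def _max_deletes(limit: int) -> Rule:
    def violated(history: List[Call], call: Call) -> bool:
        deletes = sum(1 for api, _ in history if api == "delete_file")
        return call[0] == "delete_file" and deletes >= limit
    return Rule(f"at most {limit} deletions", violated)


COMPILERS = {"no_network_after_reading": _no_network_after_reading, "max_deletes": _max_deletes}


def compile_policy(spec: List[Tuple[str, object]]) -> Monitor:
    """Turn a list of (statement kind, parameter) pairs into a monitor."""
    return Monitor([COMPILERS[kind](arg) for kind, arg in spec])


def run_under_monitor(monitor: Monitor, trace: List[Call]) -> Tuple[List[str], List[str]]:
    """Replay the target's API calls through the monitor. The recovery action here is to skip the
    refused call and let execution continue. Returns (permitted API names, names of rules that fired)."""
    permitted, fired = [], []
    for api, args in trace:
        try:
            monitor.check(api, *args)
            permitted.append(api)
        except PolicyViolation:
            fired.append(monitor.blocked[-1][0])
    return permitted, fired


# Constructed sample trace: reads a private file, then tries to open a connection and delete three files.
SUSPECT_TRACE: List[Call] = [
    ("read_file", ("/home/user/private/keys.txt",)),
    ("connect", ("203.0.113.5", 443)),
    ("delete_file", ("/tmp/a",)),
    ("delete_file", ("/tmp/b",)),
    ("delete_file", ("/tmp/c",)),
]

# Two high-level statements; the end-user edits these rather than the monitor code.
POLICY = [("no_network_after_reading", "/home/user/private/"), ("max_deletes", 2)]

if __name__ == "__main__":
    allowed, fired = run_under_monitor(compile_policy(POLICY), SUSPECT_TRACE)
    print("permitted:", allowed)
    print("rules fired:", fired)
```

Because the rules are evaluated over the history of calls already permitted, a policy author states the judgement ("no network after reading private data") without enumerating every call sequence the target might make; the compiled monitor performs that sequence tracking at run time.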