ShellOS: Enabling fast detection and forensic analysis of code injection attacks

Kevin Snow
Srinivas Krishnan
Fabian Monrose
Niels Provos
USENIX Security Symposium (2011)

Abstract

The availability of off-the-shelf exploitation toolkits for compromising hosts, coupled with the rapid rate of exploit discovery and disclosure, has made exploit- or vulnerability-based detection far less effective than it once was. For instance, the increasing use of metamorphic and polymorphic techniques to deploy code injection attacks continues to confound signature-based detection techniques. The key to detecting these attacks lies in the ability to discover the presence of the injected code (or shellcode). One promising technique for doing so is to examine data (be that from network streams or buffers of a process) and efficiently execute its content to find what lurks within. Unfortunately, current approaches for achieving this goal are neither robust to evasion nor scalable, primarily because of their reliance on software-based CPU emulators. In this paper, we argue that the use of software-based emulation techniques is not necessary, and instead propose a new framework that leverages hardware virtualization to better enable the detection of code injection attacks. We also report on our experience using this framework to analyze a corpus of malicious Portable Document Format (PDF) files and network-based attacks.