Detecting patching of executables without system calls

Sebastian Banescu, Mohsen Ahmadvand, Alexander Pretschner, Robert Shield, Chris Hamilton

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Scopus citations

Abstract

Popular software applications (e.g. web browsers) are targeted by malicious organizations which develop potentially unwanted programs (PUPs). If such a PUP executes on benign user devices, it is able to manipulate the process memory of popular applications, their locally stored resources or their environment in a profitable way for the attacker and to the detriment of benign end-users. We describe the implementation of a tamper detection mechanism based on code self-checksumming, able to detect static and dynamic patching of executables, performed by PUPs or other attackers. As opposed to other works based on code self-checksumming, our approach can also checksum instructions which contain absolute addresses affected by relocation, without using calls to external libraries. We implemented this solution for the x86 ISA and evaluated the performance impact and effectiveness. The results indicate that the run-time overhead of self-checksumming grows proportionally with the level of protection, which can be specified as input to our implementation. We have applied our implementation on the Chromium web browser and observed that the overhead is practically unobservable for the end-user.
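The abstract's key point is that instruction bytes holding absolute addresses change whenever the loader relocates the image, so a naive byte checksum would flag every ASLR-relocated load as tampering. The following added C program (an illustration written for this page, not the authors' implementation) shows one general way to make a checksum relocation-independent: feed each relocated 32-bit field into the hash as an offset from the load base instead of as raw bytes. The 16-byte "code" image, the two relocation offsets, the FNV-1a hash and the base addresses are all constructed for the example; a real implementation would take the offsets from the binary's relocation table and compute the expected checksum at build time.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: a 16-byte code region holding two 4-byte absolute
 * addresses (little-endian) at offsets 4 and 11, surrounded by fixed opcode
 * bytes. The offsets stand in for entries of a real relocation table. */
#define IMAGE_LEN 16
static const size_t RELOC_OFFSETS[] = { 4, 11 };   /* sorted, non-overlapping */
#define NUM_RELOCS (sizeof RELOC_OFFSETS / sizeof RELOC_OFFSETS[0])

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Lay the sample image out as a loader would at `base`: the two absolute
 * operands point at base+0x1000 (a function) and base+0x2040 (a global). */
static void build_image(uint8_t *img, uint32_t base) {
    static const uint8_t skeleton[IMAGE_LEN] = {
        0x55, 0x89, 0xe5,             /* push ebp; mov ebp, esp            */
        0xb8, 0, 0, 0, 0,             /* mov eax, imm32  (relocated)       */
        0xff, 0xd0,                   /* call eax                          */
        0xa1, 0, 0, 0, 0,             /* mov eax, [moffs32] (relocated)    */
        0xc3 };                       /* ret                               */
    memcpy(img, skeleton, IMAGE_LEN);
    wr32(img + 4,  base + 0x1000u);
    wr32(img + 11, base + 0x2040u);
}

/* Relocation-aware checksum: plain bytes are hashed as-is, while each
 * relocated field is hashed as (value - load_base). Only loops and integer
 * arithmetic are used, so the routine needs no external library calls. */
uint32_t checksum_region(const uint8_t *code, size_t len,
                         const size_t *relocs, size_t nrelocs,
                         uint32_t load_base) {
    uint32_t h = 2166136261u;                       /* FNV-1a offset basis */
    size_t r = 0;
    for (size_t i = 0; i < len; ) {
        if (r < nrelocs && i == relocs[r] && i + 4 <= len) {
            uint32_t rel = rd32(code + i) - load_base; /* normalise the operand */
            for (int k = 0; k < 4; k++) {
                h ^= (rel >> (8 * k)) & 0xffu;
                h *= 16777619u;                     /* FNV-1a prime */
            }
            i += 4; r++;
        } else {
            h ^= code[i];
            h *= 16777619u;
            i++;
        }
    }
    return h;
}

/* Same code loaded at two different bases must not look like tampering. */
int relocation_preserves_checksum(void) {
    uint8_t a[IMAGE_LEN], b[IMAGE_LEN];
    const uint32_t base_a = 0x00400000u, base_b = 0x7f000000u;
    build_image(a, base_a);
    build_image(b, base_b);
    /* raw bytes differ (relocated operands), normalised checksums agree */
    return memcmp(a, b, IMAGE_LEN) != 0 &&
           checksum_region(a, IMAGE_LEN, RELOC_OFFSETS, NUM_RELOCS, base_a) ==
           checksum_region(b, IMAGE_LEN, RELOC_OFFSETS, NUM_RELOCS, base_b);
}

/* Both an opcode patch and a redirected absolute operand must be caught. */
int patch_is_detected(void) {
    uint8_t img[IMAGE_LEN];
    const uint32_t base = 0x00400000u;
    build_image(img, base);
    uint32_t expected = checksum_region(img, IMAGE_LEN, RELOC_OFFSETS, NUM_RELOCS, base);

    img[15] = 0x90;                                 /* ret -> nop */
    int caught_opcode = checksum_region(img, IMAGE_LEN, RELOC_OFFSETS, NUM_RELOCS, base) != expected;
    img[15] = 0xc3;

    wr32(img + 4, base + 0x3000u);                  /* call target redirected, same base */
    int caught_hook = checksum_region(img, IMAGE_LEN, RELOC_OFFSETS, NUM_RELOCS, base) != expected;

    return caught_opcode && caught_hook;
}

int main(void) {
    printf("relocation tolerated: %s\n", relocation_preserves_checksum() ? "yes" : "no");
    printf("patches detected:     %s\n", patch_is_detected() ? "yes" : "no");
    return 0;
}
```

The normalisation step is what lets the checksum cover instructions that carry absolute addresses, which a plain byte hash would have to skip; skipping them would leave exactly those operands (the ones a hook would rewrite) unchecked. FNV-1a is used only because it is short; in a deployed checker the hash, the stored expected values and the checking code itself are all targets, which is why the paper speaks of a configurable level of protection rather than a single check.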

Original language: English
Title of host publication: CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery, Inc
Pages: 185-196
Number of pages: 12
ISBN (Electronic): 9781450345231
DOIs
State: Published - 22 Mar 2017
Event: 7th ACM Conference on Data and Application Security and Privacy, CODASPY 2017 - Scottsdale, United States
Duration: 22 Mar 2017 to 24 Mar 2017

Publication series

Name: CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Application Security and Privacy

Conference

Conference: 7th ACM Conference on Data and Application Security and Privacy, CODASPY 2017
Country/Territory: United States
City: Scottsdale
Period: 22/03/17 to 24/03/17

Keywords

  • PUPs
  • Software protection
  • Tamper detection
