TY - GEN
T1 - Detecting patching of executables without system calls
AU - Banescu, Sebastian
AU - Ahmadvand, Mohsen
AU - Pretschner, Alexander
AU - Shield, Robert
AU - Hamilton, Chris
N1 - Publisher Copyright:
© 2017 ACM.
PY - 2017/3/22
Y1 - 2017/3/22
N2 - Popular software applications (e.g. web browsers) are targeted by malicious organizations which develop potentially unwanted programs (PUPs). If such a PUP executes on benign user devices, it is able to manipulate the process memory of popular applications, their locally stored resources or their environment in a way that is profitable for the attacker and to the detriment of benign end-users. We describe the implementation of a tamper detection mechanism based on code self-checksumming, able to detect static and dynamic patching of executables, performed by PUPs or other attackers. As opposed to other works based on code self-checksumming, our approach can also checksum instructions which contain absolute addresses affected by relocation, without using calls to external libraries. We implemented this solution for the x86 ISA and evaluated the performance impact and effectiveness. The results indicate that the run-time overhead of self-checksumming grows proportionally with the level of protection, which can be specified as input to our implementation. We have applied our implementation on the Chromium web browser and observed that the overhead is practically unobservable for the end-user.
AB - Popular software applications (e.g. web browsers) are targeted by malicious organizations which develop potentially unwanted programs (PUPs). If such a PUP executes on benign user devices, it is able to manipulate the process memory of popular applications, their locally stored resources or their environment in a way that is profitable for the attacker and to the detriment of benign end-users. We describe the implementation of a tamper detection mechanism based on code self-checksumming, able to detect static and dynamic patching of executables, performed by PUPs or other attackers. As opposed to other works based on code self-checksumming, our approach can also checksum instructions which contain absolute addresses affected by relocation, without using calls to external libraries. We implemented this solution for the x86 ISA and evaluated the performance impact and effectiveness. The results indicate that the run-time overhead of self-checksumming grows proportionally with the level of protection, which can be specified as input to our implementation. We have applied our implementation on the Chromium web browser and observed that the overhead is practically unobservable for the end-user.
KW - PUPs
KW - Software protection
KW - Tamper detection
UR - http://www.scopus.com/inward/record.url?scp=85018467078&partnerID=8YFLogxK
U2 - 10.1145/3029806.3029835
DO - 10.1145/3029806.3029835
M3 - Conference contribution
AN - SCOPUS:85018467078
T3 - CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Application Security and Privacy
SP - 185
EP - 196
BT - CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
T2 - 7th ACM Conference on Data and Application Security and Privacy, CODASPY 2017
Y2 - 22 March 2017 through 24 March 2017
ER -