{"title":"驱动:动态运行时完整性验证和评估","authors":"André Rein","doi":"10.1145/3052973.3052975","DOIUrl":null,"url":null,"abstract":"Classic security techniques use patterns (e.g., virus scanner) for detecting malicious software, compiler features (e.g., canaries, tainting) or hardware memory protection features (e.g., DEP) for protecting software. An alternative approach is the verification of software based on the comparison between the binary code loaded before runtime and the actual memory image during runtime. The expected memory image is predictable based on the ELF-file, the loading mechanism, and its allocated memory addresses. Using binary files as references for verifying the memory during execution allows for the definition of white-lists based on the actual software used. This enables a novel way of detecting sophisticated attacks to executed code, which is not considered by current approaches. This paper presents the background, design, implementation, and verification of a non-intrusive runtime memory verification concept, which is based on the comparison of binary executables and the actual memory image.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":"{\"title\":\"DRIVE: Dynamic Runtime Integrity Verification and Evaluation\",\"authors\":\"André Rein\",\"doi\":\"10.1145/3052973.3052975\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Classic security techniques use patterns (e.g., virus scanner) for detecting malicious software, compiler features (e.g., canaries, tainting) or hardware memory protection features (e.g., DEP) for protecting software. An alternative approach is the verification of software based on the comparison between the binary code loaded before runtime and the actual memory image during runtime. The expected memory image is predictable based on the ELF-file, the loading mechanism, and its allocated memory addresses. Using binary files as references for verifying the memory during execution allows for the definition of white-lists based on the actual software used. This enables a novel way of detecting sophisticated attacks to executed code, which is not considered by current approaches. This paper presents the background, design, implementation, and verification of a non-intrusive runtime memory verification concept, which is based on the comparison of binary executables and the actual memory image.\",\"PeriodicalId\":20540,\"journal\":{\"name\":\"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-04-02\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"9\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3052973.3052975\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3052973.3052975","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
DRIVE: Dynamic Runtime Integrity Verification and Evaluation
Classic security techniques use patterns (e.g., virus scanner) for detecting malicious software, compiler features (e.g., canaries, tainting) or hardware memory protection features (e.g., DEP) for protecting software. An alternative approach is the verification of software based on the comparison between the binary code loaded before runtime and the actual memory image during runtime. The expected memory image is predictable based on the ELF-file, the loading mechanism, and its allocated memory addresses. Using binary files as references for verifying the memory during execution allows for the definition of white-lists based on the actual software used. This enables a novel way of detecting sophisticated attacks to executed code, which is not considered by current approaches. This paper presents the background, design, implementation, and verification of a non-intrusive runtime memory verification concept, which is based on the comparison of binary executables and the actual memory image.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
