Spector: Automatically Analyzing Shell Code

A
ACSAC
2007
Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)
Abstract - Spector: Automatically Analyzing Shell Code

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Kevin Borders Articles by Atul Prakash Articles by Mark Zielinski

Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)

Miami Beach, Florida, USA

December 10-December 14

ISBN: 0-7695-3060-5

	ASCII Text	x
	Kevin Borders, Atul Prakash, Mark Zielinski, "Spector: Automatically Analyzing Shell Code," Computer Security Applications Conference, Annual, pp. 501-514, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2007.

	BibTex	x
	@article{ 10.1109/ACSAC.2007.11, author = {Kevin Borders and Atul Prakash and Mark Zielinski}, title = {Spector: Automatically Analyzing Shell Code}, journal ={Computer Security Applications Conference, Annual}, volume = {0}, year = {2007}, issn = {1063-9527}, pages = {501-514}, doi = {http://doi.ieeecomputersociety.org/10.1109/ACSAC.2007.11}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Security Applications Conference, Annual TI - Spector: Automatically Analyzing Shell Code SN - 1063-9527 SP501 EP514 A1 - Kevin Borders, A1 - Atul Prakash, A1 - Mark Zielinski, PY - 2007 VL - 0 JA - Computer Security Applications Conference, Annual ER -

Kevin Borders

Atul Prakash

Mark Zielinski

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ACSAC.2007.11

Detecting the presence of buffer overflow attacks in network messages has been a major focus. Only knowing whether a message contains an attack, however, is not always enough to mitigate the threat. It may also be critical to know what it does. Unfortunately, shell code is written in low-level assembly language, and can be obfuscated. The current method of analyzing shell code, manual reverse engineering, is time-consuming, requires significant expertise, and would be nearly impossible for a wide-scale polymorphic attack. In this paper, we introduce Spector, a symbolic execution engine that extracts meaningful high-level actions from shell code. Spector's high-level output helps facilitate attack mitigation and classification of different payloads that have the same behavior. To evaluate Spector, we tested it with over 23,000 unique payloads. It identified eleven different classes of shell code, and processed all the payloads in just over three hours. Spector also successfully classified polymorphic instances of the same shell code.

Citation:

Kevin Borders, Atul Prakash, Mark Zielinski, "Spector: Automatically Analyzing Shell Code," acsac, pp.501-514, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2007

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.