AUTOVAC: Automatically Extracting System Resource Constraints and Generating Vaccines for Malware Immunization
Found in: 2013 IEEE 33rd International Conference on Distributed Computing Systems (ICDCS)
By Zhaoyan Xu, Jialong Zhang, Guofei Gu, Zhiqiang Lin
Issue Date: July 2013
pp. 112-123
Malware often contains many system-resource-sensitive condition checks to avoid any duplicate infection, make sure to obtain required resources, or try to infect only targeted computers, etc. If we are able to extract the system resource constraints from m...
 
Manipulating semantic values in kernel data structures: Attack assessments and implications
Found in: 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
By Aravind Prakash, Eknath Venkataramani, Heng Yin, Zhiqiang Lin
Issue Date: June 2013
pp. 1-12
Semantic values in kernel data structures are critical to many security applications, such as virtual machine introspection, malware analysis, and memory forensics. However, malware, or more specifically a kernel rootkit, can often directly tamper with the...
 
Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection
Found in: 2012 IEEE Symposium on Security and Privacy
By Yangchun Fu, Zhiqiang Lin
Issue Date: May 2012
pp. 586-600
It is generally believed to be a tedious, time consuming, and error-prone process to develop a virtual machine introspection (VMI) tool manually because of the semantic gap. Recent advances in Virtuoso show that we can largely narrow the semantic gap. But ...
   
Reuse-oriented camouflaging trojan: Vulnerability detection and attack construction
Found in: Dependable Systems and Networks, International Conference on
By Zhiqiang Lin, Xiangyu Zhang, Dongyan Xu
Issue Date: July 2010
pp. 281-290
We introduce the reuse-oriented camouflaging trojan — a new threat to legitimate software binaries. To perform a malicious action, such a trojan identifies and reuses an existing function in a legal binary program instead of implementing the function itsel...
 
Reverse Engineering Input Syntactic Structure from Program Execution and Its Applications
Found in: IEEE Transactions on Software Engineering
By Zhiqiang Lin, Xiangyu Zhang, Dongyan Xu
Issue Date: September 2010
pp. 688-703
Program input syntactic structure is essential for a wide range of applications such as test case generation, software debugging, and network security. However, such important information is often not available (e.g., most malware programs make use of secr...
 
A Practical Framework for Dynamically Immunizing Software Security Vulnerabilities
Found in: Availability, Reliability and Security, International Conference on
By Zhiqiang Lin, Bing Mao, Li Xie
Issue Date: April 2006
pp. 348-357
Many security attacks are caused by software vulnerabilities such as buffer overflow. How to eliminate or mitigate these vulnerabilities, in particular with unstoppable software, is a great challenge for security researchers and practitioners. In this pape...
 
On the Trustworthiness of Memory Analysis — An Empirical Study from the Perspective of Binary Execution
Found in: IEEE Transactions on Dependable and Secure Computing
By Aravind Prakash, Eknath Venkataramani, Heng Yin, Zhiqiang Lin
Issue Date: February 2015
pp. 1
Memory analysis serves as a foundation for many security applications such as memory forensics, virtual machine introspection and malware investigation. However, malware, or more specifically a kernel rootkit, can often tamper with kernel memory data, putt...
 
Subverting system authentication with context-aware, reactive virtual machine introspection
Found in: Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC '13)
By Kevin W. Hamlen, Yangchun Fu, Zhiqiang Lin
Issue Date: December 2013
pp. 229-238
Recent advances in bridging the semantic gap between virtual machines (VMs) and their guest processes have a dark side: They can be abused to subvert and compromise VM file system images and process images. To demonstrate this alarming capability, a contex...
     
Obfuscation resilient binary code reuse through trace-oriented programming
Found in: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (CCS '13)
By Dongyan Xu, Junyuan Zeng, Zhiqiang Lin, Kenneth A. Miller, Xiangyu Zhang, Yangchun Fu
Issue Date: November 2013
pp. 487-498
With the wide existence of binary code, it is desirable to reuse it in many security applications, such as malware analysis and software patching. While prior approaches have shown that binary code can be extracted and reused, they are often based on stati...
     
Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection
Found in: ACM Transactions on Information and System Security (TISSEC)
By Yangchun Fu, Zhiqiang Lin
Issue Date: September 2013
pp. 1-29
It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool because of the semantic gap. Recent advance shows that the semantic-gap can be largely narrowed by reusing the executed ...
     
CPU transparent protection of OS kernel and hypervisor integrity with programmable DRAM
Found in: Proceedings of the 40th Annual International Symposium on Computer Architecture (ISCA '13)
By JongHyuk Lee, Junyuan Zeng, Weidong Shi, Yuanfeng Wen, Zhiqiang Lin, Ziyi Liu
Issue Date: June 2013
pp. 392-403
Increasingly, cyber attacks (e.g., kernel rootkits) target the inner rings of a computer system, and they have seriously undermined the integrity of the entire computer systems. To eliminate these threats, it is imperative to develop innovative solutions r...
     
EXTERIOR: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery
Found in: Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments (VEE '13)
By Yangchun Fu, Zhiqiang Lin
Issue Date: March 2013
pp. 97-110
This paper presents EXTERIOR, a dual-VM architecture based external shell that can be used for trusted, timely out-of-VM management of guest-OS such as introspection, configuration, and recovery. Inspired by recent advances in virtual machine introspection...
     
Securing untrusted code via compiler-agnostic binary rewriting
Found in: Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC '12)
By Kevin W. Hamlen, Richard Wartell, Vishwath Mohan, Zhiqiang Lin
Issue Date: December 2012
pp. 299-308
Binary code from untrusted sources remains one of the primary vehicles for malicious software attacks. This paper presents Reins, a new, more general, and lighter-weight binary rewriting and in-lining system to tame and secure untrusted binary programs. Un...
     
Automatic generation of vaccines for malware immunization
Found in: Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12)
By Guofei Gu, Jialong Zhang, Zhaoyan Xu, Zhiqiang Lin
Issue Date: October 2012
pp. 1037-1039
Inspired by the biological vaccines, we explore the possibility of developing similar vaccines for malware immunization. We provide the first systematic study towards this direction and present a prototype system, AGAMI, for automatic generation of vaccine...
     
Binary stirring: self-randomizing instruction addresses of legacy x86 binary code
Found in: Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12)
By Kevin W. Hamlen, Richard Wartell, Vishwath Mohan, Zhiqiang Lin
Issue Date: October 2012
pp. 157-168
Unlike library code, whose instruction addresses can be randomized by address space layout randomization (ASLR), application binary code often has static instruction addresses. Attackers can exploit this limitation to craft robust shell codes for such appl...
     
Characterizing kernel malware behavior with kernel data access patterns
Found in: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS '11)
By Dongyan Xu, Junghwan Rhee, Zhiqiang Lin
Issue Date: March 2011
pp. 207-216
Characterizing malware behavior using its control flow faces several challenges, such as obfuscations in static analysis and the behavior variations in dynamic analysis. This paper introduces a new approach to characterizing kernel malware's behavior by us...
     
Strict control dependence and its effect on dynamic information flow analyses
Found in: Proceedings of the 19th international symposium on Software testing and analysis (ISSTA '10)
By Dongyan Xu, Tao Bao, Xiangyu Zhang, Yunhui Zheng, Zhiqiang Lin
Issue Date: July 2010
pp. 13-24
Program control dependence has substantial impact on applications such as dynamic information flow tracking and data lineage tracing (a technique tracking the set of inputs that affects individual outputs). Without considering control dependence, informati...
     
Deriving input syntactic structure from execution
Found in: Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering (SIGSOFT '08/FSE-16)
By Xiangyu Zhang, Zhiqiang Lin
Issue Date: November 2008
pp. 1-2
Program input syntactic structure is essential for a wide range of applications such as test case generation, software debugging and network security. However, such important information is often not available (e.g., most malware programs make use of secre...