Self debugging mode for patch-independent nullification of unknown remote process infection

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

The rapid increase in software vulnerabilities shows the limitation of patch-dependent countermeasures against malicious code. We propose a patch-independent protection technique against remote infection which enables each process to identify itself as "being infected" and to nullify itself spontaneously. Our system is operating-system independent and therefore does not require software rebuilding. Previously, no method for stopping a malicious process without recompiling source code or rebuilding software had been proposed. In the proposed system, the target process runs under a self-debugging mode, which is activated by enhancing the debug() exception handler and utilizing the MSR debug register. In this paper we show the effectiveness of the proposed method by protecting against remote process infection without patching the security holes. Implementation of a device driver callback function and a BranchIP recorder provides real-time prevention of unregistered worm attacks arriving over the Internet. In the experiment, a function test against the stack buffer overflow of Win32.SQLExp.Worm is presented. CPU utilization as a function of the number of function calls and of some database operations is also shown.

Original language: English
Title of host publication: Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings
Publisher: Springer Verlag
Pages: 85-95
Number of pages: 11
ISBN (Print): 3540308490, 9783540308492
DOIs: 10.1007/11599371_8
Publication status: Published - 2005 Jan 1
Event: 4th International Conference on Cryptology and Network Security, CANS 2005 - Xiamen, China
Duration: 2005 Dec 14 to 2005 Dec 16

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 3810 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 4th International Conference on Cryptology and Network Security, CANS 2005
Country: China
City: Xiamen
Period: 05/12/14 to 05/12/16

Keywords

  • BranchIP recorder
  • Debug register
  • Improved debug exception handler
  • Real-time nullification
  • Self-debugging mode

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Ando, R., & Takefuji, Y. (2005). Self debugging mode for patch-independent nullification of unknown remote process infection. In Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings (pp. 85-95). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3810 LNCS). Springer Verlag. https://doi.org/10.1007/11599371_8