Self debugging mode for patch-independent nullification of unknown remote process infection

Ruo Ando; Yoshiyasu Takefuji

doi:10.1007/11599371_8

Self debugging mode for patch-independent nullification of unknown remote process infection

Ruo Ando, Yoshiyasu Takefuji

環境情報学部

研究成果: Conference contribution

抄録

The rapid increase of software vulnerabilities shows us the limitation of patch-dependent countermeasures for malicious code. We propose a patch-independent protection technique of remote infection which enables each process to identify itself with "being infected" and nullify itself spontaneously. Our system is operating system independent and therefore does not need software rebuilding. Previously, no method for stopping malicious process without recompiling source code or re-building software has been proposed. In proposal system, target process is running under self debugging mode which is activated by enhancing debug() exception handler and utilizing MSR debug register. In this paper we show the effectiveness of proposal method by protecting the remote process infection without patching security holes. Implemention of device driver call back function and BranchIP recorder provides the real-time prevention of unregistered worm attack through Internet. In experiment, function test of stack buffer overflow of Win32.SQLExp.Worm is presented. Also CPU utilization corresponding to the number of calling function and some database operations is showed.

本文言語	English
ホスト出版物のタイトル	Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings
出版社	Springer Verlag
ページ	85-95
ページ数	11
ISBN（印刷版）	3540308490, 9783540308492
DOI	https://doi.org/10.1007/11599371_8
出版ステータス	Published - 2005
イベント	4th International Conference on Cryptology and Network Security, CANS 2005 - Xiamen, China 継続期間: 2005 12月 14 → 2005 12月 16

出版物シリーズ

名前	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
巻	3810 LNCS
ISSN（印刷版）	0302-9743
ISSN（電子版）	1611-3349

Other

Other	4th International Conference on Cryptology and Network Security, CANS 2005
国/地域	China
City	Xiamen
Period	05/12/14 → 05/12/16

ASJC Scopus subject areas

理論的コンピュータサイエンス
コンピュータサイエンス（全般）

文献へのアクセス

10.1007/11599371_8

他のファイルとリンク

引用スタイル

Ando, R., & Takefuji, Y. (2005). Self debugging mode for patch-independent nullification of unknown remote process infection. In Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings (pp. 85-95). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3810 LNCS). Springer Verlag. https://doi.org/10.1007/11599371_8

Self debugging mode for patch-independent nullification of unknown remote process infection. / Ando, Ruo; Takefuji, Yoshiyasu.

Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings. Springer Verlag, 2005. p. 85-95 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3810 LNCS).

研究成果: Conference contribution

Ando, R & Takefuji, Y 2005, Self debugging mode for patch-independent nullification of unknown remote process infection. in Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 3810 LNCS, Springer Verlag, pp. 85-95, 4th International Conference on Cryptology and Network Security, CANS 2005, Xiamen, China, 05/12/14. https://doi.org/10.1007/11599371_8

Ando R, Takefuji Y. Self debugging mode for patch-independent nullification of unknown remote process infection. In Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings. Springer Verlag. 2005. p. 85-95. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/11599371_8

Ando, Ruo ; Takefuji, Yoshiyasu. / Self debugging mode for patch-independent nullification of unknown remote process infection. Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings. Springer Verlag, 2005. pp. 85-95 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{a4266cbb906e4146971144bef736093f,

title = "Self debugging mode for patch-independent nullification of unknown remote process infection",

abstract = "The rapid increase of software vulnerabilities shows us the limitation of patch-dependent countermeasures for malicious code. We propose a patch-independent protection technique of remote infection which enables each process to identify itself with {"}being infected{"} and nullify itself spontaneously. Our system is operating system independent and therefore does not need software rebuilding. Previously, no method for stopping malicious process without recompiling source code or re-building software has been proposed. In proposal system, target process is running under self debugging mode which is activated by enhancing debug() exception handler and utilizing MSR debug register. In this paper we show the effectiveness of proposal method by protecting the remote process infection without patching security holes. Implemention of device driver call back function and BranchIP recorder provides the real-time prevention of unregistered worm attack through Internet. In experiment, function test of stack buffer overflow of Win32.SQLExp.Worm is presented. Also CPU utilization corresponding to the number of calling function and some database operations is showed.",

keywords = "BranchIP recorder, Debug register, Improved debug exception handler, Real-time nullification, Self-debugging mode",

author = "Ruo Ando and Yoshiyasu Takefuji",

year = "2005",

doi = "10.1007/11599371_8",

language = "English",

isbn = "3540308490",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "85--95",

booktitle = "Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings",

}

TY - GEN

T1 - Self debugging mode for patch-independent nullification of unknown remote process infection

AU - Ando, Ruo

AU - Takefuji, Yoshiyasu

PY - 2005

Y1 - 2005

N2 - The rapid increase of software vulnerabilities shows us the limitation of patch-dependent countermeasures for malicious code. We propose a patch-independent protection technique of remote infection which enables each process to identify itself with "being infected" and nullify itself spontaneously. Our system is operating system independent and therefore does not need software rebuilding. Previously, no method for stopping malicious process without recompiling source code or re-building software has been proposed. In proposal system, target process is running under self debugging mode which is activated by enhancing debug() exception handler and utilizing MSR debug register. In this paper we show the effectiveness of proposal method by protecting the remote process infection without patching security holes. Implemention of device driver call back function and BranchIP recorder provides the real-time prevention of unregistered worm attack through Internet. In experiment, function test of stack buffer overflow of Win32.SQLExp.Worm is presented. Also CPU utilization corresponding to the number of calling function and some database operations is showed.

AB - The rapid increase of software vulnerabilities shows us the limitation of patch-dependent countermeasures for malicious code. We propose a patch-independent protection technique of remote infection which enables each process to identify itself with "being infected" and nullify itself spontaneously. Our system is operating system independent and therefore does not need software rebuilding. Previously, no method for stopping malicious process without recompiling source code or re-building software has been proposed. In proposal system, target process is running under self debugging mode which is activated by enhancing debug() exception handler and utilizing MSR debug register. In this paper we show the effectiveness of proposal method by protecting the remote process infection without patching security holes. Implemention of device driver call back function and BranchIP recorder provides the real-time prevention of unregistered worm attack through Internet. In experiment, function test of stack buffer overflow of Win32.SQLExp.Worm is presented. Also CPU utilization corresponding to the number of calling function and some database operations is showed.

KW - BranchIP recorder

KW - Debug register

KW - Improved debug exception handler

KW - Real-time nullification

KW - Self-debugging mode

UR - http://www.scopus.com/inward/record.url?scp=33744821078&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33744821078&partnerID=8YFLogxK

U2 - 10.1007/11599371_8

DO - 10.1007/11599371_8

M3 - Conference contribution

AN - SCOPUS:33744821078

SN - 3540308490

SN - 9783540308492

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 85

EP - 95

BT - Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings

PB - Springer Verlag

T2 - 4th International Conference on Cryptology and Network Security, CANS 2005

Y2 - 14 December 2005 through 16 December 2005

ER -

Self debugging mode for patch-independent nullification of unknown remote process infection

抄録

出版物シリーズ

Other

ASJC Scopus subject areas

文献へのアクセス

他のファイルとリンク

フィンガープリント

引用スタイル