Self debugging mode for patch-independent nullification of unknown remote process infection

Ruo Ando, Yoshiyasu Takefuji

Research output: Conference contribution

Abstract

The rapid increase in software vulnerabilities shows the limitation of patch-dependent countermeasures against malicious code. We propose a patch-independent protection technique against remote infection which enables each process to identify itself as "being infected" and nullify itself spontaneously. Our system is operating-system independent and therefore does not require rebuilding software. Previously, no method for stopping a malicious process without recompiling source code or rebuilding software has been proposed. In the proposed system, the target process runs under a self-debugging mode, which is activated by enhancing the debug() exception handler and utilizing the MSR debug registers. In this paper we show the effectiveness of the proposed method by protecting against remote process infection without patching security holes. Implementation of a device driver callback function and a BranchIP recorder provides real-time prevention of unregistered worm attacks through the Internet. In the experiment, a function test against the stack buffer overflow of Win32.SQLExp.Worm is presented. CPU utilization corresponding to the number of called functions and some database operations is also shown.

Original language: English
Title of host publication: Cryptology and Network Security - 4th International Conference, CANS 2005, Proceedings
Publisher: Springer Verlag
Pages: 85-95
Number of pages: 11
ISBN (Print): 3540308490, 9783540308492
DOI
Publication status: Published - 2005
Event: 4th International Conference on Cryptology and Network Security, CANS 2005 - Xiamen, China
Duration: 14 Dec 2005 to 16 Dec 2005

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 3810 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 4th International Conference on Cryptology and Network Security, CANS 2005
Country/Territory: China
City: Xiamen
Period: 05/12/14 to 05/12/16

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)
