SDCI Sec: New Software Platforms for Supporting Network-wide Detection of Code Injection Attacks

In recent years, code-injection attacks have become one of the most

common forms of attack on modern computer systems. At a high level,

code-injection attacks on network services (e.g. file sharing and

webservers) and client-based programs (e.g., browsers and document

viewers) enable redirection of the flow of execution in the vulnerable

program to arbitrary code, called shellcode, which is provided as part

of the attack. The injected code often enables unauthorized control of

system resources, applications, and data. The key to detecting these

attacks lies in accurately discovering the presence of the shellcode

being injected into the vulnerable program.

The intent of this research is to design, implement, and deploy a new

framework, called ShellOS, that continuously analyzes network streams

or program buffers to detect the presence of executable code that may

be harmful. The proposed approach addresses the shortcomings of

current dynamic analysis techniques that use software-based CPU

emulation for detecting shellcode. Unlike previous approaches, this approach takes

advantage of hardware virtualization to allow for more efficient and

accurate inspection of buffers by directly executing instruction

sequences on the CPU. In doing so, this project enables more scalable

techniques for protecting cyberinfrastructure against code injection

attacks. Where possible, the project also plans to release anonymized forms of

detected attacks. The availability of such data can play a significant

role in fostering collaboration and ensuring U.S. technical leadership

in network security research. The tools created as part of this

project will be made available to the broader research community under

an open source license.