Graduate engineering school and research center in digital sciences

Micro-virtualization memory tracing to detect and prevent spraying attacks

Stefano, Cristalli; Pagnozzi, Mattia; Graziano, Mariano; Lanzi, Andrea; Balzarotti, Davide

USENIX 2016, 25th USENIX Security Symposium, August 10-12, 2016, Austin, TX, USA

Spraying is a common payload delivery technique used by attackers to execute arbitrary code in the presence of Address Space Layout Randomisation (ASLR). In this paper we present Graffiti, an efficient hypervisor-based memory analysis framework for the detection and prevention of spraying attacks. Compared with previous solutions, our system is the first to offer an efficient, complete, extensible, and OS-independent protection against all spraying techniques known to date. We developed a prototype open source framework based on our approach, and we thoroughly evaluated it against all known variations of spraying attacks on two operating systems: Linux and Microsoft Windows. Our tool can be applied out of the box to protect any application, and its overhead can be tuned according to the application behavior and to the desired level of protection.


Title: Micro-virtualization memory tracing to detect and prevent spraying attacks
Type: Conference
Language: English
City: Austin
Country: UNITED STATES
Date:
Department: Digital Security
Eurecom ref: 4902
Copyright: Copyright Usenix. Personal use of this material is permitted. The definitive version of this paper was published in USENIX 2016, 25th USENIX Security Symposium, August 10-12, 2016, Austin, TX, USA and is available at :
Bibtex: @inproceedings{EURECOM+4902, year = {2016}, title = {{M}icro-virtualization memory tracing to detect and prevent spraying attacks}, author = {{S}tefano, {C}ristalli and {P}agnozzi, {M}attia and {G}raziano, {M}ariano and {L}anzi, {A}ndrea and {B}alzarotti, {D}avide}, booktitle = {{USENIX} 2016, 25th {USENIX} {S}ecurity {S}ymposium, {A}ugust 10-12, 2016, {A}ustin, {TX}, {USA}}, address = {{A}ustin, {\'{E}}{TATS}-{UNIS}}, month = {08}, url = {http://www.eurecom.fr/publication/4902} }