Behavior-based spyware detection
In Usenix Security Symposium, 2006
Abstract (cited by 42, 9 self):
Spyware is rapidly becoming a major security issue. Spyware programs are surreptitiously installed on a user’s workstation to monitor his/her actions and gather private information about a user’s behavior. Current antispyware tools operate in a way similar to traditional antivirus tools, where signatures associated with known spyware programs are checked against newly-installed applications. Unfortunately, these techniques are very easy to evade by using simple obfuscation transformations. This paper presents a novel technique for spyware detection that is based on the characterization of spyware-like behavior. The technique is tailored to a popular class of spyware applications that use Internet Explorer’s Browser Helper Object (BHO) and toolbar interfaces to monitor a user’s browsing behavior. Our technique uses a composition of static and dynamic analysis to determine whether the behavior of BHOs and toolbars in response to simulated browser events should be considered malicious. The evaluation of our technique on a representative set of spyware samples shows that it is possible to behavioral characterization.
Transparent Migration of Distributed Communicating Processes
2000
Abstract (cited by 6, 1 self):
A Computing Community is a group of cooperating machines that behave like a single system and run all general-purpose applications---without any modifications to the shrink-wrapped binary applications or the operating system. In order to realize such a system, we inject a wrapper DLL into an application at runtime that manages the execution of the application and endows it with features such as virtualization and mobility. This paper describes the concept of virtualization, the mechanism of injection, and the implementation of a wrapper DLL. We focus on one kind of application: those that use sockets to communicate with other processes. We show how these processes can migrate between machines without disrupting the socket communications. We have implemented the software that needs to be injected into the application to enable this feature. Handling more application types is part of the continued research in the Computing Communities project.
A Survey on Tools for Binary Code Analysis
2004
Abstract (cited by 3, 0 self):
Different strategies for binary analysis are widely used in systems dealing with software maintenance and system security. Binary code is self-contained; though it is easy to execute, it is not easy to read and understand. Binary analysis tools are useful in software maintenance because the binary of software has all the information necessary to recover the source code. It is also incredibly important and sensitive in the domain of security. Malicious binary code can infect other applications, hide in their binary code, contaminate the whole system or travel through the Internet and attack other systems. This makes it imperative for security personnel to scan and analyze binary code with the aid of binary code analysis tools. On the other hand, crackers can reverse engineer the binary code to assembly code in order to break the secrets embedded in the binary code, such as registration numbers, passwords or secret algorithms. This motivates researchers to prevent malicious monitoring by binary code analysis tools. Evidently, binary analysis tools play an important double-sided role in security. This paper surveys binary code analysis from the most fundamental perspectives: the binary code formats and several of the most basic analysis tools, such as the disassembler, the debugger and the instrumentation tools based on them. The previous research on binary analysis is investigated and summarized, and a new approach to analysis, the disassembler-based binary interpreter, is proposed and discussed.
A framework for profile-driven optimization in the IMPACT binary reoptimization system
1999
Abstract (cited by 2, 1 self):
teaching abilities, and Dan Lavery for his mentoring efforts in the early days of my IMPACT membership. In addition, I want to thank our corporate research partners. First, thanks to Advanced Micro Devices, in particular Dr. David Christie. The AMD team has provided hardware, software tools, and invaluable insight into the K6 microarchitecture and into the entire software development process. Thanks to Microsoft for their donation of the Microsoft Developer Network tool set and to Microsoft Research for our post-link optimization discussions. And thanks to Hewlett-Packard for my internship opportunity and for general support of the IMPACT research group. Last, I want to thank my family for their constant support. My wife, Polly, is understanding about my long work hours, encourages me when I get discouraged, celebrates with me in my triumphs, and in general, is the loving support that drives me each day. My parents, parents-in-law, and sister are always confident in
Flexible Code Safety for Win32
MIT SM Thesis, 1999
Abstract (cited by 2, 0 self):
With the growth of the global Internet, users have begun to download and run programs for more different purposes and from more varied sources than ever before. These programs should not be allowed to cause harm to a user’s system or data, either as a result of malicious code created by an adversary or buggy code that could cause harm accidentally. Users may have different ideas of what constitutes harm than the program’s authors, so they need a flexible way to specify the capabilities and limitations of untrusted programs. Naccio is a platform-independent architecture for defining safety policies that describe what a program cannot do. To enforce those policies, programs are transformed to integrate safety checking into their operation at run-time. This thesis presents the design of Naccio/Win32, which applies the Naccio architecture to enforce policies on executables running under Microsoft Windows. A prototype implementation provides a proof of concept, and results presented here provide a demonstration of the effectiveness and efficiency of Naccio/Win32’s mechanisms. Naccio/Win32 provides a greater degree of flexibility than any previous code safety system. Safety policies can be written and enforced with no in-depth knowledge of the system, and are specified as general constraints on program actions, rather than being targeted reactions to known attacks. New policies can easily be deployed to adapt to changing security needs or system vulnerabilities. The enforcement of policies through transformation is optimized to minimize the overhead introduced, so that users will not suffer a noticeable loss of performance.
Secure Internet-based Electronic Commerce: The View from Outside the US
1998
Abstract (cited by 1, 0 self):
This paper covers the issues of using weak, US government-approved security as well as problems with flawed security measures, examines some of the measures necessary to provide an adequate level of security, and then suggests several possible solutions. This paper is targeted at people with a responsibility for computer security as well as those currently considering the extent to which their organisation may wish to become involved in Internet commerce, and includes fairly extensive coverage of past and present Internet commerce related security problems in order to give a general idea of areas to look out for. Although little security knowledge is assumed, some sections are intended for more technically-aware readers and may be skipped if desired.

Problems in Internet-Based Electronic Commerce

The creation of a global electronic commerce system will provide an extremely powerful magnet for hackers, criminals, disgruntled employees, and hostile (but also "friendly") governments' intelligence agencies. This problem is magnified by the nature of the Internet, which allows attackers to quickly disseminate technical details on performing attacks and software to exploit vulnerabilities. A single skilled attacker willing to share their knowledge can enable hordes of dilettantes around the world to exploit a security hole in an operating system or application software within a matter of hours [Gordon 1994]. One example of how easy these tools make it for neophytes to attack a system involved someone gaining super-user privileges on a Unix system and then trying to execute DOS commands. The Internet also enables an attacker to perform attacks over long distances with little chance of detection and even less chance of apprehension. The ability to carry this out more or less ...
Integrating and Reusing GUI-Driven Applications
Abstract (cited by 1, 0 self):
Graphical User Interface (GUI) Driven Applications (GDAs) are ubiquitous. We present a model and techniques that take closed and monolithic GDAs and integrate them into an open, collaborative environment. The central idea is to objectify the GUI of a GDA, thereby creating an object that enables programmatic control of that GDA.
Jacob R. Lorch
2000
Abstract:
In order to conduct accurate simulations of new approaches to energy management, we needed to collect detailed, time-stamped traces of several diverse types of activity on Windows NT and Windows 2000. For this purpose, we wrote VTrace, which collects data about processes, threads, messages, disk operations, network operations, the keyboard, the mouse, and the cursor. Building this tool required a large number of special techniques, which we describe in this paper. These techniques included using a DLL loaded into the address space of every process to intercept Win32 system calls; establishing hook functions for Windows NT kernel system calls; modifying the context switch code in memory to log context switches despite inadequate operating system support; and using device filters to log accesses to devices such as file systems, disk partitions, network transport layers, and the keyboard. We also describe related issues, such as where we found the necessary information, and how to debug a tracing tool that is intimately connected to the operating system kernel. Finally, since VTrace was originally written for Windows NT but later modified and extended to run with Windows 2000, we briefly discuss some of the changes required for Windows 2000.