Symbol diversification of linux binaries

Laurén, Samuel; Mäki, Petteri; Rauti, Sampsa; Hosseinzadeh, Shohreh; Hyrynsalmi, Sami; Leppänen, Ville

doi:10.1109/worldcis.2014.7028170

Cited by 14 publications

(9 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Lauren et at. propose to diversify library entry points to system calls [14], [15]. Since entry points are unique in each computer, it becomes very difficult for malware to access system resources.…”

Section: B System Callsmentioning

confidence: 99%

PhantomFS: File-Based Deception Technology for Thwarting Malicious Users

Lee

Choi

Lee³

et al. 2020

IEEE Access

View full text Add to dashboard Cite

File-based deception technologies can be used as an additional security barrier when adversaries have successfully gained access to a host evading intrusion detection systems. Adversaries are detected if they access fake files. Though previous works have mainly focused on using user data files as decoys, this concept can be applied to system files. If so, it is expected to be effective in detecting malicious users because it is very difficult to commit an attack without accessing a single system file. However, it may suffer from excessive false alarms by legitimate system services such as file indexing and searching. Legitimate users may also access fake files by mistake. This paper addresses this issue by introducing a hidden interface. Legitimate users and applications access files through the hidden interface which does not show fake files. The hidden interface can also be utilized to hide sensitive files by hiding them from the regular interface. By experiments, we demonstrate the proposed technique incurs negligible performance overhead, and it is an effective countermeasure to various attack scenarios and practical in that it does not generate false alarms for legitimate applications and users.

show abstract

Section: B System Callsmentioning

confidence: 99%

PhantomFS: File-Based Deception Technology for Thwarting Malicious Users

Lee

Choi

Lee³

et al. 2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Ergo, the malware that is not aware of the new system call numbers is unable to interact with the environment. Symbol diversification [18,19] diversifies the symbol names used with dynamic linking of shared libraries. Shared libraries implement functions that are used by other libraries or executables.…”

Section: Related Workmentioning

confidence: 99%

“…In addition, the changed names are propagated to all ELF files that depend on the entities whose symbolic names were diversified. To experiment with symbol diversification on Raspbian, we employed our old tool that was previously used to diversify x86_64 Linux [18]. To be run on Raspbian, the tool needed to be modified to support 32-bit ELF files, which was relatively straightforward.…”

Section: Symbol Diversification On Raspbianmentioning

confidence: 99%

See 1 more Smart Citation

Internal Interface Diversification as a Security Measure in Sensor Networks

Rauti¹,

Koivunen²,

Mäki³

et al. 2018

JSAN

Self Cite

View full text Add to dashboard Cite

More actuator and sensor devices are connected to the Internet of Things (IoT) every day, and the network keeps growing, while software security of the devices is often incomplete. Sensor networks and the IoT in general currently cover a large number of devices with an identical internal interface structure. By diversifying the internal interfaces, the interfaces on each node of the network are made unique, and it is possible to break the software monoculture of easily exploitable identical systems. This paper proposes internal interface diversification as a security measure for sensor networks. We conduct a study on diversifiable internal interfaces in 20 IoT operating systems. We also present two proof-of-concept implementations and perform experiments to gauge the feasibility in the IoT environment. Internal interface diversification has practical limitations, and not all IoT operating systems have that many diversifiable interfaces. However, because of low resource requirements, compatibility with other security measures and wide applicability to several interfaces, we believe internal interface diversification is a promising and effective approach for securing nodes in sensor networks.

show abstract

“…Several diversification schemes employing this general idea have been published in the literature [4]. In the Linux operating system, these schemes often propose diversification of three important interfaces: (1) the system call interface [6]; (2) binary symbols and library functions [7]; and (3) command shell language [8,9]. In this study, our aim is to investigate the feasibility of each solution for system's multi-layered security.…”

Section: Introductionmentioning

confidence: 99%

Internal interface diversification as a method against malware

Rauti

Laurén

Mäki

et al. 2020

Journal of Cyber Security Technology

Self Cite

View full text Add to dashboard Cite

Internal interface diversification is a proactive software security method that prevents malware from using the fundamental services provided by an operating system by uniquely diversifying internal interfaces and propagating the information only to trusted programs. There are three main internal interfaces in operating systems that have been diversified in previous studies: (1) system calls (2) library functions and (3) shell commands. Based on previous studies and our own work, we implemented diversification for all interfaces in order to test their suitability and feasibility for real-world use. All three solutions enhanced the multi-layer security of the testing environment with little to no cost on system performance. However, maintaining such diversification tools might be troublesome in large and complex systems where new software is frequently added and software versions are updated. Thus, the solutions would be ideal for IoT devices and other smaller systems which rarely require updating, as well as restricted and static systems and critical systems with high-security requirements.

show abstract

Symbol diversification of linux binaries

Cited by 14 publications

References 13 publications

PhantomFS: File-Based Deception Technology for Thwarting Malicious Users

PhantomFS: File-Based Deception Technology for Thwarting Malicious Users

Internal Interface Diversification as a Security Measure in Sensor Networks

Internal interface diversification as a method against malware

Contact Info

Product

Resources

About