Lockdown-Protection: Unintended Execution Attack Prevention Based on Program Behavior Analysis
Delivering malware that invokes security-sensitive services is a necessary step in cyber-attacks that carry out theft, destruction, and denial of service, and it puts cyberspace at serious risk. Malware that calls security-sensitive services performs sensitive operations such as file reads and writes, access control, and system management, posing a direct and significant threat to system security. For instance, in the WannaCry ransomware incident that began in 2017, attackers spread ransomware to victims' devices through vulnerabilities; the ransomware then encrypted and overwrote files by invoking the system's file-writing services in order to extort a ransom. In this paper, we define such attacks as unintended execution attacks, which existing techniques find difficult to detect. Unintended execution attacks can lead to system crashes, data leakage, or data destruction, with serious implications for personal privacy, business operations, and national security. Analyzing the MITRE ATT&CK matrix, we conclude that tactics closer to the end of the attack chain are more technically necessary: invoking security-sensitive services with high access and execution privileges at the end of the attack chain is a prerequisite for achieving the attacker's objectives, which makes unintended execution attacks inevitable. Existing defense techniques focus primarily on mitigating and detecting malicious code injection and vulnerability exploitation, preventing attackers from injecting malicious code, hijacking control flow, or escalating privileges through code injection or program vulnerabilities. However, with the emergence of new exploitation techniques such as code-reuse attacks, and given the performance overhead of mitigation techniques in commercial systems, deployed defenses are vulnerable to being bypassed. In particular, when attackers enter the system by an unknown route and run malicious software under a privileged account, existing defense techniques fail to detect such unintended execution attacks in real time. Therefore, researching countermeasures against unintended execution attacks, serving as the last line of defense that blocks attackers' malicious activities, is of significant importance for ensuring the baseline security of critical information systems. Based on a deep understanding of the mechanisms and behavioral characteristics of unintended execution attacks, this paper designs and implements a lockdown-protection mechanism that complements existing defense techniques and acts as a security bottom line, the last line of defense for intercepting malware execution. The mechanism detects and blocks unintended execution attacks in three key steps: (1) expected-behavior analysis, (2) actual-behavior monitoring, and (3) blocking of unexpected behavior. Specifically, the lockdown-protection structure analyzes the expected behavior of a target program with respect to security-sensitive services at compile time, monitors the program's actual behavior at runtime, and verifies that the actual behavior matches the expected behavior before the service executes. If an inconsistency is detected, the invocation is identified as an unintended execution attack. This defense approach is rooted in the observation that a program's execution behavior during an unintended execution attack deviates from its expected behavior. Based on our observation of the critical elements that can affect service behavior, we propose a lockdown-protection model as a theoretical model for defending against unintended execution attacks. We then implement a prototype of the lockdown-protection structure on the Linux platform. We use real-world APT malware, kernel privilege-escalation exploits, and popular applications to evaluate the effectiveness of our prototype, and we also evaluate its performance overhead. Experimental results show that our prototype is effective in defending against typical unintended execution attacks while introducing a performance overhead of less than 5%.
Keywords: security-sensitive service; unintended execution attack; lockdown-protection; monitoring program behavior; attack prevention
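As an added illustration of the three-step mechanism the abstract describes (this is example code written for this page, not the paper's prototype, and it does not reproduce the prototype's compile-time analysis or its kernel-side enforcement), the following Python toy models a lockdown monitor for a hypothetical text editor. The call graph, the set of guarded services, the function names, the call-site addresses, and the runtime trace are all constructed for the example. Expected behavior is derived from the call graph, each attempted invocation is checked against it before the service would run, and any mismatch in service, call site, or argument is reported as an unintended execution attack.

```python
"""Toy lockdown-protection monitor (added example, not the paper's code).

Models the three steps from the abstract on a hypothetical program:
  1. expected-behaviour analysis: at "compile time", walk a constructed call
     graph and record which functions may invoke which security-sensitive
     services, and with what argument constraints;
  2. actual-behaviour monitoring: replay a constructed runtime trace of
     attempted service invocations;
  3. blocking: allow an invocation only if the service, the calling function
     and the argument match the expected profile; anything else is reported
     as an unintended execution attack and would not be executed.
All service names, function names and addresses are invented.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Security-sensitive services the monitor guards (hypothetical set).
SENSITIVE = {"file_write", "set_privilege", "spawn_process"}


@dataclass(frozen=True)
class Expectation:
    service: str
    call_site: str   # function expected to invoke the service
    arg_glob: str    # allowed argument pattern (path, uid, command ...)


@dataclass(frozen=True)
class Invocation:
    service: str
    call_site: str   # caller found on the stack when the service was entered
    arg: str
    privileged: bool  # recorded only; see check() for why it is not consulted


@dataclass(frozen=True)
class Decision:
    invocation: Invocation
    allowed: bool
    reason: str


# Step 1: constructed result of compile-time analysis of a text editor.
# Maps each function to the sensitive services it is expected to call.
EDITOR_CALL_GRAPH = {
    "save_document": [("file_write", "/home/*/docs/*")],
    "write_backup": [("file_write", "/home/*/.editor/backup/*")],
    "open_terminal": [("spawn_process", "/usr/bin/xterm")],
}


def build_profile(call_graph):
    """Expected-behaviour profile: one Expectation per (function, service, pattern)."""
    profile = set()
    for func, calls in call_graph.items():
        for service, pattern in calls:
            if service not in SENSITIVE:
                raise ValueError(f"{service} is not a guarded service")
            profile.add(Expectation(service, func, pattern))
    return profile


def check(inv, profile):
    """Step 3: verify actual behaviour against expected before the service runs.

    The privileged flag is deliberately ignored: the question is whether the
    behaviour is expected of this program, not whether the account may do it,
    which is exactly the case where access control alone does not help.
    """
    if inv.service not in SENSITIVE:
        return Decision(inv, True, "not a security-sensitive service")
    candidates = [e for e in profile if e.service == inv.service]
    if not candidates:
        return Decision(inv, False, f"program never expected to call {inv.service}")
    by_site = [e for e in candidates if e.call_site == inv.call_site]
    if not by_site:
        return Decision(inv, False, f"{inv.service} from unexpected call site {inv.call_site}")
    if not any(fnmatch(inv.arg, e.arg_glob) for e in by_site):
        return Decision(inv, False, f"{inv.service} from {inv.call_site} with unexpected argument {inv.arg}")
    return Decision(inv, True, "matches expected behaviour")


def monitor(trace, profile):
    """Step 2: observe each attempted invocation and decide, in trace order."""
    return [check(inv, profile) for inv in trace]


def blocked_count(decisions):
    return sum(1 for d in decisions if not d.allowed)


# Constructed runtime trace: normal editor use, then ransomware-like activity
# from injected code (call sites that are not editor functions) and from a
# hijacked legitimate call site.
TRACE = [
    Invocation("file_write", "save_document", "/home/alice/docs/report.txt", False),
    Invocation("file_write", "write_backup", "/home/alice/.editor/backup/report.txt~", False),
    Invocation("spawn_process", "open_terminal", "/usr/bin/xterm", False),
    Invocation("file_write", "0x7f3a1c00", "/home/alice/docs/report.txt.locked", False),
    Invocation("file_write", "save_document", "/etc/passwd", True),
    Invocation("set_privilege", "save_document", "uid=0", True),
    Invocation("spawn_process", "0x7f3a1c40", "/bin/sh", True),
]

if __name__ == "__main__":
    for d in monitor(TRACE, build_profile(EDITOR_CALL_GRAPH)):
        print("ALLOW" if d.allowed else "BLOCK", d.invocation.service,
              d.invocation.call_site, d.invocation.arg, "-", d.reason)
```

Running the block allows the first three invocations and blocks the remaining four: the write from an unknown call site, the write from a legitimate call site to a path outside the expected pattern (the code-reuse case, where control-flow integrity alone would not object), the privilege change the editor never performs, and the shell spawn. A real implementation would derive the profile from binary analysis and take the call site from a trustworthy stack or hardware trace rather than from a string; the matching logic is the part this toy is meant to show.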