Jump to content
Sign in to follow this  

Foreign Code Detection on theWindows/X86 Platform

Recommended Posts

Foreign Code Detection on theWindows/X86 Platform

Susanta Nanda Wei Li Lap-Chung Lam Tzi-cker Chiueh


Department of Computer Science

SUNY at Stony Brook

Stony Brook, NY 11794-4400


As new attacks againstWindows-based machines emerge

almost on a daily basis, there is an increasing need to

“lock down” individual users’ desktop machines in corporate

computing environments. One particular way to lock

down a user computer is to guarantee that only authorized

binary programs are allowed to run on that computer. A

major advantage of this approach is that binaries downloaded

without the user’s knowledge, such as spyware, adware,

or code entering through buffer overflow attacks, can

never run on computers that are locked down this way. This

paper presents the design, implementation and evaluation

of FOOD, a foreign code detection system specifically for

the Windows/X86 platform, where foreign code is defined as

any binary programs that do not go through an authorized

installation procedure. FOOD verifies the legitimacy of binary

images involved in process creation and library loading

to ensure that only authorized binaries are used in these

operations. In addition, FOOD checks the target address

of every indirect branch instruction in Windows binaries to

prevent illegitimate control transfers to either dynamically

injected mobile code or pre-existing library functions that

are potentially damaging. Combined together, these techniques

strictly prevent the execution of any foreign code.

Experiments with a fully working FOOD prototype show

that it can indeed stop all spyware and buffer overflow attacks

we tested, and its worst-case run-time performance

overhead associated with foreign code detection is less than




Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Create New...