Nytro

Foreign Code Detection on the Windows/X86 Platform

Susanta Nanda, Wei Li, Lap-Chung Lam, Tzi-cker Chiueh

{susanta,weili,lclam,chiueh}@cs.sunysb.edu

Department of Computer Science

SUNY at Stony Brook

Stony Brook, NY 11794-4400

Abstract

As new attacks against Windows-based machines emerge almost on a daily basis, there is an increasing need to “lock down” individual users’ desktop machines in corporate computing environments. One particular way to lock down a user computer is to guarantee that only authorized binary programs are allowed to run on that computer. A major advantage of this approach is that binaries downloaded without the user’s knowledge, such as spyware, adware, or code entering through buffer overflow attacks, can never run on computers that are locked down this way. This paper presents the design, implementation and evaluation of FOOD, a foreign code detection system specifically for the Windows/X86 platform, where foreign code is defined as any binary program that does not go through an authorized installation procedure. FOOD verifies the legitimacy of binary images involved in process creation and library loading to ensure that only authorized binaries are used in these operations. In addition, FOOD checks the target address of every indirect branch instruction in Windows binaries to prevent illegitimate control transfers to either dynamically injected mobile code or pre-existing library functions that are potentially damaging. Combined together, these techniques strictly prevent the execution of any foreign code. Experiments with a fully working FOOD prototype show that it can indeed stop all spyware and buffer overflow attacks we tested, and its worst-case run-time performance overhead associated with foreign code detection is less than 35%.

Download:

www.acsac.org/2006/papers/86.pdf
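As an added illustration of the two checks the abstract describes (constructed for this post, not code from the paper or the FOOD prototype), the C model below gates image loads on a content hash recorded at authorized installation time and rejects indirect-branch targets that fall outside legitimate mapped code or hit a library entry point marked as potentially damaging. The FNV-1a hash, the sample image bytes and the addresses are assumptions; a real implementation would hook the kernel's image-mapping path and instrument branches in the binary.

```c
#include <stdint.h>
#include <stddef.h>

/* Model of FOOD's two checks (constructed example, not the paper's code):
   1. An image may be mapped for process creation or library loading only if
      its content hash was recorded during an authorized installation.
   2. An indirect branch target must lie inside the code range of a mapped,
      authorized image and must not be a "potentially damaging" entry point. */

#define MAX_IMAGES 8

typedef struct {
    uintptr_t base;   /* start of the image's code range once mapped */
    size_t    size;   /* length of that code range in bytes */
} image_t;

/* FNV-1a 64-bit: stand-in for whatever digest a real system would use (assumption). */
static uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Allowlist populated only by the authorized installation procedure. */
static uint64_t allowed_hashes[MAX_IMAGES];
static size_t   n_allowed;

void record_authorized_install(const uint8_t *image, size_t len) {
    if (n_allowed < MAX_IMAGES) allowed_hashes[n_allowed++] = fnv1a64(image, len);
}

/* Check 1: is this image legitimate for process creation / library loading? */
int image_load_allowed(const uint8_t *image, size_t len) {
    uint64_t h = fnv1a64(image, len);
    for (size_t i = 0; i < n_allowed; i++)
        if (allowed_hashes[i] == h) return 1;
    return 0;   /* foreign code: never went through authorized installation */
}

/* Check 2: may an indirect branch transfer control to `target`?
   mapped[]    - code ranges of images that passed check 1
   forbidden[] - entry points of library functions deemed potentially damaging */
int branch_target_allowed(uintptr_t target, const image_t *mapped, size_t n_mapped,
                          const uintptr_t *forbidden, size_t n_forbidden) {
    for (size_t i = 0; i < n_forbidden; i++)
        if (forbidden[i] == target) return 0;   /* damaging library function */
    for (size_t i = 0; i < n_mapped; i++)
        if (target >= mapped[i].base && target < mapped[i].base + mapped[i].size) return 1;
    return 0;   /* outside all legitimate code, e.g. injected on the stack or heap */
}
```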
