Tappan Zee (north) bridge: Mining memory accesses for introspection

Brendan Dolan-Gavitt, Tim Leek, Josh Hodosh, Wenke Lee

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

    Abstract

    The ability to introspect into the behavior of software at runtime is crucial for many security-related tasks, such as virtual machine-based intrusion detection and low-artifact malware analysis. Although some progress has been made in this task by automatically creating programs that can passively retrieve kernel-level information, two key challenges remain. First, it is currently difficult to extract useful information from user-level applications, such as web browsers. Second, discovering points within the OS and applications to hook for active monitoring is still an entirely manual process. In this paper we propose a set of techniques to mine the memory accesses made by an operating system and its applications to locate useful places to deploy active monitoring, which we call tap points. We demonstrate the efficacy of our techniques by finding tap points for useful introspection tasks such as finding SSL keys and monitoring web browser activity on five different operating systems (Windows 7, Linux, FreeBSD, Minix and Haiku) and two processor architectures (ARM and x86).

    Original language: English (US)
    Title of host publication: CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security
    Pages: 839-850
    Number of pages: 12
    State: Published - 2013
    Event: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 - Berlin, Germany
    Duration: Nov 4 2013 - Nov 8 2013

    Publication series

    Name: Proceedings of the ACM Conference on Computer and Communications Security
    ISSN (Print): 1543-7221

    Other

    Other: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013
    Country/Territory: Germany
    City: Berlin
    Period: 11/4/13 - 11/8/13

    Keywords

    • active monitoring
    • introspection
    • reverse engineering

    ASJC Scopus subject areas

    • Software
    • Computer Networks and Communications
