TY - GEN
T1 - Tappan Zee (north) bridge
T2 - 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013
AU - Dolan-Gavitt, Brendan
AU - Leek, Tim
AU - Hodosh, Josh
AU - Lee, Wenke
PY - 2013
Y1 - 2013
N2 - The ability to introspect into the behavior of software at runtime is crucial for many security-related tasks, such as virtual machine-based intrusion detection and low-artifact malware analysis. Although some progress has been made in this task by automatically creating programs that can passively retrieve kernel-level information, two key challenges remain. First, it is currently difficult to extract useful information from user-level applications, such as web browsers. Second, discovering points within the OS and applications to hook for active monitoring is still an entirely manual process. In this paper we propose a set of techniques to mine the memory accesses made by an operating system and its applications to locate useful places to deploy active monitoring, which we call tap points. We demonstrate the efficacy of our techniques by finding tap points for useful introspection tasks such as finding SSL keys and monitoring web browser activity on five different operating systems (Windows 7, Linux, FreeBSD, Minix and Haiku) and two processor architectures (ARM and x86).
KW - active monitoring
KW - introspection
KW - reverse engineering
UR - http://www.scopus.com/inward/record.url?scp=84888989480&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84888989480&partnerID=8YFLogxK
U2 - 10.1145/2508859.2516697
DO - 10.1145/2508859.2516697
M3 - Conference contribution
AN - SCOPUS:84888989480
SN - 9781450324779
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 839
EP - 850
BT - CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security
Y2 - 4 November 2013 through 8 November 2013
ER -