STILL: Exploit code detection via static taint and initialization analyses

Xinran Wang, Yoon Chan Jhi, Sencun Zhu, Peng Liu

Research output: Contribution to journal › Conference article

32 Citations (Scopus)

Abstract

We propose STILL, a generic defense based on Static Taint and InitiaLization anaLyses, to detect exploit code embedded in data streams/requests targeting various Internet services such as Web services. STILL first blindly disassembles each request, generates a (probably partial) control flow graph, and then uses novel static taint and initialization analysis algorithms to determine if strong evidence of self-modifying (including polymorphism) and/or indirect jump code obfuscation behavior can be collected. If such evidence exists, STILL will raise an alarm and block the request; otherwise, STILL will perform another form of static taint analysis to check whether unobfuscated or other types of obfuscated exploit code (e.g., metamorphism) is embedded in the request. To the best of our knowledge, compared with existing static analysis approaches developed for the same purpose, STILL is (a) the first one that can detect self-modifying code and indirect jump, and (b) a more comprehensive static analysis solution in defending against anti-signature, anti-static-analysis and anti-emulation code obfuscation (for all the code obfuscation techniques we are aware of, STILL is robust to all but one).
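The abstract describes a pipeline (blind disassembly of the request, a partial control flow graph, then taint analysis for self-modifying writes and indirect jumps) without showing what the evidence looks like. The following is an added illustration, not the STILL implementation and not the paper's algorithm: a toy Python pass that decodes a small x86-32 subset, treats the return address pushed by `call` (the call/pop GetPC idiom) as a "PC-derived" taint source, and reports a byte write or an indirect jump through a PC-derived register. The instruction subset, the taint rules, the HTTP request bytes and the decoder stub are all constructed for this example.

```python
# Added illustration of the abstract's idea (blind disassembly, then taint analysis for
# self-modifying writes and indirect jumps). Not the STILL implementation or the paper's
# algorithm: the x86-32 subset, the taint rules and the sample bytes are constructed here.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(data: bytes, off: int):
    """Decode one instruction at `off` as (off, size, mnemonic, operands); None = unsupported."""
    b = data[off]
    nxt = lambda n: data[off + 1:off + 1 + n]          # up to n operand bytes (short near the end)
    if b == 0xE8 and len(nxt(4)) == 4:                                   # call rel32
        return off, 5, "call", (off + 5 + int.from_bytes(nxt(4), "little", signed=True),)
    if b == 0x90:
        return off, 1, "nop", ()
    if 0x40 <= b <= 0x4F:                                                # inc/dec r32
        return off, 1, "inc" if b < 0x48 else "dec", (REGS[b & 7],)
    if 0x50 <= b <= 0x5F:                                                # push/pop r32
        return off, 1, "push" if b < 0x58 else "pop", (REGS[b & 7],)
    if 0xB8 <= b <= 0xBF and len(nxt(4)) == 4:                           # mov r32, imm32
        return off, 5, "mov_imm", (REGS[b & 7], int.from_bytes(nxt(4), "little"))
    if b in (0x31, 0x89) and len(nxt(1)) == 1 and nxt(1)[0] >> 6 == 3:   # xor/mov r32, r32 (dest = rm)
        modrm = nxt(1)[0]
        return off, 2, "xor_rr" if b == 0x31 else "mov_rr", (REGS[modrm & 7], REGS[(modrm >> 3) & 7])
    if b == 0x83 and len(nxt(2)) == 2 and nxt(1)[0] & 0xF8 == 0xC0:      # add r32, imm8
        return off, 3, "add_imm", (REGS[nxt(1)[0] & 7], nxt(2)[1])
    if b == 0x80 and len(nxt(2)) == 2 and nxt(1)[0] & 0xF8 == 0x30 and nxt(1)[0] & 7 not in (4, 5):
        return off, 3, "xor_m8", (REGS[nxt(1)[0] & 7], nxt(2)[1])        # xor byte [r32], imm8
    if b == 0xFF and len(nxt(1)) == 1 and nxt(1)[0] & 0xF8 in (0xD0, 0xE0):  # call/jmp r32
        return off, 2, "call_reg" if nxt(1)[0] & 0xF8 == 0xD0 else "jmp_reg", (REGS[nxt(1)[0] & 7],)
    if b in (0x75, 0xE2, 0xEB) and len(nxt(1)) == 1:                     # jnz/loop/jmp rel8
        rel = int.from_bytes(nxt(1), "little", signed=True)
        return off, 2, {0x75: "jnz", 0xE2: "loop", 0xEB: "jmp"}[b], (off + 2 + rel,)
    return None


def sweep(data: bytes, start: int, max_insns: int = 64):
    """Linear sweep from `start`, propagating 'PC-derived' taint through registers and the stack.
    Source: the return address pushed by `call` (call/pop GetPC). Sinks: a memory write through
    a tainted base register (self-modification) and an indirect jmp/call through a tainted
    register. Returns a list of (offset, description) evidence items."""
    tainted, stack, visited, evidence, off = set(), [], set(), [], start
    for _ in range(max_insns):
        if off >= len(data) or off in visited or (ins := decode(data, off)) is None:
            break
        visited.add(off)
        _, size, m, ops = ins
        if m == "call":
            stack.append(True)                          # the pushed return address is PC-derived
        elif m == "push":
            stack.append(ops[0] in tainted)
        elif m in ("pop", "mov_imm", "mov_rr", "xor_rr"):   # register definitions: recompute dest taint
            if m == "pop":
                src_tainted = bool(stack) and stack.pop()
            elif m == "mov_imm":
                src_tainted = False
            elif m == "mov_rr":
                src_tainted = ops[1] in tainted
            else:                                       # xor r, r zeroes; otherwise taint is the union
                src_tainted = ops[0] != ops[1] and (ops[0] in tainted or ops[1] in tainted)
            (tainted.add if src_tainted else tainted.discard)(ops[0])
        elif m == "xor_m8" and ops[0] in tainted:
            evidence.append((off, f"self-modifying write: xor byte [{ops[0]}], {ops[1]:#x} through PC-derived {ops[0]}"))
        elif m in ("jmp_reg", "call_reg") and ops[0] in tainted:
            evidence.append((off, f"indirect {m[:-4]} through PC-derived {ops[0]}"))
        # inc/dec/add_imm/nop: a PC-derived pointer stays PC-derived after arithmetic
        if m in ("call", "jmp"):                        # follow direct transfers that stay inside the stream
            if not 0 <= ops[0] < len(data):
                break
            off = ops[0]
        elif m in ("jmp_reg", "call_reg"):
            break                                       # target unknown statically: control leaves the stream
        else:
            off += size                                 # jnz/loop fall through; back edges are not re-explored
    return evidence


def scan(data: bytes):
    """Blind disassembly: try every offset as a candidate entry point and return
    (entry, evidence) for the first sweep that collects evidence, else None."""
    for start in range(len(data)):
        evidence = sweep(data, start)
        if evidence:
            return start, evidence
    return None


# Constructed sample: a call/pop GetPC XOR decoder stub embedded in an HTTP request line.
GETPC_STUB = bytes([
    0xE8, 0x00, 0x00, 0x00, 0x00,   # call $+5             ; pushes the address of the next instruction
    0x5E,                           # pop esi              ; esi = PC (taint source)
    0x83, 0xC6, 0x11,               # add esi, 17          ; esi -> first encoded byte (stub is 22 bytes)
    0xB9, 0x10, 0x00, 0x00, 0x00,   # mov ecx, 16
    0x80, 0x36, 0x41,               # xor byte [esi], 0x41 ; write through a PC-derived pointer (sink 1)
    0x46,                           # inc esi
    0xE2, 0xFA,                     # loop -6              ; back to the xor
    0xFF, 0xE6,                     # jmp esi              ; indirect jump into the decoded bytes (sink 2)
])
ENCODED_PAYLOAD = bytes(b ^ 0x41 for b in b"\x90" * 16)          # constructed: 16 NOPs XOR 0x41
BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
EXPLOIT_REQUEST = b"GET /" + GETPC_STUB + ENCODED_PAYLOAD + b" HTTP/1.0\r\n"

if __name__ == "__main__":
    print("benign :", scan(BENIGN_REQUEST))            # None: no PC-derived write or jump
    print("exploit:", scan(EXPLOIT_REQUEST))           # (5, [(19, 'self-modifying ...'), (25, 'indirect jmp ...')])
```

The benign request decodes to a few harmless instructions (`inc edi`, `inc ebp`, `push esp`) before hitting an unsupported byte, and since it contains no `call`, nothing ever becomes PC-derived and no evidence is raised. In the exploit request the sweep that starts at the stub's first byte sees the register loaded by `call`/`pop` used both as the base of a memory write and as an indirect jump target, which is the kind of "strong evidence" the abstract refers to. A real decoder handles the full instruction set, SIB/displacement addressing and other GetPC idioms (e.g. `fnstenv`), none of which this toy attempts.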

Original language: English (US)
Article number: 4721566
Pages (from-to): 289-298
Number of pages: 10
Journal: Proceedings - Annual Computer Security Applications Conference, ACSAC
DOIs: 10.1109/ACSAC.2008.37
State: Published - Dec 1 2008
Event: 24th Annual Computer Security Applications Conference, ACSAC 2008 - Anaheim, CA, United States
Duration: Dec 8 2008 → Dec 12 2008

Fingerprint

Static analysis
Flow graphs
Polymorphism
Web services
Internet

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality

Cite this

@article{3acb07a230b74524809e43625aacb6d5,
title = "STILL: Exploit code detection via static taint and initialization analyses",
abstract = "We propose STILL, a generic defense based on Static Taint and InitiaLization anaLyses, to detect exploit code embedded in data streams/requests targeting various Internet services such as Web services. STILL first blindly disassembles each request, generates a (probably partial) control flow graph, and then uses novel static taint and initialization analysis algorithms to determine if strong evidence of self-modifying (including polymorphism) and/or indirect jump code obfuscation behavior can be collected. If such evidence exists, STILL will raise an alarm and block the request; otherwise, STILL will perform another form of static taint analysis to check whether unobfuscated or other types of obfuscated exploit code (e.g., metamorphism) is embedded in the request. To the best of our knowledge, compared with existing static analysis approaches developed for the same purpose, STILL is (a) the first one that can detect self-modifying code and indirect jump, and (b) a more comprehensive static analysis solution in defending against anti-signature, anti-static-analysis and anti-emulation code obfuscation (for all the code obfuscation techniques we are aware of, STILL is robust to all but one).",
author = "Xinran Wang and Jhi, {Yoon Chan} and Sencun Zhu and Peng Liu",
year = "2008",
month = "12",
day = "1",
doi = "10.1109/ACSAC.2008.37",
language = "English (US)",
pages = "289--298",
journal = "Proceedings - Annual Computer Security Applications Conference, ACSAC",
issn = "1063-9527",

}

STILL: Exploit code detection via static taint and initialization analyses. / Wang, Xinran; Jhi, Yoon Chan; Zhu, Sencun; Liu, Peng.

In: Proceedings - Annual Computer Security Applications Conference, ACSAC, 01.12.2008, p. 289-298.

Research output: Contribution to journal › Conference article

TY - JOUR

T1 - STILL

T2 - Exploit code detection via static taint and initialization analyses

AU - Wang, Xinran

AU - Jhi, Yoon Chan

AU - Zhu, Sencun

AU - Liu, Peng

PY - 2008/12/1

Y1 - 2008/12/1

N2 - We propose STILL, a generic defense based on Static Taint and InitiaLization anaLyses, to detect exploit code embedded in data streams/requests targeting various Internet services such as Web services. STILL first blindly disassembles each request, generates a (probably partial) control flow graph, and then uses novel static taint and initialization analysis algorithms to determine if strong evidence of self-modifying (including polymorphism) and/or indirect jump code obfuscation behavior can be collected. If such evidence exists, STILL will raise an alarm and block the request; otherwise, STILL will perform another form of static taint analysis to check whether unobfuscated or other types of obfuscated exploit code (e.g., metamorphism) is embedded in the request. To the best of our knowledge, compared with existing static analysis approaches developed for the same purpose, STILL is (a) the first one that can detect self-modifying code and indirect jump, and (b) a more comprehensive static analysis solution in defending against anti-signature, anti-static-analysis and anti-emulation code obfuscation (for all the code obfuscation techniques we are aware of, STILL is robust to all but one).

AB - We propose STILL, a generic defense based on Static Taint and InitiaLization anaLyses, to detect exploit code embedded in data streams/requests targeting various Internet services such as Web services. STILL first blindly disassembles each request, generates a (probably partial) control flow graph, and then uses novel static taint and initialization analysis algorithms to determine if strong evidence of self-modifying (including polymorphism) and/or indirect jump code obfuscation behavior can be collected. If such evidence exists, STILL will raise an alarm and block the request; otherwise, STILL will perform another form of static taint analysis to check whether unobfuscated or other types of obfuscated exploit code (e.g., metamorphism) is embedded in the request. To the best of our knowledge, compared with existing static analysis approaches developed for the same purpose, STILL is (a) the first one that can detect self-modifying code and indirect jump, and (b) a more comprehensive static analysis solution in defending against anti-signature, anti-static-analysis and anti-emulation code obfuscation (for all the code obfuscation techniques we are aware of, STILL is robust to all but one).

UR - http://www.scopus.com/inward/record.url?scp=60649104827&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=60649104827&partnerID=8YFLogxK

U2 - 10.1109/ACSAC.2008.37

DO - 10.1109/ACSAC.2008.37

M3 - Conference article

AN - SCOPUS:60649104827

SP - 289

EP - 298

JO - Proceedings - Annual Computer Security Applications Conference, ACSAC

JF - Proceedings - Annual Computer Security Applications Conference, ACSAC

SN - 1063-9527

M1 - 4721566

ER -