ModuleGuard: A Gatekeeper for Dynamic Module Loading Against Malware
DING Shuang (1,2), FU Jianming (1,2,3)†, PENG Bichen (1,2)
1. School of Computer, Wuhan University, Wuhan 430072, Hubei, China; 2. State Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan 430072, Hubei, China; 3. State Key Laboratory of Software Engineering, Wuhan University, Wuhan 430072, Hubei, China
We analyze the attack steps of malware and focus on malware loading. Our assumption is that every malware sample contains at least one module, so monitoring module loading is indispensable for defeating malware. We therefore design security policies and apply them at the moment a module is loaded by the operating system. These policies depend on the properties of the module, its connection to created modules, and its link to user intention. The module properties and this connection improve the accuracy of malware detection; user intention helps handle unknown modules and makes the policy more flexible. Finally, ModuleGuard, a gatekeeper for dynamic module loading against malware that integrates these security policies, has been designed and implemented. Our experimental results show the feasibility and effectiveness of the method.
Key words: module; user intention; security policies; malware
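To make the three policy families concrete, the following is an added illustration, not the paper's ModuleGuard code, of how a loader gatekeeper could combine them. It assumes (our assumptions, not the paper's) that a load event carries the image path, whether the image is signed, the path of the module that wrote the file to disk if known, and whether a user action immediately preceded the load; the trusted directories, the risky-extension list and the scenario are constructed sample values. The "connection to created modules" is modelled here as the creation relationship: a module written to disk by a module the gate already denied inherits that verdict. Property and connection policies decide first; user intention is consulted only for modules they cannot classify.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy inputs (assumptions for this example, not the paper's tables).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
RISKY_EXTENSIONS = (".scr", ".pif", ".cpl")


@dataclass(frozen=True)
class LoadEvent:
    """One dynamic module load as observed by a hypothetical loader hook."""
    path: str                 # image the OS is about to map
    signed: bool              # image carries a valid code signature (assumed pre-verified)
    creator: Optional[str]    # module whose code wrote this file to disk, if known
    user_triggered: bool      # a user action (open/click) immediately preceded the load


class ModuleGuard:
    """Toy gatekeeper: property policy, then creation-connection policy,
    then user intention for anything still unclassified."""

    def __init__(self) -> None:
        # normalized path -> "allow" | "deny"; remembered so later loads
        # and creation chains can refer back to earlier verdicts
        self.verdicts: Dict[str, str] = {}

    @staticmethod
    def _norm(path: str) -> str:
        return path.lower().replace("/", "\\")

    def _property_policy(self, ev: LoadEvent) -> Optional[str]:
        p = self._norm(ev.path)
        if p.endswith(RISKY_EXTENSIONS) and not ev.signed:
            return "deny"                      # unsigned high-risk image type
        if ev.signed and p.startswith(TRUSTED_DIRS):
            return "allow"                     # signed image in a trusted location
        return None                            # properties alone cannot decide

    def _connection_policy(self, ev: LoadEvent) -> Optional[str]:
        if ev.creator is None:
            return None
        if self.verdicts.get(self._norm(ev.creator)) == "deny":
            return "deny"                      # file produced by a denied module
        return None                            # creator allowed or unknown: fall through

    def check(self, ev: LoadEvent) -> str:
        p = self._norm(ev.path)
        if p in self.verdicts:
            return self.verdicts[p]            # already classified on an earlier load
        verdict = self._property_policy(ev)
        if verdict is None:
            verdict = self._connection_policy(ev)
        if verdict is None:
            # unknown module: defer to user intention
            verdict = "allow" if ev.user_triggered else "deny"
        self.verdicts[p] = verdict
        return verdict


def run_scenario(events: List[LoadEvent]) -> List[str]:
    """Run a sequence of loads through one guard and return the verdicts."""
    guard = ModuleGuard()
    return [guard.check(e) for e in events]


# Constructed scenario: a signed system DLL, a user-opened unsigned plugin,
# a file that plugin silently drops, and a second stage dropped by that file.
SCENARIO = [
    LoadEvent("C:\\Windows\\System32\\kernel32.dll", True, None, False),
    LoadEvent("C:\\Users\\alice\\Downloads\\viewer.dll", False, None, True),
    LoadEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\drop.dll", False,
              "C:\\Users\\alice\\Downloads\\viewer.dll", False),
    LoadEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll", False,
              "C:\\Users\\alice\\AppData\\Local\\Temp\\drop.dll", True),
]

if __name__ == "__main__":
    for ev, v in zip(SCENARIO, run_scenario(SCENARIO)):
        print(f"{v:5s}  {ev.path}")
```

In the scenario the system DLL passes on properties, the user-opened plugin passes on intention, the silently dropped file is denied because nothing vouches for it, and the second stage is denied through the creation chain even though a user action preceded it: the connection policy runs before intention is consulted, which is the ordering that keeps a user click from overriding evidence already gathered about the dropper.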