DOI: 10.1145/2508859.2516716

Towards reducing the attack surface of software backdoors

Published: 04 November 2013

Abstract

Backdoors in software systems have probably existed since the very first access control mechanisms were implemented, and they are a well-known security problem. Despite a wave of public discoveries of such backdoors over the last few years, this threat has only rarely been tackled so far.
In this paper, we present an approach to reduce the attack surface for this kind of attack, and we strive for an automated identification and elimination of backdoors in binary applications. We limit our focus to the examination of server applications within a client-server model. At the core, we apply variations of the delta debugging technique and introduce several novel heuristics for the identification of those regions in binary applications in which backdoors are typically installed (i.e., authentication and command processing functions). We demonstrate the practical feasibility of our approach on several real-world backdoors found in modified versions of the popular software tools ProFTPD and OpenSSH. Furthermore, we evaluate our implementation not only on common instruction set architectures such as x86-64, but also on commercial off-the-shelf embedded devices powered by a MIPS32 processor.



Published In
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013
1530 pages
ISBN:9781450324779
DOI:10.1145/2508859
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. binary analysis
  2. dynamic analysis
  3. software backdoors

Qualifiers

  • Research-article

Conference

CCS'13

Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)44
  • Downloads (Last 6 weeks)5
Reflects downloads up to 14 Feb 2025

Cited By

  • (2024) IOTM: Iterative Optimization Trigger Method—A Runtime Data-Free Backdoor Attacks on Deep Neural Networks. IEEE Transactions on Artificial Intelligence, 5(9):4562-4573. DOI: 10.1109/TAI.2024.3384938. Online publication date: Sep-2024.
  • (2024) Differential Property Monitoring for Backdoor Detection. Formal Methods and Software Engineering, pages 216-236. DOI: 10.1007/978-981-96-0617-7_13. Online publication date: 29-Nov-2024.
  • (2023) Backdoor Detection Based on Static Code Analysis and Software Component Analysis. Proceedings of the 2023 3rd International Conference on Big Data, Artificial Intelligence and Risk Management, pages 1120-1124. DOI: 10.1145/3656766.3656967. Online publication date: 24-Nov-2023.
  • (2023) Detecting Backdoors in Collaboration Graphs of Software Repositories. Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy, pages 189-200. DOI: 10.1145/3577923.3583657. Online publication date: 24-Apr-2023.
  • (2021) Design of Attack and Defense Framework for 1553B-based Integrated Electronic Systems. IEEE Network, 35(4):234-240. DOI: 10.1109/MNET.011.2000517. Online publication date: Jul-2021.
  • (2021) Security Threats Analysis of the Unmanned Aerial Vehicle System. MILCOM 2021 - 2021 IEEE Military Communications Conference (MILCOM), pages 316-322. DOI: 10.1109/MILCOM52596.2021.9652900. Online publication date: 29-Nov-2021.
  • (2020) Exploring Branch Predictors for Constructing Transient Execution Trojans. Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems, pages 667-682. DOI: 10.1145/3373376.3378526. Online publication date: 9-Mar-2020.
  • (2020) Simulation Design for Security Testing of Integrated Electronic Systems. IEEE Network, 34(1):159-165. DOI: 10.1109/MNET.2019.1900196. Online publication date: Jan-2020.
  • (2019) Survey: Cybersecurity Vulnerabilities, Attacks and Solutions in the Medical Domain. IEEE Access, 7:168774-168797. DOI: 10.1109/ACCESS.2019.2950849. Online publication date: 2019.
  • (2018) UFO - Hidden Backdoor Discovery and Security Verification in IoT Device Firmware. 2018 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pages 18-23. DOI: 10.1109/ISSREW.2018.00-37. Online publication date: Oct-2018.
