DOI: 10.1145/2535813.2535824
Research article

Booby trapping software

Published: 09 September 2013

Abstract

Cyber warfare is asymmetric in the current paradigm, with attackers having the high ground over defenders. This asymmetry stems from the situation that attackers have the initiative, while defenders concentrate on passive fortifications. Defenders are constantly patching the newest hole in their defenses and creating taller and thicker walls, without placing guards on those walls to watch for the enemy and react to attacks. Current passive cyber security defenses such as intrusion detection, anti-virus, and hardened software are not sufficient to repel attackers. In fact, in conventional warfare this passivity would be entirely nonsensical, given the available active strategies, such as counterattacks and deception.
Based on this observation, we have identified the technique of booby trapping software. This extends the arsenal of weaponry available to defenders with an active technique for directly reacting to attacks. Ultimately, we believe this approach will restore some of the much sought after equilibrium between attackers and defenders in the digital domain.
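The abstract describes a booby trap only at the level of an active response to an attack, so the following C program is an added illustration of that idea and not code from the paper. The dispatch-table mechanism, the handler names, the fail-closed response and the unchecked index that models the attacker's hijack are all assumptions made for this example: a table of handlers is padded with trap functions that legitimate control flow never references, so a control transfer that lands on one is itself evidence of an attack and the program reacts to it rather than merely failing.

```c
#include <stdio.h>

/* Added illustration, not the paper's implementation: a dispatch table
 * padded with "booby trap" handlers that legitimate control flow never
 * reaches. Landing on one is evidence of a hijacked control transfer, and
 * the program reacts (alert + fail closed) instead of silently misbehaving. */

typedef int (*handler_t)(int);

#define TRAP_SENTINEL (-1)  /* returned once a trap has fired (assumed convention) */
#define E_BAD_OP      (-2)  /* returned for an out-of-range operation */

/* State written by the active response; read through the accessors below. */
static int g_traps_fired = 0;
static int g_last_trap   = -1;
static int g_compromised = 0;

/* Active response: record the event, raise an alert and fail closed so that
 * every later request, attacker-driven or not, is refused. */
static void respond_to_attack(int trap_id)
{
    g_traps_fired++;
    g_last_trap = trap_id;
    g_compromised = 1;
    fprintf(stderr, "booby trap %d fired: control flow hijacked, failing closed\n", trap_id);
}

/* Legitimate handlers (hypothetical operations for the example). */
static int handle_add(int x) { return x + 1; }
static int handle_neg(int x) { return -x; }

/* Booby traps: nothing in normal dispatch ever selects these entries. */
static int booby_trap_0(int x) { (void)x; respond_to_attack(0); return TRAP_SENTINEL; }
static int booby_trap_1(int x) { (void)x; respond_to_attack(1); return TRAP_SENTINEL; }

#define N_LEGIT 2
#define N_TRAPS 2

static handler_t dispatch[N_LEGIT + N_TRAPS] = {
    handle_add, handle_neg,      /* indices 0..1: reachable by normal dispatch */
    booby_trap_0, booby_trap_1,  /* indices 2..3: only a hijacked transfer reaches these */
};

/* Normal entry point: validates the operation and refuses everything once a
 * trap has fired, which is the fail-closed half of the response. */
int dispatch_op(int op, int x)
{
    if (g_compromised) return TRAP_SENTINEL;
    if (op < 0 || op >= N_LEGIT) return E_BAD_OP;
    return dispatch[op](x);
}

/* Models the bug an attacker exploits: an operation index taken from
 * attacker-controlled data without a bounds check. The index is kept inside
 * the table (0..N_LEGIT+N_TRAPS-1) so the demo stays defined behaviour; the
 * point is that a corrupted index lands on a trap instead of on something
 * useful to the attacker. */
int dispatch_unchecked(int corrupted_op, int x)
{
    return dispatch[corrupted_op](x);
}

int traps_fired(void)   { return g_traps_fired; }
int last_trap(void)     { return g_last_trap; }
int is_compromised(void) { return g_compromised; }

int main(void)
{
    printf("legit add : %d\n", dispatch_op(0, 41));        /* 42 */
    printf("legit neg : %d\n", dispatch_op(1, 7));         /* -7 */
    printf("hijacked  : %d\n", dispatch_unchecked(2, 7));  /* -1, trap 0 fires */
    printf("afterwards: %d (compromised=%d)\n", dispatch_op(0, 41), is_compromised());
    return 0;
}
```

The check a practitioner should carry over from this toy is the invariant it relies on: a trap must be unreachable from every legitimate path, otherwise the response fires on benign input. The example only catches a hijack that lands inside the padded table; it says nothing about what a real compiler-inserted trap should do beyond recording the event and refusing further service.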



Published In

NSPW '13: Proceedings of the 2013 New Security Paradigms Workshop
December 2013
132 pages
ISBN:9781450325820
DOI:10.1145/2535813
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computer Security Associates

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. active defense
  2. booby traps
  3. compilers
  4. intrusion detection

Qualifiers

  • Research-article

Conference

NSPW '13: New Security Paradigms Workshop
September 9 - 12, 2013
Banff, Alberta, Canada
Sponsor: ACSA

Acceptance Rates

NSPW '13 paper acceptance rate: 11 of 32 submissions (34%)
Overall acceptance rate: 98 of 265 submissions (37%)

Cited By

  • (2024) Generation of Believable Fake Logic Circuits for Cyber Deception. 2024 16th International Conference on COMmunication Systems & NETworkS (COMSNETS), pp. 13-18. DOI: 10.1109/COMSNETS59351.2024.10426938. Published 3 Jan 2024.
  • (2023) R2C: AOCR-Resilient Diversity with Reactive and Reflective Camouflage. Proceedings of the Eighteenth European Conference on Computer Systems, pp. 488-504. DOI: 10.1145/3552326.3587439. Published 8 May 2023.
  • (2023) Space Booby Traps: Hacking Back and Assured Cyber Deterrence in Space. 2023 IEEE International Conference on Assured Autonomy (ICAA), pp. 115-118. DOI: 10.1109/ICAA58325.2023.00024. Published Jun 2023.
  • (2022) One size does not fit all: security hardening of MIPS embedded systems via static binary debloating for shared libraries. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 255-270. DOI: 10.1145/3503222.3507768. Published 28 Feb 2022.
  • (2022) Making Information Hiding Effective Again. IEEE Transactions on Dependable and Secure Computing 19(4), pp. 2576-2594. DOI: 10.1109/TDSC.2021.3064086. Published 1 Jul 2022.
  • (2021) Resilient User-Side Android Application Repackaging and Tampering Detection Using Cryptographically Obfuscated Logic Bombs. IEEE Transactions on Dependable and Secure Computing 18(6), pp. 2582-2600. DOI: 10.1109/TDSC.2019.2957787. Published 1 Nov 2021.
  • (2021) Three decades of deception techniques in active cyber defense - Retrospect and outlook. Computers and Security 106(C). DOI: 10.1016/j.cose.2021.102288. Published 1 Jul 2021.
  • (2020) Improving cybersecurity hygiene through JIT patching. Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1421-1432. DOI: 10.1145/3368089.3417056. Published 8 Nov 2020.
  • (2020) HoneyGadget: A Deception Based Approach for Detecting Code Reuse Attacks. Information Systems Frontiers. DOI: 10.1007/s10796-020-10014-7. Published 4 May 2020.
  • (2020) Software System Exploration Using Library Call Analysis. Model-driven Simulation and Training Environments for Cybersecurity, pp. 125-139. DOI: 10.1007/978-3-030-62433-0_8. Published 7 Nov 2020.
