FAROS: Illuminating In-memory injection attacks via Provenance-Based Whole-System dynamic information flow tracking

Meisam Navaki Arefi, Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira, Jedidiah R. Crandall

Research output: Chapter in Book/Report/Conference proceedingConference contribution

4 Scopus citations

Abstract

In-memory injection attacks are extremely challenging to reverse engineer because they operate stealthily without leaving artifacts in the system or in any easily observable events from outside of a virtual machine. Because these attacks perform their actions in memory only, current malware analysis solutions cannot expose their behavior. This paper introduces FAROS1 a reverse engineering tool for Windows malware analysis based on dynamic information flow tracking (DIFT), which can flag stealthy in-memory-only malware injection attacks by leveraging the synergy of: (i) whole-system taint analysis; (ii) per security policy-based handling of the challenge of indirect flows via the application of tags of different types, and (iii) the use of tags with fine-grained provenance information. We evaluated FAROS with six advanced in-memory-injecting malware and it flagged the attacks for all samples. We also analyzed FAROS' false positive rate with 90 non-injecting malware samples and 14 benign software from various categories. FAROS presented a very low false positive rate of 2%, which shows its potential towards practical solutions against advanced in-memory-only anti-reverse-engineering attacks.

Original languageEnglish (US)
Title of host publicationProceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages231-242
Number of pages12
ISBN (Electronic)9781538655955
DOIs
StatePublished - Jul 19 2018
Externally publishedYes
Event48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018 - Luxembourg City, Luxembourg
Duration: Jun 25 2018Jun 28 2018

Publication series

NameProceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018

Conference

Conference48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
Country/TerritoryLuxembourg
CityLuxembourg City
Period6/25/186/28/18

Keywords

  • Dynamic Information Flow Tracking
  • In memory Injection
  • Malware Analysis

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
  • Hardware and Architecture
  • Energy Engineering and Power Technology

Fingerprint

Dive into the research topics of 'FAROS: Illuminating In-memory injection attacks via Provenance-Based Whole-System dynamic information flow tracking'. Together they form a unique fingerprint.

Cite this