Master's/Doctoral Thesis 975402004: Detailed Information




Author: Li-Han Chen (陳立函)   Department: Computer Science and Information Engineering
Thesis title: Program Control Hijacking Countermeasures (程式控制流程劫持反制措施)
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer - A Real-Time Rootkit Detection System
★ A Detection and Defense Mechanism for Fraudulent SMS Messages on Android Phones
★ SRA System: Defending against ARP Spoofing That Hijacks Routers
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-Time Counterattack System against Remote Buffer Overflow Attacks
★ Real-Time Serum System: An Automated Worm-Curing System with an Offensive Barrier
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
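  1. The access permission for this electronic thesis is: approved for immediate open access.
  2. The open-access electronic full text is licensed to users only for searching, reading, and printing for personal, non-profit academic research purposes.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China. Do not reproduce, distribute, adapt, repost, or broadcast the work without authorization, to avoid breaking the law.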

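Abstract (Chinese): When programmers write a program, they design its execution flow, and at run time the program follows that designed flow. Attackers, however, can use vulnerabilities in the program to alter the original flow and break out into execution paths the programmer never considered, thereby carrying out the behavior the attacker wants. In this dissertation, we call this behavior "program control flow hijacking". When control flow hijacking occurs, the program itself usually cannot handle it. The attacker typically redirects the execution flow to code the attacker has injected or to code the attacker wants executed. As a result, a general operating system cannot tell that the flow has been hijacked, so this dissertation aims to improve operating systems' countermeasures against such control flow hijacking.
In this dissertation, we therefore examine mechanisms for handling control flow hijacking on three platforms: buffer overflow defect detection on general computer platforms, worm detection and handling on the network platform, and detection and logging of abnormal inter-component communication on the Android platform for mobile devices.
Buffer overflow attacks have a long history, and many well-known attacks and network worms work through buffer overflow vulnerabilities. We therefore take a two-pronged approach: on one hand, we add security testing to the development process to find buffer overflow defects and reduce possible vulnerabilities; on the other hand, when the operating system executes sys_read()-related system calls, we check whether the input is a buffer overflow attack, and if it is, we try to cure the computer that launched the attack so as to slow the spread of network worms. In addition, Android, the smartphone operating system with the highest market share, was designed to make heavy use of inter-component communication to reuse functionality that other applications have already implemented. If an application does not protect its basic components properly, malicious programs may trigger its execution flow and abuse the functionality it was designed to provide. We therefore check the receiver list when the Android operating system dispatches inter-component communication, notify the user of possible malicious interception of inter-component communication and related malicious behavior, and log the content of these communications for later analysis.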
Abstract (English): The original control flow of a program is designed by its developers, but attackers may change the control flow through vulnerabilities in the program, so that the control flow is redirected to the code the attackers intend to execute. This is called “abnormal control hijacking” in this dissertation. When abnormal control flow hijacking occurs, the program itself cannot handle the abnormality. General operating systems are only able to deal with normal exceptions or errors. However, a control flow hijacking attack redirects the program’s control flow to the injected code or the intended code. Therefore, general operating systems cannot detect the abnormality. In this dissertation, we try to improve the abnormal control flow hijacking countermeasures in general operating systems.
In this dissertation, we discuss three kinds of countermeasures against abnormal control flow hijacking. For software testing, ARMORY is proposed to uncover program buffer overflow defects. For networks, Serum System is a scanning worm detection mechanism and countermeasure. For mobile devices, ICCDroid inspects abnormal inter-component communication hijacking in the Android operating system.
Many famous worms and attacks exploit buffer overflow defects to compromise victim hosts. As a result, on one hand, we apply security testing to uncover program buffer overflow defects and reduce the possible defects; on the other hand, we add checks to the sys_read-related system calls to determine whether an input string is a buffer overflow attack string. If the input string is detected as a buffer overflow attack string, we try to cure the attacking hosts. Besides, the most popular smartphone operating system, Android, heavily uses inter-component communications (ICCs) in order to reuse the functionality of other applications’ components. If applications do not properly protect their basic components and the ICC, malicious applications may trigger the execution flow of the vulnerable applications or hijack the content of the communications. Therefore, we enforce additional security checks that look over the receivers list and notify users of possible ICC hijacking and malicious behaviors. In addition, ICCDroid records all the communications between components for further analysis.
Keywords (Chinese) ★ Buffer overflow
★ Network worm
★ Android
★ Program flow
Keywords (English) ★ Buffer overflow
★ Scanning worm
★ Android
★ Program control flow
Table of Contents
Chinese Abstract
Abstract
Acknowledgements
Contents
List of Figures
List of Tables
1 Introduction
1.1 Program Buffer Overflow Defects
1.2 Scanning Worm
1.3 Android Component Hijacking Attacks
2 ARMORY: Buffer Overflow Defect Detection Mechanism
2.1 Background
2.1.1 PBOD Types
2.2 Related Work
2.3 ARMORY System Design
2.3.1 PBOD Test String
2.3.2 PBOD Test String Creation Mechanism
2.3.3 Structure of ARMORY
2.4 Experiment
2.4.1 PBOD Test Procedure
2.4.2 False Negatives
2.4.3 False Positives
2.5 Summary
3 Serum System: An Automatic Defense System against Scanning Worms
3.1 Background
3.2 Related Work
3.2.1 Worm Modeling
3.2.2 Worm Containment
3.2.3 Anti-worm Mechanisms
3.3 Serum System Design
3.3.1 System Components
3.3.2 Workflow of SSS and SSC
3.3.3 Dataflow of SSC and SSS
3.3.4 Merging Sanitizers
3.4 Experiment
3.4.1 Effectiveness
3.4.2 Performance Overhead
3.5 Discussions
3.5.1 Design Issues
3.5.2 Future Work
3.6 Summary
4 ICCDroid: Android Component Hijacking Detection and Monitoring
4.1 Background
4.1.1 Android Basic Components
4.1.2 Android Application Security
4.2 Threat Model
4.2.1 Intent Theft
4.2.2 Intent Manipulation
4.2.3 Result Manipulation
4.3 Related Work
4.3.1 Privacy Leakage
4.3.2 Components Hijacking
4.4 ICCDroid System Design
4.4.1 Inter-component Communication Handlers in Android Framework
4.4.2 System Architecture
4.5 Evaluation
4.5.1 Performance Macro Benchmark
4.5.2 Performance Micro Benchmark
4.5.3 False Positives
4.6 Summary
5 Conclusion
5.1 Contributions
5.2 Future Work
Bibliography

Advisor: Fu-Hau Hsu (許富皓)   Review date: 2015-7-21

For questions about this thesis, please contact the Outreach Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.