Monitoring how a program utilizes userland APIs is behind much dependability and security research. To intercept and study their invocations, the established practice targets the prologue of API implementations for inserting hooks. This paper questions the validity of this design for security uses by examining completeness and correctness attacks against it. We first show how evasions that jump across the hook instrumentation are practical and can reach places much deeper than those we currently find in executables in the wild. Next, we propose and demonstrate TOCTTOU attacks that lead monitoring systems to observe false indicators for the argument values that a program uses for API calls. To mitigate both threats, we design a static analysis to identify vantage points for effective hook placement in API code, supporting both reliable call recording and accurate argument extraction. We use this analysis to implement an open-source prototype API monitor, TOXOTIDAE, that we evaluate against adversarial and benign executables for Windows.
Evading Userland API Hooking, Again: Novel Attacks and a Principled Defense Method / Assaiante, Cristian; Nicchi, Simone; D'Elia, Daniele Cono; Querzoni, Leonardo. - LNCS 14828 (2024), pp. 150-173. (Paper presented at the conference Detection of Intrusions and Malware, and Vulnerability Assessment, held in Lausanne, Switzerland) [10.1007/978-3-031-64171-8_8].
Evading Userland API Hooking, Again: Novel Attacks and a Principled Defense Method
Assaiante, Cristian; Nicchi, Simone; D'Elia, Daniele Cono; Querzoni, Leonardo
2024