
Publication details

2024, Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2024). Lecture Notes in Computer Science, vol. 14828 (LNCS), pp. 150-173

Evading Userland API Hooking, Again: Novel Attacks and a Principled Defense Method (04b Conference paper in volume)

Assaiante Cristian, Nicchi Simone, D'Elia Daniele Cono, Querzoni Leonardo

Monitoring how a program uses userland APIs underpins much dependability and security research. To intercept and study API invocations, established practice places hooks at the prologue of API implementations. This paper questions the validity of this design for security uses by examining completeness and correctness attacks against it. We first show that evasions which jump over the hook instrumentation are practical and can land much deeper in API code than the evasions currently found in executables in the wild. Next, we propose and demonstrate TOCTTOU attacks that lead monitoring systems to observe false indicators for the argument values a program uses in API calls. To mitigate both threats, we design a static analysis that identifies vantage points in API code for effective hook placement, supporting both reliable call recording and accurate argument extraction. We use this analysis to implement TOXOTIDAE, an open-source prototype API monitor, which we evaluate against adversarial and benign Windows executables.
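As an added illustration of the two attack classes and the hook-placement principle described in the abstract, the following C simulation is not code from the paper or from TOXOTIDAE. It models a hooked API as three nested functions in a single process, stands in for the racing thread with a deterministic callback, and uses a constructed path string as the flagged indicator; all function names, the path strings and the "verdict" logic are assumptions made for the example.

```c
/* Added simulation (not TOXOTIDAE's code): prologue hooking, the two attack
 * classes from the abstract, and a hook placed at the point of consumption.
 * All API names and the "malicious path" indicator are illustrative. */
#include <stdio.h>
#include <string.h>

#define LOG_MAX 8
#define ARG_MAX 64
#define BAD_PATH "C:\\Windows\\System32\\evil.dll"   /* constructed indicator */

/* Records made by the two hook placements. */
typedef struct {
    int  prologue_calls;
    char prologue_args[LOG_MAX][ARG_MAX];
    int  vantage_calls;
    char vantage_args[LOG_MAX][ARG_MAX];
} monitor_t;

static monitor_t mon;

/* Stands in for a second thread rewriting the argument buffer between the
 * prologue hook's read and the implementation's read (deterministic here). */
static void (*race_hook)(char *arg);

static void record(int *count, char table[][ARG_MAX], const char *arg) {
    if (*count < LOG_MAX) {
        strncpy(table[*count], arg, ARG_MAX - 1);
        table[*count][ARG_MAX - 1] = '\0';
    }
    (*count)++;
}

/* Innermost layer: the argument is copied to a local and then used. A hook
 * placed here (the "vantage point") records the value the API really acts
 * on and is reached by every path that does real work. Returns 1 if the
 * call would be flagged, 0 otherwise. */
static int api_consume(const char *path) {
    char local[ARG_MAX];
    strncpy(local, path, ARG_MAX - 1);
    local[ARG_MAX - 1] = '\0';
    record(&mon.vantage_calls, mon.vantage_args, local);   /* vantage hook */
    return strcmp(local, BAD_PATH) == 0;
}

/* Middle layer: internal worker that the exported entry forwards to. */
static int api_internal(char *path) {
    if (race_hook) race_hook(path);   /* TOCTTOU window: arg changes after sampling */
    return api_consume(path);
}

/* Exported entry point: where the conventional prologue hook sits. */
static int api_entry(char *path) {
    record(&mon.prologue_calls, mon.prologue_args, path);   /* prologue hook */
    return api_internal(path);
}

static void monitor_reset(void) {
    memset(&mon, 0, sizeof mon);
    race_hook = NULL;
}

static void swap_to_bad(char *arg) {
    strcpy(arg, BAD_PATH);   /* caller's buffer is ARG_MAX bytes by construction */
}

/* Benign call through the front door: both hooks fire and agree. */
int scenario_honest(void) {
    monitor_reset();
    char buf[ARG_MAX] = BAD_PATH;
    int verdict = api_entry(buf);
    return verdict == 1 && mon.prologue_calls == 1 && mon.vantage_calls == 1
        && strcmp(mon.prologue_args[0], mon.vantage_args[0]) == 0;
}

/* Completeness attack: the caller enters past the prologue instrumentation
 * (modelled as a direct call to the internal worker). The prologue hook
 * never fires; the vantage hook still records the call. */
int scenario_evasion(void) {
    monitor_reset();
    char buf[ARG_MAX] = BAD_PATH;
    int verdict = api_internal(buf);
    return verdict == 1 && mon.prologue_calls == 0 && mon.vantage_calls == 1;
}

/* Correctness (TOCTTOU) attack: the prologue hook samples a benign path, the
 * buffer is rewritten before use, and the API acts on the malicious one. */
int scenario_tocttou(void) {
    monitor_reset();
    char buf[ARG_MAX] = "C:\\Users\\me\\notes.txt";
    race_hook = swap_to_bad;
    int verdict = api_entry(buf);
    return verdict == 1
        && strcmp(mon.prologue_args[0], "C:\\Users\\me\\notes.txt") == 0
        && strcmp(mon.vantage_args[0], BAD_PATH) == 0;
}

int main(void) {
    printf("honest=%d evasion=%d tocttou=%d\n",
           scenario_honest(), scenario_evasion(), scenario_tocttou());
    return 0;
}
```

The point of the simulation is the asymmetry between the two logs: in the evasion scenario the prologue log is empty while the deeper hook still has the call, and in the TOCTTOU scenario the prologue log holds a benign path that the API never acted on. A real monitor cannot move its hook "deeper" by hand for every API, which is why the paper derives the placement from a static analysis of the API code rather than from the export table.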
ISBN: 9783031641701; 9783031641718
© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma