JITScanner: Just-in-Time Executable Page Check in the Linux Operating System †
Figure 1. Common existing solutions (top picture) vs. JITScanner (bottom picture).
Figure 2. System architecture.
Figure 3. Shadow state machine for WX permissions.
Figure 4. Execution time of common command-line utilities.
Figure 5. Execution time of JIT benchmarks.
Figure 6. Memory usage of JITScanner.
Abstract
1. Introduction
2. Related Work
3. The JITScanner System
3.1. Baseline Concepts and Methodology
3.2. Architectural Hints
- (1) It intercepts the first access to an executable page (or an updated executable page—this is the case of WX pages), which is carried out via an instruction fetch by the CPU;
- (2) While handling the interception of the instruction fetch, and after the kernel has materialized the target page in RAM, we perform critical checks on the page content, which might lead to the forced termination of the application.
3.3. Executable-Page Access Interception
- Clear the XD bit, to allow the user to execute the page from now on;
- Clear the W bit, to disable writes on the page;
- Suppress the SIGSEGV signal generated by the invalid access to prevent the kernel from terminating the user program or making it run an SIGSEGV handler.
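The fault-path decisions listed above, as an added userspace model written in C for this page (it is not the paper's kernel hooks): `arm_page`, `on_fault`, `matches_signature`, the `page` struct and the 0xdeadbeef marker are hypothetical names and constructed data. The re-arm on a write to a WX page is an assumption drawn from the "updated executable page" case, and the content check is a stand-in for whatever signature scan the real system runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a page: the W/X permissions the program asked for,
   and the W/XD bits JITScanner actually leaves in the PTE (XD = no-execute). */
enum access { FETCH, WRITE };
enum verdict { SCAN_OK, SCAN_KILL, REARM, SEGV };

struct page {
    bool want_w, want_x;    /* permissions requested via mmap/mprotect */
    bool pte_w, pte_xd;     /* bits currently present in the PTE */
    unsigned char data[8];  /* page content (constructed sample) */
};

/* Hypothetical signature check standing in for the page-content scan:
   flags a constructed 4-byte marker anywhere in the page. */
static bool matches_signature(const unsigned char *p, size_t n) {
    static const unsigned char sig[4] = {0xde, 0xad, 0xbe, 0xef};
    for (size_t i = 0; i + sizeof sig <= n; i++)
        if (memcmp(p + i, sig, sizeof sig) == 0) return true;
    return false;
}

/* Every executable mapping starts with XD set, so the first instruction
   fetch faults and reaches the hook instead of running unchecked. */
void arm_page(struct page *pg) {
    pg->pte_w = pg->want_w;
    pg->pte_xd = true;
}

/* Decision taken in the fault path for an access the CPU rejected. */
enum verdict on_fault(struct page *pg, enum access a) {
    if (a == FETCH) {
        if (!pg->want_x) return SEGV;          /* genuine violation: let SIGSEGV through */
        if (matches_signature(pg->data, sizeof pg->data))
            return SCAN_KILL;                  /* content check fails: terminate the task */
        pg->pte_xd = false;                    /* clear XD: execution allowed from now on */
        pg->pte_w = false;                     /* clear W: a later write must fault too */
        return SCAN_OK;                        /* SIGSEGV is suppressed, fetch retried */
    }
    if (!pg->want_w) return SEGV;              /* write to a page never mapped writable */
    pg->pte_w = true;                          /* WX page updated: let the write proceed */
    pg->pte_xd = true;                         /* and re-arm so the next fetch is re-checked */
    return REARM;
}
```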
Listing 1. The hook on handle_mm_fault().
Listing 2. The hook on force_sig_fault().
3.4. Protection Against DoS
4. Assessment
4.1. Effectiveness
- Measuring the “signature flexibility” of JITScanner, which is the extent to which signatures from plain malware remain effective for a variant in the same family;
- Measuring the “signature retention” of JITScanner, which is the extent to which signatures from plain malware remain effective for their packed counterparts.
4.2. Performance
- In the absence of the synchronous check, no test exhibited a slowdown exceeding 5%, and in some instances, no discernible slowdown was observed at all;
- With the synchronous check enabled, the majority of tests experienced a slowdown of less than 10%, with some exceptions noted for the PHP language-based tests.
4.3. Memory Usage
- From second 0 to second 60, our user was interacting with the web browser, checking their Facebook notifications, then moving to YouTube to start watching a video—for the rest of the test, the video kept playing in the background, while the user continued with their normal/foreground activity;
- From second 60 to 80, the user played a game of Mine Sweeper;
- From second 80 to 100, the user modified and saved a LibreOffice document;
- From second 100 to 130, the user opened Gimp and tested various options.
5. Usage Models and Potential Extensions
5.1. Flexibility and Performance Trade-Offs
5.2. Process Management Strategies
6. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Matos, D.R.; Pardal, M.L.; Correia, M. Sanare: Pluggable Intrusion Recovery for Web Applications. IEEE Trans. Dependable Secur. Comput. 2023, 20, 590–605.
- Elkhail, A.A.; Lachtar, N.; Ibdah, D.; Aslam, R.; Khan, H.; Bacha, A.; Malik, H. Seamlessly Safeguarding Data Against Ransomware Attacks. IEEE Trans. Dependable Secur. Comput. 2023, 20, 1–16.
- Carnà, S.; Ferracci, S.; Quaglia, F.; Pellegrini, A. Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-Channel Attacks Using Performance Counters. ACM Digit. Threat. Res. Pract. 2023, 4, 1–24.
- Afianian, A.; Niksefat, S.; Sadeghiyan, B.; Baptiste, D. Malware dynamic analysis evasion techniques: A survey. ACM Comput. Surv. (CSUR) 2019, 52, 1–28.
- Apostolopoulos, T.; Katos, V.; Choo, K.K.R.; Patsakis, C. Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks. Future Gener. Comput. Syst. 2021, 116, 393–405.
- Yokoyama, A.; Ishii, K.; Tanabe, R.; Papa, Y.; Yoshioka, K.; Matsumoto, T.; Kasama, T.; Inoue, D.; Brengel, M.; Backes, M.; et al. Sandprint: Fingerprinting malware sandboxes to provide intelligence for sandbox evasion. In Proceedings of the Research in Attacks, Intrusions, and Defenses: 19th International Symposium, RAID 2016, Paris, France, 19–21 September 2016; Proceedings 19. Springer: Berlin/Heidelberg, Germany, 2016; pp. 165–187.
- Miramirkhani, N.; Appini, M.P.; Nikiforakis, N.; Polychronakis, M. Spotless sandboxes: Evading malware analysis systems using wear-and-tear artifacts. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2017; IEEE: Piscataway, NJ, USA, 2017; pp. 1009–1024.
- IBM. The JIT Compiler. 1993. Available online: https://www.ibm.com/docs/en/ztpf/1.1.0.15?topic=reference-jit-compiler (accessed on 20 February 2024).
- Bernardinetti, G.; Cristofaro, D.D.; Bianchi, G. PEzoNG: Advanced Packer For Automated Evasion On Windows. J. Comput. Virol. Hacking Tech. 2022, 18, 315–331.
- Salehi, Z.; Sami, A.; Ghiasi, M. MAAR: Robust features to detect malicious activity based on API calls, their arguments and return values. Eng. Appl. Artif. Intell. 2017, 59, 93–102.
- Landman, T.; Nissim, N. Deep-Hook: A trusted deep learning-based framework for unknown malware detection and classification in Linux cloud environments. Neural Netw. 2021, 144, 648–685.
- Kumara, M.A.; Jaidhar, C.D. Execution Time Measurement of Virtual Machine Volatile Artifacts Analyzers. In Proceedings of the 21st IEEE International Conference on Parallel and Distributed Systems, ICPADS 2015, Melbourne, Australia, 14–17 December 2015; IEEE Computer Society: Washington, DC, USA, 2015; pp. 314–319.
- Xie, X.; Wang, W. Rootkit detection on virtual machines through deep information extraction at hypervisor-level. In Proceedings of the 2013 IEEE Conference on Communications and Network Security (CNS), National Harbor, MD, USA, 14–16 October 2013; pp. 498–503.
- ClamAV. 2004–2024. Available online: https://www.clamav.net/ (accessed on 20 February 2024).
- Koret, J.; Bachaalany, E. The Antivirus Hacker’s Handbook; John Wiley & Sons: Hoboken, NJ, USA, 2015; Chapter 9.
- Acquasecurity. 2020–2023. Available online: https://aquasecurity.github.io/tracee/v0.6.4/ (accessed on 20 February 2024).
- Sysdig. The Falco Project. 2016–2023. Available online: https://falco.org/ (accessed on 20 February 2024).
- Page Table Isolation (PTI). 2017. Available online: https://docs.kernel.org/x86/pti.html (accessed on 20 February 2024).
- Santoro, A.; Quaglia, F. Transparent optimistic synchronization in the high-level architecture via time-management conversion. ACM Trans. Model. Comput. Simul. 2012, 22, 21:1–21:26.
- Principe, M.; Tocci, T.; di Sanzo, P.; Quaglia, F.; Pellegrini, A. A Distributed Shared Memory Middleware for Speculative Parallel Discrete Event Simulation. ACM Trans. Model. Comput. Simul. 2020, 30, 11:1–11:26.
- Martignoni, L.; Christodorescu, M.; Jha, S. OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In Proceedings of the Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, FL, USA, 10–14 December 2007; pp. 431–441.
- Willems, C.; Freiling, F.C.; Holz, T. Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis. In Proceedings of the 28th Annual Computer Security Applications Conference ACSAC ’12, Orlando, FL, USA, 3–7 December 2012; pp. 179–188.
- Bulazel, A.; Yener, B. A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web. In Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium, Vienna, Austria, 16–17 November 2017; pp. 1–21.
- Caporaso, P.; Bianchi, G.; Quaglia, F. JITScanner: Just-in-Time Executable Page Check in the Linux Operating System. In Proceedings of the 18th International Conference on Availability, Reliability and Security, Benevento, Italy, 29 August–1 September 2023. ARES ’23.
- VirusTotal. Yara Rules. 2014–2023. Available online: https://virustotal.github.io/yara/ (accessed on 20 February 2024).
- Virus_share. 2020. Available online: https://virusshare.com/torrents (accessed on 20 February 2024).
- Cyberfined. Cryptor ELF Loader. 2018. Available online: https://github.com/cyberfined/cryptor (accessed on 20 February 2024).
- Bernardinetti, G.; Caporaso, P.; Di Cristofaro, D.; Quaglia, F.; Bianchi, G. PHOENIX: A Cloud-based Framework for Ensemble Malware Detection. In Proceedings of the 2023 21st Mediterranean Communication and Computer Networking Conference (MedComNet), Island of Ponza, Italy, 13–15 June 2023; IEEE: Piscataway, NJ, USA, 2023; pp. 11–14.
- Kostya. 2023. Available online: https://github.com/kostya/jit-benchmarks (accessed on 20 February 2024).
Feature | JITScanner | MAAR [10] | ClamAV [14] | Tracee [16] | Deep-Hook [11] | Falco [17] | Will. et al. [22]
---|---|---|---|---|---|---|---
Can be used on non-virtualized environment | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓
Allows for dynamic analysis | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓
Remains effective against packed malware | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓
Uses signature checks | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ | ✓
Reduces memory search ranges | ✓ | na | ✗ | na | ✗ | na | ✗
Allows monitoring of multiple memory writes on executable pages | ✓ | na | ✗ | na | ✗ | na | ✗
Family Name | Malware Type | Number of Samples |
---|---|---|
Emotet | Trojan | 2 |
Mirai | Botnet | 52 |
Tsunami | Botnet | 71 |
Gafgyt | Trojan | 320 |
XMRIG Miner | Coin-miner | 21 |
Tool | Family | Detected Plain | Total Samples | Signature Flexibility
---|---|---|---|---
JITScanner | Emotet | 2 | 2 | 100% |
ClamAV | Emotet | 1 | 2 | 50% |
JITScanner | Tsunami | 57 | 71 | 80.2% |
ClamAV | Tsunami | 33 | 71 | 46.47% |
JITScanner | XMRIG_Miner | 13 | 21 | 61.90% |
ClamAV | XMRIG_Miner | 8 | 21 | 38.09% |
JITScanner | Gafgyt | 76 | 320 | 23.75% |
ClamAV | Gafgyt | 238 | 320 | 74.75% |
JITScanner | Mirai | 15 | 52 | 28.84% |
ClamAV | Mirai | 8 | 52 | 15.38% |
Tool | Sign. in Plain | Sign. in Packed | Total Samples | Signature Retention
---|---|---|---|---
ClamAV | 515 | 0 | 515 | 0% |
JITScanner | 515 | 391 | 515 | 75.91% |
Application Name | Slowdown |
---|---|
cat | 7.46% |
ls | 10.57% |
touch | 9.95% |
diff | 13.90% |
stat | 11.06% |
Language | Benchmark Name | No Sync Slowdown | Sync Slowdown
---|---|---|---
C | spectralnorm | |
C | fannkuchredux | |
C | matmul | |
C | binarytrees | |
C | fasta | |
LuaJit | spectralnorm | |
LuaJit | fannkuchredux | |
LuaJit | matmul | |
LuaJit | binarytrees | |
LuaJit | fasta | |
PHP | spectralnorm | |
PHP | fannkuchredux | |
PHP | binarytrees | |
PHP | fasta | |
Ruby2 | spectralnorm | |
Ruby2 | fannkuchredux | |
Ruby2 | matmul | |
Ruby2 | binarytrees | |
Ruby2 | fasta | |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Caporaso, P.; Bianchi, G.; Quaglia, F. JITScanner: Just-in-Time Executable Page Check in the Linux Operating System. Appl. Sci. 2024, 14, 1912. https://doi.org/10.3390/app14051912