Yataglass: Network-level code emulation for analyzing memory-scanning attacks

Makoto Shimamura; Kenji Kono

doi:10.1007/978-3-642-02918-9_5

Yataglass: Network-level code emulation for analyzing memory-scanning attacks

Makoto Shimamura, Kenji Kono

Department of Information and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

Remote code-injection attacks are one of the most frequently used attacking vectors in computer security. To detect and analyze injected code (often called shellcode), some researchers have proposed network-level code emulators. A network-level code emulator can detect shellcode accurately and help analysts to understand the behavior of shellcode. We demonstrated that memory-scanning attacks can evade current emulators, and propose Yataglass, an elaborated network-level code emulator, that enables us to analyze shellcode that incorporates memory-scanning attacks. According to our experimental results, Yataglass successfully emulated and analyzed real shellcode into which we had manually incorporated memory-scanning attacks.

Original language	English
Title of host publication	Detection of Intrusions and Malware, and Vulnerability Assessment - 6th International Conference, DIMVA 2009, Proceedings
Pages	68-87
Number of pages	20
DOIs	https://doi.org/10.1007/978-3-642-02918-9_5
Publication status	Published - 2009
Event	6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2009 - Como, Italy Duration: 2009 Jul 9 → 2009 Jul 10

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	5587 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2009
Country/Territory	Italy
City	Como
Period	09/7/9 → 09/7/10

Keywords

Code-injection attack
Intrusion analysis
Intrusion detection
Memory-scanning attack
Network-level code emulation

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-642-02918-9_5

Cite this

Shimamura, M., & Kono, K. (2009). Yataglass: Network-level code emulation for analyzing memory-scanning attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment - 6th International Conference, DIMVA 2009, Proceedings (pp. 68-87). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5587 LNCS). https://doi.org/10.1007/978-3-642-02918-9_5

Yataglass: Network-level code emulation for analyzing memory-scanning attacks. / Shimamura, Makoto; Kono, Kenji.
Detection of Intrusions and Malware, and Vulnerability Assessment - 6th International Conference, DIMVA 2009, Proceedings. 2009. p. 68-87 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5587 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Shimamura, M & Kono, K 2009, Yataglass: Network-level code emulation for analyzing memory-scanning attacks. in Detection of Intrusions and Malware, and Vulnerability Assessment - 6th International Conference, DIMVA 2009, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5587 LNCS, pp. 68-87, 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2009, Como, Italy, 09/7/9. https://doi.org/10.1007/978-3-642-02918-9_5

Shimamura M, Kono K. Yataglass: Network-level code emulation for analyzing memory-scanning attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment - 6th International Conference, DIMVA 2009, Proceedings. 2009. p. 68-87. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-02918-9_5

Shimamura, Makoto ; Kono, Kenji. / Yataglass : Network-level code emulation for analyzing memory-scanning attacks. Detection of Intrusions and Malware, and Vulnerability Assessment - 6th International Conference, DIMVA 2009, Proceedings. 2009. pp. 68-87 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{21743a3fdaee4429a7bb289968a6f427,

title = "Yataglass: Network-level code emulation for analyzing memory-scanning attacks",

abstract = "Remote code-injection attacks are one of the most frequently used attacking vectors in computer security. To detect and analyze injected code (often called shellcode), some researchers have proposed network-level code emulators. A network-level code emulator can detect shellcode accurately and help analysts to understand the behavior of shellcode. We demonstrated that memory-scanning attacks can evade current emulators, and propose Yataglass, an elaborated network-level code emulator, that enables us to analyze shellcode that incorporates memory-scanning attacks. According to our experimental results, Yataglass successfully emulated and analyzed real shellcode into which we had manually incorporated memory-scanning attacks.",

keywords = "Code-injection attack, Intrusion analysis, Intrusion detection, Memory-scanning attack, Network-level code emulation",

author = "Makoto Shimamura and Kenji Kono",

year = "2009",

doi = "10.1007/978-3-642-02918-9_5",

language = "English",

isbn = "3642029175",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "68--87",

booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 6th International Conference, DIMVA 2009, Proceedings",

note = "6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2009 ; Conference date: 09-07-2009 Through 10-07-2009",

}

TY - GEN

T1 - Yataglass

T2 - 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2009

AU - Shimamura, Makoto

AU - Kono, Kenji

PY - 2009

Y1 - 2009

N2 - Remote code-injection attacks are one of the most frequently used attacking vectors in computer security. To detect and analyze injected code (often called shellcode), some researchers have proposed network-level code emulators. A network-level code emulator can detect shellcode accurately and help analysts to understand the behavior of shellcode. We demonstrated that memory-scanning attacks can evade current emulators, and propose Yataglass, an elaborated network-level code emulator, that enables us to analyze shellcode that incorporates memory-scanning attacks. According to our experimental results, Yataglass successfully emulated and analyzed real shellcode into which we had manually incorporated memory-scanning attacks.

AB - Remote code-injection attacks are one of the most frequently used attacking vectors in computer security. To detect and analyze injected code (often called shellcode), some researchers have proposed network-level code emulators. A network-level code emulator can detect shellcode accurately and help analysts to understand the behavior of shellcode. We demonstrated that memory-scanning attacks can evade current emulators, and propose Yataglass, an elaborated network-level code emulator, that enables us to analyze shellcode that incorporates memory-scanning attacks. According to our experimental results, Yataglass successfully emulated and analyzed real shellcode into which we had manually incorporated memory-scanning attacks.

KW - Code-injection attack

KW - Intrusion analysis

KW - Intrusion detection

KW - Memory-scanning attack

KW - Network-level code emulation

UR - http://www.scopus.com/inward/record.url?scp=70350658277&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70350658277&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-02918-9_5

DO - 10.1007/978-3-642-02918-9_5

M3 - Conference contribution

AN - SCOPUS:70350658277

SN - 3642029175

SN - 9783642029172

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 68

EP - 87

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 6th International Conference, DIMVA 2009, Proceedings

Y2 - 9 July 2009 through 10 July 2009

ER -

Yataglass: Network-level code emulation for analyzing memory-scanning attacks

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this