Code Injection Attacks Research Articles

Enhancing Linux System Security: A Kernel-Based Approach to Fileless Malware Detection and Mitigation

In the late 20th century, computer viruses emerged as powerful malware that resides permanently in target hosts. For a virus to function, it must load into memory from persistent storage, such as a file on a hard drive. Due to the significant destructive potential of viruses, numerous defense measures have been developed to protect computer systems. Among these, antivirus software is one of the most recognized and widely used. Typically, antivirus solutions rely on static analysis (signature-based) technologies to detect infections in files stored on permanent storage devices, such as hard drives or USB (Universal Serial Bus) flash drives. However, a new breed of malware, fileless malware, has been designed to evade detection and enhance durability. Fileless malware resides solely in the memory of the target hosts, circumventing traditional antivirus software, which cannot access or analyze processes executed directly from memory. This study proposes the Check-on-Execution (CoE) kernel-based approach to detect fileless malware on Linux systems. CoE intervenes by suspending code execution before a program executes code from a process’s writable and executable memory area. To prevent the execution of fileless malware, CoE extracts the code from memory, packages it with an ELF (Executable and Linkable Format) header to create an ELF file, and uses VirusTotal for analysis. Experimental results demonstrate that CoE significantly enhances a Linux system’s ability to defend against fileless malware. Additionally, CoE effectively protects against shell code injection attacks, including buffer and memory overflows, and can handle packed malware. However, it is important to note that this study focuses exclusively on fileless malware, and further research is needed to address other types of malware.

Cyber Security Incident Response

In response to the growing cyber-attack threat, incident response teams have become a critical component of an organization's cybersecurity strategy. These teams are responsible for detecting, analyzing, and responding to security incidents promptly and effectively. However, detecting code injection attacks can be particularly challenging, as they can be difficult to detect and often go unnoticed until it is too late. Cybersecurity professionals use detection tools to detect and respond to DLL injection attacks that monitor system activity and detect unusual behavior. A large portion of the related literature focuses on the use of commercial DLL injection tools. In contrast, little attention has been paid to the effectiveness of using open-source DLL injection detection tools. Thus, this research project aims to evaluate the effectiveness of three widely used open-source tools, VirusTotal, Sysinternals, and Yara, in detecting DLL injection incidents. This study's findings highlight each tool's strengths and limitations, which in turn enables cybersecurity professionals to make informed decisions when selecting the most suitable tool for DLL injection detection. Furthermore, the study emphasizes the importance of continuous tool development and updates to keep pace with evolving malware techniques and emerging threats. By highlighting the effectiveness of the tools, this research enhances the overall security posture of organizations and individuals, empowering them to mitigate the risks associated with DLL injection attacks proactively. The outcomes of this research project also underscore the significance of leveraging advanced tools to fortify cybersecurity defenses and safeguard critical systems and data.

Detection of Malicious Threats Exploiting Clock-Gating Hardware Using Machine Learning

Embedded system technologies are increasingly being incorporated into manufacturing, smart grid, industrial control systems, and transportation systems. However, the vast majority of today’s embedded platforms lack the support of built-in security features which makes such systems highly vulnerable to a wide range of cyber-attacks. Specifically, they are vulnerable to malware injection code that targets the power distribution system of an ARM Cortex-M-based microcontroller chipset (ARM, Cambridge, UK). Through hardware exploitation of the clock-gating distribution system, an attacker is capable of disabling/activating various subsystems on the chip, compromising the reliability of the system during normal operation. This paper proposes the development of an Intrusion Detection System (IDS) capable of detecting clock-gating malware deployed on ARM Cortex-M-based embedded systems. To enhance the robustness and effectiveness of our approach, we fully implemented, tested, and compared six IDSs, each employing different methodologies. These include IDSs based on K-Nearest Classifier, Random Forest, Logistic Regression, Decision Tree, Naive Bayes, and Stochastic Gradient Descent. Each of these IDSs was designed to identify and categorize various variants of clock-gating malware deployed on the system. We have analyzed the performance of these IDSs in terms of detection accuracy against various types of clock-gating malware injection code. Power consumption data collected from the chipset during normal operation and malware code injection attacks were used for models’ training and validation. Our simulation results showed that the proposed IDSs, particularly those based on K-Nearest Classifier and Logistic Regression, were capable of achieving high detection rates, with some reaching a detection rate of 0.99. These results underscore the effectiveness of our IDSs in protecting ARM Cortex-M-based embedded systems against clock-gating malware.

Distributed Denial of Service Attack Detection in Network Traffic Using Deep Learning Algorithm.

Internet security is a major concern these days due to the increasing demand for information technology (IT)-based platforms and cloud computing. With its expansion, the Internet has been facing various types of attacks. Viruses, denial of service (DoS) attacks, distributed DoS (DDoS) attacks, code injection attacks, and spoofing are the most common types of attacks in the modern era. Due to the expansion of IT, the volume and severity of network attacks have been increasing lately. DoS and DDoS are the most frequently reported network traffic attacks. Traditional solutions such as intrusion detection systems and firewalls cannot detect complex DDoS and DoS attacks. With the integration of artificial intelligence-based machine learning and deep learning methods, several novel approaches have been presented for DoS and DDoS detection. In particular, deep learning models have played a crucial role in detecting DDoS attacks due to their exceptional performance. This study adopts deep learning models including recurrent neural network (RNN), long short-term memory (LSTM), and gradient recurrent unit (GRU) to detect DDoS attacks on the most recent dataset, CICDDoS2019, and a comparative analysis is conducted with the CICIDS2017 dataset. The comparative analysis contributes to the development of a competent and accurate method for detecting DDoS attacks with reduced execution time and complexity. The experimental results demonstrate that models perform equally well on the CICDDoS2019 dataset with an accuracy score of 0.99, but there is a difference in execution time, with GRU showing less execution time than those of RNN and LSTM.

Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations.

The Internet of Things (IoT) has transformed various domains in our lives by enabling seamless communication and data exchange between interconnected devices, necessitating robust networking infrastructure. This paper presents a comprehensive analysis of code injection attacks in IoT, focusing on the wireless domain. Code injection attacks exploit security weaknesses in applications or software and can have severe consequences, such as data breaches, financial losses, and denial of service. This paper discusses vulnerabilities in IoT systems and examines how wireless frames in state-of-the-art wireless technologies, which serve IoT applications, are exposed to such attacks. To demonstrate the severity of these threats, we introduce a comprehensive framework illustrating code injection attacks in the wireless domain. Several code injection attacks are performed on Wireless Fidelity (Wi-Fi) devices operating on an embedded system commonly used in IoT applications. Our proof of concept reveals that the victims' devices become further exposed to a full range of cyber-attacks following a successful severe code injection attack. We also demonstrate three scenarios where malicious codes had been detected inside the firmware of wireless devices used in IoT applications by performing reverse engineering techniques. Criticality analysis is conducted for the implemented and demonstrated attacks using Intrusion Modes and Criticality Analysis (IMECA). By understanding the vulnerabilities and potential consequences of code injection attacks on IoT networks and devices, researchers and practitioners can develop more secure IoT systems and better protect against these emerging threats.

Analysis Of the Behavior of Cyberattacks on Online Services Using the Cyber Threat Classification

The paper contains a study of the dynamics of attacks on online services using the categorization of cyber threats by type in the corporate network of the Krasnoyarsk Scientific Center of the Siberian Branch of the Russian Academy of Sciences. The study was conducted using online service logs and allows solving pressing issues related to ensuring the built-in security of web services, such as: identifying both current and future cybersecurity risks. A summary of the most important logging and analysis techniques is provided. The authors describe the nature and content of the data sources and the software used. The extensive observation period of the study is one of its outstanding features. The structure of the processing system is provided and software tools for attack analysis and categorization are created. The paper shows that using categorized sampling allows for the detection of periodicity and the identification of patterns in specific types of attacks. A correlation matrix was created based on the type of attack. Except for Command Injection, Directory Browsing, and Java Code Injection attacks, which can be aggregated, the research found that most attack types had poor correlation. Based on the classification of cyber threats, the authors proposed a heuristic technique of risk comparison.

SGXDump: A Repeatable Code-Reuse Attack for Extracting SGX Enclave Memory

Intel SGX (Software Guard Extensions) is a hardware-based security solution that provides a trusted computing environment. SGX creates an isolated memory area called enclave and prevents any illegal access from outside of the enclave. SGX only allows executables already linked statically to the enclave when compiling executables to access its memory, so code injection attacks to SGX are not effective. However, as a previous study has demonstrated, Return-Oriented Programming (ROP) attacks can overcome this defense mechanism by injecting a series of addresses of executable codes inside the enclave. In this study, we propose a novel ROP attack, called SGXDump, which can repeat the attack payload. SGXDump consists only of gadgets in the enclave and unlike previous ROP attacks, the SGXDump attack can repeat the attack payload, communicate with other channels, and implement conditional statements. We successfully attacked two well-known SGX projects, mbedTLS-SGX and Graphene-SGX. Based on our attack experiences, it seems highly probable that an SGXDump attack can leak the entire enclave memory if there is an exploitable memory corruption vulnerability in the target SGX application.

ConvXSS: A deep learning-based smart ICT framework against code injection attacks for HTML5 web applications in sustainable smart city infrastructure

In this paper we propose ConvXSS, a novel deep learning approach for the detection of XSS and code injection attacks, followed by context-based sanitization of the malicious code if the model detects any malicious code in the application. Firstly, we briefly discuss XSS and code injection attacks that might pose threat to sustainable smart cities. Along with this, we discuss various approaches proposed previously for the detection and alleviation of these attacks followed by their respective limitations. Then we propose our deep learning model adopting whose novelty is based on the approach followed for Data Pre-Processing. Then we finally propose Context-based Sanitization to replace the malicious part of the code with sanitized code. Numerical experiments conducted on various datasets have shown various results out of which the best model has an accuracy of 99.42%, a precision of 99.81% and a recall of 99.35%. When compared with other state of the art techniques in this domain, our approach shows at par or in the best case, better results in terms of detection speed and accuracy of CSS attacks.

Moving target defense for the security and resilience of mixed time and event triggered cyber–physical systems

Memory corruption attacks such as code injection, code reuse, and non-control data attacks have become widely popular for compromising safety-critical Cyber–Physical Systems (CPS). Moving target defense (MTD) techniques such as instruction set randomization (ISR), address space randomization (ASR), and data space randomization (DSR) can be used to protect systems against such attacks. CPS often use time-triggered architectures to guarantee predictable and reliable operation. MTD techniques can cause time delays with unpredictable behavior. To protect CPS against memory corruption attacks, MTD techniques can be implemented in a mixed time and event-triggered architecture that provides capabilities for maintaining safety and availability during an attack. This paper presents a mixed time and event-triggered MTD security approach based on the ARINC 653 architecture that provides predictable and reliable operation during normal operation and rapid detection and reconfiguration upon detection of attacks. We leverage a hardware-in-the-loop testbed and an advanced emergency braking system (AEBS) case study to show the effectiveness of our approach.

Research on Internet Security Situation Awareness Prediction Technology Based on Improved RBF Neural Network Algorithm

With the increasing scale and complexity of the network, the network attack technology is also changing, such as malicious program attack, Trojan horse, distributed denial of service attack, worm, virus, web code injection, botnet, and other new network attack tools emerge in large numbers. As the core hotspot of network information security, network security situational awareness has received more and more attention. The traditional way of network security situational awareness prediction is relatively single. Usually, only one algorithm is used for perception and prediction, and its prediction accuracy is limited. To explore the application effect of intelligent learning algorithm, this study takes radial basis function (RBF) neural network as the main research object, optimizes RBF by simulated annealing (SA) algorithm and hybrid hierarchy genetic algorithm (HHGA), constructs RBF neural network prediction model based on SA–HHGA optimization, and carries out relevant experiments. The results show that the predicted situation value of the optimized RBF neural network in 15 samples is very close to the actual situation value. The neural network has good prediction effect and can provide assistance for the maintenance of network security.

Cross Channel Scripting and Code Injection Attacks on Web and Cloud-Based Applications: A Comprehensive Review.

Cross channel scripting (XCS) is a common web application vulnerability, which is a variant of a cross-site scripting (XSS) attack. An XCS attack vector can be injected through network protocol and smart devices that have web interfaces such as routers, photo frames, and cameras. In this attack scenario, the network devices allow the web administrator to carry out various functions related to accessing the web content from the server. After the injection of malicious code into web interfaces, XCS attack vectors can be exploited in the client browser. In addition, scripted content can be injected into the networked devices through various protocols, such as network file system, file transfer protocol (FTP), and simple mail transfer protocol. In this paper, various computational techniques deployed at the client and server sides for XCS detection and mitigation are analyzed. Various web application scanners have been discussed along with specific features. Various computational tools and approaches with their respective characteristics are also discussed. Finally, shortcomings and future directions related to the existing computational techniques for XCS are presented.

Pendeteksian Keamanan Website SMA Greenschool Menggunakan Metode Owasp dengan Pengujian XSS

Information security is an important thing that must be considered for every individual and agency, because if information can accessed by unauthorized people then accuracy of the information can be doubted, becoming misleading information and even various problems will be found. Such problems can be malware attacks, exploits, or database injections. In this study, the mechanism of risk assessment methods was carried out on the website information system of greenschool high school. As the name implies XSS or stands for Cross Site Scripting is one form of interference in the form of Code Injection Attack or code injection attack. Where attackers or outsiders insert malicious code that is usually in the form of Javascript. This’s because the main purpose of using XSS is to retrieve important data and send a program that can damage the user but as if the cause is from the web itself. Web security solutions from hacker interference or attacks can be done by means of self-test, namely testing conducted on the web legally with activities such as hackers. Therefore, an analysis of the vulnerability of system that refers to the standardization of open web application security project (OWASP) security with combination of several security tools.

Root-Of-Trust for Continuous Integration and Continuous Deployment Pipeline in Cloud Computing

Cloud computing has gained significant use over the last decade due to its several benefits, including cost savings associated with setup, deployments, delivery, physical resource sharing across virtual machines, and availability of on-demand cloud services. However, in addition to usual threats in almost every computing environment, cloud computing has also introduced a set of new threats as consumers share physical resources due to the physical co-location paradigm. Furthermore, since there are a growing number of attacks directed at cloud environments (including dictionary attacks, replay code attacks, denial of service attacks, rootkit attacks, code injection attacks, etc.), customers require additional assurances before adopting cloud services. Moreover, the continuous integration and continuous deployment of the code fragments have made cloud services more prone to security breaches. In this study, the model based on the root of trust for continuous integration and continuous deployment is proposed, instead of only relying on a single sign-on authentication method that typically uses only id and password. The underlying study opted hardware security module by utilizing the Trusted Platform Module (TPM), which is commonly available as a cryptoprocessor on the motherboards of the personal computers and data center servers. The preliminary proof of concept demonstrated that the TPM features can be utilized through RESTful services to establish the root of trust for continuous integration and continuous deployment pipeline and can additionally be integrated as a secure microservice feature in the cloud computing environment.

Wisecr: Secure Simultaneous Code Dissemination to Many Batteryless Computational RFID Devices

Emerging ultra-low-power tiny scale computing devices run on harvested energy, are intermittently powered, have limited computational capability, and perform sensing and actuation functions under the control of a dedicated firmware operating without the supervisory control of an operating system. Wirelessly updating or patching firmware of such devices is inevitable. We consider the challenging problem of simultaneous and secure firmware updates or patching for a typical class of such devicesComputational Radio Frequency Identification (CRFID) devices. We propose Wisecr, the first secure and simultaneous wireless code dissemination mechanism to multiple devices that prevents malicious code injection attacks and intellectual property (IP) theft, whilst enabling remote attestation of code installation. Importantly, Wisecr is engineered to comply with existing ISO compliant communication protocol standards employed by CRFID devices and systems. We comprehensively evaluate Wisecr's overhead, demonstrate its implementation over standards compliant protocols, analyze its security, implement an end-to-end realization with popular CRFID devices and open-source the complete software package on GitHub.

Обнаружение аномалий в составных объектах в формате JSON

In this paper, we address the problem of intrusion detection for modern web applications and mobile applications with the cloud-based server side, using malicious content detection in JSON data, which is currently one of the most popular data serialization and exchange formats between client and server parts of an application. We propose a method for building a JSON model for the given set of JSON objects capable of detection of structure and type anomalies. The model is based on the models for basic data types inside JSON collection objects and schema model that generalizes objects’ structure in the collection. We performed experiments using modifications of objects’ structures and insertions of code injection attack vectors such as SQL injections, OS command injections, and JavaScript/HTML injections. The analysis showed statistical significance between the model’s predictions and the presence of anomalies in the data gathered from the real web applications’ traffic. The quality of the model’s predictions was measured using the Matthews correlation coefficient (MCC). The MCC values computed on the data were close to one which indicates the model’s high efficiency in solving the problem of anomaly detection in JSON objects.

A survey on the application of deep learning for code injection detection

Code injection is one of the top cyber security attack vectors in the modern world. To overcome the limitations of conventional signature-based detection techniques, and to complement them when appropriate, multiple machine learning approaches have been proposed. While analysing these approaches, the surveys focus predominantly on the general intrusion detection, which can be further applied to specific vulnerabilities. In addition, among the machine learning steps, data preprocessing, being highly critical in the data analysis process, appears to be the least researched in the context of Network Intrusion Detection, namely in code injection. The goal of this survey is to fill in the gap through analysing and classifying the existing machine learning techniques applied to the code injection attack detection, with special attention to Deep Learning. Our analysis reveals that the way the input data is preprocessed considerably impacts the performance and attack detection rate. The proposed full preprocessing cycle demonstrates how various machine-learning-based approaches for detection of code injection attacks take advantage of different input data preprocessing techniques. The most used machine learning methods and preprocessing stages have been also identified.

Smart Payment Application Security Optimization from Cross-Site Scripting (XSS) Attacks Based on Blockchain Technology

The digital era is an era everyone has used technology and they are connected to each other very easily. The Smart Payment application is one of the applications that is developing in the digital era. This application is not equipped with security, so there is a concern that hackers will try to change user or even change user data. One of the possible attacks on this application is a cross-site attack (XSS). It is a code injection attack on the user side. Security in the Smart Payment application needs to be improved so that data integrity is maintained. In this research, security optimization is carried out by implementing blockchain. Blockchain has the advantage in terms of security with the concept of decentralization by utilizing a consensus algorithm that can eliminate and make improvements to data changes made by hackers. The result obtained from this study is the implementation of blockchain to maintain the security of payment transaction data on the Smart Payment application from XSS attacks. It is proven by the results of the vulnerability before and after blockchain implementation. Before the implementation of the vulnerability is found, 1 XSS vulnerability had a high level of overall risk. Meanwhile, the result of the vulnerability after blockchain implementation was not found from XSS attacks (the XSS vulnerability was 0 or not found).

Analysis of Website Security of SMKN 1 Pangandaran Against SQL Injection Attack Using OWASP Method

Every technological development is usually accompanied by an increase in security on a digital platform that is widely used by a large audience. However, with the rapid development of information technology, some of the security gaps found can be used as loopholes to commit crimes where these actions can harm others. These actions are often carried out by irresponsible people to benefit from the actions taken. Some of the gaps that are often found on digital platforms, especially on websites are SQL Injection where from BSSN data from January to April 2019, 73% of the vulnerability reports received are SQL Injection vulnerabilities. In addition, SQL Injection is also the number one threat to the security of a website application, where this SQL Injection attack is a code injection attack technique that is carried out by exploiting the security gaps that exist in the database layer of a website. In this study, taking the theme of SQL Injection which aims to conduct security analysis from the website of the school agency SMKN 1 Pangandaran, using OWASP which is used to carry out the analysis process. The result of testing the system on the website is where the attacker can perform injection using SQL payload to enter the database. Where the results of system analysis and testing will be recommended to close gaps on existing websites.

SAPEM: Secure Attestation of Program Execution and Program Memory for IoT Applications

Security is one of the major challenges that devices connected to the Internet of Things (IoT) face today. Remote attestation is used to measure these devices’ trustworthiness on the network by measuring the device platform’s integrity. Several software-based attestation mechanisms have been proposed, but none of them can detect runtime attacks. Although some researchers have attempted to tackle these attacks, the proposed techniques require additional secured hardware parts to be integrated with the attested devices to achieve their aim. These solutions are expensive and not suitable in many cases. This paper proposes a dual attestation process, SAPEM, with two phases: static and dynamic. The static attestation phase examines the program memory of the attested device. The dynamic program flow attestation examines the execution correctness of the application code. It can detect code injection and runtime attacks that hijack the control-flow, including data attacks that affect the program control-flow. The main aim is to minimize attestation overhead while maintaining our ability to detect the specified attacks. We validated SAPEM by implementing it on Raspberry Pi using its TrustZone extension. We attested it against the specified attacks and compared its performance with the related work in the literature. The results show that SAPEM significantly minimizes performance overhead while reliably detecting runtime attacks at the binary level.

An Efficient Hybrid Webshell Detection Method for Webserver of Marine Transportation Systems

An increase in the number of Maritime Intelligent Transport Systems (MITSs) also means an increase in the number of information security risks. Usually, the administration and operation of MITSs are done through web servers that are frequently targeted by hackers. In marine transportation industry, malicious code injection attacks (webshell) has been widely exploited by hackers to take full control of Web servers. Traditional webshell detection methods based on pattern matching that are no longer effective against new types of webshell. This motivates us to investigate the problem of detecting obfuscation or unknown webshells, termed OUW problem. In this work, we propose a pattern-matching-deep-learning hybrid ASP.NET webshell detection method (H-DLPMWD) to address the OUW problem. H-DLPMWD is based on Yara-based pattern matching to clean dataset; modeling ASP.NET code files as an operation code index (OCI) vectors; and applying CNN method to train and predict webshell in OCI vectors. To validate H-DLPMWD, our rigorous experimentation demonstrates that H-DLPMWD achieves an excellent accuracy of 98.49%, F1-score of 99.01%, and a low false positive rate of 1.75%.