Using page offsets for detecting control-flow anomalies

Varan, Engincan and Hanifi Rüstem, Khadija and Erdemli, Ayşegül Rana and Ünal, Musa Sadık and Tat, Yunus Emre and Tekinoğlu, Dilara Nur and Çetin, Orçun and Fuladi, Ramin and Yılmaz, Cemal (2024) Using page offsets for detecting control-flow anomalies. In: 16th International Conference on Innovative Security Solutions for Information Technology and Communications, SecITC 2023, Bucharest, Romania

Full text not available from this repository. (Request a copy)


In this study, we introduce an approach that leverages memory-page offsets as an abstraction mechanism for real-time detection of control-flow-affecting cyberattacks. We, in particular, leverage page offsets for a number of reasons. First, being a part of the memory addresses, they can efficiently be monitored by using some of the features directly supported by modern CPUs, such as Intel Processor Trace (intel PT). Second, they are not affected by the presence or absence of address space layout randomization (ASLR). Finally, they can be extracted from the system binaries statically without the need for historical program executions for analysis. At runtime, we monitor the sequences of page offsets being processed, mark the “suspicious” sequences, and raise alarms as needed. In the experiments, which we carried out on real-life, document-based malware instances for Adobe PDF Reader and MS Word, the proposed approach successfully detected the malicious executions with F-measures of 0.9903 and 0.9771, respectively.
Item Type: Papers in Conference Proceedings
Uncontrolled Keywords: control-flow hijacking attacks; dynamic program analysis; malware; runtime detection of cybersecurity attacks
Divisions: Faculty of Engineering and Natural Sciences
Depositing User: Orçun Çetin
Date Deposited: 11 Jun 2024 11:51
Last Modified: 11 Jun 2024 15:14

Actions (login required)

View Item
View Item