Research on Data Structure Randomization Techniques
Abstract
With the rapid growth of the information world, the threat posed by rootkits, backdoors, trojans and other malware, and by the variants derived from their code, grows more serious every day. For years, security researchers and attackers have been playing a game of malware detection and anti-detection, which to a large extent is a game of reverse engineering and anti-reverse engineering specific information inside programs. Security researchers extract signatures from that information to help detect malware; attackers use the same reverse-engineered information to find vulnerabilities or to build new variants. Both sides therefore need suitable techniques to keep their code from being reverse engineered and exploited. The main techniques currently used to protect program information are encryption, obfuscation or randomization, and trusted code isolation. This thesis starts from randomization. It first analyzes the principles of several existing randomization techniques and discusses their characteristics and shortcomings in terms of randomization strength, granularity and the problems they target, and on that basis studies the randomization of the data structures in a program. Depending on the problem scenario, the work proceeds from two angles. From the defender's perspective, with source code available, we discuss which kinds of data structures can be randomized, design and implement a compiler-based randomization tool accordingly, and apply it to the Linux kernel, testing its defensive effect by running LKM rootkits against the randomized kernel. From the other side, without source code, we implement binary-level data structure randomization that hides the data structure information in a program while preserving its normal execution. We package this technique as a program polymorphism tool, a small component attached to a program that re-randomizes its data structures each time the program runs or replicates, and apply it to malware, so that the malware's data structure layout changes dynamically as it propagates and runs and thereby evades malware detectors that rely on data structure information.
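The idea shared by both approaches in the abstract, as an added example that is not the thesis's tool and not code from the original page: the fields of a structure are declared once and emitted in a permuted order, so code compiled against the header keeps working while code that hard-codes offsets learned from the stock layout, as a kernel rootkit doing direct kernel object manipulation does, reads and writes the wrong bytes. The example assumes a toy four-field task descriptor, a compile-time `LAYOUT_SEED` defaulting to 7, and three hand-written field orders standing in for the permutation a compiler pass would generate; all of these are illustrative choices.

```c
/*
 * Added example (not the thesis's tool): struct layout randomization
 * modelled with the C preprocessor. Compile with -DLAYOUT_SEED=<n> to
 * select a layout; a seed divisible by 3 reproduces the stock layout,
 * in which the rootkit's offsets are correct.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef LAYOUT_SEED
#define LAYOUT_SEED 7        /* assumed default seed; any integer works */
#endif

/* The fields of a (much simplified, invented) task descriptor, declared once. */
#define F_PID   int pid;
#define F_UID   int uid;
#define F_COMM  char comm[16];
#define F_NEXT  struct task *next;

/* Stock order: what a rootkit author sees when reverse engineering
 * the unmodified kernel. */
#define TASK_STOCK_LAYOUT  F_PID F_UID F_COMM F_NEXT

/* Randomized order: one of three permutations picked by the seed. A real
 * compiler pass would draw from all 4! orders (and could add padding);
 * three are enough to show the effect. */
#if LAYOUT_SEED % 3 == 0
#define TASK_LAYOUT  TASK_STOCK_LAYOUT
#elif LAYOUT_SEED % 3 == 1
#define TASK_LAYOUT  F_NEXT F_COMM F_UID F_PID
#else
#define TASK_LAYOUT  F_COMM F_PID F_NEXT F_UID
#endif

struct task       { TASK_LAYOUT };        /* what the randomized kernel uses */
struct task_stock { TASK_STOCK_LAYOUT };  /* what the rootkit assumes */

/* Legitimate kernel code: built against the same header, so it names the
 * field and is layout-agnostic. */
int task_uid(const struct task *t) { return t->uid; }

/* Rootkit code: has no header, only an offset learned from the stock build. */
#define ROOTKIT_UID_OFFSET offsetof(struct task_stock, uid)

int rootkit_read_uid(const void *t)
{
    int v;
    memcpy(&v, (const char *)t + ROOTKIT_UID_OFFSET, sizeof v);
    return v;
}

/* DKOM-style privilege escalation: overwrite uid in place. */
void rootkit_set_uid(void *t, int uid)
{
    memcpy((char *)t + ROOTKIT_UID_OFFSET, &uid, sizeof uid);
}

static void make_task(struct task *t)
{
    memset(t, 0, sizeof *t);       /* constructed sample task */
    t->pid = 4242;
    t->uid = 1000;
    strcpy(t->comm, "sshd");
    t->next = NULL;
}

/* 1 if the rootkit's hard-coded offset still lands on uid, else 0. */
int rootkit_offset_still_valid(void)
{
    struct task t;
    make_task(&t);
    return rootkit_read_uid(&t) == task_uid(&t);
}

/* uid as the kernel sees it after the rootkit "escalates" it to root;
 * 0 means the attack worked, 1000 means it hit some other field. */
int uid_after_rootkit_escalation(void)
{
    struct task t;
    make_task(&t);
    rootkit_set_uid(&t, 0);
    return task_uid(&t);
}

int main(void)
{
    printf("LAYOUT_SEED=%d  offsetof(uid): stock=%zu randomized=%zu\n",
           LAYOUT_SEED, offsetof(struct task_stock, uid),
           offsetof(struct task, uid));
    printf("rootkit offset valid: %d\n", rootkit_offset_still_valid());
    printf("uid after DKOM write: %d (0 would mean root)\n",
           uid_after_rootkit_escalation());
    return 0;
}
```

With the default seed the rootkit's read returns bytes of `next` (or of `comm` on a 32-bit target) instead of `uid`, and its write corrupts that neighbouring field rather than granting root; in a real kernel such a mis-aimed write typically crashes the rootkit's target list rather than escalating privilege silently. The same model also shows the limit the abstract alludes to when it asks which structures are randomizable: a layout that is part of an external contract (a hardware-defined descriptor, a user-space ABI structure, an on-disk or on-wire format, or a field accessed from assembly by numeric offset) cannot be permuted without also changing every consumer that is not compiled from the same header.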
