Research field: Strategies
Conference: World Congress in Computer Science, Computer Engineering & Applied Computing
Dynamic Link Libraries (DLLs) are important components of the Windows operating system that allow code modularity, reuse, and efficient resource management across different applications. This dynamic nature of DLLs also introduces security vulnerabilities, the best known of which are injections. DLL injections can cause huge damage to the target Windows devices; for instance, the insertion of malicious code into the DLL address space allows attackers to manipulate or even compromise system behavior. One way to prevent DLL injections is to detect potentially risky DLLs used in the Windows system early and frequently, so that more security checks can be performed on those risky DLLs when adversaries attempt to inject any malicious code into them. To this end, we design a static detection tool for risky DLLs that performs file integrity checks on the DLLs of user-specified applications on Windows devices. Our tool maintains a list of the past DLLs of those apps for reference and provides a list of “potentially risky” DLLs by comparing the reference DLL list with the current DLL list of the specified app using our detection algorithm. We define the semantics of “potentially risky” based on the fact that DLLs are usually stored in an expected directory: a DLL found in the expected directory in a new version of an application but not found in the expected directory in its older version can be regarded as potential tampering or injection introduced along with the update of this application. Based on this, our tool can be extended as part of antivirus software to frequently warn about those “potentially risky” DLLs introduced by auto-updating applications on Windows systems.
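The comparison described in the abstract can be sketched as follows. This is an added example, not the paper's tool or algorithm: the function names, the SHA-256 integrity check, the separate "modified" and "missing" categories, and the constructed install trees are all assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(app_dir):
    """Map each DLL's relative path (lower-cased, Windows paths are case-insensitive) to its SHA-256."""
    root = Path(app_dir)
    return {
        p.relative_to(root).as_posix().lower(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() == ".dll"
    }


def compare(reference, current):
    """Return (new, modified, missing) DLL paths, each sorted."""
    # New in the expected directory after an update: "potentially risky" per the abstract.
    new = sorted(set(current) - set(reference))
    missing = sorted(set(reference) - set(current))
    # Assumption: a hash mismatch on a known DLL is reported as a separate category.
    modified = sorted(k for k in reference.keys() & current.keys()
                      if reference[k] != current[k])
    return new, modified, missing


def demo():
    """Constructed sample: an 'old' and an 'updated' install tree built in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        old, upd = Path(tmp, "v1"), Path(tmp, "v2")
        for root, files in ((old, {"core.dll": b"A", "bin/ui.dll": b"B", "old.dll": b"C"}),
                            (upd, {"core.dll": b"A", "bin/ui.dll": b"B2",
                                   "bin/Helper.DLL": b"X", "readme.txt": b"ignored"})):
            for rel, data in files.items():
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return compare(snapshot(old), snapshot(upd))


if __name__ == "__main__":
    new, modified, missing = demo()
    print("new (potentially risky):", new)
    print("modified:", modified)
    print("missing:", missing)
```

In practice the reference snapshot would be stored before each application update and the comparison rerun afterwards; an updater legitimately shipping a new DLL produces the same signal, so flagged files still need a follow-up check such as signature verification.
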
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | Andorra |
| Site | Springer |