Eudaemon: Involuntary and on-demand emulation against zero-day exploits

Georgios Portokalidis, Herbert Bos

Research output: Contribution to journalConference articlepeer-review

6 Scopus citations

Abstract

Eudaemon is a technique that aims to blur the borders between protected and unprotected applications, and brings together honeypot technology and end-user intrusion detection and prevention. Eudaemon is able to attach to any running process, and redirect execution to a user-space emulator that will dynamically instrument the binary by means of taint analysis. Any attempts to subvert control flow, or to inject malicious code will be detected and averted. When desired Eudaemon can reattach itself to the emulated process, and return execution to the native binary. Selective emulation has been investigated before as a mean to heal an attacked program or to generate a vaccine after an attack is detected, by applying intensive instrumentation to the vulnerable region of the program. Eudaemon can move an application between protected and native mode at will, e.g., when spare cycles are available, when a system policy ordains it, or when it is explicitly requested. The transition is performed transparently and in very little time, thus incurring minimal disturbance to an actively used system Systems offering constant protection against similar attacks have also been proposed, but require access to source code or explicit operating system support, and often induce significant performance penalties We believe that Eudaemon offers a flexible mechanism to detect a series of attacks in end-user systems with acceptable overhead. Moreover, we require no modification to the running system and/or installation of a hypervisor, with an eye on putting taint analysis within reach of the average user.

Original languageEnglish
Pages (from-to)287-299
Number of pages13
JournalOperating Systems Review (ACM)
Volume42
Issue number4
DOIs
StatePublished - 25 Apr 2008
Event3rd ACM European Conference on Computer Systems, EuroSys'08 - Glasgow, United Kingdom
Duration: 31 Mar 20084 Apr 2008

Keywords

  • Honeypots
  • Operating systems
  • Security

Fingerprint

Dive into the research topics of 'Eudaemon: Involuntary and on-demand emulation against zero-day exploits'. Together they form a unique fingerprint.

Cite this