lorenz.stechauner/BSc-Thesis
1
0
Fork 0
Code Activity

thesis: Add more Relaed Work

Browse Source
This commit is contained in:
Lorenz Stechauner
2025-09-03 16:11:33 +02:00
parent 5fa52a198b
commit 632913638c
3 changed files with 148 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
thesis/src/02.related-work.tex
View File

@@ -6,16 +6,80 @@ See also Section~\ref{sec:methods-for-intercepting}.
Some relevant methods will be discussed there in more detail. Some relevant methods will be discussed there in more detail.
\section{Function Call Interception}\label{sec:function-call-interception} \section{System and Function Call Hooking in Literature}\label{sec:call-hooking-in-literature}
All related work regarding function call interception is mentioned in the aforementioned Section. The following subsections explore some applications of system and function call hooking.
There are possibly many other use-cases, but the following were deemed most important.
\subsection{Classification of Hooking Techniques}\label{subsec:classification}
Lopez et al. \cite{lopez2017} classify subroutine hooking techniques as follows:
\begin{itemize}
\setlength\itemsep{0em}
\item Subroutine Type: Function / System call.
\item Hook Insertion: Static (before execution) / Dynamic (during execution).
\item Instrumentation Type: Active (``manipulation'') / Passive (``interception'').
\item Hooking Location: On-device / Off-device (most used for mobile devices).
\item Hooking Scope: Inner Functions / Exported Functions (e.g.,\ libraries).
\item OS Modification: Required / Not Required.
\item Availability of Source Code: Open-source / Closed-source.
\item Pricing Model: Free / Paid.
\end{itemize}
The technique developed in this work would be classified as follows:
Function, Static, Active+Passive, On-device, Exported Functions, OS Modification Not Required, target program may be Closed-source, Free.
\subsection{Windows Systems}\label{subsec:windows-systems}
Hunt and Brubacher \cite{detours} developed Detours, a library for instrumenting arbitrary Win32 functions on x86 machines.
Detours intercepts Win32 functions by re-writing target function images.
\subsection{Security Applications}\label{subsec:security-applications}
Fraser et al. \cite{fraser2000} introduced a general mechanism for securing unmodified commercial software by wrapping system calls at the library interface.
They hook system calls by replacing the standard library entry points with wrapper functions, similar to \texttt{LD\_PRELOAD}.
The wrapper functions are able to perform security checks or other security measures.
Garfinkel et al. \cite{ostia} developed Ostia, a sandboxing system, which uses system call hooking to secure applications.
They implemented their own ELF binary loader to load their emulation library into memory before the sandboxed program starts.
To communicate between this library and their \textit{agent}, they use Unix domain sockets.
The \textit{agent} then responds, according to its policies.
This is a similar approach to the one of this work (see Chapter~\ref{ch:manipulating-function-calls}).
Sze and Sekar \cite{spif} introduced Spif, an approach that defends against malware by tracking code and data origin on Windows systems.
They use Detours \cite{detours} to intercept low-level Windows API calls.
Kern \cite{kern2023} discusses the use of \texttt{LD\_PRELOAD} in cloud environments for HTTP deception.
This is done to analyze malware or other adversaries in real environments without their knowledge and without any risk of danger.
Examples are to override the \texttt{send} and \texttt{recv} functions of libc.
\subsection{Software Distribution}\label{subsec:software-distribution}
Guo and Engler \cite{guo2011cde} use system call hooking for creating portable software.
They developed CDE, which logs all files a program accesses during execution, including shared libraries.
All accessed files and the environment are bundled together and may now be executed on any other system having a compatible kernel without having to install any dependencies.
\subsection{Rapid Prototyping}\label{subsec:rapid-prototyping}
Spillane et al. \cite{spillane2007} use \texttt{ptrace} to hook system calls of another process to simulate these calls using a user-space program.
This is useful for rapid prototyping (e.g., file systems) because they may be developed as user-space program first, and only later on inside the kernel.
\section{Function Call Hooking}\label{sec:function-call-hooking}
All underlying techniques for function call interception on Linux systems are mentioned in Section~\ref{sec:methods-for-intercepting}.
See \texttt{ltrace} (Subsection~\ref{subsec:ltrace}), wrapper functions (Subsection~\ref{subsec:wrapper-functions}), and \texttt{LD\_PRELOAD} (Subsection~\ref{subsec:preloading}). See \texttt{ltrace} (Subsection~\ref{subsec:ltrace}), wrapper functions (Subsection~\ref{subsec:wrapper-functions}), and \texttt{LD\_PRELOAD} (Subsection~\ref{subsec:preloading}).
\section{System Call Interception}\label{sec:system-call-interception} \section{System Call Hooking}\label{sec:system-call-hooking}
This section discusses further related work regarding system call interception. This section discusses further techniques regarding system call interception.
This excludes techniques already discussed in Section~\ref{sec:methods-for-intercepting}, This excludes techniques discussed in Section~\ref{sec:methods-for-intercepting},
like \texttt{ptrace} (Subsection~\ref{subsec:ptrace}), and \texttt{strace} (Subsection~\ref{subsec:strace}). like \texttt{ptrace} (Subsection~\ref{subsec:ptrace}), and \texttt{strace} (Subsection~\ref{subsec:strace}).
Almost all following methods use binary rewriting to replace system calls with other instructions (except SUD, Subsection~\ref{subsec:syscall-user-dispatch}). Almost all following methods use binary rewriting to replace system calls with other instructions (except SUD, Subsection~\ref{subsec:syscall-user-dispatch}).
This is one of the reasons why they are not mentioned in Section~\ref{sec:methods-for-intercepting}. This is one of the reasons why they are not mentioned in Section~\ref{sec:methods-for-intercepting}.

7
thesis/src/04.manipulate.tex
View File

@@ -4,12 +4,13 @@
This chapter discusses how to manipulate function calls and how this may be used to test programs. This chapter discusses how to manipulate function calls and how this may be used to test programs.
How function calls may be intercepted at all has been discussed in Chapter~\ref{ch:intercepting-function-calls}. How function calls may be intercepted at all has been discussed in Chapter~\ref{ch:intercepting-function-calls}.
This chapter builds on the basis of the previous one and expands its functions. This chapter builds on the basis of the previous one and expands its functions.
In this context, ``manipulation'' means changing the arguments of a function, before calling it with the modified arguments, or skipping the execution of the real function completely and simply returning a given value (``mocking''). In this context, ``manipulation'' means changing the arguments of a function before calling it with the modified arguments, or skipping the execution of the real function completely and simply returning a given value (``mocking'').
These techniques allow in-depth testing of programs. These techniques allow in-depth testing of programs.
In contrast to simply recording and logging function calls, which may be controlled via environment variables, manipulation of such function calls requires some other process to indicate how to handle each call. In contrast to simply recording and logging function calls, which may be controlled via environment variables, manipulation of such function calls requires some other process to indicate how to handle each call.
This work uses simple sockets to communicate between the process of the program to be tested, and a ``server'', which decides what action to perform for each function call. This work uses simple Unix domain sockets to communicate between the process of the program to be tested, and a ``server'', which decides what action to perform for each function call.
Currently, only communication over Unix sockets is implemented, but communication over TCP sockets is also easily possible. Currently, only communication over Unix domain sockets is implemented, but communication over TCP sockets is also easily possible.
This approach is similar to the one used in \cite{ostia} to communicate with the \textit{agent}.
Figure~\ref{fig:control-flow} illustrates the control flow for manipulating function calls. Figure~\ref{fig:control-flow} illustrates the control flow for manipulating function calls.

76
thesis/src/99.intercept.bib
View File

@@ -96,5 +96,79 @@
month = jun, month = jun,
articleno = {ISSTA005}, articleno = {ISSTA005},
numpages = {21}, numpages = {21},
keywords = {DataHook, Hooking technique, Software analysis, Software debugging, System call} keywords = {DataHook, Hooking technique, Software analysis, Software debugging, System call},
}
@article{lopez2017,
title={A survey on function and system call hooking approaches},
author={Lopez, Juan and Babun, Leonardo and Aksu, Hidayet and Uluagac, A. Selcuk},
journal={Journal of Hardware and Systems Security},
volume={1},
number={2},
pages={114--136},
year={2017},
publisher={Springer},
}
@masterthesis{kern2023,
author = {Patrick Kern},
title = {Injecting Shared Libraries with LD\_PRELOAD for Cyber Deception},
school = {TU Wien},
year = {2023},
}
@inproceedings{guo2011cde,
title={CDE: Using system call interposition to automatically create portable software packages},
author={Guo, Philip J. and Engler, Dawson},
booktitle={2011 USENIX Annual Technical Conference (USENIX ATC 11)},
year={2011},
}
@inproceedings{detours,
title={Detours: Binary interception of Win32 functions},
author={Galen Hunt and Doug Brubacher},
booktitle={Windows NT 3rd symposium},
year={1999},
}
@inproceedings{spillane2007,
author = {Spillane, Richard P. and Wright, Charles P. and Sivathanu, Gopalan and Zadok, Erez},
title = {Rapid file system development using ptrace},
year = {2007},
isbn = {9781595937513},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/1281700.1281722},
doi = {10.1145/1281700.1281722},
booktitle = {Proceedings of the 2007 Workshop on Experimental Computer Science},
pages = {22es},
keywords = {rapid prototyping, monitors},
location = {San Diego, California},
series = {ExpCS '07},
}
@inproceedings{spif,
author = {Sze, Wai Kit and Sekar, R.},
title = {Provenance-based Integrity Protection for Windows},
year = {2015},
isbn = {9781450336826},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/2818000.2818011},
doi = {10.1145/2818000.2818011},
booktitle = {Proceedings of the 31st Annual Computer Security Applications Conference},
pages = {211220},
numpages = {10},
location = {Los Angeles, CA, USA},
series = {ACSAC '15},
}
@inproceedings{ostia,
title={Ostia: A Delegating Architecture for Secure System Call Interposition},
author={Garfinkel, Tal and Pfaff, Ben and Rosenblum, Mendel},
booktitle={NDSS},
year={2004},
}
@inproceedings{fraser2000,
author={Fraser, T. and Badger, L. and Feldman, M.},
booktitle={Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00},
title={Hardening COTS software with generic software wrappers},
year={2000},
volume={2},
number={},
pages={323-337 vol.2},
doi={10.1109/DISCEX.2000.821530},
} }