This paper presents DOME, a host-based technique for detecting several general classes of malicious code in software executables. DOME uses static analysis to identify the locations (virtual addresses) of system calls within the software executables, and then monitors the executables at runtime to verify that every observed system call is made from a location identified using static analysis. The power of this technique is that it is simple, practical, applicable to real-world software, and highly effective against injected, dynamically generated, and obfuscated malicious code. Categories and Subject Descriptors D.2.4 [Software Engineering]: Software/Program Verification – Model checking; D.4.6 [Operating Systems]: Security and Protection – Invasive software (e.g., viruses, worms, Trojan horses), Authentication; K.6.5 [Management Of Computing And Information Systems]: Security and Protection – Invasive software (e.g., viruses, worms, Trojan horses), Authentication. General Terms...
Jesse C. Rabek, Roger I. Khazan, Scott M. Lewandow