Michalis Polychronakis

From Shellcode to Return-Oriented Programming: Detecting Malicious Code using Code Emulation

The exploitation of memory corruption vulnerabilities in server and client applications has been one of the prevalent means of system compromise and malware infection. Identifying the malicious code that is part of the attack vector is an effective approach for the detection of zero-day code injection attacks. In this talk I will present how dynamic code analysis can be used for the generic detection of shellcode and ROP payloads in arbitrary inputs. Our prototype attack detection system, called Nemu, uses a CPU emulator to dynamically analyze valid instruction sequences found in the inspected input, or speculatively drive the execution of code that already exists in a targeted process according to the scanned input data. Based on a set of runtime heuristics, this allows the identification of shellcode or ROP payloads that are part of previously unknown attacks without relying on any exploit or vulnerability specific signatures. At the same time, the actual execution of the malicious code on a CPU emulator makes the detector robust to evasion techniques and allows for high detection accuracy with virtually no false positives.
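The "speculatively drive the execution of code that already exists in a targeted process according to the scanned input data" idea can be illustrated with a small scanner. The following is an added toy example, not Nemu's code: it treats every 4-byte-aligned word of the scanned input as a candidate pointer into a constructed executable region, executes from that address with a decoder that understands only a handful of x86-32 opcodes (pop/push/inc/dec/nop/ret), and counts how many ret-terminated gadgets chain together while consuming the input as a stack. The memory layout, the bytes in it, the gadget length limit and the chain threshold are all assumptions chosen for the demonstration; a real detector uses a full CPU emulator and the heuristics described in the talk.

```python
"""Toy speculative-execution scanner for ROP-like payloads (added illustration)."""
import struct

# Constructed "executable region" of a hypothetical target process.
# Offsets and bytes are made up for this example; they come from no real binary.
BASE = 0x10000000
CODE = bytes([
    0x55, 0x89, 0xE5,        # +0:  push ebp; mov ebp,esp (0x89 is outside the toy decoder)
    0x58, 0xC3,              # +3:  pop eax; ret
    0x5B, 0x59, 0xC3,        # +5:  pop ebx; pop ecx; ret
    0x40, 0xC3,              # +8:  inc eax; ret
    0x90, 0xC2, 0x04, 0x00,  # +10: nop; ret 4
    0x53, 0xC3,              # +14: push ebx; ret (jump through ebx, consumes no stack)
    0xCD, 0x80,              # +16: int 0x80 (outside the toy decoder)
])
MEMORY = {BASE: CODE}          # base address -> bytes of executable memory

MAX_INSNS_PER_GADGET = 8       # assumption: longer sequences are not treated as gadgets
MIN_CHAIN = 3                  # assumption: chains at least this long are flagged


def decode(code, off):
    """Decode one instruction of a tiny x86-32 subset at code[off].
    Returns (mnemonic, length, operand) or None for unsupported bytes."""
    if off >= len(code):
        return None
    op = code[off]
    if op == 0xC3:
        return ("ret", 1, 0)
    if op == 0xC2 and off + 2 < len(code):            # ret imm16
        return ("ret", 3, struct.unpack_from("<H", code, off + 1)[0])
    if op == 0x90:
        return ("nop", 1, 0)
    if 0x58 <= op <= 0x5F:
        return ("pop", 1, op - 0x58)                    # operand: register index
    if 0x50 <= op <= 0x57:
        return ("push", 1, op - 0x50)
    if 0x40 <= op <= 0x47:
        return ("inc", 1, op - 0x40)
    if 0x48 <= op <= 0x4F:
        return ("dec", 1, op - 0x48)
    return None


def find_region(memory, addr):
    for base, code in memory.items():
        if base <= addr < base + len(code):
            return base, code
    return None


def run_gadget(memory, addr, stack, sp, regs):
    """Speculatively execute from addr until a ret is reached.
    Returns (sp_at_return_slot, ret_imm16) or None if this is not a gadget."""
    region = find_region(memory, addr)
    if region is None:
        return None
    base, code = region
    pc = addr - base
    for _ in range(MAX_INSNS_PER_GADGET):
        insn = decode(code, pc)
        if insn is None:
            return None
        mnem, length, operand = insn
        if mnem == "ret":
            return sp, operand
        if mnem == "pop":
            if sp + 4 > len(stack):
                return None                             # ran off the end of the input
            regs[operand] = struct.unpack_from("<I", stack, sp)[0]
            sp += 4
        elif mnem == "push":
            if sp < 4:
                return None
            sp -= 4
            struct.pack_into("<I", stack, sp, regs[operand])
        elif mnem == "inc":
            regs[operand] = (regs[operand] + 1) & 0xFFFFFFFF
        elif mnem == "dec":
            regs[operand] = (regs[operand] - 1) & 0xFFFFFFFF
        pc += length
    return None


def scan(memory, data):
    """Try every 4-byte-aligned offset as the start of a chain.
    Returns (longest_chain, offset_of_that_chain)."""
    best = (0, None)
    for start in range(0, len(data) - 3, 4):
        stack = bytearray(data)        # private copy: pushes may overwrite it
        regs = [0] * 8
        sp, chain, skip = start, 0, 0
        while sp + 4 <= len(stack):
            slot = sp
            addr = struct.unpack_from("<I", stack, sp)[0]
            sp += 4 + skip             # a preceding "ret imm16" skips imm extra bytes
            result = run_gadget(memory, addr, stack, sp, regs)
            if result is None or result[0] <= slot:
                break                  # not a gadget, or no net stack consumption (loop guard)
            sp, skip = result
            chain += 1
        if chain > best[0]:
            best = (chain, start)
    return best


def is_rop_payload(memory, data, threshold=MIN_CHAIN):
    return scan(memory, data)[0] >= threshold


# Constructed inputs: the pointers below only mean something inside the toy memory above.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
ROP_LIKE = struct.pack("<11I",
    BASE + 3, 0x41414141,              # pop eax; ret
    BASE + 5, 0x42424242, 0x43434343,  # pop ebx; pop ecx; ret
    BASE + 8,                          # inc eax; ret
    BASE + 10,                         # nop; ret 4  (skips one extra dword)
    BASE + 8, 0xDEADBEEF,              # inc eax; ret, then the skipped pad dword
    BASE + 3, 0x44444444,              # pop eax; ret
)
LOOPING = struct.pack("<4I", BASE + 5, BASE + 14, 0, BASE + 14)  # push ebx; ret cycle

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("rop_like", ROP_LIKE), ("looping", LOOPING)):
        print(name, scan(MEMORY, data), is_rop_payload(MEMORY, data))
```

The loop guard (a gadget must leave the stack pointer past the slot its address came from) is what stops `push ebx; ret` from being counted forever; it also reflects the property the heuristic relies on, namely that a ROP chain consumes the input as its stack. Scanning every aligned offset rather than only offset 0 is needed because the chain rarely starts at the beginning of the input.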
Michalis Polychronakis is a postdoctoral researcher in the Computer Science Department at Columbia University. He received the B.Sc. ('03), M.Sc. ('05), and Ph.D. ('09) degrees in Computer Science from the University of Crete, Greece, while working as a research assistant in the Distributed Computing Systems Lab at FORTH-ICS. In 2010, he received a Marie Curie International Outgoing Fellowship granted by the European Commission. His main research interests are in the areas of network and system security, and network monitoring and measurement.