
Shellcode detection using CPU emulation and syscall blacklisting - luu
https://rainbow.cs.unipi.gr/projects/seduce
======
nickpsecurity
I had an idea a while back for a HIDS, or at least post-infection analysis.
You record incoming data and files onto storage. Have a separate machine
running it which is instrumented to check all jumps, etc., against a whitelist
generated when compiling the same system. It would eventually spot the
compromise plus be able to show the exact sequence of data & instructions that
caused it, which would aid patching it.

Stayed on prevention instead. Thought it would be fun building & optimizing
it, though.
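
The checker nickpsecurity sketches above, as an added example that is not part of this thread, the SEDUCE project, or any CFG implementation: a toy word-addressed VM whose "compile step" derives every legal control-flow edge (source pc, target pc) from the program text, and whose instrumented run checks each CALL/JMP/RET against that whitelist and, on a miss, returns the full trace and the input that caused it. The instruction set, the program (a handler that copies input into a stack buffer with no length check) and both inputs are constructed for this illustration.

```python
"""Whitelist-based jump checker: static edge extraction plus an instrumented run.

Constructed example. The VM, its instruction set, the program and the two inputs
are all invented here to show the idea; nothing in this block comes from SEDUCE
or from Windows Control Flow Guard.
"""

MEM_WORDS = 32  # flat word-addressed memory; the stack grows downward from the top

# Constructed program. The handler at pc 3 copies attacker input into a
# 4-word stack buffer with no length check; pc 7 is dead code (never called)
# that a corrupted return address could redirect execution to.
PROGRAM = [
    ("CALL", 3),          # 0  main: call the input handler
    ("HALT",),            # 1  main: normal exit, the only legal return site for pc 6's RET
    ("HALT",),            # 2  padding
    ("ALLOC", 4),         # 3  handler: reserve a 4-word buffer on the stack
    ("READ",),            # 4  handler: copy *all* input words into the buffer (no bound check)
    ("FREE", 4),          # 5  handler: release the buffer
    ("RET",),             # 6  handler: return through the saved return address
    ("SYSCALL", "exec"),  # 7  dead code: a privileged operation nobody is supposed to reach
    ("HALT",),            # 8
]

BENIGN_INPUT = [0x41, 0x42, 0x43]            # fits in the 4-word buffer
EXPLOIT_INPUT = [0x41, 0x41, 0x41, 0x41, 7]  # fills the buffer, then overwrites the return address with 7


class CFIViolation(Exception):
    """Raised when a control transfer is not in the compile-time whitelist."""


def build_edge_whitelist(program):
    """Static 'compile-time' pass: the set of (source_pc, target_pc) edges a correct run may take."""
    entries = {0} | {args[0] for op, *args in program if op == "CALL"}
    return_sites = {}  # function entry -> set of pcs a RET from that function may land on
    edges = set()
    for pc, (op, *args) in enumerate(program):
        if op == "CALL":
            edges.add((pc, args[0]))
            return_sites.setdefault(args[0], set()).add(pc + 1)
        elif op == "JMP":
            edges.add((pc, args[0]))
    for pc, (op, *_) in enumerate(program):
        if op == "RET":
            owner = max(e for e in entries if e <= pc)  # function containing this RET
            for site in return_sites.get(owner, ()):
                edges.add((pc, site))
    return edges


def run(program, user_input, whitelist):
    """Instrumented execution: every CALL/JMP/RET edge is checked against the whitelist."""
    mem = [0] * MEM_WORDS
    sp, pc = MEM_WORDS, 0
    trace, syscalls = [], []

    def check(src, dst):
        if (src, dst) not in whitelist:
            raise CFIViolation((src, dst))

    try:
        while 0 <= pc < len(program):
            op, *args = program[pc]
            trace.append((pc, program[pc], sp))  # the record that later explains the compromise
            if op == "HALT":
                break
            elif op == "CALL":
                sp -= 1
                mem[sp] = pc + 1  # push the return address
                check(pc, args[0])
                pc = args[0]
            elif op == "RET":
                target = mem[sp]  # pop whatever is stored there now, corrupted or not
                sp += 1
                check(pc, target)
                pc = target
            elif op == "JMP":
                check(pc, args[0])
                pc = args[0]
            elif op == "ALLOC":
                sp -= args[0]
                pc += 1
            elif op == "FREE":
                sp += args[0]
                pc += 1
            elif op == "READ":
                # The bug: copies every input word starting at sp, running past
                # the buffer into the saved return address stored above it.
                for i, word in enumerate(user_input):
                    if sp + i < MEM_WORDS:
                        mem[sp + i] = word
                pc += 1
            elif op == "SYSCALL":
                syscalls.append(args[0])
                pc += 1
            else:
                raise ValueError(f"unknown op {op!r} at pc {pc}")
    except CFIViolation as bad:
        return {"status": "cfi_violation", "edge": bad.args[0], "input": list(user_input),
                "trace": trace, "syscalls": syscalls}
    return {"status": "ok", "input": list(user_input), "trace": trace, "syscalls": syscalls}


if __name__ == "__main__":
    whitelist = build_edge_whitelist(PROGRAM)
    print("whitelisted edges:", sorted(whitelist))
    for name, data in (("benign", BENIGN_INPUT), ("exploit", EXPLOIT_INPUT)):
        report = run(PROGRAM, data, whitelist)
        print(f"{name}: {report['status']}", report.get("edge", ""))
        for step in report["trace"]:
            print("   ", step)
```

The whitelist for the constructed program is just two edges, (0, 3) for the call and (6, 1) for the only legal return. The exploit input makes the RET at pc 6 try the edge (6, 7), which is refused before the dead-code SYSCALL ever runs, and the returned trace shows the READ at pc 4 with sp 27 that wrote into the return slot at word 31, which is the "exact sequence of data & instructions" the post asks for. Two caveats a real build would hit: the return-site sets here are per function, not per call site (a shadow stack would be tighter), and indirect jumps through data the static pass cannot resolve would need the target set widened, which is where real CFI schemes start to leak.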

~~~
munin
This is control flow integrity; it's in Windows 10 now as a technology called
"Control Flow Guard".

~~~
NickHaflinger
"Bypass control flow guard" :)

https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf

~~~
nickpsecurity
Doesn't surprise me. There have been few breaks in prior SFI/CFIs. That's why
I'm not relying on CPI until strong peer review happens. There's added risk,
since the CFI concept is really a cheat to try to avoid full data or memory
safety. They think they'll get security and great performance with the cheat.
They usually get the performance. ;)

