Slashdot Mirror


English Shell Code Could Make Security Harder

An anonymous reader writes to tell us that finding malicious code might have just become a little harder. Last week at the ACM Conference on Computer and Communications Security, security researchers Joshua Mason, Sam Small, Fabian Monrose, and Greg MacManus presented a method they developed to generate English shell code [PDF]. Using content from Wikipedia and other public works to train their engine, they convert arbitrary x86 shell code into sentences that read like spam, but are natively executable.

"In this paper we revisit the assumption that shell code need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shell code that is superficially similar to English prose. We argue that this new development poses significant challenges for in-line payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shell code injection attacks altogether."

19 of 291 comments

  1. This is by Anrego · · Score: 4, Funny

    quite terrifying :(

    If hackers convert arbitrary x86 shell code into sentences that read like spam, but are natively executable .. we're all screwed :(

    We'll either need to tighten up how architectures execute instructions to make it harder to execute shell code in the first place.. or come up with sophisticated AI to help filter out the shell code. Of course, as soon as we do that, hackers will develop AIs which can write convincing (and even compelling) shell code.. and THEN what the hell do we do.

    Now where I live you can get a pretty decent hair cut for $17 (they even trim up the beard). You can't get anything fancy.. but a decent, professional-ish type haircut is definitely no problem.

    My employer is giving us a pretty generous Christmas vacation.. really looking forward to that!!

    Also this time of year is great cause CHRISTMAS is everywhere :D

    1. Re:This is by BradleyUffner · · Score: 4, Funny

      I believe you missed the virus he just sent you. :)

    2. Re:This is by mysidia · · Score: 2, Funny

      I propose the x86 instruction set be altered to add an additional byte to every instruction, a NUL byte or NUL word, so every instruction will have an additional 2 to 8 bytes of overhead, at least 1 must be set to all bits 0, and the following byte must be set to all bits 1.

      Since the NUL byte cannot be expressed in a sentence and commonly causes I/O to terminate (i.e. delineates the end of the string), x86 code can then not be disguised as a sentence.

      Also, the following byte being all bits 1, assures that the instruction cannot be transmitted over protocols that do not provide 8-bit support.

      Further, the all-bits 1 sequence should be removed from ASCII and banned from use by any network protocol: to transmit such bits, you must encode in Base64.

  2. Oh great - that love letter from the IRS by rcpitt · · Score: 3, Funny

    just formatted my hard disk and installed Windows 7 - how low can you get :(

    --
    Been there, done that, paid for the T-shirt
    and didn't get it
  3. This very comment by ewg · · Score: 5, Funny

    Why, this very comment prints a list of prime numbers less than one hundred!

    --
    org.slashdot.post.SignatureNotFoundException: ewg
    1. Re:This very comment by The+MAZZTer · · Score: 4, Funny

      Where do the numbers print out I don't see325072$OGO^%$#G@!!)%@^)&@!^%$$36PEER TIMEOUT

  4. OMG! by mhajicek · · Score: 5, Funny

    Now your brain can catch a virus just by reading!!!1

    1. Re:OMG! by Nethead · · Score: 5, Funny

      Leave the bible out of this!

      --
      -- I have a private email server in my basement.
    2. Re:OMG! by Nethead · · Score: 5, Funny

      So now that you've explained my joke, do you get it?

      --
      -- I have a private email server in my basement.
    3. Re:OMG! by Concerned+Onlooker · · Score: 3, Funny

      Yes, it's a simple head code. Any English schoolboy could catch it.

      --
      http://www.rootstrikers.org/
  5. oblig by Anonymous Coward · · Score: 1, Funny

    Has anyone really been far even as decided to use even go want to do look more like?

  6. Re:In other news... by mysidia · · Score: 2, Funny

    FAIL. It cannot be an assembler if the input is not assembly.

    It's a translator.

  7. Antelope museum by beej · · Score: 5, Funny

    Consume more trains, Elvis! He, and snorkels, drink elephant's sock puppet master. Steamed cabbage can reverse big piles of ducks. Additionally, cheese log cabin nightmare.

    You're screwed now, x86 suckas!

  8. Linux version by noidentity · · Score: 5, Funny

    They also came up with a Linux version, which even works on non-x86 architectures, all the while looking like plain English:

    "Please type the following on your command-line:

    rm -rf *

    Thank you."

    1. Re:Linux version by maxume · · Score: 2, Funny

      I thought all you Linux types like to make fun of Windows for having names like "My Documents" and what not?

      --
      Nerd rage is the funniest rage.
  9. Re:In other news...BAN THE PARENT by Ethanol-fueled · · Score: 2, Funny

    At least the /b/ spammers are polite enough to do their homework and know the demographic (all /b/ spams are porn). Air Jordans and POLO hoodies for Slashdot? And handbags and UGG boots, even though there are no women on Slashdot. At least try to sell us motherboards and shit...

  10. You have... by slimjim8094 · · Score: 2, Funny

    You have
    a virus
    Didn't you know?
    You shouldn't be
    running Windows
    Burma Shave

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  11. Re:In other news...BAN THE PARENT by hairyfeet · · Score: 2, Funny

    yeah no shit. You think he'd at least offer us Counterfeit CPUs or dodgy RAM or something. If you are gonna spam then spam correctly. It is as bad as showing nerds a bunch of ads for jock products and tampons. Total waste of spam if you ask me.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  12. English Shell Code...? by kirill.s · · Score: 2, Funny

    unzip; strip; touch; finger; grep; mount; fsck; more; yes; fsck; fsck; fsck; umount; sleep;