A Heuristic Search for Identifying Required Application Libraries Supporting a Run-Time Security Policy
Authors: R Kelly Rainer Jr PhD, Thomas E Marshall PhD, Kenneth J Knapp PhD, Gina H Montgomery PhD
Affiliation: 1. Department of Management, College of Business, Auburn University, Auburn, AL, USA; 2. Air Force Academy, Colorado Springs, CO, USA; 3. College of Business, Auburn University, Auburn, AL, USA
Abstract: On a Windows platform, it is possible to inject a DLL into a running process, creating a new thread of execution within an authorized process. Security tools that monitor or examine DLLs loaded into the memory space of a given process rely on policies to determine the validity of the library. Two approaches to the policy specification include “all or nothing” and “per executable” rules, also referred to as a run-time security policy. Developing the run-time policy requires running every executable for a period of time to train the system. An alternative to the training method of the run-time approach is to determine ahead of time which DLLs should be loaded before execution. A tool called LibMon was developed to monitor the loading of libraries by running applications. A heuristic search algorithm was created based on the analysis of the data collected with LibMon.
Keywords: heuristic search, security policy, run-time, DLL injection