English Shell Code Could Make Security Harder

An anonymous reader writes to tell us that finding malicious code might have just become a little harder. Last week at the ACM Conference on Computer and Communications Security, security researchers Joshua Mason, Sam Small, Fabian Monrose, and Greg MacManus presented a method they developed to generate English shell code [PDF]. Using content from Wikipedia and other public works to train their engine, they convert arbitrary x86 shell code into sentences that read like spam, but are natively executable. "In this paper we revisit the assumption that shell code need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shell code that is superficially similar to English prose. We argue that this new development poses significant challenges for in-line payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shell code injection attacks altogether."

This is

[Anrego]

quite terrifying :(

If hackers convert arbitrary x86 shell code into sentences that read like spam, but are natively executable .. we're all screwed :(

We'll either need to tighten up how architectures execute instructions to make it harder to execute shell code in the first place.. or come up with sophisticated AI to help filter out the shell code. Of course, as soon as we do that, hackers will develop AIs which can write convincing (and even compelling) shell code.. and THEN what the hell do we do.

Now where I live you can get a pretty decent hair cut for $17 (they even trim up the beard). You can't get anything fancy.. but a decent, professional-ish type haircut is definitely no problem.

My employer is giving us a pretty generous Christmas vacation.. really looking forward to that!!

Also this time of year is great cause CHRISTMAS is everywhere :D

Oh great - that love letter from the IRS

[rcpitt]

just formatted my hard disk and installed Windows 7 - how low can you get :(

Re:This is

[BradleyUffner]

I beleive you missed the virus he just sent you. :)

This very comment

[ewg]

Why, this very comment prints a list of prime numbers less than one hundred!

OMG!

[mhajicek]

Now your brain can catch a virus just by reading!!!1

Re:OMG!

[Nethead]

Leave the bible out of this!

Re:This very comment

[The MAZZTer]

Where do the numbers print out I don't see325072$OGO^%$#G@!!)%@^)&@!^%$$36PEER TIMEOUT

oblig

[Anonymous Coward]

Has anyone really been far even as decided to use even go want to do look more like?

Re:In other news...

[mysidia]

FAIL. It cannot be an assembler if the input is not assembly.

It's a translator.

Re:This is

[mysidia]

I propose the x86 instruction set be altered to add an additional byte to every instruction, a NUL byte or NUL word, so every instruction will have an additional 2 to 8 bytes of overhead, at least 1 must be set to all bits 0, and the following byte must be set to all bits 1.

Since the NUL byte cannot be expressed in a sentence and commonly causes I/O to terminate (i.e. delineates the end of the string), x86 code can then not be disguised as a sentence.

Also, the following byte being all bits 1, assures that the instruction cannot be transmitted over protocols that do not provide 8-bit support.

Further, the all-bits 1 sequence should be removed from ASCII and banned from use by any network protocol: to transmit such bits, you must encode in Base64.

Antelope museum

[beej]

Consume more trains, Elvis! He, and snorkels, drink elephant's sock puppet master. Steamed cabbage can reverse big piles of ducks. Additionally, cheese log cabin nightmare.

You're screwed now, x86 suckas!

Re:OMG!

[Nethead]

So now that you've explained my joke, do you get it?

Linux version

[noidentity]

They also came up with a Linux version, which even works on non-x86 architectures, all the while looking like plain English:

"Please type the following on your command-line:

rm -rf *

Thank you."

Re:In other news...BAN THE PARENT

[Ethanol-fueled]

At least the /b/ spammers are polite enough to do their homework and know the demographic (all /b/ spams are porn). Air Jordans and POLO hoodies for Slashdot? And handbags and UGG boots, even though there are no women on Slashdot. At least try to sell us motherboards and shit...

You have...

[slimjim8094]

You have
a virus
Didn't you know?
You shouldn't be
running Windows
Burma Shave

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:OMG!

[Concerned Onlooker]

Yes, its' a simple head code. Any English schoolboy could catch it.

English Shell Code...?

[kirill.s]

unzip; strip; touch; finger; grep; mount; fsck; more; yes; fsck; fsck; fsck; umount; sleep;

Re:Linux version

[maxume]

I thought all you Linux types like to make fun of Windows for having names like "My Documents" and what not?