Abstract
DLL Search Order Hijacking (also known as DLL Hijacking or DLL planting) is a problem that is generally overlooked by software developers even though its existence has been known for over a decade. While Microsoft has designed and implemented mitigations to reduce the feasibility and the impact of DLL Search Order Hijacking, the issue deserves renewed attention because of the recent adoption of user-writable directories as potential, and sometimes default, software installation paths (in lieu of directories like “Program Files”, which require administrative privileges by default) in order to improve installation success rates. We conducted a study on 48 different software programs (the top software on SourceForge across 4 different categories and the 4 major web browsers) and found that more than 88% of them were vulnerable to some form of DLL Search Order Hijacking. To alleviate this issue, we propose SLAHP, a novel way of preventing DLL Search Order Hijacking exploitation, in the form of a proof-of-concept implementation that is easy for software developers and users to integrate with new and existing products. It is invisible to end users while still allowing the use of previously insecure installation locations. To further demonstrate the usability of our solution, we conducted performance tests and found that its impact is mostly negligible.
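An added example, not from the paper or the SLAHP implementation: a small Python model of the Windows default DLL search order that audits, for a constructed application installed under a user-writable directory, where each import would be resolved from and whether a standard user could replace it. The directory layout, import list, writable-directory set and the hypothetical `FooApp` are constructed assumptions.

```python
# Added example (not the paper's code): a model of the Windows default DLL search
# order (SafeDllSearchMode enabled) used to audit where an application's imports
# would be resolved from and whether that location is writable by a standard user.
# All paths, files and import lists below are constructed sample data.
from dataclasses import dataclass, field

SYSTEM32 = r"C:\Windows\System32"

def search_order(app_dir, cwd, path_dirs):
    """Order the loader walks for DLLs that are not KnownDLLs."""
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd] + list(path_dirs)

@dataclass
class Host:
    files: set                               # lower-cased full paths that exist
    writable_dirs: set                       # directories a standard user can write to
    known_dlls: set = field(default_factory=set)  # always mapped from System32

def resolve(dll, host, order):
    """Return the path the loader would pick for dll, or None if it is absent."""
    if dll.lower() in host.known_dlls:       # KnownDLLs bypass the search order
        return SYSTEM32 + "\\" + dll
    for directory in order:
        candidate = directory + "\\" + dll
        if candidate.lower() in host.files:
            return candidate
    return None

def audit(app_dir, imports, host, cwd, path_dirs):
    """Map each import to (resolved path, risk): 'hijackable' when the winning
    location is user-writable, 'missing' when no copy exists anywhere."""
    writable = {d.lower() for d in host.writable_dirs}
    report = {}
    for dll in imports:
        path = resolve(dll, host, search_order(app_dir, cwd, path_dirs))
        if path is None:
            risk = "missing"
        else:
            risk = "hijackable" if path.rsplit("\\", 1)[0].lower() in writable else "ok"
        report[dll] = (path, risk)
    return report

def demo():
    """Constructed case: FooApp installed under the user's profile (user-writable)."""
    app = r"C:\Users\alice\AppData\Local\FooApp"
    host = Host(
        files={p.lower() for p in [app + r"\foo.exe", app + r"\libfoo.dll",
                                    SYSTEM32 + r"\version.dll", SYSTEM32 + r"\kernel32.dll"]},
        writable_dirs={app, r"C:\Users\alice"},
        known_dlls={"kernel32.dll"},
    )
    return audit(app, ["kernel32.dll", "version.dll", "libfoo.dll", "bar.dll"],
                 host, cwd=r"C:\Users\alice", path_dirs=[SYSTEM32])
```

Running `demo()` shows the paper's point: a library shipped in the user-writable install directory (`libfoo.dll`) wins the search and is replaceable by a standard user, while a KnownDLL is not.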
Acknowledgments
This work was partially supported by the European research projects H2020 CyberSec4Europe (GA 830929), LeaDS (GA 956562), Horizon Europe DUCA (GA 101086308), and CNRS EU-CHECK.
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Verdier, A., Laborde, R., Kandi, M.A., Benzekri, A. (2024). A SLAHP in the Face of DLL Search Order Hijacking. In: Wang, G., Wang, H., Min, G., Georgalas, N., Meng, W. (eds) Ubiquitous Security. UbiSec 2023. Communications in Computer and Information Science, vol 2034. Springer, Singapore. https://doi.org/10.1007/978-981-97-1274-8_12
DOI: https://doi.org/10.1007/978-981-97-1274-8_12
Publisher Name: Springer, Singapore
Print ISBN: 978-981-97-1273-1
Online ISBN: 978-981-97-1274-8
eBook Packages: Computer Science, Computer Science (R0)