
A SLAHP in the Face of DLL Search Order Hijacking

  • Conference paper
  • Ubiquitous Security (UbiSec 2023)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 2034)

Abstract

DLL Search Order Hijacking (also known as DLL Hijacking or DLL planting) is a problem that is generally overlooked by software developers even though its existence has been known for over a decade. While Microsoft has designed and implemented mitigations to reduce the feasibility and the impact of DLL Search Order Hijacking, this issue is worth being brought back up due to the recent adoption of user-writable directories as potential, and sometimes default, software installation paths (in lieu of directories like “Program Files”, which require administration privileges by default) in order to improve installation success rates. We conducted a study on 48 different software programs (top software on SourceForge across 4 different categories, plus the 4 major web browsers) and found that more than 88% of them were vulnerable to some form of DLL Search Order Hijacking. To alleviate this issue, we propose SLAHP, a novel way of preventing DLL Search Order Hijacking exploitation in the form of a proof-of-concept implementation that is easy for both software developers and users to integrate with new and existing products. It is invisible to end users while still allowing the usage of previously insecure installation locations. To further demonstrate the usability of our solution, we conducted performance tests and found that its impact is mostly negligible.
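The abstract's core point, that a user-writable installation directory is searched before the system directories, can be checked with a small model of the default Windows DLL search order. The following is an added audit example, not code from the paper or the SLAHP project; it assumes an in-memory file system keyed by search stage, a hand-picked KnownDLLs set, and ignores manifests, redirection, already-loaded modules and LoadLibraryEx search flags.

```python
# Default search order with SafeDllSearchMode enabled (assumption: no
# LOAD_LIBRARY_SEARCH_* flags, no manifest or redirection in play).
SEARCH_ORDER = ("app_dir", "system32", "system16", "windows", "cwd", "path")
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll"}  # served from \KnownDlls, never searched


def resolve(dll, fs, order=SEARCH_ORDER):
    """Return the search stage the loader would take `dll` from, or None."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return "known_dlls"
    for stage in order:
        if name in {f.lower() for f in fs.get(stage, ())}:
            return stage
    return None


def audit(imports, fs, writable):
    """Report imports a standard (non-admin) user could influence.

    `writable` is the set of stages such a user can write to: {"app_dir"}
    for an install under a per-user directory, set() for Program Files.
    Finding kinds: loaded-from-writable (the DLL itself sits in a writable
    directory), writable-probed-first (a writable directory is searched
    before the one really holding the DLL), missing (no directory holds it).
    """
    findings = []
    for dll in imports:
        stage = resolve(dll, fs)
        if stage == "known_dlls":
            continue
        cut = len(SEARCH_ORDER) if stage is None else SEARCH_ORDER.index(stage)
        exposed = [s for s in SEARCH_ORDER[:cut] if s in writable]
        if stage in writable:
            findings.append((dll, "loaded-from-writable", stage))
        elif stage is None and exposed:
            findings.append((dll, "missing", exposed))
        elif exposed:
            findings.append((dll, "writable-probed-first", exposed))
    return findings


# Constructed sample: a program whose installer offered a per-user directory.
SAMPLE_FS = {"app_dir": ["app.exe", "helper.dll"],
             "system32": ["kernel32.dll", "ntdll.dll", "version.dll"]}
SAMPLE_IMPORTS = ["kernel32.dll", "version.dll", "helper.dll", "plugin.dll"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_IMPORTS, SAMPLE_FS, writable={"app_dir"}):
        print(finding)
```

Running the same imports with `writable=set()` (a Program Files install) yields no findings, which is exactly the difference the abstract describes between the two installation choices.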


Notes

  1. https://github.com/lacaulac/SLAHP
  2. https://youtu.be/sb-lZN37tCg


Acknowledgments

This work was partially supported by the European research projects H2020 CyberSec4Europe (GA 830929), LeaDS (GA 956562), Horizon Europe DUCA (GA 101086308), and CNRS EU-CHECK.

Author information

Corresponding author: Antonin Verdier


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Verdier, A., Laborde, R., Kandi, M.A., Benzekri, A. (2024). A SLAHP in the Face of DLL Search Order Hijacking. In: Wang, G., Wang, H., Min, G., Georgalas, N., Meng, W. (eds) Ubiquitous Security. UbiSec 2023. Communications in Computer and Information Science, vol 2034. Springer, Singapore. https://doi.org/10.1007/978-981-97-1274-8_12

  • DOI: https://doi.org/10.1007/978-981-97-1274-8_12
  • Publisher Name: Springer, Singapore
  • Print ISBN: 978-981-97-1273-1
  • Online ISBN: 978-981-97-1274-8
  • eBook Packages: Computer Science (R0)
