A SLAHP in the face of DLL Search Order Hijacking - Service IntEgration and netwoRk Administration
Conference Papers, Year: 2023

A SLAHP in the face of DLL Search Order Hijacking

Abstract

DLL Search Order Hijacking (also known as DLL Hijacking or DLL planting) is a problem that software developers generally overlook, even though it has been known for over a decade. While Microsoft has designed and implemented mitigations to reduce the feasibility and the impact of DLL Search Order Hijacking, the issue is worth revisiting because user-writable directories have recently been adopted as potential, and sometimes default, software installation paths (in lieu of directories like "Program Files", which require administrative privileges by default) in order to improve installation success rates. We conducted a study on 48 different software programs (the top software on SourceForge across 4 different categories and the 4 major web browsers) and found that more than 88% of them were vulnerable to some form of DLL Search Order Hijacking. To alleviate this issue, we propose SLAHP, a novel way of preventing DLL Search Order Hijacking exploitation, in the form of a proof-of-concept implementation that software developers and users can easily integrate with both new and existing products. It is invisible to end users while still allowing the use of previously insecure installation locations. To further demonstrate the usability of our solution, we conducted performance tests and found that its impact is mostly negligible.
Origin: Files produced by the author(s)

Dates and versions

hal-04278110, version 1 (19-03-2024)

Cite

Antonin Verdier, Romain Laborde, Mohamed Ali Kandi, Abdelmalek Benzekri. A SLAHP in the face of DLL Search Order Hijacking. 3rd International Conference on Ubiquitous Security (UbiSec 2023), Nov 2023, Exeter, United Kingdom. pp. 177-190, ⟨10.1007/978-981-97-1274-8_12⟩. ⟨hal-04278110⟩