Article
Peer-Review Record

Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data Stream

Electronics 2022, 11(20), 3363; https://doi.org/10.3390/electronics11203363
by Gang Yang *, Xingtong Liu and Chaojing Tang
Reviewer 1: Anonymous
Reviewer 2:
Submission received: 15 September 2022 / Revised: 15 October 2022 / Accepted: 16 October 2022 / Published: 18 October 2022
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

Round 1

Reviewer 1 Report

The paper develops Horus, a real-time framework that enables effective and reliable detection of code-reuse exploits hidden in data streams. The topic of the work is certainly of interest, and the amount of work done and the information provided define the work's contributions.

The structure of the article is well done. The authors explained the contributions made in the paper very well, as well as the structure of other sections.

Conclusion and future work are promising. 

Author Response

We would like to thank the reviewer for the comment. We have done some checks and improved the English language.

Reviewer 2 Report

Lines 25 – 27:

“Although various protection mechanisms have been proposed, such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) make it more difficult to exploit vulnerabilities, they can still be bypassed by carefully-crafted code-reuse attacks.”

Suggest revising to the following:

“Although various protection mechanisms such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) make it more difficult to exploit vulnerabilities, they can still be bypassed by carefully-crafted code-reuse attacks.”


Lines 63-65:

“Second, massive static detection systems solely provide detection results without necessary explanations, especially the black-box property of learning-based method, cause an interpretable and readable problem, which hinders the further analysis on located suspicious bytes.”

Suggest revising to the following:

“Second, massive static detection systems solely provide detection results without necessary explanations, especially the black-box property of learning-based method. This approach causes an interpretable and readable problem, which hinders the further analysis on located suspicious bytes.”


Line 66:  Change “Besides” to “Third”


Lines 74-75:  Change “And an interpreter” to “In addition, an interpreter”


Lines 120-121: Change “ASLR (Address space layout randomization)” to “ASLR (Address Space Layout Randomization)”


Line 263: “which hinders the piratical application of dynamic methods”

“piratical” means piracy – is this what the authors intended?


Line 302:  Change “we regard the const parameters as noises” to “we regard the const parameters as noise”


Lines 331-332: “the sizes of over windows 90% DLLs is smaller than 1MB, while the sizes of over Linux 90%” – not sure what this means.


Figure 4:  Blocks labeled “Offect” should be labeled “Offset”

Author Response

We would like to thank you for the valuable feedback. We have improved the sentences and corrected some typos according to the suggestions.

Comment: Lines 25 – 27: “Although various protection mechanisms have been proposed, such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) make it more difficult to exploit vulnerabilities, they can still be bypassed by carefully-crafted code-reuse attacks.”

Suggest revising to the following: “Although various protection mechanisms such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) make it more difficult to exploit vulnerabilities, they can still be bypassed by carefully-crafted code-reuse attacks.”.

Answer: We would like to thank the reviewer for the comment. We have improved the sentence according to the suggestion.


Comment: Lines 63-65: “Second, massive static detection systems solely provide detection results without necessary explanations, especially the black-box property of learning-based method, cause an interpretable and readable problem, which hinders the further analysis on located suspicious bytes.”

Suggest revising to the following: “Second, massive static detection systems solely provide detection results without necessary explanations, especially the black-box property of learning-based method. This approach causes an interpretable and readable problem, which hinders the further analysis on located suspicious bytes.”

Answer: We completely agree with the reviewer. We have revised the sentence according to the suggestion.


Comment: Line 66: Change “Besides” to “Third”.

Answer: We would like to thank the reviewer for the comment. We have improved the wording according to the suggestion.


Comment: Lines 74-75: Change “And an interpreter” to “In addition, an interpreter”.

Answer: We agree with the comment. We have made the change according to the suggestion.


Comment: Lines 120-121: Change “ASLR (Address space layout randomization)” to “ASLR (Address Space Layout Randomization)”.

Answer: We would like to thank the reviewer for the comment. We have replaced the corresponding lowercase letters with uppercase letters.


Comment: Line 263: “which hinders the piratical application of dynamic methods”

“piratical” means piracy – is this what the authors intended?

Answer: We would like to thank the reviewer for the careful review. “piratical” is a typo, and we have changed it to the correct form “practical”.


Comment: Line 302: Change “we regard the const parameters as noises” to “we regard the const parameters as noise”.

Answer: We agree with the comment. We have made the change according to the suggestion.


Comment: Lines 331-332: “the sizes of over windows 90% DLLs is smaller than 1MB, while the sizes of over Linux 90%” – not sure what this means.

Answer: We would like to thank the reviewer for pointing out this problem. We have revised the sentence to “over 90% of dynamic library files on Window or Linux platform are less than 1 MB or 128 KB in size, respectively”.


Comment: Figure 4:  Blocks labeled “Offect” should be labeled “Offset”.

Answer: We would like to thank the reviewer for the careful review. We have made the corresponding change in the graph according to the suggestion.
