Master of Science (MS)
executable hash functions tamper detection
A checksum (i.e., a cryptographic hash) of a file can be used as an integrity check: if an attacker tries to change the code in an executable file, the checksum can be used to detect the tampering. While it is easy to compute a checksum for any static file, it is possible for an attacker to tamper with an executable file as it is being loaded into memory, or after it has been loaded. Therefore, it would be more useful to checksum an executable file dynamically, only after the file has been loaded into memory. However, checksumming dynamic code is much more challenging than dealing with static code – the code can be loaded into different locations in memory, and parts of the code will change depending on where the code resides in memory (addresses, labels, etc.).
Windows Vista and later versions of Windows include a new technology known as Address Space Layout Randomization (ASLR). ASLR, which serves as a defense against buffer overflow attacks, causes the executable file to be loaded at a randomly selected location in memory. The goal of this project is to develop a robust and efficient technique for computing the cryptographic hash of a dynamic executable in the presence of ASLR.
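The problem described above can be shown on a toy image. This is an added example, not code from the project, and it illustrates one possible approach (undoing the loader's address fix-ups before hashing), which the abstract does not state is the project's method. The image bytes, relocation offsets, preferred base and load addresses are all constructed for the illustration.

```python
import hashlib
import struct

PREFERRED_BASE = 0x00400000  # constructed preferred image base (assumption)

def build_image():
    """Constructed 32-byte 'code section' holding two absolute 32-bit addresses."""
    code = bytearray(b"\x90" * 32)
    relocs = [4, 20]  # offsets of the address fields (toy relocation table)
    struct.pack_into("<I", code, 4, PREFERRED_BASE + 0x1000)
    struct.pack_into("<I", code, 20, PREFERRED_BASE + 0x2040)
    return bytes(code), relocs

def rebase(mem, relocs, delta):
    """Add delta (mod 2^32) to every relocated address field, on a copy."""
    out = bytearray(mem)
    for off in relocs:
        (value,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, (value + delta) & 0xFFFFFFFF)
    return out

def load(image, relocs, base):
    """Simulate the loader placing the image at a randomized base."""
    return rebase(image, relocs, base - PREFERRED_BASE)

def naive_hash(mem):
    """Hash the in-memory bytes as they are; depends on the load address."""
    return hashlib.sha256(bytes(mem)).hexdigest()

def normalized_hash(mem, relocs, base):
    """Undo the rebasing first, so the digest is independent of the base."""
    return naive_hash(rebase(mem, relocs, PREFERRED_BASE - base))

def demo():
    image, relocs = build_image()
    reference = hashlib.sha256(image).hexdigest()  # hash of the static file
    base_a, base_b = 0x00A30000, 0x6F210000        # constructed ASLR bases
    a, b = load(image, relocs, base_a), load(image, relocs, base_b)
    tampered = bytearray(b)
    tampered[10] = 0xCC                            # one patched code byte
    return {
        "naive_match": naive_hash(a) == naive_hash(b),
        "a_ok": normalized_hash(a, relocs, base_a) == reference,
        "b_ok": normalized_hash(b, relocs, base_b) == reference,
        "tamper_detected": normalized_hash(tampered, relocs, base_b) != reference,
    }

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the relocation list and reference digest it uses, so both need to come from a source the attacker cannot modify.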
Sharma, Ashish, "Dynamic Code Checksum Generator" (2011). Master's Projects. 181.