Operating system interface obfuscation and the revealing of hidden operations

Authors: Abhinav Srivastava, Andrea Lanzi, Jonathon Giffin, Davide Balzarotti

DOI: 10.1007/978-3-642-22424-9_13

Keywords: Kernel (statistics), System call, Rootkit, Malware, Software security assurance, Intrusion detection system, Virtual machine, Operating system, Hypervisor, Computer science

Abstract: Many software security solutions--including malware analyzers, information flow tracking systems, auditing utilities, and host-based intrusion detectors--rely on knowledge of standard system call interfaces to reason about process execution behavior. In this work, we show how a rootkit can obfuscate a commodity kernel's system call interfaces to degrade the effectiveness of these tools. Our attack, called Illusion, allows user-level malware to invoke privileged kernel operations without requiring the malware to call the actual system calls corresponding to those operations. The Illusion interface hides system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion alters neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory. We then consider the problem of Illusion attacks and augment system call data with kernel-level execution information to expose the hidden kernel operations. We present a Xen-based monitoring system, Sherlock, that adds watchpoints to the stream of system call invocations. Sherlock automatically adapts its sensitivity based on security requirements to remain performant on desktop systems: in normal execution, it adds 1% to 10% overhead to a variety of workloads.
