Defeating Dynamic Data Kernel Rootkit Attacks via VMM-Based Guest-Transparent Monitoring

Authors: Junghwan Rhee, Ryan Riley, Dongyan Xu, Xuxian Jiang

DOI: 10.1109/ARES.2009.116

Keywords:

Abstract: Targeting the operating system kernel, the core of trust in a system, kernel rootkits are able to compromise the entire system, placing it under malicious control while eluding detection efforts. Within the realm of kernel rootkits, dynamic data rootkits are particularly elusive because they attack only data targets. Dynamic data rootkits avoid code injection and instead use existing kernel code to manipulate kernel data. Because they do not execute any new code, they complete their attacks without violating kernel code integrity. We propose a prevention solution that blocks dynamic data kernel rootkit attacks by monitoring kernel memory access using virtual machine monitor (VMM) policies. Although the VMM is an external monitor, our solution preemptively detects changes to the monitored kernel data states and enables fine-grained inspection of memory accesses on dynamically changing kernel data. In addition, readable and writable kernel data can be protected by exposing illegal memory accesses by kernel rootkits. We have implemented a prototype in the QEMU VMM. Our experiments show that it successfully defeats synthesized dynamic data kernel rootkit attacks in real time, demonstrating its effectiveness and practicality.
