
2016 | OriginalPaper | Chapter

Subverting Operating System Properties Through Evolutionary DKOM Attacks

Authors: Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing


Abstract

Modern rootkits have shifted their focus to the exploitation of dynamic memory structures, which allows them to tamper with the behavior of the system without modifying or injecting any additional code.
In this paper we discuss a new class of Direct Kernel Object Manipulation (DKOM) attacks that we call Evolutionary DKOM (E-DKOM). The goal of this attack is to alter the way some data structures “evolve” over time. As a case study, we designed and implemented an instance of an Evolutionary DKOM attack that targets the OS scheduler for both userspace programs and kernel threads. Moreover, we discuss the implementation of a hypervisor-based data protection system that mimics the behavior of an OS component (in our case the scheduling system) and detects any unauthorized modification. We finally discuss the challenges related to the design of a general detection system for this class of attacks.


Metadata

Title: Subverting Operating System Properties Through Evolutionary DKOM Attacks
Authors: Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti
Copyright Year: 2016
DOI: https://doi.org/10.1007/978-3-319-40667-1_1