ABSTRACT
Increasing demands for reliability and dependability clash with the reality of escalating security compromises and vulnerability discoveries. Advances in attack methodologies such as polymorphic viruses, tampering with source code repositories, and automation of distributed strikes far outstrip the untimely detection and manual recovery practices used today. We present a run-time method to automate recovery from kernel-level system compromises. It is capable of returning modified system call table addresses to their original values, terminating hidden processes, removing hidden files, and blocking attacker traffic to hidden connections. Self-healing mechanisms such as this can be employed to create more reliable intrusion-tolerant operating systems and applications. A working prototype has been implemented as a loadable kernel module on Linux, and can readily be extended to other operating systems.
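The first recovery action the abstract names, returning modified system call table addresses to their original values, rests on a trusted snapshot of the table taken before any untrusted code can load. The following is an added illustration written for this page, not the paper's prototype: a user-space C model of that snapshot, integrity check and repair cycle over a constructed table, using hypothetical names (`sct_guard`, `NR_SYSCALLS`) and constructed addresses rather than any real kernel layout.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the kernel system call table: handler addresses indexed
 * by syscall number (a real table holds function pointers; integers keep it portable). */
#define NR_SYSCALLS 8

typedef struct {
    uint64_t baseline[NR_SYSCALLS]; /* trusted snapshot taken at module load */
    int snapshot_taken;
} sct_guard;

/* Record the trusted snapshot; must run before untrusted code can load. */
void sct_guard_snapshot(sct_guard *g, const uint64_t *table) {
    memcpy(g->baseline, table, sizeof g->baseline);
    g->snapshot_taken = 1;
}

/* Count entries that differ from the snapshot; optionally list their syscall numbers. */
int sct_guard_check(const sct_guard *g, const uint64_t *table, int *changed) {
    int n = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (table[i] != g->baseline[i]) { if (changed) changed[n] = i; n++; }
    return n;
}

/* Restore modified entries; returns the count, or -1 if there is no trusted snapshot
 * (repairing from an untrusted or missing baseline would only entrench the tampering). */
int sct_guard_repair(const sct_guard *g, uint64_t *table) {
    if (!g->snapshot_taken) return -1;
    int repaired = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (table[i] != g->baseline[i]) { table[i] = g->baseline[i]; repaired++; }
    return repaired;
}

/* Self-contained run: snapshot, simulated tampering of two entries, detect, repair.
 * Returns 0 when detection and repair both behave as expected. */
int sct_guard_demo(void) {
    uint64_t table[NR_SYSCALLS];
    for (int i = 0; i < NR_SYSCALLS; i++) table[i] = 0xffffffff81000000ULL + i * 0x100;
    sct_guard g = {{0}, 0};
    sct_guard_snapshot(&g, table);
    table[3] = 0xffffffffc0001000ULL; /* constructed "hook" addresses, not real ones */
    table[5] = 0xffffffffc0002000ULL;
    int changed[NR_SYSCALLS];
    int n = sct_guard_check(&g, table, changed);
    int r = sct_guard_repair(&g, table);
    if (n != 2 || changed[0] != 3 || changed[1] != 5 || r != 2) return -1;
    return sct_guard_check(&g, table, NULL); /* 0 once the table is clean again */
}
```

In a real module the snapshot must itself be protected (for instance, kept off the writable path the rootkit reaches), since a baseline captured after compromise would faithfully "restore" the attacker's addresses.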
Index Terms
- Self-healing mechanisms for kernel system compromises