2016 | Original Paper | Book Chapter

Subverting Operating System Properties Through Evolutionary DKOM Attacks

Authors: Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing


Abstract

Modern rootkits have shifted their focus to the exploitation of dynamic memory structures, which allows them to tamper with the behavior of the system without modifying or injecting any additional code.
In this paper we discuss a new class of Direct Kernel Object Manipulation (DKOM) attacks that we call Evolutionary DKOM (E-DKOM). The goal of this attack is to alter the way some data structures "evolve" over time. As a case study, we designed and implemented an instance of an Evolutionary DKOM attack that targets the OS scheduler for both userspace programs and kernel threads. Moreover, we discuss the implementation of a hypervisor-based data protection system that mimics the behavior of an OS component (in our case the scheduling system) and detects any unauthorized modification. We finally discuss the challenges related to the design of a general detection system for this class of attacks.
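The detector the abstract describes keeps its own model of the scheduler outside the guest and compares that model with the guest's actual state. The following Python sketch is an added example, not the authors' implementation: it models a CFS-style run queue, replays a constructed event trace, and reports when a task's vruntime changes although that task did not run, which is the "evolution" check that structural invariants alone cannot provide (the shadow model, the event format and the tick constants are assumptions).

```python
"""Shadow-scheduler monitor (added example, not the paper's code): a reference
model of a CFS-style run queue replays the guest's scheduling events and flags
run-queue states that the scheduler's own logic could not have produced."""
from dataclasses import dataclass


@dataclass
class Task:
    pid: int
    weight: int        # nice-derived share; 1024 is the default weight in CFS
    vruntime: int = 0  # virtual runtime, advanced only while the task runs


class ShadowRunQueue:
    """Reference model the monitor keeps outside the guest (e.g. in a hypervisor)."""

    def __init__(self):
        self.tasks = {}

    def add(self, pid, weight):
        # new tasks start at the current minimum vruntime, as CFS does
        base = min((t.vruntime for t in self.tasks.values()), default=0)
        self.tasks[pid] = Task(pid, weight, base)

    def expected_pick(self):
        # CFS invariant: the runnable task with the smallest vruntime runs next
        return min(self.tasks.values(), key=lambda t: (t.vruntime, t.pid)).pid

    def tick(self, pid, wall_ns):
        # only the task that ran may accumulate vruntime, scaled by its weight
        t = self.tasks[pid]
        t.vruntime += wall_ns * 1024 // t.weight


def monitor(events):
    """Each 'tick' event reports which pid the guest actually ran and a snapshot
    of the guest run queue taken afterwards; return alerts for divergences."""
    rq, alerts = ShadowRunQueue(), []
    for step, ev in enumerate(events):
        if ev["type"] == "add":
            rq.add(ev["pid"], ev["weight"])
            continue
        expected = rq.expected_pick()
        if ev["ran"] != expected:
            alerts.append(f"step {step}: guest ran pid {ev['ran']}, expected {expected}")
        rq.tick(ev["ran"], ev["ns"])  # advance the model by what really happened
        for pid, vr in ev["snapshot"].items():
            if rq.tasks[pid].vruntime != vr:
                alerts.append(f"step {step}: pid {pid} vruntime {vr}, modelled {rq.tasks[pid].vruntime}")
                rq.tasks[pid].vruntime = vr  # resync so one tamper is reported once
    return alerts


def make_trace(tamper=False):
    """Constructed trace: two equal-weight tasks, 4000 ns ticks. With tamper=True
    the third snapshot shows pid 2's vruntime inflated although pid 2 did not
    run: a data-only change that starves it without touching scheduler code."""
    tick = lambda ran, snap: {"type": "tick", "ran": ran, "ns": 4000, "snapshot": snap}
    events = [{"type": "add", "pid": 1, "weight": 1024},
              {"type": "add", "pid": 2, "weight": 1024},
              tick(1, {1: 4000, 2: 0}), tick(2, {1: 4000, 2: 4000}),
              tick(1, {1: 8000, 2: 99999 if tamper else 4000})]
    if tamper:
        # afterwards the guest keeps picking pid 1, which is consistent with the
        # forged data, so only the evolution check above reveals the starvation
        events.append(tick(1, {1: 12000, 2: 99999}))
    return events
```

A real monitor would take the snapshot from guest memory via introspection rather than from the trace, but the comparison logic is the same.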


Metadata
Title
Subverting Operating System Properties Through Evolutionary DKOM Attacks
Authors
Mariano Graziano
Lorenzo Flore
Andrea Lanzi
Davide Balzarotti
Copyright year
2016
DOI
https://doi.org/10.1007/978-3-319-40667-1_1
