Automated detection of persistent kernel control-flow attacks

Petroni, Nick L.; Hicks, Michael

doi:10.1145/1315245.1315260

Cited by 218 publications

(148 citation statements)

References 26 publications

Supporting

Mentioning

144

Contrasting

Unclassified

Order By: Relevance

“…In other words, an attacker could possibly launch a "return-into-libc" style attack or the so-called return-oriented attack [10,16,37] within the kernel by leveraging only the existing authenticated kernel code. Fortunately, solutions exist for protecting control flows [6,15,30,42] and data flow integrity [11] for user-level applications, which could be potentially extended to complement our system for kernel protection. Second, as with existing systems for kernel code integrity, our current implementation does not support self-modifying kernel code.…”

Section: Discussionmentioning

confidence: 99%

“…As running inside a compromised operating system is dangerous, Copilot [28] copies operating system memory onto a PCI card for analysis by a dedicated coprocessor. Further extensions allow it to detect breaches of kernel data semantic integrity [29] and state-based control flow integrity [30]. Strider GhostBuster [40] and VMwatcher [17] aim to look for discrepancies between an internal and external view of a system to detect the hiding behavior from rootkits.…”

Section: Related Workmentioning

confidence: 99%

“…For example, Copilot [28] uses a special PCI card to grab a memory image of the kernel and then scans for any possible manipulation of kernel code or system-critical data structures. The follow-up efforts [29,30] extend it to detect any violation from semantic specifications of static and dynamic kernel data or deviation from the normal kernel control flow graph. However, these systems by design are all based on detecting rootkits after they have already installed themselves in the kernel.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Transparent Protection of Commodity OS Kernels Using Hardware Virtualization

Grace

Wang

Srinivasan

et al. 2010

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Kernel rootkits are among the most insidious threats to computer security today. By employing various code injection techniques, they are able to maintain an omnipotent presence in the compromised OS kernels. Existing preventive countermeasures typically employ virtualization technology as part of their solutions. However, they are still limited in either (1) requiring modifying the OS kernel source code for the protection or (2) leveraging software-based virtualization techniques such as binary translation with a high overhead to implement a Harvard architecture (which is robust to various code injection techniques used by kernel rootkits). In this paper, we introduce hvmHarvard, a hardware virtualization-based Harvard architecture that transparently protects commodity OS kernels from kernel rootkit attacks and significantly reduces the performance overhead. Our evaluation with a Xen-based prototype shows that it can transparently protect legacy OS kernels with rootkit resistance while introducing < 5% performance overhead.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Transparent Protection of Commodity OS Kernels Using Hardware Virtualization

Grace

Wang

Srinivasan

et al. 2010

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

show abstract

“…Virtual machine introspection (VMI). LIVEWIRE [12] demonstrated the concept of VMI and there is a significant amount of works that improve VMI for better practicality, automation, and wider applications such as VMWATCHER [15], SBCFI [28],VIR-TUOSO [13] and VMST [14]. The difference with SIGPATH is that these systems focus on kernel level introspection, whereas SIGPATH focuses on user level data introspection.…”

Section: Related Workmentioning

confidence: 99%

SigPath: A Memory Graph Based Approach for Program Data Introspection and Modification

Urbina

Caballero

et al. 2014

Computer Security - ESORICS 2014

View full text Add to dashboard Cite

Abstract. Examining and modifying data of interest in the memory of a target program is an important capability for security applications such as memory forensics, rootkit detection, game hacking, and virtual machine introspection. In this paper we present a novel memory graph based approach for program data introspection and modification, which does not require source code, debugging symbols, or any API in the target program. It takes as input a sequence of memory snapshots taken while the program executes, and produces a path signature, which can be used in different executions of the program to efficiently locate and traverse the in-memory data structures where the data of interest is stored. We have implemented our approach in a tool called SIGPATH. We have applied SIG-PATH to game hacking, building cheats for 10 popular real-time and turn-based games, and for memory forensics, recovering from snapshots the contacts a user has stored in four IM applications including Skype and Yahoo Messenger.

show abstract

“…A number of malware protection proposals ( [10,16,23,25,31,40]) address the issue by using virtualization, creating a trusted zone from which their monitoring programs can operate and relying on a hypervisor to moderate between the host system and the monitor. These proposals, however, fail to take the inherent resource constraints of embedded control systems into account.…”

Section: The Problem With Virtualizationmentioning

confidence: 99%

Lightweight Intrusion Detection for Resource-Constrained Embedded Control Systems

Reeves

Ramaswamy

Locasto

et al. 2011

Critical Infrastructure Protection V

View full text Add to dashboard Cite

Today's power grid depends on embedded control systems to function properly. Securing these systems presents a unique challenge, since on top of the resource restrictions inherent to embedded devices, SCADA systems must accommodate strict timing requirements that are nonnegotiable, and their massive scale greatly amplifies costs such as power consumption. Together, these constraints make the conventional approach to host intrusion detection-namely, using a hypervisor to create a safe environment from which a monitoring entity can operate-too costly or impractical for embedded control systems in such critical infrastructure.In this paper, we introduce Autoscopy, an experimental host intrusion detection mechanism that operates from within the kernel and leverages its built-in tracing framework to look for control-flow anomalies, which are most often caused by rootkits hijacking kernel hooks. In initial testing on a standard laptop system, our prototype was able to detect a representative selection of control-flow hijacking rootkit techniques while imposing less than 5% performance overhead for the majority of our benchmark tests. We argue that its design and effectiveness make it both feasible for and uniquely suited to intrusion detection for SCADA systems, and are currently porting Autoscopy to actual power hardware to test our hypothesis. Being situated in the kernel, Autoscopy needs some hardware (e.g., memory immutability) or software protection (i.e., kernel hardening) measures in place for its own protection; however, such protective measures would cost less than full-blown reference monitor isolation via hardware virtualization at the core of hypervisor-based proposals.

show abstract

Automated detection of persistent kernel control-flow attacks

Cited by 218 publications

References 26 publications

Transparent Protection of Commodity OS Kernels Using Hardware Virtualization

Transparent Protection of Commodity OS Kernels Using Hardware Virtualization

SigPath: A Memory Graph Based Approach for Program Data Introspection and Modification

Lightweight Intrusion Detection for Resource-Constrained Embedded Control Systems

Contact Info

Product

Resources

About