Subverting Operating System Properties Through Evolutionary DKOM Attacks

Modern rootkits have moved their focus on the exploitation of dynamic memory structures, which allows them to tamper with the behavior of the system without modifying or injecting any additional code.


Eurecom, Biot, France; Università degli Studi di Milano, Milan, Italy; Cisco Systems, Inc., San Jose, CA, USA

Abstract. Modern rootkits have moved their focus to the exploitation of dynamic memory structures, which allows them to tamper with the behavior of the system without modifying or injecting any additional code. In this paper we discuss a new class of Direct Kernel Object Manipulation (DKOM) attacks that we call Evolutionary DKOM (E-DKOM). The goal of this attack is to alter the way some data structures “evolve” over time. As a case study, we designed and implemented an instance of an Evolutionary DKOM attack that targets the OS scheduler for both userspace programs and kernel threads. Moreover, we discuss the implementation of a hypervisor-based data protection system that mimics the behavior of an OS component (in our case the scheduling system) and detects any unauthorized modification. We finally discuss the challenges related to the design of a general detection system for this class of attacks.

1 Introduction

Rootkits are a particular type of malicious software designed to maintain hidden access to a compromised machine by targeting the running kernel. To mitigate this severe threat, several defense techniques for code protection and attestation have been proposed in the literature [27,37,39,46]. These mechanisms try to protect the applications and the kernel code against any illicit modification of their instructions. This also prevents hooking techniques that attempt to divert the control flow to a routine controlled by the attacker. However, while the code of the kernel is easy to protect, its dynamic data structures often remain outside the boundaries of traditional defenses. Left unprotected, they quickly became one of the main targets of modern rootkits, which manipulate their values to tamper with the behavior of the system without the need to modify the existing code. Even though these attacks are simple to understand and relatively easy to perform, protecting the dynamic memory structures of an operating system is a very difficult task. For instance, the classic example of a Direct Kernel Object Manipulation (or DKOM) attack consists of hiding a running process by simply removing its corresponding element from the processes list (e.g., the EPROCESS structure in Microsoft Windows). Detecting DKOM attacks often relies on the assumption that even though some information can be modified, the original value can still be present in another OS context. For example, even if an element is deleted from the EPROCESS linked list, in order to be executed the process still needs to be present in the scheduling queue. Consequently, a common technique to detect DKOM attacks consists in cross-checking different sources of information to verify whether their values are consistent. For instance, this is the approach adopted by the ps

© Springer International Publishing Switzerland 2016. J. Caballero et al. (Eds.): DIMVA 2016, LNCS 9721, pp. 3–24, 2016. DOI: 10.1007/978-3-319-40667-1_1

M. Graziano et al.
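The cross-view detection idea described above, as an added example that is not part of the paper and not the authors' code: a toy model of a kernel that keeps two independent views of its running processes, a doubly linked "all processes" list (standing in for the Windows EPROCESS list) and the scheduler's run queue. The classic DKOM hiding the text describes splices a task out of the first view only, so a detector that compares the two views finds the inconsistency. All names (`ToyKernel`, `Task`, `cross_view_check`) and the sample process set are constructed for this illustration; nothing here touches real kernel memory.

```python
"""Toy model of cross-view detection for classic DKOM process hiding.

Constructed example: the 'kernel' below is a pure-Python simulation with
two views of the task set, an EPROCESS-like circular doubly linked list
and a scheduler run queue. The detector reports any task that is present
in one view but missing from the other.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Task:
    pid: int
    name: str
    # Forward/back links of the circular process list (the first view).
    prev: Optional["Task"] = field(default=None, repr=False)
    next: Optional["Task"] = field(default=None, repr=False)


class ToyKernel:
    """Hypothetical kernel state holding the two views of running tasks."""

    def __init__(self) -> None:
        # Sentinel head of the circular process list (like the idle task).
        self.head = Task(0, "idle")
        self.head.prev = self.head.next = self.head
        # Second, independent view: the scheduler's run queue.
        self.run_queue: List[Task] = []

    def create(self, pid: int, name: str) -> Task:
        """Register a task in both views, as a normal process creation would."""
        t = Task(pid, name)
        tail = self.head.prev
        tail.next = t
        t.prev = tail
        t.next = self.head
        self.head.prev = t
        self.run_queue.append(t)
        return t

    def list_view(self) -> List[int]:
        """Walk the process list, the view a naive 'ps' would use."""
        pids = []
        cur = self.head.next
        while cur is not self.head:
            pids.append(cur.pid)
            cur = cur.next
        return pids

    def scheduler_view(self) -> List[int]:
        """Pids the scheduler still knows about and will keep running."""
        return [t.pid for t in self.run_queue]


def simulate_list_unlink(task: Task) -> None:
    """Model of the classic DKOM hiding described in the paper: the task is
    spliced out of the process list but left in the run queue, so it keeps
    executing while disappearing from list-based enumeration."""
    task.prev.next = task.next
    task.next.prev = task.prev


def cross_view_check(kernel: ToyKernel) -> Dict[str, List[int]]:
    """Detector: cross-check the two views and report every inconsistency."""
    in_list = set(kernel.list_view())
    in_sched = set(kernel.scheduler_view())
    return {
        "hidden_from_list": sorted(in_sched - in_list),
        "hidden_from_scheduler": sorted(in_list - in_sched),
    }


def demo():
    """Build a constructed task set, hide one task, and run the detector."""
    k = ToyKernel()
    k.create(1, "init")
    k.create(42, "sshd")
    hidden = k.create(1337, "rk")          # constructed sample process
    before = cross_view_check(k)           # both views agree
    simulate_list_unlink(hidden)
    after = cross_view_check(k)            # list view lost pid 1337
    return before, after, k.list_view(), k.scheduler_view()


if __name__ == "__main__":
    b, a, lv, sv = demo()
    print("before:", b)
    print("after: ", a)
    print("list view:", lv, "scheduler view:", sv)
```

The check only works because the static views disagree after the modification; the abstract's E-DKOM instead changes how a structure evolves over time without leaving such a snapshot inconsistency, which is why the paper turns to a hypervisor-based monitor that mimics the scheduler rather than to cross-view comparison.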