Automatic inference and enforcement of kernel data structure invariants

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2008, Pages 77-86

  Baliga, Arati ^a   Ganapathy, Vinod ^a   Iftode, Liviu ^a  

^a RUTGERS UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTOMATIC INFERENCES; CONTROL DATUM; DETECTION TECHNIQUES; FALSE POSITIVE RATES; FUNCTION POINTERS; GIBRALTARS; ROOTKITS; STRUCTURE INTEGRITIES; SYSTEM CALLS; SYSTEM SECURITIES;

COMPUTER APPLICATIONS; INTRUSION DETECTION; SECURITY SYSTEMS; SPECIFICATIONS;

DATA STRUCTURES;

EID: 60649106745     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2008.29     Document Type: Conference Paper

References (36)

1. Anti rootkit software, news, articles and forums. http://antirootkit.com/ .
2. Chkrootkit - rootkit detection tool. http://www.chkrootkit.org/.
3. Fu rootkit. http://www.rootkit.com/project.php?id=12.
4. Myricom: Pioneering high performance computing. http://www.myri.com.
5. Packet storm. http://packetstormsecurity.org/UNIX/penetration/rootkits/.
6. Rootkit revealer, rootkit detection tool by microsoft. http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx.
7. Sophos anti-rootkit. http://www.sophos.com/products/free-tools/sophos- anti-rootkit.html.
8. Rootkits, part 1 of 3: A growing threat, April 2006. MacAfee AVERT Labs Whitepaper.
9. Jeffrey Brian Arnold. Ksplice: An automatic system for rebootless linux kernel security updates. http://web.mit.edu/ksplice/doc/ksplice.pdf.
10. Arati Baliga, Pandurang Kamat, and Liviu Iftode. Lurking in the shadows: Identifying systemic threats to kernel data. In SP '07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, 2007.
11. Doug Beck, Binh Vo, and Chad Verbowski. Detecting stealth software with strider ghostbuster. In DSN '05: Proceedings of the 2005 International Conference on Dependable Systems and Networks, 2005.
12. Haibo Chen, Rong Chen, Fengzhe Zhang, Binyu Zang, and Pen-Chung Yew. Live updating operating systems using virtualization. In VEE '06: Proceedings of the 2nd international conference on Virtual execution environments, 2006.
13. Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, and Roy H. Campbell. Cloaker: Hardware Supported Rootkit Concealment. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2008.
14. Michael D. Ernst, Jeff H. Perkins, Philip J. Guo, Stephen McCamant, Carlos Pacheco, Matthew S. Tschantz, and Chen Xiao. The Daikon system for dynamic detection of likely invariants. Science of Computer Programming, 2006.
15. Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, and Dan Boneh. Terra: A virtual machine-based platform for trusted computing. In SOSP03: ACM Symposium on Operating System Principles, October 2003.
16. Tal Garfinkel and Mendel Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proc. Network and Distributed Systems Security Symposium, 2003.
17. Nick L. Petroni Jr., Timothy Fraser, Jesus Molina, and William A. Arbaugh. Copilot - a coprocessor-based kernel runtime integrity monitor. In Security '04: Proceedings of the USENIX Security Symposium, 2004.
18. Gene H. Kim and Eugene H. Spafford. The design and implementation of tripwire: a file system integrity checker. In CCS '94: Proceedings of the 2nd ACM Conference on Computer and communications security, 1994.
19. Samuel King, Peter Chen, Yi-Min Wang, Chad Verblowski, Helen J. Wang, and Jacob R. Lorch. Subvirt: Implementing malware with virtual machines. In SP06: Proceedings of the 2006 IEEE Symposium on Security and Privacy, May 2006.
20. Christopher Kruegel, William Robertson, and Giovanni Vigna. Detecting kernel-level rootkits through binary analysis. In ACSAC '04: Proceedings of the 20th Annual Computer Security Applications Conference, 2004.
21. Lionel Litty and David Lie. Manitou: a layer-below approach to fighting malware. In ASID, 2006.
22. John D. McCalpin. Memory bandwidth and machine balance in current high performance computers. In IEEE Technical Committee on Computer Architecture newsletter, December 1995.
23. Larry McVoy and Carl Staelin. lmbench: portable tools for performance analysis. In ATEC '96: Proceedings of the USENIX Annual Technical Conference, May 1996.
24. George C. Necula, Scott McPeak, Shree Prakash Rahul, and Westley Weimer. Cil: Intermediate language and tools for analysis and transformation of c programs. In CC '02: Proceedings of the 11th International Conference on Compiler Construction, 2002.
25. Jr. Nick L. Petroni, Timothy Fraser, AAron Walters, and William A. Arbaugh. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In Security '06: Proceedings of the USENIX Security Symposium, 2006.
26. Jr. Nick L. Petroni and Michael Hicks. Automated detection of persistent kernel control-flow attacks. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, 2007.
27. W. Norcott. Iozone benchmark. http://www.iozone.org, 2001.
28. Joanna Rutkowska. Defeating hardware based ram acquisition. In Blackhat Conference, 2007.
29. Reiner Sailer, Trent Jaeger, Xiaolan Zhang, and Leendert van Doorn. Attestation-based policy enforcement for remote access. In ACM Conference on Computer and Communications Security, October 2004.
30. Reiner Sailer, Xiaolan Zhang, Trent Jaeger, and Leendert van Doorn. Design and implementation of a tcg-based integrity measurement architecture. In Security04: Proceedings of the 2004 USENIX Security Symposium, August 2004.
31. Arvind Seshadri, Mark Luk, Elaine Shi, Adrian Perrig, Leendert van Doorn, and Pradeep K. Khosla. Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems. In SOSP '05: 20th ACM Symposium on Operating System Principles, 2005.
32. Elaine Shi, Adrian Perrig, and Leendert van Doorn. Bind: A fine-grained attestation service for secure distributed systems. In SP '05: IEEE Symposium on Security and Privacy, 2005.
33. Shellcode Security Research Team. Registration weakness in linux kernel's binary formats. http://goodfellas.shellcode.com.ar/own/binfmt-en.pdf, September 2006.
34. Yi-Min Wang, Roussi Roussev, Chad Verbowski, Aaron Johnson, Ming-Wei Wu, Yennun Huang, and Sy-Yen Kuo. Gatekeeper: Monitoring auto-start extensibility points (aseps) for spyware management. In LISA '04: Proceedings of the 18th USENIX conference on System administration, 2004.
35. Jeffrey Wilhelm and Tzi cker Chiueh. A forced sampled execution approach to kernel rootkit identification. In RAID, 2007.
36. Xiaolan Zhang, Leendert van Doorn, Trent Jaeger, Ronald Perez, and Reiner Sailer. Secure coprocessor-based intrusion detection. In EW10: Proceedings of the 10th workshop on ACM SIGOPS European workshop: beyond the PC, 2002.