Efficient Monitoring of Untrusted Kernel-Mode Execution

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2011

Volumn , Issue , 2011, Pages

  Srivastava, Abhinav ^a   Giffin, Jonathon ^a  

^a Georgia Institute of Technology   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

APPLICATION PROGRAMMING INTERFACES (API); GATEWAYS (COMPUTER NETWORKS); NETWORK SECURITY;

ADDRESS SPACE; EFFICIENT MONITORING; HOST-BASED; INTRUSION DETECTORS; KERNEL MODE; MALWARES; SECURITY SOLUTIONS; SOFTWARE SECURITY; SYSTEM CALL MONITORING; USER LEVELS;

MALWARE;

EID: 84867864575     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (51)

1. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control flow integrity principles, implementations, and applications. In ACM CCS, Alexandria, Virginia, Nov. 2005.
2. Alexander Tereshkin. Rootkits: Attacking personal firewalls. www.blackhat.com/presentations/bh-usa-06/BH-US-06-Tereshkin.pdf. Last accessed Aug. 05, 2010.
3. A. Baliga, V. Ganapathy, and L. Iftode. Automatic inference and enforcement of kernel data structures invariants. In ACSAC, Anaheim, CA, Dec. 2008.
4. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In ACM SOSP, Bolton Landing, NY, Oct. 2003.
5. M. Becher, M. Dornseif, and C. Klein. Firewire all your memory are belong to us. In CanSecWest, 2005.
6. M. Castro, M. Costa, J. Martin, M. Peinado, P. Akritidis, A. Donnelly, P. Barham, and R. Black. Fast byte-granularity software fault isolation. In ACM SOSP, Big Sky, Montana, Oct. 2009.
7. A. Chakrabarti. An introduction to Linux kernel backdoors. http://www.infosecwriters.com/hhworld/hh9/lvtes.txt. Last accessed Aug. 05, 2010.
8. S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data attacks are realistic threats. In USENIX Security, Baltimore, MD, Aug. 2005.
9. X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. Ports. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In ASPLOS, Seattle, WA, Mar. 2008.
10. T. Chiueh and F. Hsu. RAD: A compile-time solution to buffer overflow attacks. In ICDSC, Mesa, AZ, Apr. 2001.
11. J. Criswell, N. Geoffray, and V. Adve. Memory safety for low-level software/hardware interactions. In Usenix Security, Montreal, Canada, Aug 2009.
12. G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai, and P. M. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In OSDI, Boston, MA, Dec. 2002.
13. Ú. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In OSDI, Seattle, WA, Nov. 2006.
14. B. Ford and R. Cox. Vx32: Lightweight user-level sand-boxing on the x86. In USENIX ATC, Boston, MA, June 2008.
15. M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In USENIX Security, Washington, D.C., Aug. 2001.
16. V. Ganapathy, M. J. Renzelmann, A. Balakrishnan, M. M. Swift, and S. Jha. The design and implementation of microdrivers. In ASPLOS, Seattle, WA, Mar. 2008.
17. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In NDSS, San Diego, CA, Feb. 2003.
18. R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkis: Bypassing kernel code integrity protection mechanisms. In Usenix Security, Montreal, Canada, Aug 2009.
19. Intel. System Programming Guide: Part 2. Intel 64 and IA-32 Architectures Software Developer’s Manual, 2004.
20. S. T. Jones, A. C. Arpaci-Dusseau, and R. H. Arpaci-Dusseau. Antfarm: Tracking processes in a virtual machine environment. In USENIX ATC, Boston, MA, June 2006.
21. K. Kasslin. Evolution of kernel-mode malware. http://igloo.engineeringforfun.com/malwares/Kimmo_Kasslin_Evolution_of_ kernel_mode_malware_v2.pdf. Last accessed Aug. 05, 2010.
22. J. Keniston, A. Mavinakayanahalli, P. Panchamukhi, and V. Prasad. Ptrace, utrace, uprobes: Lightweight, dynamic tracing of user apps. In Linux Symposium, Ottawa, Canada, June 2007.
23. Kimmo Kasslin. Kernel malware: The attack from within. www.f-secure.com/weblog/archives/kasslin_AVAR2006_ KernelMalware_paper.pdf. Last accessed Aug. 05, 2010.
24. S. T. King, P. M. Chen, Y. Wang, C. Verbowski, H. J. Wang, and J. R. Lorch. SubVirt: Implementing malware with virtual machines. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2006.
25. V. Kiriansky, D. Bruening, and S. P. Amarasinghe. Secure execution via program shepherding. In USENIX Security, San Francisco, CA, Aug 2002.
26. Larry McVoy and Carl Staelin. lmbench. http://www.bitmover.com/lmbench/. Last accessed Aug. 05, 2010.
27. L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor support for identifying covertly executing binaries. In USENIX Security, San Jose, CA, Aug. 2008.
28. A. Mavinakayanahalli, P. Panchamukhi, J. Keniston, A. Keshavamurthy, and M. Hiramatsu. Probing the guts of kprobes. In Linux Symposium, Ottawa, Canada, July 2006.
29. B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2008.
30. N. L. Petroni, Jr., T. Fraser, A. Walters, and W. A. Arbaugh. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In USENIX Security, Vancouver, BC, Canada, Aug. 2006.
31. N. L. Petroni, Jr. and M. Hicks. Automated detection of persistent kernel control-flow attacks. In ACM CCS, Alexandria, VA, Nov. 2007.
32. A. Ramaswamy. Autoscopy: Detecting pattern-searching rootkits via control flow tracing. In Technical Report TR2009-644, Dartmouth Computer Science, 2009.
33. R. Riley, X. Jiang, and D. Xu. Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In RAID, Boston, MA, Sept. 2008.
34. J. Rutkowska. Subverting Vista kernel for fun and profit. In Black Hat USA, 2006.
35. M. I. Seltzer, Y. Endo, C. Small, and K. A. Smith. Dealing with disaster: Surviving misbehaved kernel extensions. In OSDI, Seattle, WA, Oct 1996.
36. A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In ACM SOSP, Stevenson, WA, Oct. 2007.
37. M. Sharif, W. Lee, W. Cui, and A. Lanzi. Secure in-vm monitoring using hardware virtualization. In ACM CCS, Chicago, IL, Nov. 2009.
38. T. Shinagawa, H. Eiraku, K. Tanimoto, K. Omote, S. Hasegawa, T. Horie, M. Hirano, K. Kourai, Y. Oyama, E. Kawai, K. Kono, S. Chiba, Y. Shinjo, and K. Kato. BitVisor: A thin hypervisor for enforcing I/O device security. In ACM VEE, Washington, DC, Mar. 2009.
39. Sourceforge. Iperf. http://sourceforge.net/projects/iperf/. Last accessed Aug. 05, 2010.
40. A. Srivastava, I. Erete, and J. Giffin. Kernel data integrity protection via memory access control. In Technical Report GT-CS-09-05, Georgia Institute of Technology, Atlanta, GA, 2009.
41. A. Srivastava and J. Giffin. Tamper-resistant, application-aware blocking of malicious network connections. In RAID, Boston, MA, Sept. 2008.
42. A. Srivastava and J. Giffin. Automatic discovery of parasitic malware. In RAID, Ottawa, Canada, Sept. 2010.
43. Sun Microsystem. Dtrace. http://wikis.sun.com/display/DTrace/DTrace. Last accessed Aug. 05, 2010.
44. M. M. Swift, B. N. Bershad, and H. M. Levy. Improving the reliability of commodity operating systems. In ACM SOSP, Bolton Landing, NY, Oct. 2003.
45. Symantec. Spam from the kernel: Full-kernel malware installed by mpack. http://www.symantec.com/connect/blogs/ spam-kernel-full-kernel-malware-installed-mpack. Last accessed Aug. 05, 2010.
46. Tim Bray. Bonnie. http://www.garloff.de/kurt/linux/bonnie. Last accessed Aug. 05, 2010.
47. Uwe F. Mayer. BYTEmark. http://www.tux.org/mayer/linux/bmark.html. Last accessed Aug. 05, 2010.
48. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In ACM SOSP, Asheville, NC, Dec. 1994.
49. Z. Wang, X. Jiang, W. Cui, and P. Ning. Countering kernel rootkits with lightweight hook protection. In ACM CCS, Chicago, IL, Nov. 2009.
50. D. Williams, P. Reynolds, K. Walsh, E. G. Sirer, and F. B. Schneider. Device driver safety through a reference validation mechanism. In OSDI, San Diego, CA, Dec. 2008.
51. B. Yee, D. Sehr, G. Dardyk, B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native client: A sandbox for portable, untrusted x86 native code. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2009.