Efficient protection of kernel data structures via object partitioning

ACM International Conference Proceeding Series

Volumn , Issue , 2012, Pages 429-438

  Srivastava, Abhinav ^a   Giffin, Jonathon ^b  

^a AT AND T LABS RESEARCH   (United States)

^b HP Fortify ^*  (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CONTROL POLICIES; COMMODITY OPERATING SYSTEMS; EFFICIENT PROTECTIONS; KERNEL COMPONENTS; KERNEL MEMORY; MALICIOUS SOFTWARE; MALWARES; MEMORY ADDRESS SPACE; MEMORY PAGES; POLICY ENFORCEMENT; RUNTIMES; STRUCTURE ELEMENTS; VIRTUAL MEMORY MANAGEMENT;

ACCESS CONTROL; COMPUTER CRIME; DATA STRUCTURES; EMBEDDED SYSTEMS; SECURITY SYSTEMS;

INFORMATION MANAGEMENT;

EID: 84872102802     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2420950.2421012     Document Type: Conference Paper

References (43)

1. Branch Tracing with Intel MSR Registers. http://www.openrce.org/blog/ view/535/Branch-Tracing-with-Intel-MSR-Registers. Last Accessed Sep. 15, 2012.
2. New for Kernel-Mode Driver Architecture. http://msdn.microsoft.com/en-us/ library/windows/hardware/hh439748%28v=vs.85%29.aspx. Last Accessed Sep. 15, 2012.
3. Windows 8 Security: What's New. http://www.pcworld.com/article/255776/ windows-8-security-whats-new.html. Last Accessed Sep. 15, 2012.
4. Windows ISV Software Security Defenses. http://msdn.microsoft.com/en-us/ library/bb430720. Last Accessed Sep. 15, 2012.
5. K. Adams and O. Agesen. A comparison of software and hardware techniques for x86 virtualization. In ASPLOS, San Jose, CA, Oct. 2006.
6. A. Baliga, V. Ganapathy, and L. Iftode. Automatic inference and enforcement of kernel data structures invariants. In ACSAC, Anaheim, CA, Dec. 2008.
7. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In ACM SOSP, Bolton Landing, NY, Oct. 2003.
8. M. Ben-Yahuda, M. D. Day, Z. Dubitsky, M. Factor, N. Har'El, A. Gordon, A. Liguori, O. Wasserman, and B. Yassour. The Turtles project: Design and implementation of nested virtualization. In OSDI, 2010.
9. K. J. Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, Mitre, Apr. 1977.
10. J. Bonwick. The slab allocator: An object-caching kernel memory allocator. In USENIX, Boston, MA, June 1994.
11. M. Castro, M. Costa, J.-P. Martin, M. Peinado, P. Akritidis, A. Donnelly, P. Barham, and R. Black. Fast byte-granularity software fault isolation. In ACM SOSP, Big Sky, Montana, Oct. 2009.
12. S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web applications via automatic partitioning. In ACM SOSP, Stevenson, WA, Oct. 2007.
13. F. Corbato and V. Vyssotsky. Introduction and overview of the Multics system. In Fall Joint Computer Conference, Las Vegas, NV, Nov. 1965.
14. A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: Malware analysis via hardware virtualization extensions. In ACM CCS, Alexandria, VA, Oct. 2008.
15. U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In OSDI, Seattle, WA, Nov. 2006.
16. T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. In ACM SOSP, Bolton Landing, NY, Oct. 2003.
17. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In NDSS, San Diego, CA, Feb. 2003.
18. Intel. System Programming Guide: Part 2. Intel 64 and IA-32 Architectures Software Developer's Manual, 2004.
19. X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through VMM-based 'out-of-the-box' semantic view. In ACM CCS, Alexandria, VA, Nov. 2007.
20. S. T. Jones, A. C. Arpaci-Dusseau, and R. H. Arpaci-Dusseau. VMM-based hidden process detection and identification using Lycosid. In ACM VEE, Seattle, WA, Mar. 2008.
21. S. T. King, P. M. Chen, Y.-M. Wang, C. Verbowski, H. J. Wang, and J. R. Lorch. SubVirt: Implementing malware with virtual machines. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2006.
22. L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor support for identifying covertly executing binaries. In USENIX Security Symposium, San Jose, CA, Aug. 2008.
23. Microsoft. PatchGuard. http://blogs.msdn.com/windowsvistasecurity/ archive/2006/08/11/695993.aspx. Last accessed Sep. 15, 2012.
24. G. C. Necula, S. McPeak, S. Rahul, and W. Weimer. CIL: Intermediate language and tools for analysis and transformation of C programs. In Conference on Compiler Construction (CC), Grenoble, France, Apr. 2002.
25. Packet Storm. All-root. http://packetstormsecurity.org/UNIX/penetration/ rootkits/all-root.c. Last accessed Sep. 15, 2012.
26. B. D. Payne, M. Carbone, and W. Lee. Secure and flexible monitoring of virtual machines. In ACSAC, Miami, FL, Dec. 2007.
27. B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2008.
28. N. L. Petroni, Jr., T. Fraser, A. Walters, and W. A. Arbaugh. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In USENIX Security Symposium, Vancouver, BC, Canada, Aug. 2006.
29. N. L. Petroni, Jr. and M. Hicks. Automated detection of persistent kernel control-flow attacks. In ACM CCS, Alexandria, VA, Nov. 2007.
30. R. Riley, X. Jiang, and D. Xu. Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In RAID, Boston, MA, Sept. 2008.
31. J. Rutkowska. Subverting Vista kernel for fun and profit. In Black Hat USA, 2006.
32. R. Sailer, T. Jaeger, E. Valdez, R. Caceres, R. Perez, S. Berger, J. L. Griffin, and L. van Doorn. Building a MAC-based security architecture for the Xen open-source hypervisor. In ACSAC, Tucson, AZ, Dec. 2005.
33. A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In ACM SOSP, Stevenson, WA, Oct. 2007.
34. M. L. Soffa, K. R. Walcott, and J. Mars. Exploiting hardware advances for software testing and debugging. In ICSE, Honolulu, HI, May 2011.
35. A. Srivastava and J. Giffin. Tamper-resistant, application-aware blocking of malicious network connections. In RAID, Boston, MA, Sept. 2008.
36. A. Srivastava and J. Giffin. Automatic discovery of parasitic malware. In RAID, Ottawa, Canada, Sept. 2010.
37. A. Srivastava and J. Giffin. Efficient monitoring of untrusted kernel-mode execution. In NDSS, San Diego, California, Feb. 2011.
38. A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti. Operating system interface obfuscation and the revealing of hidden operations. In DIMVA, Netherlands, July 2011.
39. Symantec. Windows rootkit overview. http://www.symantec.com/avcenter/ reference/windows.rootkit.overview.pdf. Last accessed Sep. 15, 2012.
40. ubra. Process hiding and the Linux scheduler. Phrack, 11(63), Jan. 2005.
41. Z. Wang, X. Jiang, W. Cui, and P. Ning. Countering kernel rootkits with lightweight hook protection. In ACM CCS, Chicago, IL, Nov. 2009.
42. E. Witchel, J. Cates, and K. Asanovic. Mondrian memory protection. In ASPLOS, San Jose, CA, Oct. 2002.
43. X. Xiong, D. Tian, and P. Liu. Practical protection of kernel integrity for commodity os from untrusted extensions. In NDSS, San Diego, California, Feb. 2011.