Many software security solutions—including malware analyzers, information flow tracking systems, auditing utilities, and host-based intrusion detectors—rely on knowledge of standard system call interfaces to reason about process execution behavior. In this work, we show how a rootkit can obfuscate a commodity kernel’s system call interfaces to degrade the effectiveness of these tools. Our attack, called Illusion, allows user-level malware to invoke privileged kernel operations without requiring the malware to call the actual system calls corresponding to the operations. The Illusion interface hides system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion alters neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory. We then consider the problem of Illusion attacks and augment system call data with kernel-level execution information to expose the hidden kernel operations. We present a Xen-based monitoring system, Sherlock, that adds kernel execution watchpoints to the stream of system calls. Sherlock automatically adapts its sensitivity based on security requirements to remain performant on desktop systems: in normal execution, it adds 1% to 10% overhead to a variety of workloads.
Operating system interface obfuscation and the revealing of hidden operations / A. Srivastava, A. Lanzi, J. Giffin, D. Balzarotti (LECTURE NOTES IN COMPUTER SCIENCE). - In: Detection of intrusions and malware, and vulnerability assessment / [a cura di] T. Holz, H. Bos. - Berlin : Springer, 2011 Jul. - ISBN 9783642224232. - pp. 214-233 (( Intervento presentato al 8. convegno International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) tenutosi a Amsterdam nel 2011 [10.1007/978-3-642-22424-9_13].
Operating system interface obfuscation and the revealing of hidden operations
A. LanziSecondo
;
2011
Abstract
Many software security solutions—including malware analyzers, information flow tracking systems, auditing utilities, and host-based intrusion detectors—rely on knowledge of standard system call interfaces to reason about process execution behavior. In this work, we show how a rootkit can obfuscate a commodity kernel’s system call interfaces to degrade the effectiveness of these tools. Our attack, called Illusion, allows user-level malware to invoke privileged kernel operations without requiring the malware to call the actual system calls corresponding to the operations. The Illusion interface hides system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion alters neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory. We then consider the problem of Illusion attacks and augment system call data with kernel-level execution information to expose the hidden kernel operations. We present a Xen-based monitoring system, Sherlock, that adds kernel execution watchpoints to the stream of system calls. Sherlock automatically adapts its sensitivity based on security requirements to remain performant on desktop systems: in normal execution, it adds 1% to 10% overhead to a variety of workloads.File | Dimensione | Formato | |
---|---|---|---|
chp%3A10.1007%2F978-3-642-22424-9_13.pdf
accesso riservato
Tipologia:
Publisher's version/PDF
Dimensione
441.89 kB
Formato
Adobe PDF
|
441.89 kB | Adobe PDF | Visualizza/Apri Richiedi una copia |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.