Operating system interface obfuscation and the revealing of hidden operations / A. Srivastava, A. Lanzi, J. Giffin, D. Balzarotti (Lecture Notes in Computer Science). - In: Detection of Intrusions and Malware, and Vulnerability Assessment / edited by T. Holz, H. Bos. - Berlin : Springer, Jul 2011. - ISBN 9783642224232. - pp. 214-233 (Paper presented at the 8th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), held in Amsterdam in 2011) [10.1007/978-3-642-22424-9_13].

Operating system interface obfuscation and the revealing of hidden operations

A. Lanzi (second author); 2011

Abstract

Many software security solutions—including malware analyzers, information flow tracking systems, auditing utilities, and host-based intrusion detectors—rely on knowledge of standard system call interfaces to reason about process execution behavior. In this work, we show how a rootkit can obfuscate a commodity kernel’s system call interfaces to degrade the effectiveness of these tools. Our attack, called Illusion, allows user-level malware to invoke privileged kernel operations without requiring the malware to call the actual system calls corresponding to the operations. The Illusion interface hides system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion alters neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory. We then consider the problem of Illusion attacks and augment system call data with kernel-level execution information to expose the hidden kernel operations. We present a Xen-based monitoring system, Sherlock, that adds kernel execution watchpoints to the stream of system calls. Sherlock automatically adapts its sensitivity based on security requirements to remain performant on desktop systems: in normal execution, it adds 1% to 10% overhead to a variety of workloads.
Context
Disciplinary sector: INF/01 - Computer Science
Jul-2011
Book Part (author)
Files in this product:
File: chp%3A10.1007%2F978-3-642-22424-9_13.pdf (restricted access)
Type: Publisher's version/PDF
Size: 441.89 kB
Format: Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/233473
Citations
  • Scopus: 16
  • ISI: 7