Subverting operating system properties through evolutionary DKOM attacks / M. Graziano, L. Flore, A. Lanzi, D. Balzarotti (LECTURE NOTES IN COMPUTER SCIENCE). - In: Detection of Intrusions and Malware, and Vulnerability Assessment / [edited by] J. Caballero, U. Zurutuza, R.J. Rodríguez. - [s.l.] : Springer Verlag, 2016. - ISBN 9783319406664. - pp. 3-24 (Paper presented at the 13th DIMVA conference, held in San Sebastian in 2016) [10.1007/978-3-319-40667-1_1].

Subverting operating system properties through evolutionary DKOM attacks

A. Lanzi (second-to-last author)
2016

Abstract

Modern rootkits have moved their focus to the exploitation of dynamic memory structures, which allows them to tamper with the behavior of the system without modifying or injecting any additional code. In this paper we discuss a new class of Direct Kernel Object Manipulation (DKOM) attacks that we call Evolutionary DKOM (E-DKOM). The goal of this attack is to alter the way some data structures "evolve" over time. As a case study, we designed and implemented an instance of an Evolutionary DKOM attack that targets the OS scheduler for both userspace programs and kernel threads. Moreover, we discuss the implementation of a hypervisor-based data protection system that mimics the behavior of an OS component (in our case the scheduling system) and detects any unauthorized modification. We finally discuss the challenges related to the design of a general detection system for this class of attacks.
Theoretical Computer Science; Computer Science (all)
Sector INF/01 - Computer Science
2016
Book Part (author)
Files in this item:
chp%3A10.1007%2F978-3-319-40667-1_1.pdf
Access: restricted
Type: Publisher's version/PDF
Size: 420.77 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/2434/455541
Citations
  • PubMed Central: not available
  • Scopus: 7
  • ISI (Web of Science): not available