Author Prakash, A. ♦ Venkataramani, E. ♦ Heng Yin ♦ Zhiqiang Lin
Sponsorship IEEE Comput. Soc.
Source IEEE Xplore Digital Library
Content type Text
Publisher Institute of Electrical and Electronics Engineers, Inc. (IEEE)
File Format PDF
Copyright Year ©2013
Language English
Subject Domain (in DDC) Computer science, information & general works ♦ Data processing & computer science
Subject Keyword Semantics ♦ Kernel ♦ Testing ♦ Heuristic algorithms ♦ Data structures ♦ Security ♦ Support vector machines
Abstract Semantic values in kernel data structures are critical to many security applications, such as virtual machine introspection, malware analysis, and memory forensics. However, malware, or more specifically a kernel rootkit, can often directly tamper with the raw kernel data structures, known as DKOM (Direct Kernel Object Manipulation) attacks, thereby significantly thwarting security analysis. In addition to manipulating pointer fields to hide certain kernel objects, DKOM attacks may also mutate semantic values, which are data values with important semantic meanings. Prior research efforts have been made to defeat pointer manipulation attacks and thus identify hidden kernel objects. However, the space and severity of Semantic Value Manipulation (SVM) attacks have not received sufficient understanding. In this paper, we take a first step to systematically assess this attack space. To this end, we devise a new fuzz testing technique, namely duplicate-value directed semantic field fuzzing, and implement a prototype called MOSS. Using MOSS, we evaluate two widely used operating systems: Windows XP and Ubuntu 10.04. Our experimental results show that the space of SVM attacks is vast for both OSes. Our proof-of-concept kernel rootkit further demonstrates that it can successfully evade all the security tools tested in our experiments, including recently proposed robust signature schemes. Moreover, our duplicate value analysis implies the challenges in defeating SVM attacks, such as that an intuitive cross-checking approach on duplicate values can only provide marginal detection improvement. Our study motivates revisiting existing security solutions and calls for more effective defense against kernel threats.
Description Author affiliation: Dept. of EECS, Syracuse Univ., Syracuse, NY, USA (Prakash, A.; Venkataramani, E.; Heng Yin) || Dept. of Comput. Sci., Univ. of Texas at Dallas, Dallas, TX, USA (Zhiqiang Lin)
ISBN 9781467364713
ISSN 15300889
Educational Role Student ♦ Teacher
Age Range above 22 year
Educational Use Research ♦ Reading
Education Level UG and PG
Learning Resource Type Article
Publisher Date 2013-06-24
Publisher Place Hungary
Rights Holder Institute of Electrical and Electronics Engineers, Inc. (IEEE)
e-ISBN 9781467364720
Size (in Bytes) 391.67 kB
Page Count 12
Starting Page 1
Ending Page 12
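The abstract contrasts two kinds of DKOM tampering: pointer manipulation, which hides an object from list-walking tools but leaves it in memory for a signature scan to find, and semantic value manipulation (SVM), which leaves every pointer and signature intact and instead forges the value an analyst relies on. The toy model below is an added illustration written for this page; it is not code from the paper, not MOSS, and not a real kernel. The `struct task`, the `TASK_MAGIC` signature, the `pid_copy[]` table standing in for the duplicate copies a real kernel keeps of a pid, and all function names are constructed for the example. It shows why a memory scan catches the unlink, why the same scan is silent on a forged pid, and why a cross-check of duplicate values catches only a forgery that forgets to update the copy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of kernel process objects (assumption: not the paper's code).
 * Tasks sit on a doubly linked list; each task carries a semantic value (pid) and
 * a duplicate of that pid lives in a separate table, mimicking the redundant copies
 * of semantic values that real kernels keep in other structures. */
#define MAX_TASKS 8
#define TASK_MAGIC 0x5441534Bu   /* invariant field a robust signature scan keys on */

struct task {
    unsigned magic;              /* part of the object signature */
    int pid;                     /* semantic value analysts and tools rely on */
    int slot;                    /* index of this task's duplicate pid in pid_copy[] */
    struct task *next, *prev;
};

static struct task mem[MAX_TASKS];  /* simulated kernel memory, scanned by signature */
static struct task *head;           /* list head the OS and introspection tools walk */
static int pid_copy[MAX_TASKS];     /* duplicate copy of each task's pid */

/* Build four tasks (pids 1, 100, 200, 300) linked in that order. */
static void reset_kernel(void)
{
    const int pids[] = {1, 100, 200, 300};
    memset(mem, 0, sizeof mem);
    memset(pid_copy, 0, sizeof pid_copy);
    head = NULL;
    for (int i = 3; i >= 0; i--) {          /* push front, so the list reads 1,100,200,300 */
        struct task *t = &mem[i];
        t->magic = TASK_MAGIC;
        t->pid = pids[i];
        t->slot = i;
        pid_copy[i] = pids[i];
        t->next = head;
        if (head) head->prev = t;
        head = t;
    }
}

/* View 1: what ps, or a VMI tool that walks the list, sees. */
static int count_by_list(void)
{
    int n = 0;
    for (struct task *t = head; t; t = t->next) n++;
    return n;
}

/* View 2: signature scan of raw memory, independent of any pointer. */
static int count_by_scan(void)
{
    int n = 0;
    for (int i = 0; i < MAX_TASKS; i++)
        if (mem[i].magic == TASK_MAGIC) n++;
    return n;
}

/* The forensic question "is there a process with this pid?", answered by scanning. */
static bool scan_finds_pid(int pid)
{
    for (int i = 0; i < MAX_TASKS; i++)
        if (mem[i].magic == TASK_MAGIC && mem[i].pid == pid) return true;
    return false;
}

static struct task *task_by_pid(int pid)
{
    for (int i = 0; i < MAX_TASKS; i++)
        if (mem[i].magic == TASK_MAGIC && mem[i].pid == pid) return &mem[i];
    return NULL;
}

/* Pointer manipulation (classic DKOM): unlink the object, leave it in memory. */
static void dkom_unlink(struct task *t)
{
    if (t->prev) t->prev->next = t->next; else head = t->next;
    if (t->next) t->next->prev = t->prev;
    t->next = t->prev = NULL;
}

/* Semantic value manipulation: forge the pid; pointers and signature untouched.
 * With fix_duplicate set, the attacker also rewrites the redundant copy. */
static void svm_set_pid(struct task *t, int forged_pid, bool fix_duplicate)
{
    t->pid = forged_pid;
    if (fix_duplicate) pid_copy[t->slot] = forged_pid;
}

/* Naive defence from the abstract: cross-check the two copies of each semantic value. */
static int duplicate_mismatches(void)
{
    int n = 0;
    for (int i = 0; i < MAX_TASKS; i++)
        if (mem[i].magic == TASK_MAGIC && mem[i].pid != pid_copy[mem[i].slot]) n++;
    return n;
}

int main(void)
{
    reset_kernel();
    dkom_unlink(task_by_pid(200));
    printf("DKOM unlink: list=%d scan=%d -> %d hidden object\n",
           count_by_list(), count_by_scan(), count_by_scan() - count_by_list());

    reset_kernel();
    svm_set_pid(task_by_pid(200), 4242, false);
    printf("SVM (sloppy): list=%d scan=%d pid200=%d mismatches=%d\n",
           count_by_list(), count_by_scan(), scan_finds_pid(200), duplicate_mismatches());

    reset_kernel();
    svm_set_pid(task_by_pid(200), 4242, true);
    printf("SVM (consistent): pid200=%d mismatches=%d\n",
           scan_finds_pid(200), duplicate_mismatches());
    return 0;
}
```

The unlink leaves `count_by_scan()` one higher than `count_by_list()`, which is exactly the discrepancy hidden-object detectors look for. After the pid forgery both counts agree, the scan simply reports that no process 200 exists, and the cross-check fires only when the attacker neglects the duplicate; an attacker who knows where the copies live, which is what the duplicate-value analysis in the paper maps out, keeps them consistent and passes it.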