Title :
Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense
Author :
Wei, Jinpeng ; Payne, Bryan D. ; Giffin, Jonathon ; Pu, Calton
Author_Institution :
Sch. of Comput. Sci., Georgia Inst. of Technol., Atlanta, GA
Abstract :
A new class of stealthy kernel-level malware, called transient kernel control flow attacks, uses dynamic soft timers to achieve significant work while avoiding any persistent changes to kernel code or data. We demonstrate that soft timers can be used to implement attacks such as a stealthy key logger and a CPU cycle stealer. To defend against these attacks, we propose an approach based on static analysis of the entire kernel, which identifies and catalogs all legitimate soft timer interrupt requests (STIR) in a database. At run-time, a reference monitor in a trusted virtual machine compares each STIR with the database, only allowing the execution of known good STIRs. Our defensive technique has no false negatives because it mediates every STIR execution and prevents execution of all unknown, illegitimate STIRs, and no false positives because the relevant kernel code analyzed was unambiguous. The overhead for this additional security is less than 7% for each of our benchmarks.
Keywords :
interrupts; invasive software; operating system kernels; program diagnostics; virtual machines; CPU cycle stealer; defensive technique; illegitimate STIR; soft timer interrupt requests; static analysis; stealthy kernel-level malware; transient kernel control flow attack; virtual machine; Computer crime; Computer security; Condition monitoring; Databases; Information security; Kernel; Protection; Runtime; Virtual machine monitors; Virtual machining;
Conference_Titel :
Computer Security Applications Conference, 2008. ACSAC 2008. Annual
Conference_Location :
Anaheim, CA
Print_ISBN :
978-0-7695-3447-3
DOI :
10.1109/ACSAC.2008.40
