• DocumentCode
    2756146
  • Title
    Lurking in the Shadows: Identifying Systemic Threats to Kernel Data
  • Author
    Baliga, Arati ; Kamat, Pandurang ; Iftode, Liviu
  • Author_Institution
    Dept. of Comput. Sci., Rutgers Univ., New Brunswick, NJ
  • fYear
    2007
  • fDate
    20-23 May 2007
  • Firstpage
    246
  • Lastpage
    251
  • Abstract
    The integrity of kernel code and data is fundamental to the integrity of the computer system. Tampering with the kernel data is an attractive venue for rootkit writers since malicious modifications in the kernel are harder to identify compared to their user-level counterparts. So far, however, the pattern followed for tampering is limited to hiding malicious objects in user-space. This involves manipulating a subset of kernel data structures that are related to intercepting user requests or affecting the user's view of the system. Hence, defense techniques are built around detecting such hiding behavior. The contribution of this paper is to demonstrate a new class of stealthy attacks that only exist in kernel space and do not employ any hiding techniques traditionally used by rootkits. These attacks are stealthy because the damage done to the system is not apparent to the user or to intrusion detection systems installed on the system, and they are symptomatic of a more systemic problem present throughout the kernel. Our goal in building these attack prototypes was to show that such attacks are not only realistic but, worse, cannot be detected by the current generation of kernel integrity monitors without prior knowledge of the attack signature.
  • Keywords
    data integrity; data structures; invasive software; operating system kernels; attack signature; kernel code; kernel data structures; malicious modifications; stealthy attacks; systemic threats; Computer architecture; Computer science; Control systems; Data structures; Detectors; File systems; Intrusion detection; Kernel; Monitoring; Prototypes;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy, 2007. SP '07. IEEE Symposium on
  • Conference_Location
    Berkeley, CA
  • ISSN
    1081-6011
  • Print_ISBN
    0-7695-2848-1
  • Type
    conf
  • DOI
    10.1109/SP.2007.25
  • Filename
    4223229