Title :
Data Interception through Broken Concurrency in Kernel Land
Author :
Rrushi, Julian L.
Author_Institution :
Centre for Cybersecurity, British Columbia Inst. of Technol., Burnaby, BC, Canada
Abstract :
We present a kernel data interception technique that is undetectable by existing approaches to malware detection, and propose practical methods to detect it. The technique is based on breaking concurrency in a way that enables the attack code to take over the synchronization established by target kernel modules. That level of control allows the attack code to interpose between those modules, and thus intercept sensitive data. We illustrate the overall technique as applied to intercepting keystrokes from a computer keyboard on Windows 7, and demonstrate it in practice through an attack kernel driver that we dubbed kbdinterceptor. The technique has no reliance on function hooking, machine code replacement, direct access to I/O bus, or attachment to any device driver stack whatsoever. In the paper, we capture the salient characteristics of the attack technique to devise a defensive approach that can accurately detect the corresponding attack code through dynamic analysis.
Keywords :
computer crime; concurrency control; invasive software; system monitoring; Windows 7; attack code detection; attack kernel driver; attack technique; broken concurrency; computer keyboard; data interception; defensive approach; kbdinterceptor; kernel data interception technique; kernel land; keylogger; keystrokes interception; malware detection; synchronization; target kernel modules; Concurrent computing; Data structures; Kernel; Keyboards; Reactive power; Registers; Synchronization; Keylogger; Windows kernel; concurrency;
Conference_Title :
2014 IEEE Intl Conf on High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security, 2014 IEEE 11th Intl Conf on Embedded Software and Syst (HPCC, CSS, ICESS)
Print_ISBN :
978-1-4799-6122-1
DOI :
10.1109/HPCC.2014.131