Operating System Interface Obfuscation And The Revealing Of Hidden Operations

DIMVA'11: Proceedings of the 8th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (2011)

Cited by 14 | Views 64

Abstract
Many software security solutions including malware analyzers, information flow tracking systems, auditing utilities, and host-based intrusion detectors rely on knowledge of standard system call interfaces to reason about process execution behavior. In this work, we show how a rootkit can obfuscate a commodity kernel's system call interfaces to degrade the effectiveness of these tools. Our attack, called Illusion, allows user-level malware to invoke privileged kernel operations without requiring the malware to call the actual system calls corresponding to the operations. The Illusion interface hides system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion alters neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory. We then consider the problem of Illusion attacks and augment system call data with kernel-level execution information to expose the hidden kernel operations. We present a Xen-based monitoring system, Sherlock, that adds kernel execution watchpoints to the stream of system calls. Sherlock automatically adapts its sensitivity based on security requirements to remain performant on desktop systems: in normal execution, it adds 1% to 10% overhead to a variety of workloads.
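The detection idea in the abstract, correlating the system-call stream with kernel execution watchpoints so that a kernel operation with no matching system call stands out, can be illustrated with a small offline simulation. The following is an added example written for this page, not code from the Illusion or Sherlock authors. The trace lines are constructed, the watchpoint set (Linux VFS entry points such as `vfs_write`) and the mapping from each watched kernel function to the system calls that legitimately reach it are assumptions chosen for illustration, and the two sensitivity levels only stand in for the adaptive behaviour the abstract describes; the paper's actual watchpoint list and dispatch channel are not given here.

```python
"""Expose kernel operations that do not appear in the system-call stream.

Added example: a syscall-only monitor sees one harmless ioctl() from pid 200,
while a monitor that also consumes kernel watchpoint hits sees that the
kernel opened a file and wrote to it with no open/write syscall in flight.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kernel functions to watch, mapped to the syscalls that legitimately reach
# them. ASSUMPTION for illustration: Linux VFS entry points; the paper's own
# watchpoint list is not reproduced here.
WATCHPOINTS = {
    "vfs_write": {"write", "pwrite64", "writev"},
    "vfs_read": {"read", "pread64", "readv"},
    "do_sys_open": {"open", "openat"},
}

# Stand-in for adaptive sensitivity: fewer active watchpoints means fewer
# VM exits and less overhead, at the cost of coverage.
SENSITIVITY = {
    "low": {"do_sys_open"},
    "high": set(WATCHPOINTS),
}

# Constructed trace format: "<kind> pid=<n> key=value ...", in time order.
EVENT_RE = re.compile(r"^(?P<kind>\w+)\s+pid=(?P<pid>\d+)\s+(?P<rest>.*)$")

# Constructed sample trace. pid 100 behaves normally; pid 200 is the
# Illusion-style case: it enters an unrelated syscall (ioctl is just a
# placeholder for whatever channel a rootkit chose) and the kernel performs
# an open and a write on its behalf with no open()/write() in the stream.
TRACE = [
    "syscall_enter pid=100 nr=openat",
    "watchpoint pid=100 fn=do_sys_open",
    "syscall_exit pid=100 ret=3",
    "syscall_enter pid=100 nr=write",
    "watchpoint pid=100 fn=vfs_write",
    "syscall_exit pid=100 ret=12",
    "syscall_enter pid=200 nr=ioctl",
    "watchpoint pid=200 fn=do_sys_open",
    "watchpoint pid=200 fn=vfs_write",
    "syscall_exit pid=200 ret=0",
]


@dataclass
class Alert:
    pid: int
    kernel_fn: str
    via_syscall: Optional[str]  # None if the thread was not inside any syscall


def parse_event(line: str):
    """Split one trace line into (kind, pid, attribute dict)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable trace line: {line!r}")
    attrs = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return m.group("kind"), int(m.group("pid")), attrs


def syscall_only_view(trace: List[str]) -> Dict[int, List[str]]:
    """What a conventional syscall monitor sees: just the syscall names per pid."""
    seen: Dict[int, List[str]] = {}
    for line in trace:
        kind, pid, attrs = parse_event(line)
        if kind == "syscall_enter":
            seen.setdefault(pid, []).append(attrs["nr"])
    return seen


def detect_hidden_ops(trace: List[str], sensitivity: str = "high") -> List[Alert]:
    """Flag every active watchpoint hit whose thread is not inside a syscall
    that is expected to reach that kernel function."""
    active = SENSITIVITY[sensitivity]
    in_syscall: Dict[int, str] = {}  # pid -> syscall currently executing
    alerts: List[Alert] = []
    for line in trace:
        kind, pid, attrs = parse_event(line)
        if kind == "syscall_enter":
            in_syscall[pid] = attrs["nr"]
        elif kind == "syscall_exit":
            in_syscall.pop(pid, None)
        elif kind == "watchpoint" and attrs["fn"] in active:
            fn = attrs["fn"]
            current = in_syscall.get(pid)
            if current not in WATCHPOINTS[fn]:
                alerts.append(Alert(pid, fn, current))
    return alerts


if __name__ == "__main__":
    print("syscall-only view:", syscall_only_view(TRACE))
    for level in ("low", "high"):
        print(f"sensitivity={level}:", detect_hidden_ops(TRACE, level))
```

The simulation keeps one in-flight syscall per pid and assumes a totally ordered trace, which is enough for the point being made but not for a real kernel: interrupts, kernel threads and the kernel's own internal callers also reach functions like `vfs_write`, so a deployed monitor has to whitelist those paths (or key on the user task context) or it will generate false positives, and a rootkit that picks a syscall already in the allowed set for its channel would need the watchpoint placed deeper than the entry point shown here.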
Keywords
Illusion interface hides system, Xen-based monitoring system, actual system, commodity kernel, desktop system, hidden kernel operation, kernel execution watchpoints, kernel memory, privileged kernel operation, standard system call interface, hidden operation, system interface obfuscation