Chapter 3
Identifying Systemic
Threats to Kernel Data:
Attacks and Defense Techniques
Arati Baliga
Rutgers University, USA
Pandurang Kamat
Rutgers University, USA
Vinod Ganapathy
Rutgers University, USA
Liviu Iftode
Rutgers University, USA
Abstract
The authors demonstrate a new class of attacks on the operating system kernel and present a novel automated technique to detect them. The attacks do not explicitly exhibit hiding behavior but are stealthy by design: they do not rely on user-space programs to provide malicious functionality, but achieve the same effect by simply manipulating kernel data. These attacks are symptomatic of a larger systemic problem within the kernel and therefore require comprehensive analysis. The authors' rootkit detection technique, based on automatic inference of data structure invariants, can automatically detect such advanced stealth attacks on the kernel.
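To make "automatic inference of data structure invariants" concrete, the following is an added example written for this page; it is not the chapter authors' detection tool and does not reproduce their code. It infers three Daikon-style invariant templates (constant value, numeric range, and "every member of container A is also in container B") from a few snapshots of a clean kernel, then checks later snapshots against them. The object names (`sys_call_table`, `pages_min`, `nr_free_pages`, `all_tasks`, `pid_hash`, `run_queue`), the addresses and all snapshot values are constructed for illustration; they are not real memory captures.

```python
"""Daikon-style invariant inference over kernel data-structure snapshots.

Illustration only: the object names, addresses and values below are
constructed by hand, not captured from a real kernel.  Function-pointer
tables are tuples of addresses, tunables are ints, and linked lists or
hash tables are frozensets of the PIDs they contain.
"""

GOOD_TABLE = (0xC0104000, 0xC0104100, 0xC0104200)  # hypothetical addresses


def snap(table, pages_min, nr_free, tasks, hashed, runq):
    """Build one snapshot dict from its six observed kernel objects."""
    return {"sys_call_table": table, "pages_min": pages_min,
            "nr_free_pages": nr_free, "all_tasks": frozenset(tasks),
            "pid_hash": frozenset(hashed), "run_queue": frozenset(runq)}


# Training snapshots of an uninfected kernel (constructed).
TRAINING = [
    snap(GOOD_TABLE, 128, 4096, {1, 2, 17, 42}, {1, 2, 17, 42}, {2, 42}),
    snap(GOOD_TABLE, 128, 3900, {1, 2, 17, 42, 58}, {1, 2, 17, 42, 58}, {17}),
    snap(GOOD_TABLE, 128, 4210, {1, 2, 42}, {1, 2, 42}, {1, 42}),
]


def infer_invariants(snapshots):
    """Return {invariant_key: parameter} for each template that holds on
    every training snapshot.  Three Daikon-like templates are tried:
      ("const", x)     -- x has the same value in every snapshot
      ("range", x)     -- integer x stays within the [min, max] seen
      ("subset", a, b) -- every member of container a is also in b
    """
    invariants = {}
    names = sorted(snapshots[0])
    for name in names:
        values = [s[name] for s in snapshots]
        if all(v == values[0] for v in values):
            invariants[("const", name)] = values[0]
        elif isinstance(values[0], int):
            invariants[("range", name)] = (min(values), max(values))
    containers = [n for n in names if isinstance(snapshots[0][n], frozenset)]
    for a in containers:
        for b in containers:
            if a != b and all(s[a] <= s[b] for s in snapshots):
                invariants[("subset", a, b)] = None
    return invariants


def check_snapshot(invariants, snapshot):
    """Return the keys of every inferred invariant the snapshot violates."""
    violated = []
    for key, param in invariants.items():
        kind, *names = key
        if kind == "const":
            ok = snapshot[names[0]] == param
        elif kind == "range":
            low, high = param
            ok = low <= snapshot[names[0]] <= high
        else:  # "subset": frozenset <= frozenset is the subset test
            ok = snapshot[names[0]] <= snapshot[names[1]]
        if not ok:
            violated.append(key)
    return violated


INVARIANTS = infer_invariants(TRAINING)

# A later snapshot of the same clean kernel (constructed).
CLEAN = snap(GOOD_TABLE, 128, 4100, {1, 2, 17, 42}, {1, 2, 17, 42}, {17})

# Classic hiding rootkit (constructed): task 666 is unlinked from all_tasks so
# process listings miss it, but stays in pid_hash and the run queue so it runs.
HIDDEN_TASK = snap(GOOD_TABLE, 128, 4000, {1, 2, 42}, {1, 2, 42, 666}, {666})

# Data-only attack with no hiding (constructed): one syscall table entry is
# redirected and a memory-manager tunable inflated; all lists stay consistent.
DATA_ONLY = snap((0xC0104000, 0xD0800000, 0xC0104200), 1_000_000, 4000,
                 {1, 2, 42}, {1, 2, 42}, {42})

if __name__ == "__main__":
    for label, s in (("clean", CLEAN), ("hidden task", HIDDEN_TASK),
                     ("data-only", DATA_ONLY)):
        print(f"{label}: {check_snapshot(INVARIANTS, s)}")
```

The hiding rootkit trips the membership invariants (a PID present in `pid_hash` and the run queue but absent from `all_tasks`), while the data-only attack trips only the constant-value invariants, which is why this style of check catches manipulation that never hides anything. Two caveats apply to any deployment of this idea: invariants inferred from a handful of snapshots over-fit (here `nr_free_pages` of 5000 would be flagged purely because training never saw it, so real systems need many snapshots and a confidence threshold per invariant), and the snapshots must be acquired through a path the compromised kernel cannot influence, since a rootkit that can edit kernel data can equally edit what an in-kernel observer reports.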
Introduction
Integrity of the operating system kernel is critical to the security of all applications and data on the computer system. Tampering with the kernel is traditionally performed by malware commonly known as rootkits. The term “rootkit” was originally used to refer to a toolkit developed by the attacker to help conceal his presence on the compromised system. The rootkit was typically installed after the attacker obtained “root” level control, and it attempted to hide the malicious objects belonging to him, such as files, processes and network connections.

A rootkit-infested system can be exploited stealthily by remote attackers, for purposes such as exfiltration of sensitive information or involvement of the system in fraudulent or malicious activities without the user's knowledge or permission. The lack of appropriate