in memory, or by the presence of certain files on disk. This approach does not protect the system against newer, unknown rootkits, and rootkits can thwart such detectors by using the polymorphic and metamorphic code-obfuscation techniques that viruses have traditionally used to evade anti-virus programs.
To escape detection by disk-based integrity checkers, rootkits evolved to modify kernel code and certain well-known, normally immutable kernel data structures, such as the system call table, to achieve the same goals. These rootkits are known as kernel-level rootkits because they modify the kernel. Modifying the kernel makes a rootkit powerful enough to control every application-level view of the system. For example, intercepting the file-related system calls lets the rootkit mediate all file accesses by all applications on the system; it can filter those accesses to hide its malicious objects. Since the rootkit manipulates the kernel, which is the trusted computing base of the system, it can also manipulate any user-level application on the system, including the rootkit detection tools that run in user space. Researchers therefore proposed isolating the rootkit detector from the operating system, either by moving it onto a secure co-processor that does not rely on the operating system (Petroni, 2004), (Zhang, 2002), or by using a virtualization architecture in which the detector runs in a separate virtual machine (Garfinkel, 2003), (Payne, 2008). The rootkit detectors built to detect kernel-level rootkits use a checksum or secure-hash based method to detect corruption of the kernel code and of other well-known immutable kernel data structures, such as the system call table. The hashes are pre-computed over the memory locations of a clean system where the code and data structures are stored; they are then periodically recomputed and compared with the stored hashes to detect code or data structure corruption (Petroni, 2004), (Garfinkel, 2003).
To further thwart detection tools, rootkit authors adopted stealthier techniques. Since detection tools checked only the integrity of the kernel code and a few well-known data structures, such as the system call table, rootkits delved deeper into the kernel and altered data structures that were less well known. For example, instead of modifying the file-related entries in the system call table, rootkits modified the hooks in the virtual file system layer. For a while the arms race continued: each new rootkit found another data structure it could exploit, and the detector had to add the newly discovered structure to its verification list. Most of the data that these rootkits modified was immutable control data, i.e., function pointers used by the various layers of the kernel. An automated approach was later developed to check uniformly for manipulation of all control data in the kernel, by validating every function pointer against the set of valid kernel function addresses (Petroni, 2007).
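The two detector generations described above, as an added example that is not code from this chapter or from the cited papers: a constructed stand-in for a kernel (three ker_* functions as legitimate kernel text, a two-entry system call table, a VFS operations struct and an evil_hook standing in for injected code, all assumptions of the example) is checked first by a snapshot hash over the well-known region, which is what the first detectors did, and then by validating every control-data pointer against the set of known kernel function addresses. The example shows that a hook in the system call table trips both checks, while a hook moved into the VFS layer passes the hash check and is caught only by the pointer validation, which needs no baseline and can be extended to any newly discovered structure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel image (assumption of this example).
 * The ker_* functions play the role of legitimate kernel text; evil_hook
 * plays the role of code the rootkit has injected into kernel memory. */
typedef long (*sys_fn)(const char *);

static long ker_read(const char *p)    { return (long)strlen(p); }
static long ker_write(const char *p)   { return -(long)strlen(p); }
static long ker_readdir(const char *p) { return p[0] == '.' ? 0 : 1; }
static long evil_hook(const char *p)   { (void)p; return 0; } /* hides all */

/* Well-known, normally immutable control data: the system call table. */
static sys_fn sys_call_table[2] = { ker_read, ker_write };

/* Less well-known control data: a VFS-layer operations struct. */
struct file_ops { sys_fn readdir; };
static struct file_ops root_fops = { ker_readdir };

/* Set of valid kernel function addresses. Assumption: a real detector
 * builds this from the kernel's symbol table (e.g. System.map). */
static const sys_fn valid_fns[] = { ker_read, ker_write, ker_readdir };

/* --- first-generation detector: hash of the well-known region ---------- */
static uint64_t fnv1a(const void *p, size_t n)
{
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t baseline_hash;  /* computed once over a clean system */

void snapshot_baseline(void)
{
    baseline_hash = fnv1a(sys_call_table, sizeof sys_call_table);
}

/* Periodic re-check; true when the table still matches the snapshot. */
bool hash_check_ok(void)
{
    return fnv1a(sys_call_table, sizeof sys_call_table) == baseline_hash;
}

/* --- second-generation detector: validate every function pointer ------ */
static bool is_valid_fn(sys_fn f)
{
    for (size_t i = 0; i < sizeof valid_fns / sizeof valid_fns[0]; i++)
        if (valid_fns[i] == f) return true;
    return false;
}

/* Number of control-data pointers that do not target a known kernel
 * function. No baseline is needed, so newly discovered structures can be
 * added to the walk without re-snapshotting the clean system. */
int count_invalid_pointers(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof sys_call_table / sizeof sys_call_table[0]; i++)
        if (!is_valid_fn(sys_call_table[i])) bad++;
    if (!is_valid_fn(root_fops.readdir)) bad++;
    return bad;
}

/* --- the rootkit's two hooking strategies ------------------------------ */
void hook_syscall_table(void) { sys_call_table[0] = evil_hook; }
void hook_vfs(void)           { root_fops.readdir = evil_hook; }
void restore_kernel(void)
{
    sys_call_table[0] = ker_read;
    sys_call_table[1] = ker_write;
    root_fops.readdir = ker_readdir;
}

int main(void)
{
    snapshot_baseline();
    hook_syscall_table();
    printf("syscall hook: hash ok=%d invalid ptrs=%d\n",
           hash_check_ok(), count_invalid_pointers());   /* 0, 1 */
    restore_kernel();
    hook_vfs();
    printf("vfs hook:     hash ok=%d invalid ptrs=%d\n",
           hash_check_ok(), count_invalid_pointers());   /* 1, 1 */
    restore_kernel();
    return 0;
}
```

The pointer check is only as good as the table of valid addresses and the list of structures it walks: a hook that redirects a pointer to the start of a different but legitimate kernel function passes it, which is why the chapter goes on to attacks on non-control data.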
Since the integrity of mostly immutable control data can now be verified, rootkit authors have advanced another step and built innovative attacks that work solely by manipulating data structures that are mutable (Butler, 2005). This defeats the existing integrity checking mechanism of storing checksums and performing periodic comparisons, because these data structures are also legitimately modified by authentic kernel code. We demonstrated attacks that work by modifying relatively immutable non-control data (Baliga, 2007), (Baliga, 2009). These attacks change the values of variables to alter the behavior of kernel algorithms, and they escape detection because they manipulate non-control data within data structures that rootkit detectors do not typically monitor. A detection approach was built to detect such advanced attacks using manually written specifications, as long as the attack can be characterized by a constraint on the data structures it modifies (Petroni, 2006). This approach is effective only as long as a human security expert is capable of analyzing, anticipating and specifying the constraints on the data structures that might become the targets of future attacks.
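A mutable-data attack and the specification-based check that catches it, as an added example that is not code from this chapter or from the cited papers: the constructed stand-in below keeps a doubly-linked all-tasks list (what a process listing is ultimately served from) and a scheduler run queue, both of which change legitimately, so no stored hash applies. The attack unlinks a task from the all-tasks list while leaving it on the run queue, so it keeps running but disappears from listings. The detector is a manually written invariant in the spirit of the approach cited above: every task on the run queue must be reachable from the all-tasks list. The task layout, pids and list names are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_TASKS 8

/* Constructed stand-in for the kernel's process bookkeeping (assumption
 * of this example). Every task is linked into the all-tasks list and
 * every runnable task is also linked into the run queue. */
struct task {
    int pid;
    struct task *next_task;  /* all-tasks list */
    struct task *prev_task;
    struct task *next_run;   /* run queue */
};

static struct task tasks[MAX_TASKS];
static struct task *all_tasks;  /* head of the all-tasks list */
static struct task *run_queue;  /* head of the run queue */

/* Build n tasks with pids 100..100+n-1, all present on both lists. */
void kernel_init(int n)
{
    all_tasks = run_queue = NULL;
    for (int i = n - 1; i >= 0; i--) {
        struct task *t = &tasks[i];
        t->pid = 100 + i;
        t->prev_task = NULL;
        t->next_task = all_tasks;
        if (all_tasks) all_tasks->prev_task = t;
        all_tasks = t;
        t->next_run = run_queue;
        run_queue = t;
    }
}

/* Rootkit side: direct manipulation of a mutable kernel object. Unlink
 * the task from the all-tasks list so it vanishes from listings, but
 * leave it on the run queue so the scheduler keeps running it. */
bool dkom_hide(int pid)
{
    for (struct task *t = all_tasks; t; t = t->next_task) {
        if (t->pid != pid) continue;
        if (t->prev_task) t->prev_task->next_task = t->next_task;
        else              all_tasks = t->next_task;
        if (t->next_task) t->next_task->prev_task = t->prev_task;
        t->next_task = t->prev_task = NULL;
        return true;
    }
    return false;
}

/* What a user-space tool walking the all-tasks list would report. */
int visible_tasks(void)
{
    int n = 0;
    for (struct task *t = all_tasks; t; t = t->next_task) n++;
    return n;
}

/* Detector side: a manually written specification. Invariant: every task
 * on the run queue is reachable from the all-tasks list. Returns the
 * number of violations; the first offending pid is stored in *first_pid. */
int check_task_list_invariant(int *first_pid)
{
    int violations = 0;
    for (struct task *r = run_queue; r; r = r->next_run) {
        bool found = false;
        for (struct task *t = all_tasks; t; t = t->next_task)
            if (t == r) { found = true; break; }
        if (!found) {
            if (violations == 0 && first_pid) *first_pid = r->pid;
            violations++;
        }
    }
    return violations;
}

int main(void)
{
    int pid = -1;
    kernel_init(4);
    printf("clean:  visible=%d violations=%d\n",
           visible_tasks(), check_task_list_invariant(&pid));   /* 4, 0 */
    dkom_hide(102);
    printf("hidden: visible=%d violations=%d (pid %d)\n",
           visible_tasks(), check_task_list_invariant(&pid), pid); /* 3, 1, 102 */
    return 0;
}
```

The check must run from outside the monitored kernel (a co-processor or a separate virtual machine, as discussed earlier) and must walk both lists from their real heads; it catches only attacks that break an invariant someone thought to write down, which is exactly the limitation stated above.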