More recent trends have shown rootkits that operate below the operating system layer. Researchers have demonstrated rootkits that use virtual machine technology to subvert the system (King, 2006), (Rutkowska, 2006) and rootkits that work independently of the operating system without requesting its services or affecting its state (David, 2008). While these indicate a new trend in the development of rootkits, they are likely to be unpopular because they are highly platform specific and depend on specific hardware features for their deployment. The operating system is still an attractive target because kernel level rootkits work independently of the hardware and can therefore be easily ported across different platforms. The kernel also provides a large code base and numerous complex data structures, providing rootkit authors with several avenues for building stealthy, innovative attacks.
Our Contribution

The focus of this chapter is on attacks that alter code and data structures in the operating system kernel. Conventionally, rootkits provide all malicious functionality as user space programs. To conceal their presence, rootkits tamper with the kernel. This involves modifying kernel code or data structures in the system call paths that are capable of affecting the user's view of the system. Typically, rootkits intercept control by installing hooks within the system call control path, which provide them with the capability of filtering requests and responses. The most common data structure manipulated by rootkits for this purpose is the system call table. As detection techniques matured to monitor the well-known data structures targeted by rootkits, rootkits evolved to modify other, less known data structures for control interception. Others evolved to modify non-control data to achieve similar goals.

While the data structures that are tampered with have changed over the years, the intent of tampering is still the same, namely to hide the malicious files, processes and network connections. These rootkits can be easily detected by tools that use the hiding behavior as a symptom for detection. In fact, tools such as Strider Ghostbuster (Wang, 2005) detect the presence of rootkits merely from their attempt to hide.

In this chapter, we demonstrate a new class of attacks and also present a novel automated technique to detect them. The attacks do not explicitly exhibit hiding behavior but are stealthy by design. They do not rely on user space programs to provide malicious functionality but achieve the same by simply manipulating kernel data. These attacks are symbolic of a larger systemic problem within the kernel, thus requiring comprehensive analysis. Our novel rootkit detection technique is based on automatic inference of data structure invariants and can automatically detect such advanced stealth attacks on the kernel. We have built a prototype, Gibraltar, to evaluate our approach. Gibraltar has automatically detected all publicly known rootkits as well as other stealth attacks discussed by us and proposed in other research literature.
Attacks
In this section, we present four stealth attacks that we designed and one designed by another research group (Shellcode, 2006), all of which achieve their malicious objectives by solely changing kernel data. None of them explicitly exhibits hiding behavior, and therefore they cannot be detected by tools that use hiding behavior as a symptom for detection. These attacks span different subsystems in the kernel and are indicative of a more systemic threat posed by future rootkits.
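As an added illustration of the invariant-based detection outlined in Our Contribution (this is not Gibraltar's code; the snapshots, structure names and the two invariant templates are constructed for this example), the following Python infers invariants from clean snapshots of kernel data and flags a snapshot in which a netfilter hook entry has been silently dropped, a data-only change that exhibits no hiding behavior:

```python
from itertools import permutations

# Constructed, simplified snapshots of kernel data structures from a clean
# system (not real kernel memory): structure name -> entries observed.
TRAINING = [
    {"sys_call_table": ["sys_read", "sys_write", "sys_open"],
     "nf_hooks_in": ["ipt_hook", "conntrack_in"],
     "task_list": ["init", "sshd", "bash"], "run_queue": ["bash"]},
    {"sys_call_table": ["sys_read", "sys_write", "sys_open"],
     "nf_hooks_in": ["ipt_hook", "conntrack_in"],
     "task_list": ["init", "sshd", "bash", "vim"], "run_queue": ["vim", "sshd"]},
    {"sys_call_table": ["sys_read", "sys_write", "sys_open"],
     "nf_hooks_in": ["ipt_hook", "conntrack_in"],
     "task_list": ["init", "sshd"], "run_queue": []},
]

def infer_invariants(snapshots):
    """Keep each candidate invariant that held in every training snapshot.
    Templates: 'constant' (structure never changes, e.g. a pointer table)
    and 'subset' (every entry of A is also in B, e.g. runnable tasks are
    always on the task list)."""
    names = list(snapshots[0])
    invariants = []
    for n in names:
        if all(s[n] == snapshots[0][n] for s in snapshots):
            invariants.append(("constant", n, list(snapshots[0][n])))
    for a, b in permutations(names, 2):
        if all(set(s[a]) <= set(s[b]) for s in snapshots):
            invariants.append(("subset", a, b))
    return invariants

def check(snapshot, invariants):
    """Return the invariants a new snapshot violates (empty = consistent)."""
    violated = []
    for inv in invariants:
        if inv[0] == "constant" and list(snapshot[inv[1]]) != inv[2]:
            violated.append(inv)
        elif inv[0] == "subset" and not set(snapshot[inv[1]]) <= set(snapshot[inv[2]]):
            violated.append(inv)
    return violated

if __name__ == "__main__":
    invs = infer_invariants(TRAINING)
    # Constructed snapshot: one netfilter hook entry dropped, nothing hidden,
    # so a detector keyed on hiding behavior would see nothing unusual.
    tampered = dict(TRAINING[1], nf_hooks_in=["conntrack_in"])
    for inv in check(tampered, invs):
        print("violated:", inv)
```

Real invariant inference runs over many more templates and over live kernel memory; the point here is that a constant-pointer-table invariant catches the change even though no process, file or connection was hidden.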
Disable Firewall
This attack hooks into the netfilter framework of the Linux kernel and stealthily disables the firewall installed on the system. The user cannot