Table 4. Conventional rootkits for Linux, publicly available and found in the research literature (Petroni, 2006). The table shows the kernel data structures modified by each rootkit. Gibraltar successfully detects all of the rootkits.

Attack Name                                                   | Data Structures Affected
Rootkits from Packet Storm [5]:
  Adore-0.42, All-root, Kbd, Kis 0.9, Linspy2, Modhide,       | System call table
  Phide, Rial, Rkit 1.01, Shtroj2, Synapsys-0.4, THC Backdoor |
  Adore-ng                                                    | VFS hooks, udp_recvmsg
  Knark 2.4.3                                                 | System call table, /proc hooks
Rootkits from the research literature [19]:
  Hiding Process Attack                                       | all-tasks list
benchmarks measure bandwidth and latency for common operations performed by applications, such as copying to memory, reading cached files, context switching, networking, file system operations, process creation, signal handling and IPC operations. The benchmark suite therefore exercises several kernel subsystems and modifies several kernel data structures as it executes.
Detection Accuracy

We report the results of using the inferred invariants to detect conventional rootkits as well as modern stealth attacks proposed by us and in other research literature (Shellcode, 2006; Baliga, 2007; Petroni, 2007).

Detecting conventional rootkits. We used fourteen publicly available rootkits (Packetstorm, n.d.) that modify kernel data structures to test the effectiveness of Gibraltar. Most of these rootkits hide user-level objects by modifying function pointers in the kernel. We also included one rootkit proposed in the research literature (Petroni, 2006); this rootkit hides malicious processes by altering non-control data. It relies on the fact that process accounting utilities, such as ps, and the kernel's task scheduler consult different process lists. The process descriptors of all tasks running on a system belong to a linked list called the all-tasks list (represented in the kernel by the data structure init_tasks->next_task). This list contains process descriptors, headed by the first process created on the system, and is the list that process accounting utilities walk. In contrast, the scheduler uses a second linked list, called the run-list (represented in the kernel by run_queue_head->next), to select processes for execution. The rootkit removes the process descriptor of a malicious user-space process from the all-tasks list but not from the run-list. The process is therefore invisible to process accounting utilities, yet it is still scheduled for execution. The same technique is used by the Windows rootkit fu (Butler, 2005).

Table 4 summarizes the conventional rootkits that we used in our experiments. Gibraltar successfully detects all of them, and each of them violated a persistent invariant. All rootkits except the process hiding attack violated an object invariant conforming to the template var == constant, where var is a function pointer within the data structures modified by the rootkit and constant is the value that pointer holds in the uninfected kernel; overwriting the pointer to install a hook breaks the invariant. The process hiding attack instead violates the subset invariant run-list ⊆ all-tasks, which states that each element of the run-list is also an element of the all-tasks list. By removing an entry from the all-tasks list while leaving it on the run-list, the attack violates this invariant and is therefore detected by Gibraltar.
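The two kinds of invariant violation described above (a hooked function pointer breaking var == constant, and the process hiding attack breaking run-list ⊆ all-tasks) can be reproduced in a small user-space model. The following C program is an added example, not code from the chapter or from Gibraltar: struct task, sys_call_table, hide_process, count_hooked_entries and count_hidden_runnable are simplified stand-ins for the Linux 2.4 structures and for Gibraltar's checks, and the four-task system it builds is constructed for illustration.

```c
/* Added example: user-space model of two kernel invariants. All names are
 * simplified stand-ins for the Linux 2.4 structures, not the real kernel. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A process descriptor threaded onto two independent linked lists:
 * next_task links the all-tasks list, next_run links the run-list. */
struct task {
    int pid;
    struct task *next_task;   /* all-tasks list (walked by ps / accounting) */
    struct task *next_run;    /* run-list (walked by the scheduler) */
};

#define NR_SYSCALLS 4
typedef long (*syscall_fn)(long);

/* Stand-in system call handlers and a stand-in system call table. */
static long sys_read(long a)     { return a; }
static long sys_write(long a)    { return a + 1; }
static long sys_getdents(long a) { return a + 2; }
static long sys_kill(long a)     { return a + 3; }

static const syscall_fn clean_table[NR_SYSCALLS] =
    { sys_read, sys_write, sys_getdents, sys_kill };
static syscall_fn sys_call_table[NR_SYSCALLS];

/* The inferred invariant "var == constant": a snapshot of each function
 * pointer taken from the clean kernel (here: copied once at start-up). */
static syscall_fn baseline_table[NR_SYSCALLS];

static void snapshot_baseline(void)
{
    memcpy(baseline_table, sys_call_table, sizeof(sys_call_table));
}

/* Check var == constant for every table slot; return how many slots
 * no longer hold the value recorded in the baseline. */
int count_hooked_entries(void)
{
    int hooked = 0;
    for (size_t i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != baseline_table[i])
            hooked++;
    return hooked;
}

/* Check the subset invariant (run-list is a subset of all-tasks): every
 * descriptor reachable on the run-list must also be reachable on the
 * all-tasks list. Return the number of runnable descriptors that are not. */
int count_hidden_runnable(const struct task *all_head, const struct task *run_head)
{
    int hidden = 0;
    for (const struct task *r = run_head; r != NULL; r = r->next_run) {
        int found = 0;
        for (const struct task *t = all_head; t != NULL; t = t->next_task)
            if (t == r) { found = 1; break; }
        if (!found)
            hidden++;
    }
    return hidden;
}

/* Simulated hiding attack: unlink one descriptor from the all-tasks list
 * while leaving it on the run-list (the technique the text attributes to fu). */
static void hide_process(struct task **all_head, struct task *victim)
{
    for (struct task **pp = all_head; *pp != NULL; pp = &(*pp)->next_task)
        if (*pp == victim) { *pp = victim->next_task; return; }
}

/* Simulated conventional rootkit: replace the getdents handler so that
 * directory listings could be filtered. */
static long hooked_getdents(long a) { return sys_getdents(a); }

/* Build a four-task system, apply both attacks, and run both checks.
 * Returns the number of hidden runnable tasks; *hooked_out receives the
 * number of modified syscall table entries. */
int run_scenario(int *hooked_out)
{
    static struct task t[4];
    for (int i = 0; i < 4; i++) {
        t[i].pid = i;
        t[i].next_task = (i < 3) ? &t[i + 1] : NULL;
        t[i].next_run = NULL;
    }
    t[1].next_run = &t[3];              /* only pid 1 and pid 3 are runnable */
    struct task *all_tasks = &t[0];
    struct task *run_list = &t[1];

    memcpy(sys_call_table, clean_table, sizeof(sys_call_table));
    snapshot_baseline();                /* invariants inferred on a clean system */

    sys_call_table[2] = hooked_getdents; /* attack 1: function-pointer hook */
    hide_process(&all_tasks, &t[3]);     /* attack 2: process hiding (DKOM) */

    if (hooked_out)
        *hooked_out = count_hooked_entries();
    return count_hidden_runnable(all_tasks, run_list);
}

int main(void)
{
    int hooked = 0;
    int hidden = run_scenario(&hooked);
    printf("syscall table entries violating var == constant: %d\n", hooked);
    printf("runnable tasks missing from all-tasks: %d\n", hidden);
    return 0;
}
```

The subset check is what makes the non-control-data attack visible: the hidden task is never referenced by a changed function pointer, so the var == constant check alone reports only the syscall hook, while the walk over both lists reports the unlinked descriptor.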