Table 5. Modern stealth attacks on kernel data (Shellcode, 2006), (Baliga, 2007). This table shows the data structure modified by the attack, the type of invariant violated and the template that the invariant conforms to.

| Attack Name                | Data Structures Affected | Invariant Type | Template              |
|----------------------------|--------------------------|----------------|-----------------------|
| Disable Firewall           | struct nf_hooks[]        | Object         | Membership (constant) |
| Resource Wastage           | struct zone_struct       | Object         | Membership (constant) |
| Entropy Pool Contamination | struct poolinfo          | Collection     | Membership            |
| Disable PRNG               | struct random_state_ops  | Object         | Membership (constant) |
| Adding Binary Format       | formats list             | Collection     | Length                |
Detecting modern stealth attacks. We used five stealth attacks developed by us and those discussed in prior work (Shellcode, 2006), (Baliga, 2007) to test Gibraltar. Table 5 summarizes these attacks, and shows the data structures modified by the attack, the invariant type (collection/object) violated, and the template that classifies the invariant. Each of the invariants that was violated was a persistent invariant, which survives a reboot of the target machine. We discuss the invariants violated by each attack in detail below. The details of the first four attacks mentioned below are described earlier in this chapter (Section 2).
Disable Firewall Attack

Gibraltar inferred the invariant shown in Figure 11 on the netfilter framework for the disable firewall attack. This attack overwrites the hook with the attack function, thereby violating the invariant, which states that the function pointer nf_hooks[2][1].next.hook is a constant. Because this attack modifies kernel function pointers, it can also be detected by SBCFI (Petroni, 2007), which automatically extracts and enforces kernel control flow integrity. In fact, function pointer invariants inferred by Gibraltar implicitly determine a control flow integrity policy that is equivalent to SBCFI.

Resource Wastage Attack

Gibraltar identifies the invariants shown in Figure 12 for the three watermarks manipulated by the resource wastage attack. These values are initialized upon system startup, and typically do not change in an uncompromised kernel. The attack sets the pages_min, pages_low and pages_high watermarks to 210,000, 215,000 and 220,000 respectively. The values of these watermarks are close to 225,280, which is the total number of pages available on our system. Gibraltar detects this attack because the invariants shown in Figure 12 are violated.

Entropy Pool Contamination Attack

Figure 13 shows the invariants that Gibraltar identifies for the coefficients of the polynomial that is used to stir entropy pools in an uncompromised kernel (the poolinfo data structure shown
Figure 11. An invariant inferred on the netfilter hook. Firewalls are disabled by modifying the function pointer, thereby violating the invariant.
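The invariant templates from Table 5 (object "membership (constant)", collection "length" and collection "membership") and the violations described above, as an added Python model that is not Gibraltar's own code: it infers invariants from constructed snapshots of an uncompromised kernel and reports which are violated by a constructed post-attack snapshot. Field names, training values and the hook symbol names are assumptions; only the attack watermark values come from the text.

```python
# Minimal model of Gibraltar-style invariant inference over kernel-data snapshots.
# Snapshot contents are constructed for illustration; field names and values are assumed.

TRAINING = [  # constructed snapshots taken from an uncompromised kernel (assumed values)
    {"zone.pages_min": 1000, "zone.pages_low": 1250, "zone.pages_high": 1500,
     "nf_hooks[2][1].next.hook": "ipt_hook", "formats": ["elf", "script", "misc"]},
    {"zone.pages_min": 1000, "zone.pages_low": 1250, "zone.pages_high": 1500,
     "nf_hooks[2][1].next.hook": "ipt_hook", "formats": ["elf", "script", "misc"]},
]

def infer_invariants(snapshots):
    """Map (field, template) -> expected value, learned from uncompromised snapshots.

    Scalar object fields get a 'constant' invariant when the value never changes.
    Collections (lists) get a 'length' invariant and a set-based 'membership' invariant."""
    inv = {}
    for key in snapshots[0]:
        values = [s[key] for s in snapshots]
        if isinstance(values[0], list):
            lengths = {len(v) for v in values}
            members = {frozenset(v) for v in values}
            if len(lengths) == 1:
                inv[(key, "length")] = lengths.pop()
            if len(members) == 1:
                inv[(key, "membership")] = members.pop()
        elif len(set(values)) == 1:
            inv[(key, "constant")] = values[0]
    return inv

def check(snapshot, invariants):
    """Return the (field, template) invariants that the snapshot violates."""
    violations = []
    for (key, template), expected in invariants.items():
        actual = snapshot[key]
        if template == "length":
            ok = len(actual) == expected
        elif template == "membership":
            ok = frozenset(actual) == expected
        else:
            ok = actual == expected
        if not ok:
            violations.append((key, template))
    return violations

INVARIANTS = infer_invariants(TRAINING)

# Constructed post-attack snapshot: watermarks raised to the values from the text (resource
# wastage), the netfilter hook pointer replaced (disable firewall), and one entry appended
# to the formats list (adding binary format).
ATTACKED = {"zone.pages_min": 210000, "zone.pages_low": 215000, "zone.pages_high": 220000,
            "nf_hooks[2][1].next.hook": "attacker_hook",
            "formats": ["elf", "script", "misc", "extra_fmt"]}
```

Running `check(ATTACKED, INVARIANTS)` flags all three watermarks, the hook pointer, and both the length and membership invariants of the formats list, while a clean snapshot yields no violations.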