in parallel with the execution of the workload to
produce more snapshots. As more snapshots are
produced, Daikon can incrementally refine the
set of invariants. We leave this enhancement for
future work.
Detection time. We measure detection time as the interval between installation of the rootkit and Gibraltar's detection of a violated invariant. Because Gibraltar traverses the data structures in a snapshot and checks invariants over each data structure as it is reached, detection time depends on the number of objects in the snapshot and on how early in the traversal the modified object is encountered. Gibraltar's detection time varied from a minimum of 15 seconds (with 41,254 objects in the snapshot) to a maximum of 132 seconds (with 150,000 objects in the snapshot); on average, we observed a detection time of approximately 20 seconds.
Monitoring overhead. The Myrinet PCI card fetches raw physical memory pages from the target using DMA; because DMA increases contention on the memory bus, it can degrade the target's performance. We measured this overhead using the Stream benchmark (McCalpin, 1995), a synthetic benchmark that measures sustainable memory bandwidth. The measurement covers four vector operations, namely copy, scale, add and triad, and is averaged over 100 executions. The vectors are sized to exceed the last-level cache in the system, forcing data to be fetched from main memory. Gibraltar imposes a negligible overhead of 0.49% on the operation of the target system.
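To make the measurement concrete, the following is an added illustration of what the overhead experiment runs on the target; it is a minimal reimplementation of the four Stream kernels (copy, scale, add, triad) with the best-of-N timing and the result validation that the Stream benchmark itself performs. It is not the Stream source and not Gibraltar's harness; the vector length of 8M doubles in main() is an assumption chosen to exceed typical last-level caches, and the scalar 3.0 is Stream's usual choice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Wall-clock seconds via C11 timespec_get (no feature macros needed). */
static double now_sec(void)
{
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (double)ts.tv_sec + 1e-9 * (double)ts.tv_nsec;
}

/* The four Stream kernels. Each returns the number of bytes it read and
 * wrote, which is what Stream divides by elapsed time to report bandwidth. */
static size_t k_copy(double *c, const double *a, size_t n)
{
    for (size_t i = 0; i < n; i++) c[i] = a[i];
    return 2 * n * sizeof(double);
}
static size_t k_scale(double *b, const double *c, double s, size_t n)
{
    for (size_t i = 0; i < n; i++) b[i] = s * c[i];
    return 2 * n * sizeof(double);
}
static size_t k_add(double *c, const double *a, const double *b, size_t n)
{
    for (size_t i = 0; i < n; i++) c[i] = a[i] + b[i];
    return 3 * n * sizeof(double);
}
static size_t k_triad(double *a, const double *b, const double *c, double s, size_t n)
{
    for (size_t i = 0; i < n; i++) a[i] = b[i] + s * c[i];
    return 3 * n * sizeof(double);
}

static int close_enough(double x, double y)
{
    double d = x - y, m = y < 0 ? -y : y;
    if (d < 0) d = -d;
    return d <= 1e-6 * (m > 1.0 ? m : 1.0);
}

/* Run each kernel `reps` times over n-element vectors, keep the best time per
 * kernel as Stream does, and report MB/s in mbps[0..3] (copy, scale, add,
 * triad). Returns 0 when the final vectors match the expected recurrence
 * (Stream's own validation step), -1 on allocation failure or a mismatch. */
int run_stream(size_t n, int reps, double mbps[4])
{
    const double scalar = 3.0;
    double *a = malloc(n * sizeof *a), *b = malloc(n * sizeof *b), *c = malloc(n * sizeof *c);
    if (!a || !b || !c) { free(a); free(b); free(c); return -1; }
    for (size_t i = 0; i < n; i++) { a[i] = 1.0; b[i] = 2.0; c[i] = 0.0; }

    double best[4] = { 1e30, 1e30, 1e30, 1e30 };
    size_t bytes[4] = { 0, 0, 0, 0 };
    double ea = 1.0, eb = 2.0, ec = 0.0;   /* scalar shadow of the same recurrence */
    for (int r = 0; r < reps; r++) {
        double t0 = now_sec();
        bytes[0] = k_copy(c, a, n);           double t1 = now_sec();
        bytes[1] = k_scale(b, c, scalar, n);  double t2 = now_sec();
        bytes[2] = k_add(c, a, b, n);         double t3 = now_sec();
        bytes[3] = k_triad(a, b, c, scalar, n); double t4 = now_sec();
        double dt[4] = { t1 - t0, t2 - t1, t3 - t2, t4 - t3 };
        for (int k = 0; k < 4; k++) if (dt[k] < best[k]) best[k] = dt[k];
        ec = ea; eb = scalar * ec; ec = ea + eb; ea = eb + scalar * ec;
    }

    int ok = 1;
    for (size_t i = 0; i < n; i++)
        if (!close_enough(a[i], ea) || !close_enough(b[i], eb) || !close_enough(c[i], ec)) ok = 0;
    for (int k = 0; k < 4; k++)
        mbps[k] = (double)bytes[k] / (best[k] > 0 ? best[k] : 1e-9) / 1e6;
    free(a); free(b); free(c);
    return ok ? 0 : -1;
}

int main(void)
{
    double mbps[4];
    /* 8M doubles per vector (64 MB each, 192 MB total): assumed to exceed the LLC. */
    if (run_stream(8u << 20, 10, mbps) != 0) return 1;
    const char *name[4] = { "copy", "scale", "add", "triad" };
    for (int k = 0; k < 4; k++) printf("%-6s %10.1f MB/s\n", name[k], mbps[k]);
    return 0;
}
```

Run it once without the monitor attached and once with the DMA-based snapshotting active; the relative drop in the reported MB/s figures is the monitoring overhead the paragraph quotes. If the vectors fit in cache the numbers measure the cache rather than the memory bus, which is why the length must exceed the last-level cache.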
CONCLUSION
Conventionally, rootkits tamper with the kernel to achieve stealth, while most of the malicious functionality is provided by accompanying user space programs. Stealth is therefore achieved by hiding the attacker's objects that are present in user space, such as files, processes and network connections. Because user space programs access or modify user space objects through system calls, such a rootkit confines itself to manipulating code or data structures that are reachable from the system call paths.
We demonstrated a new class of stealth attacks that do not employ the traditional hiding behavior used by rootkits but are stealthy by design. They manipulate data within several different subsystems of the kernel to achieve their malicious objectives. They are based upon the observation that kernel rootkits need not be limited to manipulating data structures that lie on the system call paths: other subsystems within the kernel are also vulnerable to such attacks. To demonstrate this threat, we built several attack prototypes, which show that such attacks are realistic and indicative of a more systemic problem in the kernel.
Previously proposed rootkit detection techniques largely detect attacks that modify kernel control data; techniques that detect non-control data attacks, especially on dynamically-allocated data structures, require specifications of data structure integrity to be supplied manually. In this chapter, we presented a novel rootkit detection technique that detects rootkits uniformly across control and non-control data. The approach is based on the hypothesis that kernel data structures exhibit a number of invariants at runtime during the kernel's correct operation, and that a rootkit which modifies the behavior of kernel algorithms violates some of these invariants. We presented Gibraltar, a prototype tool that automatically infers and enforces specifications of kernel data structure integrity. Gibraltar infers invariants uniformly across control and non-control kernel data, and enforces these invariants as specifications of data structure integrity. Our experiments showed that Gibraltar successfully detects rootkits that modify both control and non-control data structures, and does so with a low false positive rate and negligible performance overhead.
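The infer-then-enforce cycle summarized above, as an added example that is not Gibraltar's code: snapshots are a constructed stand-in type holding one control-data structure (a system call table, with integers standing in for function pointers) and a set of task objects whose two membership flags are non-control data. The two candidate invariants, "each system call table entry is constant" and "a task is on the task list exactly when it is in the pid hash table", are assumptions chosen for illustration, not the invariants the chapter reports. Inference starts with every candidate true and drops any that a benign training snapshot contradicts (the Daikon approach); enforcement traverses a snapshot in a fixed order and stops at the first violated invariant, and the count of objects visited before it stops is what makes detection time depend on traversal order, as the evaluation notes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NSYS 4      /* entries in the simulated system call table */
#define MAXTASK 8   /* tasks per simulated snapshot */

/* Constructed stand-in for a memory snapshot (not Gibraltar's format). */
typedef struct {
    unsigned long syscall[NSYS];                 /* control data */
    int ntask;
    struct { int pid; bool on_task_list; bool in_pid_hash; } task[MAXTASK]; /* non-control data */
} snapshot_t;

/* The inferred specification: which candidate invariants survived training. */
typedef struct {
    bool syscall_const[NSYS];        /* "syscall[k] never changes" */
    unsigned long syscall_val[NSYS];
    bool list_matches_hash;          /* "on_task_list == in_pid_hash for every task" */
} spec_t;

/* Daikon-style inference: every candidate starts out true and is dropped the
 * first time a benign snapshot contradicts it. */
void infer(spec_t *s, const snapshot_t *train, int n)
{
    memset(s, 0, sizeof *s);
    if (n == 0) return;
    for (int k = 0; k < NSYS; k++) {
        s->syscall_const[k] = true;
        s->syscall_val[k] = train[0].syscall[k];
    }
    s->list_matches_hash = true;
    for (int i = 0; i < n; i++) {
        for (int k = 0; k < NSYS; k++)
            if (train[i].syscall[k] != s->syscall_val[k]) s->syscall_const[k] = false;
        for (int t = 0; t < train[i].ntask; t++)
            if (train[i].task[t].on_task_list != train[i].task[t].in_pid_hash)
                s->list_matches_hash = false;
    }
}

/* Enforcement: traverse the snapshot in a fixed order (table first, then
 * tasks) and stop at the first violated invariant. *visited is the number of
 * objects examined, including the offending one. Returns 1 on violation
 * (description in why), 0 if the snapshot satisfies the specification. */
int check(const spec_t *s, const snapshot_t *snap, int *visited, char *why, size_t len)
{
    int seen = 0;
    for (int k = 0; k < NSYS; k++) {
        seen++;
        if (s->syscall_const[k] && snap->syscall[k] != s->syscall_val[k]) {
            snprintf(why, len, "control data: syscall[%d] changed from %lx to %lx",
                     k, s->syscall_val[k], snap->syscall[k]);
            *visited = seen;
            return 1;
        }
    }
    for (int t = 0; t < snap->ntask; t++) {
        seen++;
        if (s->list_matches_hash && snap->task[t].on_task_list != snap->task[t].in_pid_hash) {
            snprintf(why, len, "non-control data: pid %d on_task_list=%d in_pid_hash=%d",
                     snap->task[t].pid, (int)snap->task[t].on_task_list, (int)snap->task[t].in_pid_hash);
            *visited = seen;
            return 1;
        }
    }
    *visited = seen;
    why[0] = '\0';
    return 0;
}

/* A benign snapshot with npids tasks, each consistently on the list and in the hash. */
snapshot_t benign_snapshot(int npids)
{
    snapshot_t s;
    memset(&s, 0, sizeof s);
    const unsigned long table[NSYS] = { 0x1000, 0x1100, 0x1200, 0x1300 }; /* constructed values */
    memcpy(s.syscall, table, sizeof table);
    for (int t = 0; t < npids && t < MAXTASK; t++) {
        s.task[t].pid = 100 + t;
        s.task[t].on_task_list = true;
        s.task[t].in_pid_hash = true;
        s.ntask++;
    }
    return s;
}

int main(void)
{
    snapshot_t train[3] = { benign_snapshot(2), benign_snapshot(5), benign_snapshot(3) };
    spec_t spec; char why[128]; int visited;
    infer(&spec, train, 3);

    snapshot_t hooked = benign_snapshot(4);   /* control-data tampering: table entry redirected */
    hooked.syscall[2] = 0xdead;
    printf("hooked: %d (%s, after %d objects)\n", check(&spec, &hooked, &visited, why, sizeof why), why, visited);

    snapshot_t hidden = benign_snapshot(4);   /* non-control-data tampering: unlinked from task list only */
    hidden.task[3].on_task_list = false;
    printf("hidden: %d (%s, after %d objects)\n", check(&spec, &hidden, &visited, why, sizeof why), why, visited);
    return 0;
}
```

The same check() catches both cases because the specification is stated over data values, not over which code path reads them; the second case is exactly the kind of dynamically-allocated, non-control-data modification that manual specifications tend to miss. A real deployment has to watch the false-positive side as well: an invariant that the training workload happens to satisfy but the kernel does not guarantee will fire on benign runs, which is why training snapshots should cover the workloads the target will actually see.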