Future Work

Research over the past few years has made significant strides in the development of stealth attacks and of tools and techniques for monitoring the integrity of the kernel. Numerous novel research challenges have also emerged that show promise towards building more robust and comprehensive kernel integrity monitors. Below, we discuss some interesting directions for future work in this area.

Mining Complex Invariants

Complex invariants that express conjunction or disjunction between simple invariants might express interesting properties. It is also possible to mine more complex invariants that express relationships between different data structure fields or between different data structures altogether. Invariants might also be mined using more complex invariant templates. Verifying a large number of invariants has performance implications for the monitor. Therefore, a careful study of the kinds of invariants that are more likely to be violated by attacks will provide some insight into which invariants are more interesting than others.

Data Structure Repair

Detection of rootkits that tamper with kernel data structures has received a lot of attention over the past five years. Detection techniques are able to identify the data structures that are modified by the attack. While some work has been done on containment of ongoing attacks (Baliga, 2008), the commonly employed response to such attacks is to format the disk and install a new operating system image. Besides being tedious and time consuming, the current response procedure does not scale with the current attack growth rate.

Kernel integrity monitors such as Gibraltar, discussed in this chapter, monitor invariants exhibited by kernel data. These are used as integrity specifications and are checked at runtime. The monitor can therefore identify the data structure and the invariant that is violated when an alert is raised by the system. In such cases, repair of the data structure consists of restoring the violated invariant. For example, if a data structure exhibits the constancy invariant, a violation occurs when the rootkit replaces this value with a different one; the repair action consists of restoring the old value. While restoring other, more complex invariants might require sophisticated methods, we believe that data structure repair is a promising research direction.

To secure the monitor, current approaches isolate it from the system that it monitors. As a result, the monitor is limited to external asynchronous memory-based scans. It is unable to acquire locks from the operating system that is concurrently executing and modifying the data structures that are monitored. Repairing data structures requires the monitor to be able to make modifications to kernel data structures without affecting the correctness of kernel code. This also requires the invention of better mechanisms for realizing inline data structure repairs.
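The constancy invariant and its repair action described in this section, checked in conjunction with a hand-written relationship invariant of the kind the mining discussion mentions, as an added Python example that is not part of the chapter or of Gibraltar; the field names, snapshot values and the relationship predicate are constructed assumptions.

```python
# Added illustration, not Gibraltar's code. Field names and values below are
# constructed; they stand in for kernel data read from memory snapshots.

TRAINING = [  # constructed training snapshots from an uncompromised kernel
    {"sys_call_table[0]": 0xC0101000, "sys_call_table[1]": 0xC0101040,
     "nr_tasks": 42, "nr_running": 3},
    {"sys_call_table[0]": 0xC0101000, "sys_call_table[1]": 0xC0101040,
     "nr_tasks": 45, "nr_running": 7},
    {"sys_call_table[0]": 0xC0101000, "sys_call_table[1]": 0xC0101040,
     "nr_tasks": 40, "nr_running": 1},
]

# Hypothetical relationship invariant between two fields (hand-written, not
# mined); it is checked in conjunction with the mined constancy invariants.
RELATIONS = {"nr_running <= nr_tasks": lambda s: s["nr_running"] <= s["nr_tasks"]}

def mine_constancy(snapshots):
    """Constancy template: keep each field whose value never changed."""
    first = snapshots[0]
    return {f: v for f, v in first.items()
            if all(s.get(f) == v for s in snapshots[1:])}

def check(snapshot, constancy, relations=RELATIONS):
    """Return the names of all invariants the runtime snapshot violates."""
    violated = [f for f, v in constancy.items() if snapshot.get(f) != v]
    violated += [name for name, pred in relations.items() if not pred(snapshot)]
    return violated

def repair(snapshot, constancy, violated):
    """Repair action for a constancy violation: restore the mined value.
    Violated relationship invariants are returned unrepaired, since the
    text leaves the repair of complex invariants to future methods."""
    repaired, unrepaired = dict(snapshot), []
    for name in violated:
        if name in constancy:
            repaired[name] = constancy[name]
        else:
            unrepaired.append(name)
    return repaired, unrepaired

def demo():
    """Mine invariants, then check and repair a constructed live snapshot in
    which one system call table entry no longer holds its constant value."""
    constancy = mine_constancy(TRAINING)
    live = {"sys_call_table[0]": 0xC0101000, "sys_call_table[1]": 0xDEAD0000,
            "nr_tasks": 44, "nr_running": 2}
    violated = check(live, constancy)
    repaired, unrepaired = repair(live, constancy, violated)
    return constancy, violated, repaired, unrepaired
```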
References

Anti rootkit software, news, articles and forums. (n.d.). Retrieved from http://antirootkit.com/

Arnold, J. B. (2008). Ksplice: An automatic system for rebootless Linux kernel security updates. Retrieved from http://web.mit.edu/ksplice/doc/ksplice.pdf

Baliga, A. (2009). Automated detection and containment of stealth attacks on the operating system kernel. Ph.D. thesis, Department of Computer Science, Rutgers University.