CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

ZHOU Hu-sheng,WEN Wei-ping,YIN Liang,FU Jun

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.014

2011-01-01

Abstract:GS Stack Protection,SafeSEH,Heap Protection,DEP,ASLR are five key technologies for the memory protection mechanism of Windows 7,these technologies significantly contribute to mitigate buffer overflow attacks.Based on the analysis of these technologies,we also tested the possibility of bypassing the protection mechanisms in Windows 7.Evaluating the effect of resisting buffer overflow of Windows 7,we pointed out that Windows 7 couldn't resist the buffer overflow attacks absolutely.Finally several measures were introduced to improve system security more comprehensively.

Mengchen Cao,Xiantong Hou,Tao Wang,Hunter Qu,Yajin Zhou,Xiaolong Bai,Fuwei Wang

DOI: https://doi.org/10.1145/3319535.3345654

2019-01-01

Abstract:The use of uninitialized variables is a common issue. It could cause kernel information leak, which defeats the widely deployed security defense, i.e., kernel address space layout randomization (KASLR). Though a recent system called Bochspwn Reloaded reported multiple memory leaks in Windows kernels, how to effectively detect this issue is still largely behind.

Denis Pogonin,Igor Korkin

DOI: https://doi.org/10.48550/arXiv.2210.02821

2022-10-06

Abstract:Windows OS is facing a huge rise in kernel attacks. An overview of popular techniques that result in loading kernel drivers will be presented. One of the key targets of modern threats is disabling and blinding Microsoft Defender, a default Windows AV. The analysis of recent driver-based attacks will be given, the challenge is to block them. The survey of user- and kernel-level attacks on Microsoft Defender will be given. One of the recently published attackers techniques abuses Mandatory Integrity Control (MIC) and Security Reference Monitor (SRM) by modifying Integrity Level and Debug Privileges for the Microsoft Defender via syscalls. However, this user-mode attack can be blocked via the Windows 'trust labels' mechanism. The presented paper discovered the internals of MIC and SRM, including the analysis of Microsoft Defender during malware detection. We show how attackers can attack Microsoft Defender using a kernel-mode driver. This driver modifies the fields of the Token structure allocated for the Microsoft Defender application. The presented attack resulted in disabling Microsoft Defender, without terminating any of its processes and without triggering any Windows security features, such as PatchGuard. The customized hypervisor-based solution named MemoryRanger was used to protect the Windows Defender kernel structures. The experiments show that MemoryRanger successfully restricts access to the sensitive kernel data from illegal access attempts with affordable performance degradation.

Cryptography and Security,Operating Systems

Igor Korkin

DOI: https://doi.org/10.48550/arXiv.1805.11847

2018-05-30

Abstract:One of the main issues in the OS security is providing trusted code execution in an untrusted environment. During executing, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users' private information, and sensitive data of third-party drivers. All this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can cause not just hiding a malware driver, process privilege escalation, and stealing private data but also failures of industrial CNC machines. Windows built-in security and existing approaches do not provide the integrity and confidentiality of the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts for newly allocated memory in real time, and protects the driver without its source code. AllMemPro works well on newest Windows 10 1709 x64.

Cryptography and Security

MA Jian-kun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.024

2011-01-01

Computer Science

Abstract:The message flow of Windows operating system was introduced and the potential threats was analyzed.A solution based on hardware-assisted virtualization was developed to defend against the software key logger.A virtual machine monitor was implemented using Intel virtual technology.When the protected thread is reading keyboard input,the keyboard interrupt is handled in the virtual machine monitor.By reading scan code of the keyboard in the virtual machine monitor,the keyboard input can be safely sent to the protected thread.

Tao ZHANG,Ying-nan JIAO,Li-jie LU,Wei-ping WEN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.02.008

2014-01-01

Abstract:The study of suspicious sample collection system with the rule-based scanning and procedures behavior analysis based on Windows kernel driver will greatly enhance the comprehensiveness and accuracy of sample collection, and it has important signiifcance to accelerate the discovery of the virus and the virus database updates. Firstly, this paper analyzes the architecture of Windows operating system and then gives the overall system architecture of the suspicious sample collection system based on Windows kernel drivers. Finally, according to the system architecture, the paper detailed designs and implements of each module, and gives examples and the results of a test. The experiment shows that the system is capable of accurately and efifciently collect samples of suspicious information.

陶照平,黄皓

2012-01-01

Abstract:Through analysis of the data management of windows operating system and the technology of hardware assist virtualization,a data protection model is developed to protect the sensitive data of the application program.Then a sensitive data protection system based on hypervisor is developed.The attacks for static data are effectively blocked by pretreatment encryption technology and the physical page frame encryption technology.Hiding the plaintext of the application is achieved by double shadow page table and data execution protection technology.The system monitors the access control of page table to prevent protected area of application to be maliciously modified.

WANG Pingli,ZHANG Gongxuan,WANG Nanlin

DOI: https://doi.org/10.3778/j.issn.1673-9418.2008.05.009

2008-01-01

Abstract:This paper proposes a secure solution which is based on a Dual-Core framework. The research and implementation of the communication mechanism is mainly discussed between primary-subordinate core and the Windows network driver of subordinate core. Dual-Core-Based Secure Windows terminal runs network security protection module on an embedded system, which can prevent hackers from attacking Windows system using system bugs. For development of Windows driver program, some developing tools are used which are Visual C++6.0, Windows Driver Development Kit and DriverStudio3.2. The experimentation indicates that this network secure solution can analyze network packages and achieve the aim of network security protection.

ZHANG Li

DOI: https://doi.org/10.3969/j.issn.1674-7720.2009.12.004

2009-01-01

Abstract:This paper analyses the methods of Rootkits detections of nowdays,brings a method of kernel modules compared,checks memory sections integration and hidden driver detection.This method can detect most application layer Rootkits and kernel Rootkits.

Ting Liu,Xiaohong Guan,Qinghua Zheng,Ke Lu,Yuanfeng Song,Weizhang Zhang

DOI: https://doi.org/10.1109/CCNC.2009.4785028

2010-01-01

Abstract:This paper presents a novel Trojan detection and defense system. The prototype searches the important files which contain users' confidential information on the disk. And then, these files will be monitored to find which processes will access them by capturing and analyzing the IRPs (I/O Request Packets). The processes of Trojans will be distinguished from regular ones by evaluating their API-calls with several machine-learning models, rather than traditional signature-based mechanism. Testing results show that this prototype could detect and defend the unknown Trojans quickly and accurately.

杨彦,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.12.053

2008-01-01

Abstract:Rootkit is a program set which malicious software uses to conceal itself and other specific resources and actions.This paper analyzes and researches on the concealment technologies which representative rootkits on Windows platform commonly use,and classifies them into two categories: modifying kernel object data structures and changing execution paths.The technical principles are described and compared in detail.The future development directions are discussed.

Hai-Yun Peng,Wen-Gang Zhou

DOI: https://doi.org/10.14257/ijsia.2014.8.2.26

2014-01-01

International Journal of Security and Its Applications

Abstract:It is a tough problem to pretect computer data in the public environment. In order to prevent hard disk data from virus infection, malice destory and deleting by mistake, this paper illustrates the design and implementation of a disk immunity system based WDM filtered driver. This system can effectively protect hard disk data. Benchmark results show that this system has a few effects for the disk I/O performance.

Ashvini A Kulshrestha,Guanqun Song,Ting Zhu

DOI: https://doi.org/10.48550/arXiv.2312.15150

2023-12-23

Abstract:The year 2022 saw a significant increase in Microsoft vulnerabilities, reaching an all-time high in the past decade. With new vulnerabilities constantly emerging, there is an urgent need for proactive approaches to harden systems and protect them from potential cyber threats. This project aims to investigate the vulnerabilities of the Windows Operating System and explore the effectiveness of key security features such as BitLocker, Microsoft Defender, and Windows Firewall in addressing these threats. To achieve this, various security threats are simulated in controlled environments using coded examples, allowing for a thorough evaluation of the security solutions' effectiveness. Based on the results, this study will provide recommendations for mitigation strategies to enhance system security and strengthen the protection provided by Windows security features. By identifying potential weaknesses and areas of improvement in the Windows security infrastructure, this project will contribute to the development of more robust and resilient security solutions that can better safeguard systems against emerging cyber threats.

Cryptography and Security

MAO Ning-xiang,WEN Wei-ping,FU Jun

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.010

2011-01-01

Abstract:The harm caused by software vulnerabilities is increasing.To increase the difficulty of the attack launched by attacker,Windows gradually supports DEP and ASLR and other security mechanisms at the system level.Other software can apply these mechanisms easily.So IE browser can also apply these mechanisms to increase its security.However,there are still many methods which can bypass these mechanisms in IE browser.This paper provides details about DEP and ASLR protection mechanisms and also gives examples which demonstrate how Heap Spray and ROP attack happen.

Chen Dong,Yi Xu,Ximeng Liu,Fan Zhang,Guorong He,Yuzhong Chen

DOI: https://doi.org/10.3390/s20185165

IF: 3.9

2020-01-01

Sensors

Abstract:Diverse and wide-range applications of integrated circuits (ICs) and the development of Cyber Physical System (CPS), more and more third-party manufacturers are involved in the manufacturing of ICs. Unfortunately, like software, hardware can also be subjected to malicious attacks. Untrusted outsourced manufacturing tools and intellectual property (IP) cores may bring enormous risks from highly integrated. Attributed to this manufacturing model, the malicious circuits (known as Hardware Trojans, HTs) can be implanted during the most designing and manufacturing stages of the ICs, causing a change of functionality, leakage of information, even a denial of services (DoS), and so on. In this paper, a survey of HTs is presented, which shows the threatens of chips, and the state-of-the-art preventing and detecting techniques. Starting from the introduction of HT structures, the recent researches in the academic community about HTs is compiled and comprehensive classification of HTs is proposed. The state-of-the-art HT protection techniques with their advantages and disadvantages are further analyzed. Finally, the development trends in hardware security are highlighted.

S. Shukla,Anand Handa,Nitesh Kumar

DOI: https://doi.org/10.1145/3488932.3527289

2022-05-30

Abstract:There are several security tools available to tackle cyber threats, but the sophistication of attacks leads to the failure of defense mechanisms. Among such tools, endpoint security agents are much prominent to safeguard organizations from potential threats. To monitor and investigate systems for unpredictable modifications and proof of tactics, techniques, and procedures (TTP) used by malware writers. In this work, we develop a real-time system behavior monitoring solution. We use three modules - monitoring, analysis, and mapping to counter the threats based on attack patterns. All three modules have their unique mechanism and are interconnected. The monitoring agent is developed for the Windows platform using the C++ programming language, which captures Windows kernel-level system events in a multi-threaded form. It captures critical information such as - network activity, registry, file, accessed paths, processes, etc. The monitoring agent ships the collected events to the analysis module. In the analysis module, we perform analysis in three phases: rule-based, machine learning (ML)-based, and risk-assessment. Rule-based mechanism finds the Indicator of Compromises (IoCs) from the system events related to exploits, web shell, malicious documents, etc. The ML-based analysis gives an overall understanding of normal vs. suspicious behavior. The risk-assessment analysis uses rule-based and ML-based analysis outputs, to provide the risk-score based on the number of IoCs detected and the suspicious behavior predicted. In the mapping phase, we offer an interactive dashboard to the end-user for visualizing all the activities and the analysis outcomes like running processes, suspicious processes, network activities, port accessed, suspicious paths accessed by a single process, etc., using Kibana. The designed tool monitors the system events in near real-time and reports any suspicious activity that helps in mitigating the threats posed to the user. Hence, it acts as a comprehensive security solution with multi-dimensional capabilities.

Computer Science

Laszlo Szekeres,Mathias Payer,Tao Wei,Dawn Song

DOI: https://doi.org/10.1109/sp.2013.13

2013-01-01

Abstract:Memory corruption bugs in software written in low-level languages like C or C++ are one of the oldest problems in computer security. The lack of safety in these languages allows attackers to alter the program's behavior or take full control over it by hijacking its control flow. This problem has existed for more than 30 years and a vast number of potential solutions have been proposed, yet memory corruption attacks continue to pose a serious threat. Real world exploits show that all currently deployed protections can be defeated. This paper sheds light on the primary reasons for this by describing attacks that succeed on today's systems. We systematize the current knowledge about various protection techniques by setting up a general model for memory corruption attacks. Using this model we show what policies can stop which attacks. The model identifies weaknesses of currently deployed techniques, as well as other proposed protections enforcing stricter policies. We analyze the reasons why protection mechanisms implementing stricter polices are not deployed. To achieve wide adoption, protection mechanisms must support a multitude of features and must satisfy a host of requirements. Especially important is performance, as experience shows that only solutions whose overhead is in reasonable bounds get deployed. A comparison of different enforceable policies helps designers of new protection mechanisms in finding the balance between effectiveness (security) and efficiency. We identify some open research problems, and provide suggestions on improving the adoption of newer techniques.

HU Yu-ji,HUANG Hao

DOI: https://doi.org/10.16208/j.issn1000-7024.2010.21.037

2010-01-01

Abstract:Traditional I/O-oriented information protection technique has some disadvantages.An information protection model based on process isolation is developed as an improvement.Under this model,the usability of information maintains while protection is improved.The key factor in its implementation is the isolation of process information accesses.By analyzing potential information leakage threats in the Windows operating system,an information isolation zone is constructed to realize the isolation of process information access,which features filter driver and program component verification.

Hung-Min Sun,Yue-Hsun Lin,Ming-Fung Wu

DOI: https://doi.org/10.1007/11780656_14

2006-01-01

Abstract:Worms and Exploits attacks are currently the most prevalent security problems; they are responsible for over half of the CERT advisories issued in the last three years. To initiate an infection or intrusion, both of them inject a small piece of malicious code (ShellCode) into software through buffer or heap overflow vulnerabilities. Unlike Unix-like operating systems, ShellCodes for Microsoft Windows system need more complex steps to acquire Win32 API calls from DLL file (Dynamic Load Library) in Microsoft Windows. In this paper, we proposed an effective API monitoring system to get rid of worms and exploits attacks for the Microsoft Windows without hardware support. We address the problem by noticing that ShellCodes need the extra complex steps in accessing Win32 API calls. Through the API monitoring system we purposed, we can successfully stop the attacks made by worms and exploits. Moreover, the efficiency of Win32 API Calls hooking and monitoring system can be improved. Incapability to disassemble and analysis the protected software processes are overcome as well.