HE Jin,FAN Ming-yu,WANG Guang-wei

DOI: https://doi.org/10.3969/j.issn.1001-0548.2014.04.020

2014-01-01

Abstract:Kernel-level rootkits pose a fatal threat to kernel integrity, so kernel-level rootkits detection and protection has become a hot topic. However, there are some drawbacks in these existing efforts:either focusing on rootkits protection, or focusing on rootkits detection, without the combination of both to ensure kernel integrity. In view of this situation, this paper designs a complete automatic interactive mechanism based on the detection and protection of kernel-level rootkits, thus forming an integrated detection and protection system (ADPos) to guarantee kernel integrity. The experiments show that the ADPos system can not only automatically detect and protect kernel integrity, but also does not sacrifice the system performance for the price. Moreover, the system is compatible with a variety of OS systems and against zero-day attacks.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Zhi-Xian Chen,Jun Cui,Wei Liu,Hao Huang

2010-01-01

Abstract:Kernel-level attacks or rootkits typically leverage security exploits to gain initial unauthorized privileged access to an operating system. Current approaches defend against these attacks by enforcing data-flow integrity and control-flow integrity. However, only taking a certain aspect into account cannot provide a complete integrity monitoring solution. In this paper, we present a lightweight in-kernel hypervisor (IKH) utilizing Intel VT hardware virtualization, for insuring the kernel integrity, which can bridge the semantic gap between hypervisor and monitored OS, meanwhile offer small code size for formal verification. We have developed a primitive prototype on Linux as a kernel module, which can avoid being tampered by malicious code and detect kernel-level rootkits or attacks by four protection mechanisms based on the hardware-assisted virtualization. Experiment results show the effectiveness and feasibility of IKH and tolerable overhead imposed.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.1109/ncis.2011.62

2011-01-01

Abstract:Aiming at the principles how root kit malicious action by hooking System Service Dispatch Table and utilizing inline function patching, this paper presents a method of integrity detection and restoration based on kernel file, which is proved to ensure correct implementation of the kernel function.

Xie Jun,Huang Hao,Zhang Jia

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.12.005

2006-01-01

Abstract:In traditional monolithic kernel operating systems,all kernel codes run within a common and shared address space,and any vulnerabilities in kernel or any untrusted modules loaded in kernel would compromise the whole system's security.From the point of security,this paper describs a isolation mechanism for kernel modules,in which the most insecure parts of kernel are loaded as protection modules and are isolated from other parts of kernel by hardware protection mechanism.This mechanism can be used to strengthen existing monolithic kernel's reliability and security and provides a more credible platform for secuirty application softewares.

Min Zheng,Xiaolong Bai,Yajin Zhou,Chao Zhang,Fuping Qu

DOI: https://doi.org/10.14722/ndss.2021.23126

2021-01-01

Abstract:Apple devices (e.g., iPhone, MacBook, iPad, and Apple Watch) are high value targets for attackers. Although these devices use different operating systems (e.g., iOS, macOS, iPadOS, watchOS, and tvOS), they are all based on a hybrid kernel called XNU. Existing attacks demonstrated that vulnerabilities in XNU could be exploited to escalate privileges and jailbreak devices. To mitigate these threats, multiple security mechanisms have been deployed in latest systems. In this paper, we first perform a systematic assessment of deployed mitigations by Apple, and demonstrate that most of them can be bypassed through corrupting a special type of kernel objects, i.e., Mach port objects. We summarize this type of attack as (Mach) Port Object-Oriented Programming (POP). Accordingly, we define multiple attack primitives to launch the attack and demonstrate realistic scenarios to achieve full memory manipulation on recently released systems (i.e., iOS 13 and macOS 10.15). To defend against POP, we propose the Port UltraSHield (PUSH) system to reduce the number of unprotected Mach port objects. Specifically, PUSH automatically locates potential POP primitives and instruments related system calls to enforce the integrity of Mach port kernel objects. It does not require system modifications and only introduces 2% runtime overhead. The PUSH framework has been deployed on more than 40,000 macOS devices in a leading company. The evaluation of 18 public exploits and one zero-day exploit detected by our system demonstrated the effectiveness of PUSH. We believe that the proposed framework will facilitate the design and implementation of a more secure XNU kernel.

Mohammad Nadim,Wonjun Lee,David Akopian

2023-04-02

Abstract:One of the most elusive types of malware in recent times that pose significant challenges in the computer security system is the kernel-level rootkits. The kernel-level rootkits can hide its presence and malicious activities by modifying the kernel control flow, by hooking in the kernel space, or by manipulating the kernel objects. As kernel-level rootkits change the kernel, it is difficult for user-level security tools to detect the kernel-level rootkits. In the past few years, many approaches have been proposed to detect kernel-level rootkits. It is not much difficult for an attacker to evade the signature-based kernel-level rootkit detection system by slightly modifying the existing signature. To detect the evolving kernel-level rootkits, researchers have proposed and experimented with many detection systems. In this paper, we survey traditional kernel-level rootkit detection mechanisms in literature and propose a structured kernel-level rootkit detection taxonomy. We have discussed the strength and weaknesses or challenges of each detection approach. The prevention techniques and profiling kernel-level rootkit behavior affiliated literature are also included in this survey. The paper ends with future research directions for kernel-level rootkit detection.

Cryptography and Security

Xie Jun

2005-01-01

Abstract:Many secure operating systems have some privileged processes or trusted processes which are always at risk of being hijacked by various attacks such as the buffer overflow attack.Once they are hijacked,the security of the whole system would be damaged.In this paper,a multi-protection domains process model is described which provides fine-grained kernel level protection for codes and data within process address space.The fine-grained internal protection of process can effectively prevent attackers from hijacking the whole process by damaging the process's data or codes.This paper offers two designs for this model and a prototype implementation of one of them.

Chien-Ming Chen,Mu-En Wu,Bing-Zhe He,Xinying Zheng,Chieh Hsing,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-06320-1_10

2014-01-01

Abstract:It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.

杨彦,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.12.053

2008-01-01

Abstract:Rootkit is a program set which malicious software uses to conceal itself and other specific resources and actions.This paper analyzes and researches on the concealment technologies which representative rootkits on Windows platform commonly use,and classifies them into two categories: modifying kernel object data structures and changing execution paths.The technical principles are described and compared in detail.The future development directions are discussed.

Ahmed M. Azab,Peng Ning,Jitesh Shah,Quan Chen,Rohan Bhutkar,Guruprasad Ganesh,Jia Ma,Wenbo Shen

DOI: https://doi.org/10.1145/2660267.2660350

2014-01-01

Abstract:TrustZone-based Real-time Kernel Protection (TZ-RKP) is a novel system that provides real-time protection of the OS kernel using the ARM TrustZone secure world. TZ-RKP is more secure than current approaches that use hypervisors to host kernel protection tools. Although hypervisors provide privilege and isolation, they face fundamental security challenges due to their growing complexity and code size. TZ-RKP puts its security monitor, which represents its entire Trusted Computing Base (TCB), in the TrustZone secure world; a safe isolated environment that is dedicated to security services. Hence, the security monitor is safe from attacks that can potentially compromise the kernel, which runs in the normal world. Using the secure world for kernel protection has been crippled by the lack of control over targets that run in the normal world. TZ-RKP solves this prominent challenge using novel techniques that deprive the normal world from the ability to control certain privileged system functions. These functions are forced to route through the secure world for inspection and approval before being executed. TZ-RKP's control of the normal world is non-bypassable. It can effectively stop attacks that aim at modifying or injecting kernel binaries. It can also stop attacks that involve modifying the system memory layout, e.g, through memory double mapping. This paper presents the implementation and evaluation of TZ-RKP, which has gone through rigorous and thorough evaluation of effectiveness and performance. It is currently deployed on the latest models of the Samsung Galaxy series smart phones and tablets, which clearly demonstrates that it is a practical real-world system.

Abhinav Srivastava,Jonathon Giffin

DOI: https://doi.org/10.1145/2420950.2421012

2012-01-01

Abstract:Commodity operating system kernels isolate applications via separate memory address spaces provided by virtual memory management hardware. However, kernel memory is unified and mixes core kernel code with driver components of different provenance. Kernel-level malicious software exploits this lack of isolation between the kernel and its modules by illicitly modifying security-critical kernel data structures. In this paper, we design an access control policy and enforcement system that prevents kernel components with low trust from altering security-critical data used by the kernel to manage its own execution. Our policies are at the granularity of kernel variables and structure elements, and they can protect data structures dynamically allocated at runtime. Our hypervisor-based design uses memory page protection bits as part of its policy enforcement. The granularity difference between page-level protection and variable-level policies challenges the system's ability to remain performant. We develop kernel data-layout partitioning and reorganization techniques to maintain kernel performance in the presence of our protections. We show that our system can prevent malicious modifications to security-critical kernel data with small overhead. By offering protection for critical kernel data structures, we can detect unknown kernel-level malware and guarantee that security utilities relying on the integrity of kernel-level state remain accurate.

LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

Liu Wei,Li Xun,Huang Wei,Huang Hao,Zhixian Chen

DOI: https://doi.org/10.1109/CSSS.2011.5973957

2011-01-01

Abstract:Kernel-level attacks can compromise the security of an operating system by tampering with key data and control flow in the kernel. Current approaches defend against these attacks by applying data integrity or control flow integrity control methods. However, they focus on only a certain aspect and cannot give a complete integrity monitoring solution. This paper tries our best to find out all resorts that violate the kernel integrity of operating system by analyzing what objects an action of the kernel relies on and affects. Then we examine all these objects to avoid them from being tamped with and also monitor whether the effect of an action of the kernel is the same as the semantics specified by the original design. Our operating system integrity surveillance system (OSISS) is implemented in a virtual machine monitor (VMM) and it can detect abnormity of an action by monitoring the data integrity and control flow integrity with acceptable performance loss. © 2011 IEEE.

Lianying Zhao,Mohammad Mannan

DOI: https://doi.org/10.14722/ndss.2019.23197

2019-05-26

Abstract:Unauthorized data alteration has been a longstanding threat since the emergence of malware. System and application software can be reinstalled and hardware can be replaced, but user data is priceless in many cases. Especially in recent years, ransomware has become high-impact due to its direct monetization model. State-of-the-art defenses are mostly based on known signature or behavior analysis, and more importantly, require an uncompromised OS kernel. However, malware with the highest software privileges has shown its obvious existence. We propose to move from current detection/recovery based mechanisms to data loss prevention, where the focus is on armoring data instead of counteracting malware. Our solution, Inuksuk, relies on today's Trusted Execution Environments (TEEs), as available both on the CPU and storage device, to achieve programmable write protection. We back up a copy of user-selected files as write-protected at all times, and subsequent updates are written as new versions securely through TEE. We implement Inuksuk on Windows 7 and 10, and Linux (Ubuntu); our core design is OS and application agnostic, and incurs no run-time performance penalty for applications. File transfer disruption can be eliminated or alleviated through access modes and customizable update policies (e.g., interval, granularity). For Inuksuk's adoptability in modern OSes, we have also ported Flicker (EuroSys 2008), a defacto standard tool for in-OS privileged TEE management, to the latest 64-bit Windows.

Cryptography and Security

Liang DENG,Qing-Kai ZENG

DOI: https://doi.org/10.13328/j.cnki.jos.005017

2016-01-01

Abstract:In commodity OS, the OS kernel runs in the highest privilege layer to manage hardware resources and provides system services. Thus, security-sensitive applications are vulnerable to compromises the underlying untrusted kernel. In this paper, an approach named AppFort is proposed to protect applications from an untrusted OS kernel. To address the high overheads of existing solutions, AppFort makes use of the unique combination of an x86 hardware feature (operand address size), kernel code integrity protection and kernel control flow integrity protection, to intercept and verify both hardware and software operations of the untrusted kernel. As a result, AppFort efficiently protects application's memory, control flows and file I/O, even if the kernel is fully compromised. Experimental results demonstrate that AppFort only incurs very small overhead, which is much better than previous work.

mingwei zhao,rongan jiang

DOI: https://doi.org/10.1007/978-3-642-28798-5_18

2012-01-01

Abstract:As a new kind of Trojan horse which combines with the kernel Rootkit technologies, kernel Trojan horse has received a great mount of people's attention and been used a lot. However, the sensitive property of kernel Trojan which follows traditional architecture model is fully exposed to the security software, and needs kernel concealment module to complete all the hidden works, thus the concealment module is too large, easily detected by security software. Based on the analysis of Trojan collaborative concealment model, this paper improves the traditional architecture model and introduces a lightweight concealment module of pure kernel Trojan horse architecture model. Furthermore, an example which adopts the improved model is present in this paper. The experimental results verify the feasibility and efficient of the improved model. © 2012 Springer-Verlag.

Yilin Zhou,Guojun Peng,Zichuan Li,Side Liu

DOI: https://doi.org/10.23919/jcc.ja.2022-0409

2024-02-13

China Communications

Abstract:According to the boot process of modern computer systems, whoever boots first will gain control first. Taking advantage of this feature, a malicious code called bootkit can hijack the control before the OS bootloader and bypass security mechanisms in boot process. That makes bootkits difficult to detect or clean up thoroughly. With the improvement of security mechanisms and the emergence of UEFI, the attack and defense techniques for bootkits have constantly been evolving. We first introduce two boot modes of modern computer systems and present an attack model of bootkits by some sophistical samples. Then we discuss some classic attack techniques used by bootkits from their initial appearance to the present on two axes, including boot mode axis and attack phase axis. Next, we evaluate the race to the bottom of the system and the evolution process between bootkits and security mechanisms. At last, we present the possible future direction for bootkits in the context of continuous improvement of OS and firmware security mechanisms.

telecommunications