Kernel Rootkits


The Experts below are selected from a list of 279 Experts worldwide ranked by ideXlab platform

Xuxian Jiang - One of the best experts on this subject based on the ideXlab platform.

  • An Integrated Architecture for Automatic Indication, Avoidance and Profiling of Kernel Rootkit Attacks
    2014
    Co-Authors: Dongyan Xu, Eugene H. Spafford, Xuxian Jiang
    Abstract:

    The objective of this project is to mitigate or eliminate threats of kernel rootkits against production computer systems. The main goal of this research is the development of an integrated, virtualization-based architecture for automatic indication, avoidance and profiling of kernel rootkit attacks while maintaining non-stop production system operation. Under this architecture, a production system (running as a virtual machine or VM) executes at full speed under normal circumstances, while the proposed architecture watches out for the first sign of a kernel rootkit attack and indicates the attack right before it strikes. In response, the production VM splits into two copies: one is the same production VM running uninterrupted and without the negative impact of the rootkit; while the other one is a live profiling VM which will generate a multi-aspect profile of the kernel rootkit. Moreover, the profile will guide the generation of a variety of kernel attack defense techniques, which will be applied back to the production system and shield it from future rootkit attacks.

  • Data-Centric OS Kernel Malware Characterization
    IEEE Transactions on Information Forensics and Security, 2014
    Co-Authors: Junghwan Rhee, Xuxian Jiang, Ryan Riley, Dongyan Xu
    Abstract:

    Traditional malware detection and analysis approaches have been focusing on code-centric aspects of malicious programs, such as detection of the injection of malicious code or matching malicious code sequences. However, modern malware has been employing advanced strategies, such as reusing legitimate code or obfuscating malware code to circumvent the detection. As a new perspective to complement code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of data objects manipulated during the attacks. This framework consists of two system components with novel features: First, a runtime kernel object mapping system which has an un-tampered view of kernel data objects resistant to manipulation by malware. This view is effective at detecting a class of malware that hides dynamic data objects. Second, this framework consists of a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. This approach has an extended coverage that detects not only the malware with the signatures, but also the malware variants that share the attack patterns by modeling the low level data access behaviors as signatures. Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures.

  • Securing virtualization: techniques and applications
    2012
    Co-Authors: Xuxian Jiang, Zhi Wang
    Abstract:

    Virtualization is being widely adopted in today’s computing systems. Its unique advantages in isolating and introspecting commodity OSes as virtual machines have enabled a wide spectrum of applications. However, a common, fundamental assumption of all these virtualization-based systems is the presence of a trustworthy hypervisor. Unfortunately, recent successful attacks against hypervisors, in addition to the bloated trusted computing base and highly complex internal logic of commodity (type-I and type-II) hypervisors, seriously question the validity of this assumption. In this dissertation, we first present two systems to mitigate the threats posed by vulnerable type-I and type-II hypervisors, respectively: HyperSafe is a lightweight approach that enables control flow integrity of type-I hypervisors for their self-protection. It has two key techniques: non-bypassable memory lockdown reliably protects the hypervisor’s code integrity even in the presence of exploitable memory corruption bugs, and restricted pointer indexing enforces control flow integrity by converting control data into restricted pointer indexes; HyperLock is a systematic approach to strictly isolate vulnerable type-II hypervisors from compromising the host OSes. It also has two key techniques: hypervisor isolation runtime securely isolates a hypervisor in its own dedicated address space and restricts its instruction set for safe execution, and hypervisor shadowing efficiently creates an individual shadow hypervisor for each guest so that a compromised hypervisor can affect only the paired guest, not others. We have built a prototype for both systems based respectively on two open-source type-I hypervisors (i.e., BitVisor and Xen) and one type-II hypervisor (i.e., KVM). The security experiments and performance measurements of these prototypes demonstrated the practicality and effectiveness of our approaches. The above two systems lay a solid foundation for secure virtualization-based systems.

    A wide range of virtualization-based security mechanisms can benefit from them. HookSafe, the third system presented in this dissertation, is one such system designed to mitigate serious threats from kernel rootkits. Specifically, many kernel rootkits hide their presence and activities by subverting kernel hooks (function pointers). A critical step toward eliminating kernel rootkits is to protect such hooks from being hijacked. This remains as a challenge due to the so-called protection granularity gap: kernel hook protection requires byte-level granularity but commodity hardware only provides page-level protection. HookSafe leverages the virtualization technology to address this problem. A key observation behind our approach is that a kernel hook, once initialized, may be frequently read but rarely changed. As such, HookSafe relocates those kernel hooks to dedicated memory pages and regulates accesses to them efficiently with hardware-based page-level protection. Our experiments with a prototype of HookSafe demonstrate that HookSafe can enable large-scale hook protection with a small overhead.
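    The HookSafe mechanism described above (move rarely-changed function pointers onto a dedicated page, then guard that page with page-level protection) can be illustrated in user space, with mprotect standing in for the hypervisor-enforced page protection. The following is an added example and is not code from HookSafe or its authors; the hook table layout, the two handler functions and the simulated rootkit write are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*hook_fn)(int);

/* Stand-ins for kernel functions reached through hooks (for example a
   system call handler or a file_operations entry). Illustrative only. */
static int real_handler(int x) { return x + 1; }
static int evil_handler(int x) { return -x; }   /* what a rootkit would install */

/* The hook table lives on its own page: HookSafe relocates hooks from the
   objects they are scattered through onto dedicated pages so that ordinary
   page-level protection covers exactly the hooks and nothing else. Here the
   MMU, driven through mprotect, plays the role of the hypervisor's page
   protection (an assumption of this user-space analogue). */
static hook_fn *hook_page;
static size_t page_size;

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Allocate the dedicated page, initialise the hooks, then lock the page. */
int hooks_init(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    hook_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hook_page == MAP_FAILED) return -1;
    hook_page[0] = real_handler;
    /* Hooks are read often but rarely changed after initialisation, so the
       page stays read-only; a legitimate update would go through an explicit
       unlock/update/relock path mediated by the monitor. */
    return mprotect(hook_page, page_size, PROT_READ);
}

/* Normal dispatch: reads of the hook are unaffected by the protection. */
int hooks_call(size_t idx, int arg) { return hook_page[idx](arg); }

/* Simulated rootkit: overwrite hook 0 in place, as a hooking rootkit would.
   Returns 1 if the write was blocked by a page fault, 0 if it landed. */
int rootkit_hijack_blocked(void) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);     /* some platforms report SIGBUS */

    volatile int blocked = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        hook_page[0] = evil_handler;      /* faults: the page is read-only */
    else
        blocked = 1;

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return blocked;
}

int main(void) {
    if (hooks_init() != 0) { perror("hooks_init"); return 1; }
    printf("hook(41) = %d\n", hooks_call(0, 41));
    printf("rootkit write blocked: %d\n", rootkit_hijack_blocked());
    printf("hook(41) after attack = %d\n", hooks_call(0, 41));
    return 0;
}
```

    The granularity point is the reason the relocation matters: had the function pointer stayed inside a large kernel object, locking its page would also have locked every neighbouring field that the kernel writes constantly. Moving only the hooks onto the page makes read-only the steady state and turns every write into a fault the monitor can inspect.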

  • RAID - Kernel malware analysis with un-tampered and temporal views of dynamic Kernel memory
    Lecture Notes in Computer Science, 2010
    Co-Authors: Junghwan Rhee, Dongyan Xu, Ryan Riley, Xuxian Jiang
    Abstract:

    Dynamic kernel memory has been a popular target of recent kernel malware due to the difficulty of determining the status of volatile dynamic kernel objects. Some existing approaches use kernel memory mapping to identify dynamic kernel objects and check kernel integrity. The snapshot-based memory maps generated by these approaches are based on the kernel memory which may have been manipulated by kernel malware. In addition, because the snapshot only reflects the memory status at a single time instance, its usage is limited in temporal kernel execution analysis. We introduce a new runtime kernel memory mapping scheme called allocation-driven mapping, which systematically identifies dynamic kernel objects, including their types and lifetimes. The scheme works by capturing kernel object allocation and deallocation events. Our system provides a number of unique benefits to kernel malware analysis: (1) an un-tampered view wherein the mapping of kernel data is unaffected by the manipulation of kernel memory and (2) a temporal view of kernel objects to be used in temporal analysis of kernel execution. We demonstrate the effectiveness of allocation-driven mapping in two usage scenarios. First, we build a hidden kernel object detector that uses an un-tampered view to detect the data hiding attacks of 10 kernel rootkits that directly manipulate kernel objects (DKOM). Second, we develop a temporal malware behavior monitor that tracks and visualizes malware behavior triggered by the manipulation of dynamic kernel objects. Allocation-driven mapping enables a reliable analysis of such behavior by guiding the inspection only to the events relevant to the attack.
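    The allocation-driven mapping in this abstract, and the first component of the data-centric characterization entry above, rest on one idea: build the object map from allocation and deallocation events rather than from the kernel's own pointers, then look for objects the map knows about that a list walk no longer reaches. The following is an added example and is not the authors' code; it is a user-space model in which a simplified task list, a simulated DKOM unlink and the allocation hooks are all assumptions made for illustration (a real deployment captures the events from the hypervisor).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified process descriptor. The list links are what DKOM rootkits
   manipulate to hide a process from ps-style list walks. */
struct task {
    int pid;
    char comm[16];
    struct task *next, *prev;     /* circular doubly-linked task list */
};

static struct task init_task = { 0, "init", &init_task, &init_task };

/* Allocation-driven map: every task object is recorded when allocated and
   dropped when freed. The map is kept by the monitor, not by the guest's
   list structures, so relinking inside the guest cannot change it. */
#define MAX_TASKS 64
static struct task *alloc_map[MAX_TASKS];
static int alloc_count;

int live_task_count(void) { return alloc_count; }

static struct task *task_alloc(int pid, const char *comm) {
    struct task *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->pid = pid;
    strncpy(t->comm, comm, sizeof t->comm - 1);
    alloc_map[alloc_count++] = t;               /* allocation event captured */
    t->next = init_task.next;                   /* link right after init_task */
    t->prev = &init_task;
    init_task.next->prev = t;
    init_task.next = t;
    return t;
}

static void task_free(struct task *t) {
    t->prev->next = t->next;                    /* legitimate unlink */
    t->next->prev = t->prev;
    for (int i = 0; i < alloc_count; i++)       /* deallocation event captured */
        if (alloc_map[i] == t) { alloc_map[i] = alloc_map[--alloc_count]; break; }
    free(t);
}

/* DKOM hiding: unlink the descriptor but keep the object alive. */
static void dkom_hide(struct task *t) {
    t->prev->next = t->next;
    t->next->prev = t->prev;
    t->next = t->prev = t;
}

/* The snapshot view a list walk gives: is the object reachable from init_task? */
static int reachable_from_list(const struct task *target) {
    for (const struct task *t = init_task.next; t != &init_task; t = t->next)
        if (t == target) return 1;
    return 0;
}

/* Cross-view check: every object in the allocation-driven map must be
   reachable from the list; an allocated but unreachable object is hidden. */
static int find_hidden(struct task **out, int max) {
    int n = 0;
    for (int i = 0; i < alloc_count && n < max; i++)
        if (!reachable_from_list(alloc_map[i])) out[n++] = alloc_map[i];
    return n;
}

/* Constructed scenario: three processes, one hidden by DKOM. Writes the pids
   of the hidden tasks into pids[] and returns how many were found, then frees
   everything so both the map and the list are empty again. */
int hidden_task_scenario(int *pids, int max) {
    struct task *a = task_alloc(100,  "sshd");
    struct task *b = task_alloc(1337, "backdoor");
    struct task *c = task_alloc(200,  "bash");
    dkom_hide(b);

    struct task *hidden[MAX_TASKS];
    int n = find_hidden(hidden, MAX_TASKS);
    for (int i = 0; i < n && i < max; i++) pids[i] = hidden[i]->pid;

    task_free(a);
    task_free(b);   /* b's links point to itself, so the unlink is a no-op */
    task_free(c);
    return n;
}

int main(void) {
    int pids[MAX_TASKS];
    int n = hidden_task_scenario(pids, MAX_TASKS);
    for (int i = 0; i < n; i++) printf("hidden task pid %d\n", pids[i]);
    return 0;
}
```

    The same map also gives the temporal view the abstract mentions: because each entry carries the allocation and free events, the monitor knows which object a later write landed in and whether that object was still live at the time, which is what lets the behaviour monitor attribute a manipulation to a specific kernel object rather than a raw address.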

  • SecureComm - Transparent Protection of Commodity OS Kernels Using Hardware Virtualization
    Lecture Notes of the Institute for Computer Sciences Social Informatics and Telecommunications Engineering, 2010
    Co-Authors: Michael Grace, Xuxian Jiang, Zhi Wang, Jinku Li, Deepa Srinivasan, Zhenkai Liang, Siarhei Liakh
    Abstract:

    Kernel rootkits are among the most insidious threats to computer security today. By employing various code injection techniques, they are able to maintain an omnipotent presence in the compromised OS kernels. Existing preventive countermeasures typically employ virtualization technology as part of their solutions. However, they are still limited in either (1) requiring modifying the OS kernel source code for the protection or (2) leveraging software-based virtualization techniques such as binary translation with a high overhead to implement a Harvard architecture (which is robust to various code injection techniques used by kernel rootkits). In this paper, we introduce hvmHarvard, a hardware virtualization-based Harvard architecture that transparently protects commodity OS kernels from kernel rootkit attacks and significantly reduces the performance overhead. Our evaluation with a Xen-based prototype shows that it can transparently protect legacy OS kernels with rootkit resistance while introducing < 5% performance overhead.

Dongyan Xu - One of the best experts on this subject based on the ideXlab platform.

  • An Integrated Architecture for Automatic Indication, Avoidance and Profiling of Kernel Rootkit Attacks
    2014
    Co-Authors: Dongyan Xu, Eugene H. Spafford, Xuxian Jiang
    Abstract: identical to the entry of the same title listed under Xuxian Jiang above.

  • Data-Centric OS Kernel Malware Characterization
    IEEE Transactions on Information Forensics and Security, 2014
    Co-Authors: Junghwan Rhee, Xuxian Jiang, Ryan Riley, Dongyan Xu
    Abstract: identical to the entry of the same title listed under Xuxian Jiang above.

  • IPCCC - Improved Kernel security through memory layout randomization
    2013 IEEE 32nd International Performance Computing and Communications Conference (IPCCC), 2013
    Co-Authors: Dannie M. Stanley, Dongyan Xu, Eugene H. Spafford
    Abstract:

    The vast majority of hosts on the Internet, including mobile clients, are running on one of three major operating system families. Malicious operating system kernel software, such as the code introduced by a kernel rootkit, is strongly dependent on the organization of the victim operating system. Due to the lack of diversity of operating systems, attackers can craft a single kernel exploit that has the potential to infect millions of hosts. If the underlying structure of vulnerable operating system components has been changed, in an unpredictable manner, then attackers must create many unique variations of their exploit to attack vulnerable systems en masse. If enough variants of the vulnerable software exist, then mass exploitation is much more difficult to achieve. Many forms of automatic software diversification have been explored and found to be useful for preventing malware infection. Forrest et al. make a strong case for software diversity and describe a few possible techniques including: adding or removing nonfunctional code, reordering code, and reordering memory layouts. Our techniques build on the latter. We describe two different ways to mutate an operating system kernel using memory layout randomization to resist kernel-based attacks. We introduce a new method for randomizing the stack layout of function arguments. Additionally, we refine a previous technique for record layout randomization by introducing a static analysis technique for determining the randomizability of a record. We developed prototypes of our techniques using the plugin architecture offered by GCC. To test the security benefits of our techniques, we randomized multiple Linux kernels using our compiler plugins. We attacked the randomized kernels using multiple kernel rootkits. We show that by strategically selecting just a few components for randomization, our techniques prevent kernel rootkit infection.

  • MILCOM - Guest-transparent instruction authentication for self-patching Kernels
    MILCOM 2012 - 2012 IEEE Military Communications Conference, 2012
    Co-Authors: Dannie M. Stanley, Dongyan Xu, Zhui Deng, Rick Porter, Shane Snyder
    Abstract:

    Attackers can exploit vulnerable programs that are running with elevated permissions to insert kernel rootkits into a system. Security mechanisms have been created to prevent kernel rootkit implantation by relocating the vulnerable physical system to a guest virtual machine and enforcing a W ⊕ KX memory access control policy from the host virtual machine monitor. Such systems must also be able to identify and authorize the introduction of known-good kernel code. Previous works use cryptographic hashes to verify the integrity of kernel code at load-time. The hash creation and verification procedure depends on immutable kernel code. However, some modern kernels contain self-patching kernel code; they may overwrite executable instructions in memory after load-time. Such dynamic patching may occur for a variety of reasons including: CPU optimizations, multiprocessor compatibility adjustments, and advanced debugging. The previous hash verification procedure cannot handle such modifications. We describe the design and implementation of a procedure that verifies the integrity of each modified instruction as it is introduced into the guest kernel. Our experiments with a self-patching Linux guest kernel show that our system can correctly detect and verify all valid instruction modifications and reject all invalid ones. In most cases our patch-level verification procedure incurs only nominal performance impact.

  • AsiaCCS - Characterizing Kernel malware behavior with Kernel data access patterns
    Proceedings of the 6th ACM Symposium on Information Computer and Communications Security - ASIACCS '11, 2011
    Co-Authors: Junghwan Rhee, Dongyan Xu
    Abstract:

    Characterizing malware behavior using its control flow faces several challenges, such as obfuscations in static analysis and the behavior variations in dynamic analysis. This paper introduces a new approach to characterizing kernel malware's behavior by using kernel data access patterns unique to the malware. The approach neither uses malware's control flow consisting of temporal ordering of malware code execution, nor the code-specific information about the malware. Thus, the malware signature based on such data access patterns is resilient in matching malware variants. To evaluate the effectiveness of this approach, we first generated the signatures of three classic rootkits using their data access patterns, and then matched them with a group of kernel execution instances which are benign or compromised by 16 kernel rootkits. The malware signatures did not trigger any false positives in benign kernel runs; however, kernel runs compromised by 16 rootkits were detected due to the data access patterns shared with the compared signature(s). We further observed similar data access patterns in the signatures of the tested rootkits and exposed popular rootkit attack operations by ranking common data behavior across rootkits. Our experiments show that our approach is effective not only to detect the malware whose signature is available, but also to determine its variants which share kernel data access patterns.
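    The signature idea in this abstract, and the second component of the data-centric characterization entry above, is that the signature records which kernel objects and fields the malware touches and how, with no code addresses in it, so a rewritten variant that performs the same manipulation still matches. The following is an added example and is not the authors' code; the access-tuple format, the field offsets and the three traces (a benign run, an original rootkit run and a variant run) are constructed for illustration and are not real kernel layouts or real captured traces.

```c
#include <stdio.h>
#include <string.h>

/* One kernel data access as a monitor would log it: the type of the kernel
   object touched, the field offset inside it, and whether it was a write.
   The address of the code that made the access is deliberately left out,
   which is what makes the signature independent of the rootkit's code. */
typedef struct {
    const char *type;
    unsigned offset;
    int is_write;
} access_t;

static int access_eq(const access_t *a, const access_t *b) {
    return a->is_write == b->is_write && a->offset == b->offset &&
           strcmp(a->type, b->type) == 0;
}

static int contains(const access_t *set, int n, const access_t *a) {
    for (int i = 0; i < n; i++)
        if (access_eq(&set[i], a)) return 1;
    return 0;
}

/* Signature = accesses seen in the rootkit run that never occur in the
   benign runs. Returns the number of tuples written to sig[]. */
int build_signature(const access_t *mal, int nm,
                    const access_t *benign, int nb,
                    access_t *sig, int max) {
    int n = 0;
    for (int i = 0; i < nm && n < max; i++)
        if (!contains(benign, nb, &mal[i]) && !contains(sig, n, &mal[i]))
            sig[n++] = mal[i];
    return n;
}

/* A trace matches when it contains every tuple of the signature. */
int trace_matches(const access_t *trace, int nt, const access_t *sig, int ns) {
    for (int i = 0; i < ns; i++)
        if (!contains(trace, nt, &sig[i])) return 0;
    return 1;
}

/* Constructed field offsets; illustrative, not a real kernel layout. */
#define TASK_STATE 0x00
#define TASK_PID   0x10
#define TASK_NEXT  0x20   /* task list link */
#define TASK_PREV  0x28
#define MOD_NEXT   0x08   /* module list link */

static const access_t benign_run[] = {
    { "task_struct", TASK_STATE, 1 },   /* scheduler updates state */
    { "task_struct", TASK_PID,   0 },   /* getpid reads pid */
    { "task_struct", TASK_NEXT,  0 },   /* ps walks the list (reads only) */
};

/* Original rootkit: unlinks a task and unlinks its own module. */
static const access_t rootkit_run[] = {
    { "task_struct", TASK_PID,  0 },
    { "task_struct", TASK_NEXT, 1 },
    { "task_struct", TASK_PREV, 1 },
    { "module",      MOD_NEXT,  1 },
};

/* Variant: different code and order, same effect on kernel data. */
static const access_t variant_run[] = {
    { "task_struct", TASK_STATE, 1 },
    { "module",      MOD_NEXT,   1 },
    { "task_struct", TASK_PREV,  1 },
    { "task_struct", TASK_NEXT,  1 },
    { "task_struct", TASK_PID,   0 },
};

#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Returns 1 if the variant is caught by the signature derived from the
   original rootkit while the benign run is not flagged; the signature length
   is reported through out_sig_len. */
int signature_demo(int *out_sig_len) {
    access_t sig[16];
    int ns = build_signature(rootkit_run, N(rootkit_run),
                             benign_run, N(benign_run), sig, 16);
    if (out_sig_len) *out_sig_len = ns;
    return trace_matches(variant_run, N(variant_run), sig, ns) &&
           !trace_matches(benign_run, N(benign_run), sig, ns);
}

int main(void) {
    int ns = 0;
    int ok = signature_demo(&ns);
    printf("signature tuples: %d, variant detected and benign clean: %d\n", ns, ok);
    return 0;
}
```

    Note what the benign trace contributes: a read of the task list link is normal, so only the writes to the links survive into the signature. That is the practical caveat of the approach: the benign corpus has to cover legitimate writers of the same fields (the scheduler, fork and exit paths), or those accesses leak into the signature and produce false positives.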

Jiwu Jing - One of the best experts on this subject based on the ideXlab platform.

  • ESORICS (2) - RootkitDet: Practical End-to-End Defense against Kernel Rootkits in a Cloud Environment
    Computer Security - ESORICS 2014, 2014
    Co-Authors: Lingchen Zhang, Sachin Shetty, Jiwu Jing
    Abstract:

    In cloud environments, kernel-level rootkits still pose serious security threats to guest OSes. Existing defenses against kernel-level rootkits have limitations when applied to cloud environments. In this paper, we propose RootkitDet, an end-to-end defense system capable of detecting and diagnosing rootkits in guest OSes with the intent to recover the system modifications caused by the rootkits in cloud environments. RootkitDet detects rootkits by identifying suspicious code regions in the kernel space of guest OSes through the underlying hypervisor, performs diagnosis on the code of the detected rootkit to categorize it and identify its modifications, and reverses the modifications where possible to eliminate the effect of the rootkit. Our evaluation results show that RootkitDet is effective at detecting kernel-level rootkits and recovering from their modifications with less than 1% performance overhead to the guest OSes, and that the computation and network overhead is linear in the number of VM instances being monitored.

  • RootkitDet: Practical End-to-End Defense against Kernel Rootkits in a Cloud Environment
    European Symposium on Research in Computer Security, 2014
    Co-Authors: Lingchen Zhang, Sachin Shetty, Jiwu Jing
    Abstract: same paper and same abstract as the ESORICS (2) entry directly above.

  • RootkitDet: Practical end-to-end defense against Kernel Rootkits in a cloud environment
    Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2014
    Co-Authors: Lingchen Zhang, Sachin Shetty, Peng Liu, Jiwu Jing
    Abstract: same paper as the two RootkitDet entries above. The abstract attached to this entry on the source page belongs to a different publication (a review of DDoS attack and defense approaches in cloud computing covering 96 papers from 2009 to 2015) and is not the RootkitDet abstract, so it is not reproduced here.

Ryan Riley - One of the best experts on this subject based on the ideXlab platform.

  • On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters
    Computer and Communications Security, 2017
    Co-Authors: Baljit Singh, Ryan Riley, Dmitry Evtyushkin, Jesse Elwell, Iliano Cervesato
    Abstract:

    Recent work has investigated the use of hardware performance counters (HPCs) for the detection of malware running on a system. These works gather traces of HPCs for a variety of applications (both malicious and non-malicious) and then apply machine learning to train a detector to distinguish between benign applications and malware. In this work, we provide a more comprehensive analysis of the applicability of using machine learning and HPCs for a specific subset of malware: kernel rootkits. We design five synthetic rootkits, each providing a single piece of rootkit functionality, and execute each while collecting HPC traces of its impact on a specific benchmark application. We then apply machine learning feature selection techniques in order to determine the most relevant HPCs for the detection of these rootkits. We identify 16 HPCs that are useful for the detection of hooking-based rootkits, and also find that rootkits employing direct kernel object manipulation (DKOM) do not significantly impact HPCs. We then use these synthetic rootkit traces to train a detection system capable of detecting new rootkits it has not seen previously with an accuracy of over 99%. Our results indicate that HPCs have the potential to be an effective tool for rootkit detection, even against new rootkits not previously seen by the detector.

  • AsiaCCS - On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters
    Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security - ASIA CCS '17, 2017
    Co-Authors: Baljit Singh, Ryan Riley, Dmitry Evtyushkin, Jesse Elwell, Iliano Cervesato
    Abstract: same paper and same abstract as the preceding entry.

  • Data-Centric OS Kernel Malware Characterization
    IEEE Transactions on Information Forensics and Security, 2014
    Co-Authors: Junghwan Rhee, Xuxian Jiang, Ryan Riley, Dongyan Xu
    Abstract: identical to the entry of the same title listed under Xuxian Jiang above.

  • A framework for prototyping and testing data-only rootkit attacks
    Computers & Security, 2013
    Co-Authors: Ryan Riley
    Abstract:

    Kernel rootkits (attacks which modify a running operating system kernel in order to hide an attacker's presence) are significant threats. Recent advances in rootkit defense technology will force rootkit threats to rely on only modifying kernel data structures without injecting and executing any new code; however, these data-only kernel rootkit attacks are still both realistic and powerful. In this work we present DORF, a framework for prototyping and testing data-only rootkit attacks. DORF is an object-oriented framework that allows researchers to construct attacks that can be easily ported between various Linux distributions and versions. The current implementation of DORF contains a group of existing and new data-only attacks, and the portability of DORF is demonstrated by porting it to 6 different Linux distributions. The goal of DORF is to allow researchers to construct repeatable experiments with little effort, which will in turn advance research into data-only attacks and defenses.

  • RAID - Kernel malware analysis with un-tampered and temporal views of dynamic Kernel memory
    Lecture Notes in Computer Science, 2010
    Co-Authors: Junghwan Rhee, Dongyan Xu, Ryan Riley, Xuxian Jiang
    Abstract: identical to the entry of the same title listed under Xuxian Jiang above.

Lui Sha - One of the best experts on this subject based on the ideXlab platform.

  • Memory Heat Map: Anomaly detection in real-time embedded systems using memory behavior
    Proceedings - Design Automation Conference, 2015
    Co-Authors: Man-ki Yoon, Jaesik Choi, Sibin Mohan, Lui Sha
    Abstract:

    In this paper, we introduce a novel mechanism that identifies abnormal system-wide behaviors using the predictable nature of real-time embedded applications. We introduce Memory Heat Map (MHM) to characterize the memory behavior of the operating system. Our machine learning algorithms automatically (a) summarize the information contained in the MHMs and then (b) detect deviations from the normal memory behavior patterns. These methods are implemented on top of a multicore processor architecture to aid in the process of monitoring and detection. The techniques are evaluated using multiple attack scenarios including kernel rootkits and shellcode. To the best of our knowledge, this is the first work that uses aggregated memory behavior for detecting system anomalies, especially the concept of memory heat maps.