Rootkit


The Experts below are selected from a list of 996 Experts worldwide ranked by ideXlab platform

Ryan Riley - One of the best experts on this subject based on the ideXlab platform.

  • On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters
    Computer and Communications Security, 2017
    Co-Authors: Baljit Singh, Jesse Elwell, Dmitry Evtyushkin, Ryan Riley, Iliano Cervesato
    Abstract:

    Recent work has investigated the use of hardware performance counters (HPCs) for the detection of malware running on a system. These works gather traces of HPCs for a variety of applications (both malicious and non-malicious) and then apply machine learning to train a detector to distinguish between benign applications and malware. In this work, we provide a more comprehensive analysis of the applicability of using machine learning and HPCs for a specific subset of malware: kernel Rootkits. We design five synthetic Rootkits, each providing a single piece of Rootkit functionality, and execute each while collecting HPC traces of its impact on a specific benchmark application. We then apply machine learning feature selection techniques in order to determine the most relevant HPCs for the detection of these Rootkits. We identify 16 HPCs that are useful for the detection of hooking-based Rootkits, and also find that Rootkits employing direct kernel object manipulation (DKOM) do not significantly impact HPCs. We then use these synthetic Rootkit traces to train a detection system capable of detecting new Rootkits it has not seen previously with an accuracy of over 99%. Our results indicate that HPCs have the potential to be an effective tool for Rootkit detection, even against new Rootkits not previously seen by the detector.

  • A Framework for Prototyping and Testing Data-Only Rootkit Attacks (preprint, version 1.0, of the paper accepted in Elsevier Computers & Security)
    2016
    Co-Authors: Ryan Riley
    Abstract:

    Kernel Rootkits—attacks which modify a running operating system kernel in order to hide an attacker's presence—are significant threats. Recent advances in Rootkit defense technology will force Rootkit threats to rely on only modifying kernel data structures without injecting and executing any new code; however these data-only kernel Rootkit attacks are still both realistic and powerful. In this work we present DORF, a framework for prototyping and testing data-only Rootkit attacks. DORF is an object-oriented framework that allows researchers to construct attacks that can be easily ported between various Linux distributions and versions. The current implementation of DORF contains a group of existing and new data-only attacks, and the portability of DORF is demonstrated by porting it to 6 different Linux distributions. The goal of DORF is to allow researchers to construct repeatable experiments with little effort, which will in turn advance research into data-only attacks and defenses.

  • A framework for prototyping and testing data-only Rootkit attacks
    Computers & Security, 2013
    Co-Authors: Ryan Riley
    Abstract:

    Kernel Rootkits, attacks which modify a running operating system kernel in order to hide an attacker's presence, are significant threats. Recent advances in Rootkit defense technology will force Rootkit threats to rely on only modifying kernel data structures without injecting and executing any new code; however these data-only kernel Rootkit attacks are still both realistic and powerful. In this work we present DORF, a framework for prototyping and testing data-only Rootkit attacks. DORF is an object-oriented framework that allows researchers to construct attacks that can be easily ported between various Linux distributions and versions. The current implementation of DORF contains a group of existing and new data-only attacks, and the portability of DORF is demonstrated by porting it to 6 different Linux distributions. The goal of DORF is to allow researchers to construct repeatable experiments with little effort, which will in turn advance research into data-only attacks and defenses.
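    The kind of data-only attack the DORF abstract describes, hiding a process by rewriting two pointers in an existing kernel list (direct kernel object manipulation, DKOM), modelled in user space as an added example. This is not DORF's code and not the authors' attack set: the task structure, the PID-indexed second view and the process names are constructed for illustration, and the cross-view check at the end is the classic way to catch such hiding (two kernel views of the same set disagree), not a technique the abstract attributes to DORF.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: a circular doubly linked task list (like Linux's
 * list_head chain through task_struct) plus an independent second view of
 * the same tasks, a PID-indexed table. All names here are illustrative. */

#define MAX_TASKS 8

struct task {
    int pid;
    char comm[16];
    struct task *next;
    struct task *prev;
};

static struct task init_task;                  /* list head, pid 0 */
static struct task tasks[MAX_TASKS + 1];       /* slot index doubles as pid */
static struct task *pid_table[MAX_TASKS + 1];  /* second view: index = pid */

static void reset_system(void)
{
    memset(tasks, 0, sizeof tasks);
    memset(pid_table, 0, sizeof pid_table);
    init_task.pid = 0;
    strcpy(init_task.comm, "swapper");
    init_task.next = init_task.prev = &init_task;
    pid_table[0] = &init_task;
}

static void task_add(int pid, const char *comm)
{
    struct task *t = &tasks[pid];
    t->pid = pid;
    strncpy(t->comm, comm, sizeof t->comm - 1);
    t->prev = init_task.prev;                  /* list_add_tail() semantics */
    t->next = &init_task;
    init_task.prev->next = t;
    init_task.prev = t;
    pid_table[pid] = t;
}

/* Data-only hiding: unlink the task from the list that ps/top walk.
 * Only two pointers in existing kernel data change; no new code has to
 * run inside the kernel, and the task itself keeps executing. */
static void dkom_hide(struct task *t)
{
    t->prev->next = t->next;
    t->next->prev = t->prev;
}

/* View 1: what a list walk (for_each_process-style) reports. */
static int list_view(int *pids, int max)
{
    int n = 0;
    for (struct task *t = init_task.next; t != &init_task && n < max; t = t->next)
        pids[n++] = t->pid;
    return n;
}

/* View 2: what the PID table reports. */
static int table_view(int *pids, int max)
{
    int n = 0;
    for (int pid = 1; pid <= MAX_TASKS && n < max; pid++)
        if (pid_table[pid])
            pids[n++] = pid;
    return n;
}

/* Cross-view check: a pid present in one kernel data structure but absent
 * from another is the footprint of a DKOM-style hide. Returns how many. */
static int cross_view_hidden(int *hidden, int max)
{
    int lv[MAX_TASKS], tv[MAX_TASKS], nh = 0;
    int nl = list_view(lv, MAX_TASKS);
    int nt = table_view(tv, MAX_TASKS);
    for (int i = 0; i < nt && nh < max; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++)
            if (lv[j] == tv[i]) { seen = 1; break; }
        if (!seen)
            hidden[nh++] = tv[i];
    }
    return nh;
}

/* Build a small constructed system, optionally hide one pid, and return
 * the number of pids the cross-view check flags (written to hidden[]). */
int simulate(int hide_pid, int *hidden, int max)
{
    reset_system();
    task_add(1, "init");
    task_add(2, "sshd");
    task_add(3, "backdoor");
    task_add(4, "bash");
    if (hide_pid > 0 && hide_pid <= MAX_TASKS && pid_table[hide_pid])
        dkom_hide(pid_table[hide_pid]);
    return cross_view_hidden(hidden, max);
}

int main(void)
{
    int hidden[MAX_TASKS];
    int n = simulate(3, hidden, MAX_TASKS);
    printf("%d hidden task(s)", n);
    for (int i = 0; i < n; i++)
        printf(" pid=%d comm=%s", hidden[i], pid_table[hidden[i]]->comm);
    printf("\n");
    return 0;
}
```

    The point of the model is the asymmetry the abstract relies on: the hide is two stores to existing data, so code-integrity defences that only authenticate executable kernel pages see nothing, while a defence that compares two views of kernel state (or, as in the Rhee et al. paper listed below, watches writes to the list pointers from outside the guest) still has something to catch.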

  • Multi-Aspect Profiling of Kernel Rootkit Behavior
    European Conference on Computer Systems, 2009
    Co-Authors: Ryan Riley, Xuxian Jiang
    Abstract:

    Kernel Rootkits, malicious software designed to compromise a running operating system kernel, are difficult to analyze and profile due to their elusive nature, the variety and complexity of their behavior, and the privilege level at which they run. However, a comprehensive kernel Rootkit profile that reveals key aspects of the Rootkit's behavior is helpful in aiding a detailed manual analysis by a human expert. In this paper we present PoKeR, a kernel Rootkit profiler capable of producing multi-aspect Rootkit profiles which include the revelation of Rootkit hooking behavior, the exposure of targeted kernel objects (both static and dynamic), assessment of user-level impacts, as well as the extraction of kernel Rootkit code. The system is designed to be deployed in scenarios which can tolerate high overheads, such as honeypots. Our evaluation results with a number of real-world kernel Rootkits show that PoKeR is able to accurately profile a variety of Rootkits ranging from traditional ones with system call hooking to more advanced ones with direct kernel object manipulation. The obtained profiles lead to unique insights into the Rootkits' characteristics and demonstrate PoKeR's usefulness as a tool for Rootkit investigators.

  • Defeating Dynamic Data Kernel Rootkit Attacks via VMM-Based Guest Transparent Monitoring
    Availability Reliability and Security, 2009
    Co-Authors: Junghwan Rhee, Ryan Riley, Xuxian Jiang
    Abstract:

    Targeting the operating system kernel, the core of trust in a system, kernel Rootkits are able to compromise the entire system, placing it under malicious control, while eluding detection efforts. Within the realm of kernel Rootkits, dynamic data Rootkits are particularly elusive due to the fact that they attack only data targets. Dynamic data Rootkits avoid code injection and instead use existing kernel code to manipulate kernel data. Because they do not execute any new code, they are able to complete their attacks without violating kernel code integrity. We propose a prevention solution that blocks dynamic data kernel Rootkit attacks by monitoring kernel memory access using virtual machine monitor (VMM) policies. Although the VMM is an external monitor, our system preemptively detects changes to monitored kernel data states and enables fine-grained inspection of memory accesses on dynamically changing kernel data. In addition, readable and writable kernel data can be protected by exposing the illegal use of existing code by dynamic data kernel Rootkits. We have implemented a prototype of our system using the QEMU VMM. Our experiments show that it successfully defeats synthesized dynamic data kernel Rootkits in real-time, demonstrating its effectiveness and practicality.

Henry L. Owen - One of the best experts on this subject based on the ideXlab platform.

  • Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection
    IEEE Symposium on Security and Privacy, 2006
    Co-Authors: J F Levine, J B Grizzard, Henry L. Owen
    Abstract:

    Existing techniques to detect kernel-level Rootkits expose some infections, but they don't identify specific attacks. This Rootkit categorization approach helps system administrators identify the extent of specific infections, aiding in optimal recovery and faster reactions to future attacks. The authors present a framework to detect and classify Rootkits and discuss a methodology for determining if a system has been infected by a kernel-level Rootkit. Once infection is established, administrators can create new signatures for kernel-level Rootkits to detect them. The authors conducted their research on a Red Hat Linux-based system, but the methodology is applicable to other Linux distributions based on the standard Linux kernel. They also believe the method can apply to other Unix- and Windows-based systems.

  • Re-establishing Trust in Compromised Systems: Recovering from Rootkits that Trojan the System Call Table
    European Symposium on Research in Computer Security, 2004
    Co-Authors: Julian B Grizzard, John G. Levine, Henry L. Owen
    Abstract:

    We introduce the notion of re-establishing trust in compromised systems, specifically looking at recovering from kernel-level Rootkits. An attacker that has compromised a system will often install a set of tools, known as a Rootkit, which will break trust in the system as well as serve the attacker with other functionalities. One type of Rootkit is a kernel-level Rootkit, which will patch running kernel code with untrusted kernel code. Specifically, current kernel-level Rootkits replace trusted system calls with trojaned system calls. Our approach to recover from this type of Rootkit is to extract the system call table from a known-good kernel image and reinstall the system call table into the running kernel. Building on our approach to current generation Rootkits, we discuss future generation Rootkits and address how to recover from them.
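    The trojaning and the recovery step described in this abstract (diff the live system call table against a copy taken from a known-good kernel image, then reinstall it), as an added user-space model rather than the authors' code. The three-entry table, the syscall numbers, the trojaned getdents hook that drops entries prefixed "rk_", and the directory listing are all constructed for illustration; the real table is read from vmlinux and the running kernel's memory, not from a const array.

```c
#include <stdio.h>
#include <string.h>

#define NR_OPEN     0
#define NR_GETDENTS 1
#define NR_WRITE    2
#define NR_SYSCALLS 3
#define N_ENTRIES   4

typedef long (*syscall_fn)(void *arg);

/* Constructed directory contents; "rk_backdoor" is what the rootkit hides. */
static const char *dir_entries[N_ENTRIES] = { "passwd", "shadow", "rk_backdoor", "hosts" };

static long sys_open(void *p)
{
    return strcmp((const char *)p, "/etc/passwd") == 0 ? 3 : -2;  /* fd or -ENOENT */
}

static long sys_getdents(void *p)
{
    const char **out = (const char **)p;
    for (int i = 0; i < N_ENTRIES; i++)
        out[i] = dir_entries[i];
    return N_ENTRIES;
}

static long sys_write(void *p)
{
    return (long)strlen((const char *)p);
}

/* Live table the dispatcher indexes, as in the running kernel. */
static syscall_fn sys_call_table[NR_SYSCALLS] = { sys_open, sys_getdents, sys_write };

/* The same table as extracted from the known-good kernel image on disk,
 * modelled as a const copy made before any untrusted code ran. */
static const syscall_fn known_good_table[NR_SYSCALLS] = { sys_open, sys_getdents, sys_write };

static long syscall_dispatch(int nr, void *arg)
{
    return sys_call_table[nr](arg);
}

/* --- current-generation rootkit: swap one table entry for a trojan --- */
static syscall_fn orig_getdents;

static long trojan_getdents(void *p)
{
    const char **out = (const char **)p;
    long n = orig_getdents(p), kept = 0;
    for (long i = 0; i < n; i++)
        if (strncmp(out[i], "rk_", 3) != 0)   /* filter the attacker's files */
            out[kept++] = out[i];
    return kept;
}

void rootkit_install(void)
{
    orig_getdents = sys_call_table[NR_GETDENTS];
    sys_call_table[NR_GETDENTS] = trojan_getdents;
}

/* --- detection: any live entry that differs from the known-good image --- */
int count_trojaned_entries(void)
{
    int n = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != known_good_table[i])
            n++;
    return n;
}

/* --- recovery: reinstall the known-good table; returns entries fixed --- */
int restore_syscall_table(void)
{
    int fixed = count_trojaned_entries();
    memcpy(sys_call_table, known_good_table, sizeof sys_call_table);
    return fixed;
}

/* What a directory listing sees through the live dispatch path. */
long list_dir(void)
{
    const char *names[N_ENTRIES];
    return syscall_dispatch(NR_GETDENTS, names);
}

int main(void)
{
    printf("clean:    %ld entries\n", list_dir());
    rootkit_install();
    printf("trojaned: %ld entries, %d table entries differ\n", list_dir(), count_trojaned_entries());
    restore_syscall_table();
    printf("restored: %ld entries, %d table entries differ\n", list_dir(), count_trojaned_entries());
    return 0;
}
```

    The check covers only the pointers in the table itself. A rootkit that patches the body of a handler, hooks further down the call path, or changes data rather than code leaves the table identical to the known-good copy and is neither detected nor undone by this step (the abstract's future-generation discussion is about exactly that widening gap), and reinstalling the table does nothing about the rootkit's other persistence, so what is re-established is trust in the dispatch path, not in the host.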

  • A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table
    IEEE SoutheastCon 2004. Proceedings., 2004
    Co-Authors: John G. Levine, P.w. Hutto, Julian B Grizzard, Henry L. Owen
    Abstract:

    A cracker who gains access to a computer system will normally install some method, for use at a later time, that allows the cracker to come back onto the system with root privilege. One method that a cracker may use is the installation of a Rootkit on the compromised system. A kernel level Rootkit will modify the underlying kernel of the installed operating system. The kernel controls everything that happens on a computer. We are developing a standardized methodology to characterize Rootkits. The ability to characterize Rootkits will provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions. This may also help to detect and fingerprint additional instances and prevent further security incidents involving Rootkits. We propose new methods for characterizing kernel level Rootkits. These methods may also be used in the detection of kernel Rootkits.

  • A methodology for detecting and classifying Rootkit exploits
    2004
    Co-Authors: John G. Levine, Henry L. Owen
    Abstract:

    We propose a methodology to detect and classify Rootkit exploits. The goal of this research is to provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions concerning systems that are compromised by Rootkits. There is no such methodology available at present to perform this function. This may also help to detect and fingerprint additional instances and prevent further security incidents involving Rootkits. A formal framework was developed in order to define Rootkit exploits as an existing Rootkit, a modification to an existing one, or an entirely new Rootkit. A methodology was then described in order to apply this framework against Rootkits that are to be investigated. We then proposed some new methods to detect and characterize specific types of Rootkit exploits. These methods consisted of identifying unique string signatures of binary executable files as well as examining the system call table within the system kernel. We established a Honeynet in order to aid in our research efforts and then applied our methodology to a previously unseen Rootkit that was targeted against the Honeynet. By using our methodology we were able to uniquely characterize this Rootkit and identify some unique signatures that could be used in the detection of this specific Rootkit. We applied our methodology against nine additional Rootkit exploits and were able to identify unique characteristics for each of these Rootkits. These characteristics could also be used in the prevention and detection of these Rootkits.

Xuxian Jiang - One of the best experts on this subject based on the ideXlab platform.

  • An Integrated Architecture for Automatic Indication, Avoidance and Profiling of Kernel Rootkit Attacks
    2014
    Co-Authors: Dongyan Xu, Eugene H. Spafford, Xuxian Jiang
    Abstract:

    The objective of this project is to mitigate or eliminate threats of kernel Rootkits against production computer systems. The main goal of this research is the development of an integrated, virtualization-based architecture for automatic indication, avoidance and profiling of kernel Rootkit attacks while maintaining non-stop production system operation. Under this architecture, a production system (running as a virtual machine or VM) executes at full speed under normal circumstances, while the proposed architecture watches out for the first sign of a kernel Rootkit attack and indicates the attack right before it strikes. In response, the production VM splits into two copies: one is the same production VM running uninterrupted and without the negative impact of the Rootkit; while the other one is a live profiling VM which will generate a multi-aspect profile of the kernel Rootkit. Moreover, the profile will guide the generation of a variety of kernel attack defense techniques, which will be applied back to the production system and shield it from future Rootkit attacks.

  • Transparent Protection of Commodity OS Kernels Using Hardware Virtualization
    International Conference on Security and Privacy in Communication Systems, 2010
    Co-Authors: Michael Grace, Deepa Srinivasan, Xuxian Jiang, Zhenkai Liang, Zhi Wang, Siarhei Liakh
    Abstract:

    Kernel Rootkits are among the most insidious threats to computer security today. By employing various code injection techniques, they are able to maintain an omnipotent presence in the compromised OS kernels. Existing preventive countermeasures typically employ virtualization technology as part of their solutions. However, they are still limited in either (1) requiring modifying the OS kernel source code for the protection or (2) leveraging software-based virtualization techniques such as binary translation with a high overhead to implement a Harvard architecture (which is robust to various code injection techniques used by kernel Rootkits). In this paper, we introduce hvmHarvard, a hardware virtualization-based Harvard architecture that transparently protects commodity OS kernels from kernel Rootkit attacks and significantly reduces the performance overhead. Our evaluation with a Xen-based prototype shows that it can transparently protect legacy OS kernels with Rootkit resistance while introducing < 5% performance overhead.

  • Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
    Recent Advances in Intrusion Detection, 2008
    Co-Authors: Ryan Riley, Xuxian Jiang, Dongyan Xu
    Abstract:

    Kernel Rootkits pose a significant threat to computer systems as they run at the highest privilege level and have unrestricted access to the resources of their victims. Many current efforts in kernel Rootkit defense focus on the detection of kernel Rootkits (after a Rootkit attack has taken place), while the smaller number of efforts in kernel Rootkit prevention exhibit limitations in their capability or deployability. In this paper we present a kernel Rootkit prevention system called NICKLE which addresses a common, fundamental characteristic of most kernel Rootkits: the need for executing their own kernel code. NICKLE is a lightweight, virtual machine monitor (VMM) based system that transparently prevents unauthorized kernel code execution for unmodified commodity (guest) OSes. NICKLE is based on a new scheme called memory shadowing, wherein the trusted VMM maintains a shadow physical memory for a running VM and performs real-time kernel code authentication so that only authenticated kernel code will be stored in the shadow memory. Further, NICKLE transparently routes guest kernel instruction fetches to the shadow memory at runtime. By doing so, NICKLE guarantees that only the authenticated kernel code will be executed, foiling the kernel Rootkit's attempt to strike in the first place. We have implemented NICKLE in three VMM platforms: QEMU+KQEMU, VirtualBox, and VMware Workstation. Our experiments with 23 real-world kernel Rootkits targeting the Linux or Windows OSes demonstrate NICKLE's effectiveness. Furthermore, our performance evaluation shows that NICKLE introduces small overhead to the VMM platform.
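    A model of the memory-shadowing scheme in this abstract, and of the code/data (Harvard) split that the hvmHarvard entry above enforces with hardware virtualization, added here as example code rather than either project's implementation. Assumptions not on the page: 16-byte pages and a 4-page guest, a whitelist of page hashes built from a constructed kernel image with FNV-1a standing in for a real cryptographic hash, and a simplified policy under which an instruction fetch from a page with no authenticated shadow copy is simply refused (returned as -1). How the real systems authenticate module loads or react to writes into kernel text is not described in the abstract and is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 16
#define NPAGES    4
#define MEM_SIZE  (PAGE_SIZE * NPAGES)

static uint8_t guest_mem[MEM_SIZE];   /* standard memory: all guest data reads/writes land here */
static uint8_t shadow_mem[MEM_SIZE];  /* VMM-private shadow: only authenticated code is copied in */
static int     shadowed[NPAGES];      /* 1 if the page has an authenticated copy in shadow_mem */

/* Whitelist of hashes of authorized kernel code pages, built from the
 * known-good kernel image. FNV-1a is a placeholder for a real hash. */
static uint32_t whitelist[NPAGES];
static int      nwhite;

static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Constructed 16-byte "kernel text" page (x86-64 prologue/epilogue bytes). */
static const uint8_t kernel_text[PAGE_SIZE] = {
    0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
    0x31, 0xc0, 0xc9, 0xc3, 0x90, 0x90, 0x90, 0x90
};

/* Authentication: copy a guest page into the shadow only if its contents
 * hash to a whitelisted value. Returns 1 if shadowed, 0 if refused. */
int authenticate_page(unsigned page)
{
    const uint8_t *src = &guest_mem[page * PAGE_SIZE];
    uint32_t h = fnv1a(src, PAGE_SIZE);
    for (int i = 0; i < nwhite; i++) {
        if (whitelist[i] == h) {
            memcpy(&shadow_mem[page * PAGE_SIZE], src, PAGE_SIZE);
            shadowed[page] = 1;
            return 1;
        }
    }
    shadowed[page] = 0;
    return 0;
}

/* Harvard split: data accesses use standard memory; instruction fetches are
 * routed to the shadow. A fetch from a page with no authenticated copy is
 * reported as -1 (where the VMM would trap and deny it). */
void guest_write(unsigned addr, uint8_t v) { guest_mem[addr] = v; }
int  dread(unsigned addr)                  { return guest_mem[addr]; }
int  ifetch(unsigned addr)
{
    unsigned page = addr / PAGE_SIZE;
    return shadowed[page] ? shadow_mem[addr] : -1;
}

/* Boot: load the kernel image into page 0 and authenticate it. */
void boot(void)
{
    memset(guest_mem, 0, sizeof guest_mem);
    memset(shadow_mem, 0, sizeof shadow_mem);
    memset(shadowed, 0, sizeof shadowed);
    nwhite = 0;
    whitelist[nwhite++] = fnv1a(kernel_text, PAGE_SIZE);   /* from the trusted image */
    memcpy(guest_mem, kernel_text, PAGE_SIZE);
    authenticate_page(0);
}

/* Rootkit attempt 1: inject new code into a free page (2) and ask for it
 * to be treated as kernel code. Returns the authentication result. */
int rootkit_inject_page(void)
{
    for (unsigned i = 0; i < PAGE_SIZE; i++)
        guest_write(2 * PAGE_SIZE + i, 0xcc);   /* constructed "shellcode" */
    return authenticate_page(2);
}

/* Rootkit attempt 2: patch a byte of existing kernel text in guest memory.
 * Returns what the CPU would actually fetch from that address afterwards. */
int rootkit_patch_text(void)
{
    guest_write(3, 0x90);                        /* overwrite 0xe5 with a NOP */
    return ifetch(3);
}

int main(void)
{
    boot();
    printf("fetch kernel_text[0]        = %#x\n", ifetch(0));
    printf("injected page authenticated = %d\n", rootkit_inject_page());
    printf("fetch from injected page    = %d\n", ifetch(2 * PAGE_SIZE));
    printf("fetch of patched byte       = %#x (guest data view: %#x)\n",
           rootkit_patch_text(), dread(3));
    return 0;
}
```

    Both rootkit attempts succeed as data writes (the guest can read its own injected and patched bytes back) and both fail as code: the injected page never enters the shadow, and the patched byte is only in standard memory while fetches keep coming from the authenticated copy. That is the property the abstract states, that only authenticated kernel code executes, and it is also why the DKOM-style attacks elsewhere on this page matter: a rootkit that never needs its own code to run in the kernel never triggers this check.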

Julian B Grizzard - One of the best experts on this subject based on the ideXlab platform.

  • Application of a methodology to characterize Rootkits retrieved from honeynets
    2005
    Co-Authors: J. Levine, Julian B Grizzard, H. Owen
    Abstract:

    Techniques and methods currently exist to detect if a certain type of Rootkit has exploited a computer system. However, these current techniques and methods can only indicate that a system has been exploited by a Rootkit. We are currently developing a methodology to indicate if a Rootkit is previously known or if it is a modified or entirely new Rootkit. We present in this paper an application of our methodology against a previously unseen Rootkit that was collected from the Georgia Tech Honeynet. We conduct our analysis process against this Rootkit and are able to identify specific characteristics for subsequent detections of this Rootkit. This ability will provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions. This may also help to detect and fingerprint additional instances and prevent further security incidents involving Rootkits. © 2004 IEEE.

  • A methodology to detect and characterize Kernel level Rootkit exploits involving redirection of the system call table
    Second IEEE International Information Assurance Workshop 2004. Proceedings., 2004
    Co-Authors: J. Levine, Julian B Grizzard, H. Owen
    Abstract:

    There is no standardized methodology at present to characterize Rootkits that compromise the security of computer systems. The ability to characterize Rootkits will provide system administrators with information so that they can take the best possible recovery actions and may also help to detect additional instances and prevent the further installation of the Rootkit, allowing the security community to react faster to new Rootkit exploits. There are limited capabilities at present to detect Rootkits, but in most cases these capabilities only indicate that a system is infected without identifying the specific Rootkit. We propose a mathematical framework for classifying Rootkit exploits as existing, modifications to existing, or entirely new. An in-depth analysis of a particular type of kernel Rootkit is conducted in order to develop a characterization. As a result of this characterization and analysis, we propose some new methods to detect this particular class of Rootkit exploit.

Cliff C Zou - One of the best experts on this subject based on the ideXlab platform.

  • SMM Rootkit: A New Breed of OS Independent Malware
    Security and Communication Networks, 2013
    Co-Authors: Shawn Embleton, Sherri Sparks, Cliff C Zou
    Abstract:

    The emergence of hardware virtualization technology has led to the development of OS independent malware such as the virtual machine-based Rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: the System Management Mode based Rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the operating system). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy Rootkits used for high-profile targeted attacks. In this paper, we present our development of a proof of concept SMM Rootkit. In it, we explore the potential of System Management Mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP and receive remote command packets stealthily. By modifying and reflashing the BIOS, the SMM Rootkit can install itself on a computer even if the computer has originally locked its SMM. The Rootkit hides its memory footprint and requires no changes to the existing operating system. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS independent malware. Copyright © 2009 John Wiley & Sons, Ltd.

  • SMM Rootkits: A New Breed of OS Independent Malware
    International Workshop on Security, 2008
    Co-Authors: Shawn Embleton, Sherri Sparks, Cliff C Zou
    Abstract:

    The emergence of hardware virtualization technology has led to the development of OS independent malware such as the Virtual Machine based Rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: The System Management Mode based Rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the Operating System). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy Rootkits. In this paper, we present our development of a proof of concept SMM Rootkit. In it, we explore the potential of System Management Mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP. The Rootkit hides its memory footprint and requires no changes to the existing Operating System. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS independent malware.