Rootkits


Liviu Iftode

  • Rootkits on Smart Phones: Attacks and Implications
    2014
    Co-Authors: Jeffrey Bickford, Arati Baliga, Vinod Ganapathy, Liviu Iftode
    Abstract:

    Smart phones are increasingly being equipped with operating systems that compare in complexity with those on desktop computers. This trend makes smart phone operating systems vulnerable to many of the same threats as desktop operating systems. This paper examines the threat posed by rootkits to smart phones. Rootkits are malware that stealthily achieve their goals by modifying operating system code and data, and have long been a problem for desktops. However, smart phones expose several unique interfaces, such as voice, GPS and battery, that rootkits can exploit in novel ways. These attacks can have serious social consequences, ranging from loss of privacy to denial of service during emergencies. This paper demonstrates the threat of smart phone rootkits with three novel attacks. We implemented rootkits that allow a remote attacker to: (1) snoop on a victim’s confidential conversations; (2) snoop on a victim’s geographical location; and (3) stealthily exhaust the battery on a victim’s phone. We also discuss the social implications of each of these attacks.

  • Detecting Kernel-Level Rootkits Using Data Structure Invariants
    IEEE Transactions on Dependable and Secure Computing, 2011
    Co-Authors: Arati Baliga, Vinod Ganapathy, Liviu Iftode
    Abstract:

    Rootkits affect system security by modifying kernel data structures to achieve a variety of malicious goals. While early rootkits modified control data structures, such as the system call table and values of function pointers, recent work has demonstrated rootkits that maliciously modify noncontrol data. Most prior techniques for rootkit detection have focused solely on detecting control data modifications and, therefore, fail to detect such rootkits. This paper presents a novel technique to detect rootkits that modify both control and noncontrol data. The main idea is to externally observe the execution of the kernel during an inference phase and hypothesize invariants on kernel data structures. A rootkit detection phase uses these invariants as specifications of data structure integrity. During this phase, violation of invariants indicates an infection. We have implemented Gibraltar, a prototype tool that infers kernel data structure invariants and uses them to detect rootkits. Experiments show that Gibraltar can effectively detect previously known rootkits, including those that modify noncontrol data structures.

  • Rootkits on Smart Phones: Attacks, Implications and Opportunities
    Workshop on Mobile Computing Systems and Applications, 2010
    Co-Authors: Jeffrey Bickford, Arati Baliga, Vinod Ganapathy, Ryan Ohare, Liviu Iftode
    Abstract:

    Smart phones are increasingly being equipped with operating systems that compare in complexity with those on desktop computers. This trend makes smart phone operating systems vulnerable to many of the same threats as desktop operating systems. In this paper, we focus on the threat posed by smart phone rootkits. Rootkits are malware that stealthily modify operating system code and data to achieve malicious goals, and have long been a problem for desktops. We use three example rootkits to show that smart phones are just as vulnerable to rootkits as desktop operating systems. However, the ubiquity of smart phones and the unique interfaces that they expose, such as voice, GPS and battery, make the social consequences of rootkits particularly devastating. We conclude the paper by identifying the challenges that need to be addressed to effectively detect rootkits on smart phones.

  • Automatic Inference and Enforcement of Kernel Data Structure Invariants
    Annual Computer Security Applications Conference, 2008
    Co-Authors: Arati Baliga, Vinod Ganapathy, Liviu Iftode
    Abstract:

    Kernel-level rootkits affect system security by modifying key kernel data structures to achieve a variety of malicious goals. While early rootkits modified control data structures, such as the system call table and values of function pointers, recent work has demonstrated rootkits that maliciously modify non-control data. Prior techniques for rootkit detection fail to identify such rootkits either because they focus solely on detecting control data modifications or because they require elaborate, manually-supplied specifications to detect modifications of non-control data. This paper presents a novel rootkit detection technique that automatically detects rootkits that modify both control and non-control data. The key idea is to externally observe the execution of the kernel during a training period and hypothesize invariants on kernel data structures. These invariants are used as specifications of data structure integrity during an enforcement phase; violation of these invariants indicates the presence of a rootkit. We present the design and implementation of Gibraltar, a tool that uses the above approach to infer and enforce invariants. In our experiments, we found that Gibraltar can detect rootkits that modify both control and non-control data structures, and that its false positive rate and monitoring overheads are negligible.

  • Automated containment of Rootkits attacks
    Computers & Security, 2008
    Co-Authors: Arati Baliga, Liviu Iftode, Xiaoxin Chen
    Abstract:

    Rootkit attacks are a serious threat to computer systems. Packaged with other malware such as worms, viruses and spyware, rootkits pose a more potent threat than ever before by allowing malware to evade detection. In the absence of appropriate tools to counter such attacks, compromised machines stay undetected for extended periods of time. Leveraging virtual machine technology, we propose a solution for real-time automated detection and containment of rootkit attacks. We have developed a prototype using VMware Workstation to illustrate the solution. Our analysis and experimental results indicate that this approach can very successfully detect and contain the effects of a large percentage of rootkits found for Linux today. We also demonstrate, with an example, how this approach is particularly effective against malware that uses rootkits to hide.

Arati Baliga

  • Publications: the same five entries as listed under Liviu Iftode above.

Henry L. Owen

  • Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection
    IEEE Symposium on Security and Privacy, 2006
    Co-Authors: J F Levine, J B Grizzard, Henry L. Owen
    Abstract:

    Existing techniques to detect kernel-level rootkits expose some infections, but they don't identify specific attacks. This rootkit categorization approach helps system administrators identify the extent of specific infections, aiding in optimal recovery and faster reactions to future attacks. The authors present a framework to detect and classify rootkits and discuss a methodology for determining if a system has been infected by a kernel-level rootkit. Once infection is established, administrators can create new signatures for kernel-level rootkits to detect them. The authors conducted their research on a Red Hat Linux-based system, but the methodology is applicable to other Linux distributions based on the standard Linux kernel. They also believe the method can apply to other Unix- and Windows-based systems.

  • Re-establishing Trust in Compromised Systems: Recovering from Rootkits that Trojan the System Call Table
    European Symposium on Research in Computer Security, 2004
    Co-Authors: Julian B Grizzard, John G. Levine, Henry L. Owen
    Abstract:

    We introduce the notion of re-establishing trust in compromised systems, specifically looking at recovering from kernel-level rootkits. An attacker that has compromised a system will often install a set of tools, known as a rootkit, which will break trust in the system as well as serve the attacker with other functionalities. One type of rootkit is a kernel-level rootkit, which will patch running kernel code with untrusted kernel code. Specifically, current kernel-level rootkits replace trusted system calls with trojaned system calls. Our approach to recover from this type of rootkit is to extract the system call table from a known-good kernel image and reinstall the system call table into the running kernel. Building on our approach to current generation rootkits, we discuss future generation rootkits and address how to recover from them.

  • A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table
    IEEE SoutheastCon 2004 Proceedings, 2004
    Co-Authors: John G. Levine, P. W. Hutto, Julian B Grizzard, Henry L. Owen
    Abstract:

    A cracker who gains access to a computer system will normally install some method, for use at a later time, that allows the cracker to come back onto the system with root privilege. One method that a cracker may use is the installation of a rootkit on the compromised system. A kernel level rootkit will modify the underlying kernel of the installed operating system. The kernel controls everything that happens on a computer. We are developing a standardized methodology to characterize rootkits. The ability to characterize rootkits will provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions. This may also help to detect and fingerprint additional instances and prevent further security incidents involving rootkits. We propose new methods for characterizing kernel level rootkits. These methods may also be used in the detection of kernel rootkits.

Mehdi Kharrazi

  • Back to Static Analysis for Kernel-Level Rootkit Detection
    2016
    Co-Authors: Seyyedeh Atefeh Musavi, Mehdi Kharrazi
    Abstract:

    A rootkit’s main goal is to hide itself and other modules present in the malware. Their stealthy nature has made their detection more difficult, especially in the case of kernel-level rootkits. There have been many dynamic analysis techniques proposed for detecting kernel-level rootkits, while on the other hand, static analysis has not been popular. This is perhaps due to its poor performance in detecting malware in general, which could be attributed to the level of obfuscation employed in binaries, which makes static analysis difficult if not impossible. In this manuscript we make two important observations: first, there is usually little obfuscation used in legitimate kernel-level code, as opposed to malicious kernel-level code. Second, one of the main approaches to penetrate the Windows operating system is through kernel-level drivers. Therefore, by focusing on detecting malicious kernel drivers employed by the rootkit, one could detect the rootkit while avoiding the issues with current detection techniques. Given these two observations, we propose a simple static analysis technique with the aim of detecting malicious drivers. We first study the current trends in the implementation of kernel-level rootkits. Afterwards, we propose a set of features to quantify the malicious behavior in kernel drivers. These features are then evaluated through a set of experiments on 4420 malicious and legitimate drivers, obtaining an accuracy of 98.15% in distinguishing between these drivers.
    Index Terms: Malware, Rootkit, Static analysis, Kernel driver.

  • Back to Static Analysis for Kernel-Level Rootkit Detection
    IEEE Transactions on Information Forensics and Security, 2014
    Co-Authors: Seyyedeh Atefeh Musavi, Mehdi Kharrazi
    Abstract:

    A rootkit’s main goal is to hide itself and other modules present in the malware. Their stealthy nature has made their detection more difficult, especially in the case of kernel-level rootkits. There have been many dynamic analysis techniques proposed for detecting kernel-level rootkits, while on the other hand, static analysis has not been popular. This is perhaps due to its poor performance in detecting malware in general, which could be attributed to the level of obfuscation employed in binaries, which makes static analysis difficult if not impossible. In this paper, we make two important observations: first, there is usually little obfuscation used in legitimate kernel-level code, as opposed to malicious kernel-level code. Second, one of the main approaches to penetrate the Windows operating system is through kernel-level drivers. Therefore, by focusing on detecting malicious kernel drivers employed by the rootkit, one could detect the rootkit while avoiding the issues with current detection techniques. Given these two observations, we propose a simple static analysis technique with the aim of detecting malicious drivers. We first study the current trends in the implementation of kernel-level rootkits. Afterward, we propose a set of features to quantify the malicious behavior in kernel drivers. These features are then evaluated through a set of experiments on 4420 malicious and legitimate drivers, obtaining an accuracy of 98.15% in distinguishing between these drivers.

Vinod Ganapathy

  • Publications: the same first four entries as listed under Liviu Iftode above.