System Call Table

The Experts below are selected from a list of 66 Experts worldwide ranked by ideXlab platform

Henry L. Owen - One of the best experts on this subject based on the ideXlab platform.

  • ESORICS - Re-establishing Trust in Compromised Systems: Recovering from Rootkits That Trojan the System Call Table
    Computer Security – ESORICS 2004, 2004
    Co-Authors: Julian B Grizzard, John G. Levine, Henry L. Owen
    Abstract:

    We introduce the notion of re-establishing trust in compromised systems, specifically looking at recovering from kernel-level rootkits. An attacker that has compromised a system will often install a set of tools, known as a rootkit, which will break trust in the system as well as serve the attacker with other functionalities. One type of rootkit is a kernel-level rootkit, which will patch running kernel code with untrusted kernel code. Specifically, current kernel-level rootkits replace trusted system calls with trojaned system calls. Our approach to recover from these types of rootkits is to extract the system call table from a known-good kernel image and reinstall the system call table into the running kernel. Building on our approach to current generation rootkits, we discuss future generation rootkits and address how to recover from them.

  • IWIA - A methodology to detect and characterize Kernel level rootkit exploits involving redirection of the System Call Table
    Second IEEE International Information Assurance Workshop 2004. Proceedings, 2004
    Co-Authors: John G. Levine, Julian B Grizzard, Henry L. Owen
    Abstract:

    There is no standardized methodology at present to characterize rootkits that compromise the security of computer systems. The ability to characterize rootkits will provide system administrators with information so that they can take the best possible recovery actions, and may also help to detect additional instances and prevent the further installation of the rootkit, allowing the security community to react faster to new rootkit exploits. There are limited capabilities at present to detect rootkits, but in most cases these capabilities only indicate that a system is infected without identifying the specific rootkit. We propose a mathematical framework for classifying rootkit exploits as existing, modifications to existing, or entirely new. An in-depth analysis of a particular type of kernel rootkit is conducted in order to develop a characterization. As a result of this characterization and analysis, we propose some new methods to detect this particular class of rootkit exploit.

  • A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table
    IEEE SoutheastCon 2004. Proceedings, 2004
    Co-Authors: John G. Levine, P. W. Hutto, Julian B Grizzard, Henry L. Owen
    Abstract:

    A cracker who gains access to a computer system will normally install some method, for use at a later time, that allows the cracker to come back onto the system with root privilege. One method that a cracker may use is the installation of a rootkit on the compromised system. A kernel level rootkit will modify the underlying kernel of the installed operating system. The kernel controls everything that happens on a computer. We are developing a standardized methodology to characterize rootkits. The ability to characterize rootkits will provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions. This may also help to detect and fingerprint additional instances and prevent further security instances involving rootkits. We propose new methods for characterizing kernel level rootkits. These methods may also be used in the detection of kernel rootkits.

  • A methodology for detecting and classifying rootkit exploits
    2004
    Co-Authors: John G. Levine, Henry L. Owen
    Abstract:

    We propose a methodology to detect and classify rootkit exploits. The goal of this research is to provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions concerning systems that are compromised by rootkits. There is no such methodology available at present to perform this function. This may also help to detect and fingerprint additional instances and prevent further security instances involving rootkits. A formal framework was developed in order to define rootkit exploits as an existing rootkit, a modification to an existing one, or an entirely new rootkit. A methodology was then described in order to apply this framework against rootkits that are to be investigated. We then proposed some new methods to detect and characterize specific types of rootkit exploits. These methods consisted of identifying unique string signatures of binary executable files as well as examining the system call table within the system kernel. We established a Honeynet in order to aid in our research efforts and then applied our methodology to a previously unseen rootkit that was targeted against the Honeynet. By using our methodology we were able to uniquely characterize this rootkit and identify some unique signatures that could be used in the detection of this specific rootkit. We applied our methodology against nine additional rootkit exploits and were able to identify unique characteristics for each of these rootkits. These characteristics could also be used in the prevention and detection of these rootkits.

Julian B Grizzard - One of the best experts on this subject based on the ideXlab platform.

  • ESORICS - Re-establishing Trust in Compromised Systems: Recovering from Rootkits That Trojan the System Call Table
    Computer Security – ESORICS 2004, 2004
    Co-Authors: Julian B Grizzard, John G. Levine, Henry L. Owen
    Abstract:

    We introduce the notion of re-establishing trust in compromised systems, specifically looking at recovering from kernel-level rootkits. An attacker that has compromised a system will often install a set of tools, known as a rootkit, which will break trust in the system as well as serve the attacker with other functionalities. One type of rootkit is a kernel-level rootkit, which will patch running kernel code with untrusted kernel code. Specifically, current kernel-level rootkits replace trusted system calls with trojaned system calls. Our approach to recover from these types of rootkits is to extract the system call table from a known-good kernel image and reinstall the system call table into the running kernel. Building on our approach to current generation rootkits, we discuss future generation rootkits and address how to recover from them.

  • IWIA - A methodology to detect and characterize Kernel level rootkit exploits involving redirection of the System Call Table
    Second IEEE International Information Assurance Workshop 2004. Proceedings, 2004
    Co-Authors: John G. Levine, Julian B Grizzard, Henry L. Owen
    Abstract:

    There is no standardized methodology at present to characterize rootkits that compromise the security of computer systems. The ability to characterize rootkits will provide system administrators with information so that they can take the best possible recovery actions, and may also help to detect additional instances and prevent the further installation of the rootkit, allowing the security community to react faster to new rootkit exploits. There are limited capabilities at present to detect rootkits, but in most cases these capabilities only indicate that a system is infected without identifying the specific rootkit. We propose a mathematical framework for classifying rootkit exploits as existing, modifications to existing, or entirely new. An in-depth analysis of a particular type of kernel rootkit is conducted in order to develop a characterization. As a result of this characterization and analysis, we propose some new methods to detect this particular class of rootkit exploit.

  • A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table
    IEEE SoutheastCon 2004. Proceedings, 2004
    Co-Authors: John G. Levine, P. W. Hutto, Julian B Grizzard, Henry L. Owen
    Abstract:

    A cracker who gains access to a computer system will normally install some method, for use at a later time, that allows the cracker to come back onto the system with root privilege. One method that a cracker may use is the installation of a rootkit on the compromised system. A kernel level rootkit will modify the underlying kernel of the installed operating system. The kernel controls everything that happens on a computer. We are developing a standardized methodology to characterize rootkits. The ability to characterize rootkits will provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions. This may also help to detect and fingerprint additional instances and prevent further security instances involving rootkits. We propose new methods for characterizing kernel level rootkits. These methods may also be used in the detection of kernel rootkits.

John G. Levine - One of the best experts on this subject based on the ideXlab platform.

  • ESORICS - Re-establishing Trust in Compromised Systems: Recovering from Rootkits That Trojan the System Call Table
    Computer Security – ESORICS 2004, 2004
    Co-Authors: Julian B Grizzard, John G. Levine, Henry L. Owen
    Abstract:

    We introduce the notion of re-establishing trust in compromised systems, specifically looking at recovering from kernel-level rootkits. An attacker that has compromised a system will often install a set of tools, known as a rootkit, which will break trust in the system as well as serve the attacker with other functionalities. One type of rootkit is a kernel-level rootkit, which will patch running kernel code with untrusted kernel code. Specifically, current kernel-level rootkits replace trusted system calls with trojaned system calls. Our approach to recover from these types of rootkits is to extract the system call table from a known-good kernel image and reinstall the system call table into the running kernel. Building on our approach to current generation rootkits, we discuss future generation rootkits and address how to recover from them.

  • IWIA - A methodology to detect and characterize Kernel level rootkit exploits involving redirection of the System Call Table
    Second IEEE International Information Assurance Workshop 2004. Proceedings, 2004
    Co-Authors: John G. Levine, Julian B Grizzard, Henry L. Owen
    Abstract:

    There is no standardized methodology at present to characterize rootkits that compromise the security of computer systems. The ability to characterize rootkits will provide system administrators with information so that they can take the best possible recovery actions, and may also help to detect additional instances and prevent the further installation of the rootkit, allowing the security community to react faster to new rootkit exploits. There are limited capabilities at present to detect rootkits, but in most cases these capabilities only indicate that a system is infected without identifying the specific rootkit. We propose a mathematical framework for classifying rootkit exploits as existing, modifications to existing, or entirely new. An in-depth analysis of a particular type of kernel rootkit is conducted in order to develop a characterization. As a result of this characterization and analysis, we propose some new methods to detect this particular class of rootkit exploit.

  • A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table
    IEEE SoutheastCon 2004. Proceedings, 2004
    Co-Authors: John G. Levine, P. W. Hutto, Julian B Grizzard, Henry L. Owen
    Abstract:

    A cracker who gains access to a computer system will normally install some method, for use at a later time, that allows the cracker to come back onto the system with root privilege. One method that a cracker may use is the installation of a rootkit on the compromised system. A kernel level rootkit will modify the underlying kernel of the installed operating system. The kernel controls everything that happens on a computer. We are developing a standardized methodology to characterize rootkits. The ability to characterize rootkits will provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions. This may also help to detect and fingerprint additional instances and prevent further security instances involving rootkits. We propose new methods for characterizing kernel level rootkits. These methods may also be used in the detection of kernel rootkits.

  • A methodology for detecting and classifying rootkit exploits
    2004
    Co-Authors: John G. Levine, Henry L. Owen
    Abstract:

    We propose a methodology to detect and classify rootkit exploits. The goal of this research is to provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions concerning systems that are compromised by rootkits. There is no such methodology available at present to perform this function. This may also help to detect and fingerprint additional instances and prevent further security instances involving rootkits. A formal framework was developed in order to define rootkit exploits as an existing rootkit, a modification to an existing one, or an entirely new rootkit. A methodology was then described in order to apply this framework against rootkits that are to be investigated. We then proposed some new methods to detect and characterize specific types of rootkit exploits. These methods consisted of identifying unique string signatures of binary executable files as well as examining the system call table within the system kernel. We established a Honeynet in order to aid in our research efforts and then applied our methodology to a previously unseen rootkit that was targeted against the Honeynet. By using our methodology we were able to uniquely characterize this rootkit and identify some unique signatures that could be used in the detection of this specific rootkit. We applied our methodology against nine additional rootkit exploits and were able to identify unique characteristics for each of these rootkits. These characteristics could also be used in the prevention and detection of these rootkits.

Giovanni Vigna - One of the best experts on this subject based on the ideXlab platform.

  • ACSAC - Detecting kernel-level rootkits through binary analysis
    20th Annual Computer Security Applications Conference, 2004
    Co-Authors: Christopher Kruegel, William Van B. Robertson, Giovanni Vigna
    Abstract:

    A rootkit is a collection of tools used by intruders to keep the legitimate users and administrators of a compromised machine unaware of their presence. Originally, rootkits mainly included modified versions of system auditing programs (e.g., ps or netstat on a Unix system). However, for operating systems that support loadable kernel modules (e.g., Linux and Solaris), a new type of rootkit has recently emerged. These rootkits are implemented as kernel modules, and they do not require modification of user-space binaries to conceal malicious activity. Instead, these rootkits operate within the kernel, modifying critical data structures such as the system call table or the list of currently-loaded kernel modules. This paper presents a technique that exploits binary analysis to ascertain, at load time, if a module's behavior resembles the behavior of a rootkit. Through this method, it is possible to provide additional protection against this type of malicious modification of the kernel. Our technique relies on an abstract model of module behavior that is not affected by small changes in the binary image of the module. Therefore, the technique is resistant to attempts to conceal the malicious nature of a kernel module.

Christopher Kruegel - One of the best experts on this subject based on the ideXlab platform.

  • ACSAC - Detecting kernel-level rootkits through binary analysis
    20th Annual Computer Security Applications Conference, 2004
    Co-Authors: Christopher Kruegel, William Van B. Robertson, Giovanni Vigna
    Abstract:

    A rootkit is a collection of tools used by intruders to keep the legitimate users and administrators of a compromised machine unaware of their presence. Originally, rootkits mainly included modified versions of system auditing programs (e.g., ps or netstat on a Unix system). However, for operating systems that support loadable kernel modules (e.g., Linux and Solaris), a new type of rootkit has recently emerged. These rootkits are implemented as kernel modules, and they do not require modification of user-space binaries to conceal malicious activity. Instead, these rootkits operate within the kernel, modifying critical data structures such as the system call table or the list of currently-loaded kernel modules. This paper presents a technique that exploits binary analysis to ascertain, at load time, if a module's behavior resembles the behavior of a rootkit. Through this method, it is possible to provide additional protection against this type of malicious modification of the kernel. Our technique relies on an abstract model of module behavior that is not affected by small changes in the binary image of the module. Therefore, the technique is resistant to attempts to conceal the malicious nature of a kernel module.