Skip to main content
Springer Nature Link
Log in

Subverting Operating System Properties Through Evolutionary DKOM Attacks

  • Conference paper
  • First Online:
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9721))

Abstract

Modern rootkits have moved their focus on the exploitation of dynamic memory structures, which allows them to tamper with the behavior of the system without modifying or injecting any additional code.

In this paper we discuss a new class of Direct Kernel Object Manipulation (DKOM) attacks that we call Evolutionary DKOM (E-DKOM). The goal of this attack is to alter the way some data structures “evolve” over time. As case study, we designed and implemented an instance of Evolutionary DKOM attack that targets the OS scheduler for both userspace programs and kernel threads. Moreover, we discuss the implementation of a hypervisor-based data protection system that mimics the behavior of an OS component (in our case the scheduling system) and detect any unauthorized modification. We finally discuss the challenges related to the design of a general detection system for this class of attacks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Tripwire. http://www.tripwire.com/

  2. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, pp. 340–353 (2005)

    Google Scholar 

  3. Baliga, A., Ganapathy, V., Iftode, L.: Automatic inference and enforcement of kernel data structure invariants. In: Proceedings of the 2008 Annual Computer Security Applications Conference, ACSAC 2008, pp. 77–86 (2008)

    Google Scholar 

  4. Baliga, A., Kamat, P., Iftode, L.: Lurking in the shadows: identifying systemic threats to kernel data. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP 2007, pp. 246–251(2007)

    Google Scholar 

  5. Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., Jiang, X.: Mapping kernel objects to enable systematic integrity checking. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 555–565. ACM, New York (2009)

    Google Scholar 

  6. Chen, P.M., Noble, B.D.: When virtual is better than real. In: Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, HOTOS (2001)

    Google Scholar 

  7. Coker, G., et al.: Principles of remote attestation. Int. J. Inf. Secur. 10(2), 63–81 (2011)

    Article  Google Scholar 

  8. Cui, W., Peinado, M., Xu, Z., and Chan, E. Tracking rootkit footprints with a practical memory analysis system. In: Presented as Part of the 21st USENIX Security Symposium (USENIX Security 2012), pp. 601–615. USENIX, Bellevue (2012)

    Google Scholar 

  9. Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: Proceedings of the IEEE Symposium on Security and Privacy (Oakland), May 2011

    Google Scholar 

  10. Fattori, A., Lanzi, A., Balzarotti, D., Kirda, E.: Hypervisor-based malware protection with accessminer. Comput. Secur. 52, 33–50 (2015)

    Article  Google Scholar 

  11. Fattori, A., Paleari, R., Martignoni, L., Monga, M.: Dynamic and transparent analysis of commodity production systems. In: Proceedings of the 25\(^{th}\) International Conference on Automated Software Engineering (ASE), Antwerp, Belgium, September 2010. https://code.google.com/p/hyperdbg/

  12. Fedler, R., Kulicke, M., Schtte, J.: An antivirus api for android malware recognition. In: MALWARE (2013)

    Google Scholar 

  13. Garfinkel, T.: Traps and pitfalls: practical problems in in system call interposition based security tools. In: Proceedings of the Network and Distributed Systems Security Symposium, February 2003

    Google Scholar 

  14. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed Systems Security Symposium, pp. 191–206 (2003)

    Google Scholar 

  15. Grill, B., Platzer, C., Eckel, J.: A practical approach for generic bootkit detection and prevention. In: EuroSec (2014)

    Google Scholar 

  16. Hardy, N.: The confused deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22(4), 36–38 (1988)

    Article  Google Scholar 

  17. Haukli, L.: Exposing bootkits with bios emulation. In: Blackhat US, August 2014

    Google Scholar 

  18. Hofmann, O., Dunn, A.M., Kim, S., Roy, I., Witchel, E.: Ensuring operating system kernel integrity with OSck. In: ASPLOS (2011)

    Google Scholar 

  19. Hoglund, G., Butler, J.: Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, Boston (2005)

    Google Scholar 

  20. Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In: Presented as Part of the 18th USENIX Security Symposium (USENIX Security 2009). USENIX, Montreal (2009)

    Google Scholar 

  21. Jang, D., Lee, H., Kim, M., Kim, D., Kim, D., Kang, B.B.: Atra: address translation redirection attack against hardware-based external monitors. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 167–178. ACM, New York (2014)

    Google Scholar 

  22. Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2007)

    Google Scholar 

  23. Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Antfarm: tracking processes in a virtual machine environment. In: Proceedings of the USENIX 2006 Annual Technical Conference, USENIX 2006, Boston, MA, June 2006

    Google Scholar 

  24. Kim, G.H., Spafford, E.H.: The design, implementation of tripwire: a file system integrity checker. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security, CCS 1994, pp. 18–29 (1994)

    Google Scholar 

  25. Ladakis, E., Koromilas, L., Vasiliadis, G., Polychronakis, M., Ioannidis, S.: You can type, but you can’t hide: a stealthy GPU-based keylogger. In: Proceedings of the 6th European Workshop on System Security, EuroSec, Prague, Czech Republic, April 2013

    Google Scholar 

  26. Lee, H., Moon, H., Jang, D., Kim, K., Lee, J., Paek, Y., Kang, B.B.: Ki-mon: a hardware-assisted event-triggered monitoring platform for mutable kernel object. In: Presented as Part of the 22nd USENIX Security Symposium, pp. 511–526. USENIX, Washington, D.C. (2013)

    Google Scholar 

  27. Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: Proceedings of the 17th Usenix Security Symposium, San Jose, CA, July 2008

    Google Scholar 

  28. Love, R.: intro to inotify. http://www.linuxjournal.com/article/8478

  29. Microsoft. PatchGuard - Kernel Patch Protection. https://technet.microsoft.com/en-us/library/cc759759

  30. Moon, H., Lee, H., Lee, J., Kim, K., Paek, Y., Kang, B.B.: Vigilare: toward snoop-based kernel integrity monitor. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 28–37. ACM, New York (2012)

    Google Scholar 

  31. Peter Silberman and C.H.A.O.S. FUTo. http://uninformed.org/index.cgi?v=3&a=7&p=7

  32. Petroni, J., Fraser, T., Molina, J., Arbaugh, W. A.: Copilot - a coprocessor-based kernel runtime integrity monitor. In: Proceedings of the 13th Conference on USENIX Security Symposium - vol. 13, SSYM 2004, p. 13. USENIX Association, San Diego (2004)

    Google Scholar 

  33. Petroni, Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 103–115, October 2007

    Google Scholar 

  34. Petroni Jr., N.L., Fraser, T., Walters, A.A., Arbaugh, W.A.: An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: Proceedings of the 15th Conference on USENIX Security Symposium, p. 20 (2006)

    Google Scholar 

  35. Rhee, J., Riley, R., Xu, D., Jiang, X.: Defeating dynamic data kernel rootkit attacks via vmm-based guest-transparent monitoring. In: Proceedings of the International Conference on Availability, Reliability and Security (ARES 2009), Fukuoka, Japan, March 2009

    Google Scholar 

  36. Rhee, J., Riley, R., Xu, D., Jiang, X.: Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 178–197. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  37. Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 1–20. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  38. Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: a tiny hypervisor to guarantee lifetime kernel code integrity for commodity oses. In: Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), October 2007

    Google Scholar 

  39. Seshadri, A., Perrig, A., Doorn, L.V., Khosla, P.: Swatt: software-based attestation for embedded devices. In: Proceedings of the IEEE Symposium on Security and Privacy (2004)

    Google Scholar 

  40. Srivastava, A., Giffin, J.: Efficient protection of kernel data structures via object partitioning. In: Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC 2012, pp. 429–438 (2012)

    Google Scholar 

  41. Srivastava, A., Lanzi, A., Giffin, J.T.: System call API obfuscation (extended abstract). In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 421–422. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  42. Srivastava, A., Lanzi, A., Giffin, J., Balzarotti, D.: Operating system interface obfuscation and the revealing of hidden operations. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 214–233. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  43. Vogl, S., Gawlik, R., Garmany, B., Kittel, T., Pfoh, J., Eckert, C., Holz, T.: Dynamic hooks: hiding control flow changes within non-control data. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 813–328. USENIX Association, San Diego, August 2014

    Google Scholar 

  44. Vogl, S., Pfoh, J., Kittel, T., Eckert, C.: Persistent data-only malware: function hooks without code. In: Proceedings of the 21th Annual Network and Distributed System Security Symposium (NDSS), February 2014

    Google Scholar 

  45. Volatility Foundation. psxview Volatility command. https://github.com/volatilityfoundation/volatility/wiki/Command

  46. Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 545–554 (2009)

    Google Scholar 

  47. Wei, J., Payne, B. D., Giffin, J., Pu, C.: Soft-timer driven transient kernel control flow attacks and defense. In: ACSAC (2008)

    Google Scholar 

  48. Zhang, X., van Doorn, L., Jaeger, T., Perez, R., Sailer, R.: Secure coprocessor-based intrusion detection. In: Proceedings of the Tenth ACM SIGOPS European Workshop, September 2002

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Eurecom, Biot, France

    Mariano Graziano & Davide Balzarotti

  2. Università degli Studi di Milano, Milan, Italy

    Lorenzo Flore & Andrea Lanzi

  3. Cisco Systems, Inc., San Jose, CA, USA

    Mariano Graziano

Authors
  1. Mariano Graziano
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Lorenzo Flore
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andrea Lanzi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Davide Balzarotti
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mariano Graziano .

Editor information

Editors and Affiliations

  1. IMDEA Software Institute, Pozuelo de Alarcón, Madrid, Spain

    Juan Caballero

  2. Mondragon University, Arrasate, Guipúzcoa, Spain

    Urko Zurutuza

  3. Universidad de Zaragoza, Zaragoza, Spain

    Ricardo J. Rodríguez

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Graziano, M., Flore, L., Lanzi, A., Balzarotti, D. (2016). Subverting Operating System Properties Through Evolutionary DKOM Attacks. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science(), vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-40667-1_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40666-4

  • Online ISBN: 978-3-319-40667-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics