
Host-Based Security Sensor Integrity in Multiprocessing Environments

  • Conference paper
Information Security, Practice and Experience (ISPEC 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6047)

Abstract

Attack and intrusion detection on host systems is both a last line of defence and a source of substantially more detail than other sensor types can provide. However, any host-based sensor is likely to be a primary target for adversaries seeking concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors that relies on truly concurrent observation of state at key locations in the operating system and in the security controls themselves, including a self-defence mechanism. This is made possible by the ready availability of multi-core and multi-processor general-purpose computers in symmetric and non-uniform memory architectures.

This obviates the need for specialised hardware components and avoids the overhead imposed by virtualisation approaches. It has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases, while remaining highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks that use dynamic obfuscation, since the analysis relies on higher-order semantics, and also allows the system to deal with the non-linearity in memory writes that is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.
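The following Go program is an added illustration of the concurrent-observation and self-observation idea summarised in the abstract; it is not code from the paper, whose observers are kernel threads. Everything in it is an assumption made for this page: the protected region is a toy "system call table" of 8-byte entries with made-up addresses, the observation is a SHA-256 digest of that region, the self-observation signal is a per-observer heartbeat that peers compare against the previous round, and observations are grouped into rounds behind a barrier so the result is deterministic (the paper's observers would be free-running). The names Protected, Monitor, Round, Tamper and Silence are invented here.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
	"sync"
)

// Protected is the watched kernel structure: a toy "system call table" of
// 8-byte entries (constructed sample data, not a real kernel layout).
// Writers (Tamper) only run between rounds, so no lock is needed here.
type Protected struct{ entries []byte }

func NewProtected(n int) *Protected {
	p := &Protected{entries: make([]byte, 8*n)}
	for i := 0; i < n; i++ { // made-up handler addresses
		binary.LittleEndian.PutUint64(p.entries[8*i:], 0xffffffff81000000+uint64(0x100*i))
	}
	return p
}

func (p *Protected) Digest() [32]byte { return sha256.Sum256(p.entries) }

// Tamper simulates a rootkit hooking entry i to its own handler.
func (p *Protected) Tamper(i int, addr uint64) {
	binary.LittleEndian.PutUint64(p.entries[8*i:], addr)
}

// observer is one sensor thread. Peers see only the digest it last published
// and a heartbeat that advances once per observation; alive models whether an
// attacker has killed it and is never consulted by peers.
type observer struct {
	alive     bool
	heartbeat uint64
	digest    [32]byte
}

// Monitor holds the observers, the baseline digest taken at start-up and each
// observer's heartbeat from the previous round (how peers notice a stall).
type Monitor struct {
	region    *Protected
	baseline  [32]byte
	observers []observer
	lastSeen  []uint64
}

func NewMonitor(region *Protected, n int) *Monitor {
	m := &Monitor{region: region, baseline: region.Digest(),
		observers: make([]observer, n), lastSeen: make([]uint64, n)}
	for i := range m.observers {
		m.observers[i].alive = true
	}
	return m
}

// Silence simulates an attacker killing observer i.
func (m *Monitor) Silence(i int) { m.observers[i].alive = false }

// Round is one observation pass: live observers hash the region concurrently
// (each goroutine writes only its own slot; the WaitGroup orders it before the
// audit), then each live observer audits the region and every peer. Alerts are
// deduplicated and sorted so the result is deterministic.
func (m *Monitor) Round() []string {
	var wg sync.WaitGroup
	for i := range m.observers {
		wg.Add(1)
		go func(o *observer) {
			defer wg.Done()
			if o.alive { // a killed thread publishes nothing
				o.digest = m.region.Digest()
				o.heartbeat++
			}
		}(&m.observers[i])
	}
	wg.Wait()
	seen := map[string]bool{}
	for i, a := range m.observers {
		if !a.alive {
			continue // a dead sensor raises nothing; its peers must
		}
		if a.digest != m.baseline {
			seen["region digest mismatch"] = true
		}
		for j, p := range m.observers {
			switch {
			case j == i:
			case p.heartbeat == m.lastSeen[j]:
				seen[fmt.Sprintf("observer %d silent", j)] = true
			case p.digest != a.digest: // sampled on different sides of a write
				seen[fmt.Sprintf("observer %d disagrees with observer %d", j, i)] = true
			}
		}
	}
	alerts := make([]string, 0, len(seen))
	for s := range seen {
		alerts = append(alerts, s)
	}
	for j, o := range m.observers {
		m.lastSeen[j] = o.heartbeat
	}
	sort.Strings(alerts)
	return alerts
}

func main() {
	region := NewProtected(4)
	m := NewMonitor(region, 3)
	fmt.Println("clean round:", m.Round())
	region.Tamper(1, 0xffffffffc0001000) // hook entry 1
	fmt.Println("after hook:", m.Round())
	m.Silence(2) // kill one sensor thread
	fmt.Println("after killing observer 2:", m.Round())
}
```

The point the model makes is the one the abstract relies on: killing a sensor does not silence the alarm, because the surviving observers notice the stalled heartbeat and keep measuring the region, and an attacker must now defeat every observer within one round rather than one. The causal analysis and the handling of free-running, unsynchronised observers that the paper describes are not modelled here.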




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

McEvoy, T.R., Wolthusen, S.D. (2010). Host-Based Security Sensor Integrity in Multiprocessing Environments. In: Kwak, J., Deng, R.H., Won, Y., Wang, G. (eds) Information Security, Practice and Experience. ISPEC 2010. Lecture Notes in Computer Science, vol 6047. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12827-1_11


  • DOI: https://doi.org/10.1007/978-3-642-12827-1_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-12826-4

  • Online ISBN: 978-3-642-12827-1

