DOI: 10.1145/2660267.2660303
Research article, CCS conference proceedings

ATRA: Address Translation Redirection Attack against Hardware-based External Monitors

Published: 03 November 2014

Abstract

Hardware-based external monitors have been proposed as a trustworthy method for protecting kernel integrity. We introduce the design and implementation of the Address Translation Redirection Attack (ATRA), which enables complete evasion of a hardware-based external monitor that anchors its trust on a separate processor. ATRA circumvents the external monitor by redirecting memory accesses to critical kernel objects into a non-monitored region. Despite the seriousness of the ATRA issue, many hardware-based external monitors have assumed the integrity of address translation; the possibility of its exploitation has been suggested, yet many considered it hypothetical. We explore the intricate details of ATRA, explain the major challenges in realizing ATRA in practice, and address them with two types of ATRA, called Memory-bound ATRA and Register-bound ATRA. Our evaluations with benchmarks show that ATRA does not introduce a noticeable performance degradation to the host system, proving the practical applicability of the attack and alerting researchers to seriously address ATRA in designing future external monitors.



Published In

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014, 1592 pages
ISBN: 9781450329576
DOI: 10.1145/2660267

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. address translation
  2. hardware-based integrity monitor
  3. kernel integrity monitor
  4. rootkit

Qualifiers

  • Research-article

Conference

CCS'14

Acceptance Rates

CCS '14 Paper Acceptance Rate: 114 of 585 submissions, 19%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%


Article Metrics

  • Downloads (Last 12 months): 45
  • Downloads (Last 6 weeks): 3

Reflects downloads up to 01 Mar 2025

Cited By

  • (2023) Remote direct memory introspection. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 6043-6060. DOI 10.5555/3620237.3620575. Online publication date: 9-Aug-2023
  • (2023) Improved Intrusion Detection System That Uses Machine Learning Techniques to Proactively Defend DDoS Attack. ITM Web of Conferences, vol. 56, article 05011. DOI 10.1051/itmconf/20235605011. Online publication date: 9-Aug-2023
  • (2022) Survey of Detection Techniques for DDoS Attacks. 2022 3rd International Conference on Intelligent Engineering and Management (ICIEM), pp. 657-663. DOI 10.1109/ICIEM54221.2022.9853064. Online publication date: 27-Apr-2022
  • (2021) A Hardware Platform for Ensuring OS Kernel Integrity on RISC-V. Electronics, vol. 10, no. 17, article 2068. DOI 10.3390/electronics10172068. Online publication date: 26-Aug-2021
  • (2021) CrossLine: Breaking "Security-by-Crash" based Memory Isolation in AMD SEV. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2937-2950. DOI 10.1145/3460120.3485253. Online publication date: 12-Nov-2021
  • (2021) SecPT: Providing Efficient Page Table Protection based on SMAP Feature in an Untrusted Commodity Kernel. 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 215-223. DOI 10.1109/TrustCom53373.2021.00045. Online publication date: Oct-2021
  • (2021) A Coprocessor-based Introspection Framework via Intel Management Engine. IEEE Transactions on Dependable and Secure Computing, pp. 1-1. DOI 10.1109/TDSC.2021.3071092. Online publication date: 2021
  • (2019) RiskiM: Toward Complete Kernel Protection with Hardware Support. 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 740-745. DOI 10.23919/DATE.2019.8715277. Online publication date: Mar-2019
  • (2019) Temporal Thermal Covert Channels in Cloud FPGAs. Proceedings of the 2019 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays, pp. 298-303. DOI 10.1145/3289602.3293920. Online publication date: 20-Feb-2019
  • (2019) ZeroKernel: Secure Context-isolated Execution on Commodity GPUs. IEEE Transactions on Dependable and Secure Computing, pp. 1-1. DOI 10.1109/TDSC.2019.2946250. Online publication date: 2019
