DOI: 10.1145/2812428.2812447
research-article

Diversification of system calls in linux kernel

Published: 25 June 2015

Abstract

This paper presents system call diversification as a method for protecting operating systems and rendering malicious programs ineffective. The idea is to change all the system call numbers in the kernel and in the applications that invoke these system calls. As a result, it becomes much more difficult for a harmful program to access the resources of a computer, since the new system call interface is unknown to the malware. The diversification of system call numbers is unique for each computer, and the space of possible system call remappings is huge. Consequently, one piece of malware no longer works on several computers and becomes incompatible with their environment. In this paper, we present three different models for system call diversification in the Linux kernel. We also provide a detailed discussion of our implementation of one of these models.
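
A toy model of the remapping described in the abstract, added here as an illustration and not taken from the paper or its diversifier tool. The table size, the subset of calls, the seed and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define NSYS 8 /* toy table; a real kernel has several hundred entries */

/* Constructed subset of calls, indexed by their stock (public) numbers. */
static const char *const names[NSYS] = {
    "read", "write", "open", "close", "stat", "fstat", "lstat", "poll"};

/* splitmix64 stands in for a per-machine secret; it is not a CSPRNG. */
static uint64_t next_rand(uint64_t *s) {
    uint64_t z = (*s += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Fisher-Yates shuffle: fwd[stock] = diversified, inv[diversified] = stock. */
void make_mapping(uint64_t seed, int fwd[NSYS], int inv[NSYS]) {
    for (int i = 0; i < NSYS; i++) fwd[i] = i;
    for (int i = NSYS - 1; i > 0; i--) {
        int j = (int)(next_rand(&seed) % (uint64_t)(i + 1));
        int t = fwd[i]; fwd[i] = fwd[j]; fwd[j] = t;
    }
    for (int i = 0; i < NSYS; i++) inv[fwd[i]] = i;
}

/* Kernel side: resolve an incoming number through the diversified table. */
const char *dispatch(const int inv[NSYS], int nr) {
    return (nr >= 0 && nr < NSYS) ? names[inv[nr]] : "ENOSYS";
}

/* Stock numbers that no longer reach the call their author intended. */
int misrouted(const int inv[NSYS]) {
    int n = 0;
    for (int i = 0; i < NSYS; i++) n += (dispatch(inv, i) != names[i]);
    return n;
}

int main(void) {
    int fwd[NSYS], inv[NSYS];
    make_mapping(0xC0FFEEULL, fwd, inv); /* constructed seed */
    for (int i = 0; i < NSYS; i++)
        printf("%-5s stock %d -> diversified %d; stock number now hits %s\n",
               names[i], i, fwd[i], dispatch(inv, i));
    printf("%d of %d stock numbers misrouted\n", misrouted(inv), NSYS);
    return 0;
}
```

A uniform shuffle can leave some numbers unchanged, so `misrouted()` reports a count instead of assuming every stock number breaks. A binary rewritten with `fwd` always reaches the intended call.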

Published In

CompSysTech '15: Proceedings of the 16th International Conference on Computer Systems and Technologies
June 2015
411 pages
ISBN: 9781450333573
DOI: 10.1145/2812428

Sponsors

• UORB: University of Ruse, Bulgaria
• Querbie: Querbie
• TECHUVB: Technical University of Varna, Bulgaria

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

1. diversifier tool
2. instruction set diversification
3. system call diversification
4. system call remapping

Qualifiers

• Research-article

Funding Sources

• CyberTrust Program

Acceptance Rates

Overall Acceptance Rate 241 of 492 submissions, 49%

Cited By

• (2020) A New Method of Fuzzy Support Vector Machine Algorithm for Intrusion Detection. Applied Sciences 10:3 (1065). DOI: 10.3390/app10031065. Online publication date: 5-Feb-2020
• (2018) Internal Interface Diversification as a Security Measure in Sensor Networks. Journal of Sensor and Actuator Networks 7:1 (12). DOI: 10.3390/jsan7010012. Online publication date: 6-Mar-2018
• (2016) Interface diversification in IoT operating systems. Proceedings of the 9th International Conference on Utility and Cloud Computing (304-309). DOI: 10.1145/2996890.3007877. Online publication date: 6-Dec-2016
• (2016) An interface diversified honeypot for malware analysis. Proceedings of the 10th European Conference on Software Architecture Workshops (1-6). DOI: 10.1145/2993412.2993417. Online publication date: 28-Nov-2016
