A sense of others: behavioral attestation of UNIX processes on remote platforms

Remote attestation is a technique in Trusted Computing for verifying the trustworthiness of a client platform. The best-known method of verifying a client system to a remote party is the Integrity Measurement Architecture (IMA). IMA relies on hashes of applications to prove the trusted state of the target system to a remote challenger. This hash-based approach leads to several problems, including highly rigid target domains. To overcome these problems, several dynamic attestation techniques have been proposed; they rely on the runtime behavior of an application, on its data structures, or on its sequence of system calls. In this paper we propose a new attestation technique that builds on the seminal work on Sequence Time-Delay Embedding (STIDE). We present a target architecture in which the client end is equipped with STIDE: the short sequences of system calls associated with a process are measured and reported to the challenger. We further investigate how this technique shortens the reported data compared with other system-call-based attestation techniques. The primary advantage of the technique is the ability to detect zero-day malware on the client platform. Two metrics are most important for a successful implementation of dynamic behavioral attestation: the processing time required on the target system and the network overhead. Our proposed model concentrates on maximizing efficiency on both.
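The following is an added illustration, not code from the paper, of the STIDE mechanism the abstract builds on: a database of fixed-length windows (k-grams) of system calls is learned from normal runs, an observed trace is scored by how many of its windows are absent from that database, and only the novel windows plus a hash of the database are placed in the report sent to the challenger. The system-call traces, the window length k=3, the mismatch threshold and the report layout are all constructed assumptions for the example; the paper's actual architecture and thresholds are not described on this page.

```python
import hashlib

# Constructed sample traces (assumption, not from the paper): each list is the
# sequence of system-call names observed during one run of the same program.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "write", "exit"],
    ["open", "read", "read", "close", "write", "exit"],
    ["open", "mmap", "read", "close", "exit"],
]


def windows(trace, k=3):
    """Slide a window of length k over a trace and return the k-grams in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_stide_db(traces, k=3):
    """STIDE training: the 'normal' database is the set of all k-grams seen in
    traces of correct behaviour. Order within the window matters; order of
    windows does not."""
    db = set()
    for trace in traces:
        db.update(windows(trace, k))
    return db


def mismatches(db, trace, k=3):
    """STIDE detection: count observed windows that never occurred in training.
    Returns (mismatch_count, window_count, list_of_novel_windows)."""
    seen = windows(trace, k)
    novel = [w for w in seen if w not in db]
    return len(novel), len(seen), novel


def measurement(db):
    """Canonical SHA-256 over the sorted database, so the challenger can check
    that the client scored against the database it expects (the same role a
    file hash plays in IMA, but over learned behaviour instead of a binary)."""
    canon = "\n".join("|".join(w) for w in sorted(db)).encode()
    return hashlib.sha256(canon).hexdigest()


def attestation_report(db, trace, k=3, threshold=0.2):
    """Build the report the client would send. Only the novel windows travel,
    not the full trace, which is the network-overhead saving the abstract
    refers to; the threshold is a constructed example value."""
    n_miss, n_win, novel = mismatches(db, trace, k)
    rate = n_miss / n_win if n_win else 0.0
    return {
        "db_measurement": measurement(db),
        "windows": n_win,
        "mismatches": n_miss,
        "mismatch_rate": rate,
        "novel_windows": novel,
        "report_syscalls": len(novel) * k,   # size actually reported
        "full_trace_syscalls": len(trace),   # size a raw-trace scheme would send
        "anomalous": rate > threshold,
    }


if __name__ == "__main__":
    db = build_stide_db(NORMAL_TRACES)
    # A run identical to a training trace: no novel windows.
    print(attestation_report(db, ["open", "read", "read", "close", "write", "exit"]))
    # A constructed deviating run: mprotect never appeared in training.
    print(attestation_report(db, ["open", "read", "mmap", "mprotect", "write", "exit"]))
```

The challenger verifies `db_measurement` against the database it provisioned or previously attested, then reads the mismatch rate and the novel windows; a process whose rate exceeds the agreed threshold is reported as deviating from its learned behaviour even though no signature for the deviation exists, which is the zero-day property the abstract claims for the approach.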
