A framework for prototyping and testing data-only rootkit attacks

Kernel rootkits-attacks which modify a running operating system kernel in order to hide an attacker's presence-are significant threats. Recent advances in rootkit defense technology will force rootkit threats to rely on only modifying kernel data structures without injecting and executing any new code; however these data-only kernel rootkit attacks are still both realistic and powerful. In this work we present DORF, a framework for prototyping and testing data-only rootkit attacks. DORF is an object-oriented framework that allows researchers to construct attacks that can be easily ported between various Linux distributions and versions. The current implementation of DORF contains a group of existing and new data-only attacks, and the portability of DORF is demonstrated by porting it to 6 different Linux distributions. The goal of DORF is to allow researchers to construct repeatable experiments with little effort, which will in turn advance research into data-only attacks and defenses.

[1]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[2]  Xuxian Jiang,et al.  Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory , 2010, RAID.

[3]  Abhinav Srivastava,et al.  Robust signatures for kernel data structures , 2009, CCS.

[4]  Xuxian Jiang,et al.  Defeating Dynamic Data Kernel Rootkit Attacks via VMM-Based Guest-Transparent Monitoring , 2009, 2009 International Conference on Availability, Reliability and Security.

[5]  Mohamed Almorsy,et al.  Operating System Kernel Data Disambiguation to Support Security Analysis , 2012, NSS.

[6]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[7]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[8]  Samuel T. King,et al.  Digging for Data Structures , 2008, OSDI.

[9]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[10]  Xuxian Jiang,et al.  Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing , 2008, RAID.

[11]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[12]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[13]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[14]  Mick Bauer,et al.  Paranoid penguin: an introduction to Novell AppArmor , 2006 .

[15]  Emmett Witchel,et al.  Ensuring operating system kernel integrity with OSck , 2011, ASPLOS XVI.

[16]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[17]  William A. Arbaugh,et al.  An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data , 2006, USENIX Security Symposium.

[18]  Felix C. Freiling,et al.  Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms , 2009, USENIX Security Symposium.

[19]  Michael W. Hicks,et al.  Automated detection of persistent kernel control-flow attacks , 2007, CCS '07.

[20]  Xuxian Jiang,et al.  Multi-aspect profiling of kernel rootkit behavior , 2009, EuroSys '09.

[21]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[22]  William A. Arbaugh,et al.  Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor , 2004, USENIX Security Symposium.

[23]  Eugene H. Spafford,et al.  The design and implementation of tripwire: a file system integrity checker , 1994, CCS '94.

[24]  Crispin Cowan,et al.  Linux security modules: general security support for the linux kernel , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[25]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.