Countering unauthorized code execution on commodity kernels: A survey of common interfaces allowing kernel code modification

Motivated by the goal of hardening operating system kernels against rootkits and related malware, we survey the common interfaces and methods that can be used, either legitimately or maliciously, to modify the kernel running on a commodity desktop computer. We also survey how these interfaces can be restricted or disabled. While we concentrate mainly on Linux, many of the methods for modifying kernel code also exist on other operating systems, some of which are discussed.
