论文信息 - Re-establishing Trust in Compromised Systems: Recovering from Rootkits That Trojan the System Call Table

Re-establishing Trust in Compromised Systems: Recovering from Rootkits That Trojan the System Call Table

We introduce the notion of re-establishing trust in compromised systems, specifically looking at recovering from kernel-level rootkits. An attacker that has compromised a system will often install a set of tools, known as a rootkit, which will break trust in the system as well as serve the attacker with other functionalities. One type of rootkit is a kernel-level rootkit, which will patch running kernel code with untrusted kernel code. Specifically, current kernel-level rootkits replace trusted system calls with trojaned system calls. Our approach to recover from these type of rootkits is to extract the system call table from a known-good kernel image and reinstall the system call table into the running kernel. Building on our approach to current generation rootkits, we discuss future generation rootkits and address how to recover from them.

Henry L. Owen | Julian B. Grizzard | John G. Levine

[1] J.B. Grizzard,et al. Towards a trusted immutable kernel extension (TIKE) for self-healing systems: a virtual machine approach , 2004, Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004..

[2] Harold W. Thimbleby,et al. A Framework for Modelling Trojans and Computer Virus Infection , 1998, Comput. J..

[3] H. Owen,et al. Application of a methodology to characterize rootkits retrieved from honeynets , 2004, Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004..

[4] K. Thompson. Reflections on trusting trust , 1984, CACM.

[5] Daniel Pierre Bovet,et al. Understanding the Linux Kernel , 2000 .

[6] J.B. Grizzard,et al. A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table , 2004, IEEE SoutheastCon, 2004. Proceedings..

[7] Eugene H. Spafford,et al. The design and implementation of tripwire: a file system integrity checker , 1994, CCS '94.

[8] Henry Owen,et al. A Methodology for Detecting New Binary Rootkit Exploits , 2003 .

[9] Henry L. Owen,et al. A methodology to detect and characterize Kernel level rootkit exploits involving redirection of the system call table , 2004, Second IEEE International Information Assurance Workshop, 2004. Proceedings..