Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software

Remote attackers use network reconnaissance techniques, such as port scanning, to gain information about a victim machine and then use this information to launch an attack. Current network reconnaissance techniques, which typically operate below the application layer, are limited in the sense that they can only give basic information, such as which services a victim is running. Furthermore, modern remote exploits typically come from a server and attack a client that has connected to it, rather than the attacker connecting directly to the victim. In this paper, we raise and answer the following question: can the attacker go beyond the traditional techniques of network reconnaissance and gain high-level, detailed information? We investigate remote timing channel attacks against the ClamAV antivirus and show that it is possible, with high accuracy, for a remote attacker to check how up-to-date the victim's antivirus signature database is. Because the strings the attacker uses to do this are benign (i.e., they do not trigger the antivirus) and the attack can be carried out through many different APIs, the attacker has a large amount of flexibility in hiding the attack.
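As an added illustration that is not part of the paper, the constructed Python model below shows why the scan time of a benign string can depend on how many signatures a database holds, how a defender can test whether two database versions are distinguishable from timing alone, and how padding every response up to a fixed time quantum removes that distinction. The signature counts, per-signature cost, base cost and jitter are all made-up values, not ClamAV measurements.

```python
import math
import random
import statistics

# Constructed model (not ClamAV): matcher work grows with the number of
# loaded signatures, so a stale and a current database take different times.
SIGNATURE_COUNTS = {"stale_db": 10_000, "current_db": 12_500}

def simulated_scan_time(db_name, rng):
    """Simulated scan time (microseconds) for one benign string.
    base_us models fixed per-request work, per_signature_us models matcher
    work per loaded signature, and the Gaussian term models network and
    scheduler jitter. All three constants are assumptions for this model."""
    base_us = 50.0
    per_signature_us = 0.01
    return base_us + per_signature_us * SIGNATURE_COUNTS[db_name] + rng.gauss(0, 5)

def quantize(t_us, quantum_us=500.0):
    """Defender-side mitigation: delay every response up to the next multiple
    of a fixed quantum, so an observer only sees a coarse bucket."""
    return math.ceil(t_us / quantum_us) * quantum_us

def distinguishable(samples_a, samples_b):
    """Crude leak check: are the medians separated by more than three times
    the larger sample spread? True means timing alone identifies the database."""
    med_a, med_b = statistics.median(samples_a), statistics.median(samples_b)
    spread = max(statistics.pstdev(samples_a), statistics.pstdev(samples_b))
    return abs(med_a - med_b) > 3 * spread

def leak_test(mitigated, n=200, seed=1):
    """Collect n timings per database version and report whether they leak."""
    rng = random.Random(seed)
    stale = [simulated_scan_time("stale_db", rng) for _ in range(n)]
    current = [simulated_scan_time("current_db", rng) for _ in range(n)]
    if mitigated:
        stale = [quantize(t) for t in stale]
        current = [quantize(t) for t in current]
    return distinguishable(stale, current)

if __name__ == "__main__":
    print("raw timings leak database version:", leak_test(mitigated=False))
    print("quantized timings leak database version:", leak_test(mitigated=True))
```

Quantization trades latency for secrecy; the quantum must exceed the full range of legitimate scan times, or the buckets themselves become the channel.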
