When Side Channel Becomes Good: Kernel Malware Attack Investigation

Security and privacy issues have been a concern and have become one of the main factors hindering the promotion and popularization of cloud computing. In recent years, cache side channel attack are presented by many researchers to crack cryptographic algorithms (e.g., AES, RSA), bypass ASLR and etc. Cache side channel had been considered as a hacking tool to conduct harmful activities on victim systems. However, from a defender’s perspective, cache side channel can also be employed to explore valuable information. Our paper employs cache side channel to obtain a deep insight on what kind of behaviors kernel malware may conduct. In specific, we propose a novel approach to conduct kernel malware attack investigation with Flush+Reload cache side channel. We have built a proof-of-concept prototype and designed some case studies to conduct extensive experiments. The evaluation results show that our system is capable of understanding what kind of behaviors kernel malware may conduct correctly.

[1]  Xiangyu Zhang,et al.  Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows , 2015, ACSAC.

[2]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[3]  Xiangyu Zhang,et al.  LogGC: garbage collecting audit log , 2013, CCS.

[4]  Klaus Wagner,et al.  Flush+Flush: A Stealthier Last-Level Cache Attack , 2015, ArXiv.

[5]  Yuan Xiao,et al.  Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices , 2016, CCS.

[6]  Gernot Heiser,et al.  The Last Mile: An Empirical Study of Timing Channels on seL4 , 2014, CCS.

[7]  Xiangyu Zhang,et al.  High Accuracy Attack Provenance via Binary-based Execution Partition , 2013, NDSS.

[8]  Bruce Schneier,et al.  Side channel cryptanalysis of product ciphers , 2000 .

[9]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[10]  Terrance E. Boult,et al.  A Survey of Stealth Malware Attacks, Mitigation Measures, and Steps Toward Autonomous Open World Solutions , 2016, IEEE Communications Surveys & Tutorials.

[11]  Stefan Mangard,et al.  ARMageddon: Cache Attacks on Mobile Devices , 2015, USENIX Security Symposium.

[12]  Zhi Wang,et al.  DKSM: Subverting Virtual Machine Introspection for Fun and Profit , 2010, 2010 29th IEEE Symposium on Reliable Distributed Systems.

[13]  Ernesto Damiani,et al.  From Security to Assurance in the Cloud , 2015, ACM Comput. Surv..

[14]  Fengyuan Xu,et al.  High Fidelity Data Reduction for Big Data Security Dependency Analyses , 2016, CCS.

[15]  Michael K. Reiter,et al.  Cross-VM side channels and their use to extract private keys , 2012, CCS.

[16]  Patrick D. McDaniel,et al.  Hi-Fi: collecting high-fidelity whole-system provenance , 2012, ACSAC '12.

[17]  Xuxian Jiang,et al.  Defeating Dynamic Data Kernel Rootkit Attacks via VMM-Based Guest-Transparent Monitoring , 2009, 2009 International Conference on Availability, Reliability and Security.

[18]  Stephan Krenn,et al.  Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice , 2011, 2011 IEEE Symposium on Security and Privacy.

[19]  Xuxian Jiang,et al.  Mapping kernel objects to enable systematic integrity checking , 2009, CCS.

[20]  Thomas Moyer,et al.  Trustworthy Whole-System Provenance for the Linux Kernel , 2015, USENIX Security Symposium.

[21]  Gorka Irazoqui Apecechea,et al.  S$A: A Shared Cache Attack That Works across Cores and Defies VM Sandboxing -- and Its Application to AES , 2015, 2015 IEEE Symposium on Security and Privacy.

[22]  Fei Wang,et al.  HERCULE: attack story reconstruction via community discovery on correlated log graph , 2016, ACSAC.

[23]  Gorka Irazoqui Apecechea,et al.  Wait a Minute! A fast, Cross-VM Attack on AES , 2014, RAID.

[24]  Klaus Wagner,et al.  Flush+Flush: A Fast and Stealthy Cache Attack , 2015, DIMVA.

[25]  Xiangyu Zhang,et al.  ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting , 2016, NDSS.

[26]  Michael K. Reiter,et al.  Cross-Tenant Side-Channel Attacks in PaaS Clouds , 2014, CCS.

[27]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[28]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.