An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data

The ability of intruders to hide their presence in compromised systems has surpassed the ability of the current generation of integrity monitors to detect them. Once in control of a system, intruders modify the state of constantly-changing dynamic kernel data structures to hide their processes and elevate their privileges. Current monitoring tools are limited to detecting changes in nominally static kernel data and text and cannot distinguish a valid state change from tampering in these dynamic data structures. We introduce a novel general architecture for defining and monitoring semantic integrity constraints using a specification language-based approach. This approach will enable a new generation of integrity monitors to distinguish valid states from tampering.
