Automatic Inference and Enforcement of Kernel Data Structure Invariants

14 years 6 months ago

Download discolab.rutgers.edu

Kernel-level rootkits aﬀect system security by modifying key kernel data structures to achieve a variety of malicious goals. While early rootkits modiﬁed control data structures, such as the system call table and values of function pointers, recent work has demonstrated rootkits that maliciously modify non-control data. Prior techniques for rootkit detection fail to identify such rootkits either because they focus solely on detecting control data modiﬁcations or because they require elaborate, manually-supplied speciﬁcations to detect modiﬁcations of non-control data. This paper presents a novel rootkit detection technique that automatically detects rootkits that modify both control and non-control data. The key idea is to externally observe the execution of the kernel during a training period and hypothesize invariants on kernel data structures. These invariants are used as speciﬁcations of data structure integrity during an enforcement phase; violation of these invariant...

Arati Baliga, Vinod Ganapathy, Liviu Iftode

Real-time Traffic

ACSAC 2008 | Data Structures | Non-control Data | Rootkits | Security Privacy |

claim paper

Post Info
More Details (n/a)

Added	28 May 2010
Updated	28 May 2010
Type	Conference
Year	2008
Where	ACSAC
Authors	Arati Baliga, Vinod Ganapathy, Liviu Iftode

Comments (0)

Sciweavers

Automatic Inference and Enforcement of Kernel Data Structure Invariants

ACSAC 2008 | Data Structures | Non-control Data | Rootkits | Security Privacy |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers