Automated detection of persistent kernel control-flow attacks

14 years 5 months ago

Download www.cs.umd.edu

This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-ﬂow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modiﬁcation of the kernel’s control-ﬂow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-ﬂow modiﬁcations; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-ﬂow modifying rootkits we could install, while imposing unnoticeable overhead for both a typical web server workload and CPU-intensive workloads when operating at 10 second intervals. Categories and Subject Descriptors D.4.6 [OPERATING SYSTEMS]: Security and Protection—Invasive software General Terms Security Keywords CFI, integrity, virtualization, rootkit, kernel

Nick L. Petroni Jr., Michael W. Hicks

Real-time Traffic

CCS 2007 | Control-ﬂow Modifying Rootkits | Rootkits | Security Privacy | State-based Control-ﬂow Integrity |

claim paper

Post Info
More Details (n/a)

Added	07 Jun 2010
Updated	07 Jun 2010
Type	Conference
Year	2007
Where	CCS
Authors	Nick L. Petroni Jr., Michael W. Hicks

Comments (0)

Sciweavers

Automated detection of persistent kernel control-flow attacks

CCS 2007 | Control-ﬂow Modifying Rootkits | Rootkits | Security Privacy | State-based Control-ﬂow Integrity |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers