Detecting Compromised Kernel Hooks with Support of Hardware Debugging Features (cited by: 3)

Abstract: Although there exist a few good schemes to protect the kernel hooks of operating systems, attackers are still able to circumvent existing defense mechanisms with spurious context information. To address this challenge, this paper proposes a framework, called HookIMA, to detect compromised kernel hooks by using hardware debugging features. The key contribution of the work is that context information is captured from hardware instead of from relatively vulnerable kernel data. Using commodity hardware, a proof-of-concept prototype system of HookIMA has been developed. This prototype handles 3,082 dynamic control-flow transfers with related hooks in the kernel space. Experiments show that HookIMA is capable of detecting compromised kernel hooks caused by kernel rootkits. Performance evaluations with UnixBench indicate that the runtime overhead introduced by HookIMA is about 21.5%.
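The abstract states the design point at a high level only: the context of each dynamic control-flow transfer through a hook is taken from a hardware debugging feature rather than from kernel memory, so a rootkit that already runs in ring 0 cannot forge it. The following user-space C model is an added example and is not code from the paper or its prototype. The branch-record layout, the policy table, every address, and the assumption that a context-based checker ignores transfers from sites it does not protect are constructed for illustration; which Intel debugging feature HookIMA uses and how it is configured is not stated in the abstract.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict for one control-flow transfer. */
typedef enum { HOOK_OK = 0, HOOK_VIOLATION = 1, HOOK_UNMONITORED = 2 } verdict_t;

/* One transfer as a hardware branch-trace feature would report it: the
   address of the indirect call and the address it landed on.  Layout is an
   assumption for this example; real LBR/BTS records differ. */
typedef struct { uint64_t from; uint64_t to; } branch_record_t;

/* Policy: a protected hook site and the only target it may dispatch to. */
typedef struct { uint64_t hook_site; uint64_t legit_target; } hook_policy_t;

/* All addresses below are constructed for the example, not from the paper. */
#define CALL_INSN_LEN   5                       /* x86-64 near call, rel32 */
#define OPEN_HOOK_SITE  0xffffffff81001000ULL
#define OPEN_TARGET     0xffffffff81200000ULL
#define READ_HOOK_SITE  0xffffffff81001010ULL
#define READ_TARGET     0xffffffff81201000ULL
#define ROOTKIT_CODE    0xffffffffa0000000ULL   /* attacker's loaded module */
#define BENIGN_CALLER   0xffffffff81345678ULL   /* some unprotected call site */

static const hook_policy_t policy[] = {
    { OPEN_HOOK_SITE, OPEN_TARGET },
    { READ_HOOK_SITE, READ_TARGET },
};

/* Core check shared by both context sources: if the transfer originated at a
   protected hook site, it must reach that site's registered target. */
verdict_t hookima_verify(uint64_t from, uint64_t to)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (policy[i].hook_site == from)
            return to == policy[i].legit_target ? HOOK_OK : HOOK_VIOLATION;
    }
    return HOOK_UNMONITORED;   /* not a hook transfer: nothing to enforce */
}

/* Kernel-data variant: the checker reconstructs the call origin from the
   return address that the `call` instruction pushed on the stack. */
verdict_t verify_from_stack(uint64_t saved_return_addr, uint64_t current_pc)
{
    return hookima_verify(saved_return_addr - CALL_INSN_LEN, current_pc);
}

/* Hardware variant: the checker uses the branch record as captured by the
   CPU, which kernel code cannot rewrite after the fact. */
verdict_t verify_from_hardware(const branch_record_t *rec)
{
    return hookima_verify(rec->from, rec->to);
}

typedef struct { verdict_t stack; verdict_t hardware; } scenario_result_t;

/* Simulate one dispatch through the sys_open hook.  `hooked` redirects the
   hook pointer to rootkit code; `spoof_stack` additionally rewrites the saved
   return address so the stack-based checker believes the call came from an
   unprotected site (the "spurious context information" of the abstract). */
scenario_result_t run_scenario(bool hooked, bool spoof_stack)
{
    uint64_t target = hooked ? ROOTKIT_CODE : OPEN_TARGET;

    /* What the CPU actually did. */
    branch_record_t hw = { OPEN_HOOK_SITE, target };

    /* What the stack claims.  A ring-0 rootkit can overwrite this before
       the checker looks at it. */
    uint64_t saved_ret = OPEN_HOOK_SITE + CALL_INSN_LEN;
    if (hooked && spoof_stack)
        saved_ret = BENIGN_CALLER + CALL_INSN_LEN;

    scenario_result_t r;
    r.stack    = verify_from_stack(saved_ret, target);
    r.hardware = verify_from_hardware(&hw);
    return r;
}

int main(void)
{
    static const char *names[] = { "ok", "VIOLATION", "unmonitored" };
    struct { const char *label; bool hooked, spoof; } cases[] = {
        { "benign dispatch",        false, false },
        { "rootkit, honest stack",  true,  false },
        { "rootkit, spoofed stack", true,  true  },
    };
    for (size_t i = 0; i < 3; i++) {
        scenario_result_t r = run_scenario(cases[i].hooked, cases[i].spoof);
        printf("%-24s stack-context: %-11s hw-context: %s\n",
               cases[i].label, names[r.stack], names[r.hardware]);
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall hookima_model.c`. The third scenario is the one the abstract is about: the stack-based checker sees a transfer from an apparently unprotected site and lets it pass, while the hardware record still says the branch left the sys_open hook site and landed in rootkit code. Two caveats that a deployment has to address and that the abstract does not cover: the control registers or MSRs that enable the debugging feature, and the checker itself, must be protected (for instance from a hypervisor), or the rootkit simply disables tracing; and capturing context on every hook transfer is not free, which is consistent with the roughly 21.5% UnixBench overhead the paper reports.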
Source: China Communications (SCIE, CSCD), 2012, Issue 10, pp. 78-90 (13 pages).
Funding: The authors would like to thank the anonymous reviewers for their insightful comments that have helped improve the presentation of this paper. The work was supported partially by the National Natural Science Foundation of China under Grants No. 61070192, No. 91018008 and No. 61170240; the National High-Tech Research Development Program of China under Grant No. 2007AA01ZA14; and the Natural Science Foundation of Beijing under Grant No. 4122041.
Keywords: operating system; kernel; hook integrity; hardware; control flow; kernel space; function detection; hardware debugging; debugging features; hooks; prototype system; defense mechanism

Related literature

References (29 in total; 10 listed)

  • [1] DAVI L, DMITRIENKO A, EGELE M, et al. MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones[C]// Proceedings of the 19th Network and Distributed System Security Symposium: February 5-8, 2012, San Diego, California.
  • [2] HOFMANN O, DUNN A, KIM S, et al. Ensuring Operating System Kernel Integrity with OSck[C]// Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems: March 5-11, 2011, Newport Beach, CA, USA. ACM Press, 2011: 279-290.
  • [3] WANG Zhi, JIANG Xuxian, CUI Weidong, et al. Countering Kernel Rootkits with Lightweight Hook Protection[C]// Proceedings of the 16th ACM Conference on Computer and Communications Security: November 9-13, 2009, Chicago, Illinois, USA. ACM Press, 2009: 545-554.
  • [4] LI Jinku, WANG Zhi, BLETSCH T, et al. Comprehensive and Efficient Protection of Kernel Control Data[J]. IEEE Transactions on Information Forensics and Security, 2011, 6(4): 1404-1417.
  • [5] Intel. IA-32 Intel Architecture Software Developer's Manual Volume 3B: System Programming Guide[EB/OL]. http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html, 2011.
  • [6] UnixBench[EB/OL]. http://ftp.tux.org/pub/benchmarks/system/unixbench, 2012.
  • [7] SESHADRI A, LUK M, QU Ning, et al. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes[C]// Proceedings of the 21st Symposium on Operating Systems Principles: October 14-17, 2007, Stevenson, Washington, USA. ACM Press, 2007: 335-350.
  • [8] RILEY R, JIANG Xuxian, XU Dongyan. Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing[C]// Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection: September 15-17, 2008, Cambridge, MA, USA. Springer-Verlag, 2008: 1-20.
  • [9] PETRONI N, HICKS M. Automated Detection of Persistent Kernel Control-Flow Attacks[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security: October 29-November 2, 2007, Alexandria, VA, USA. ACM Press, 2007: 103-115.
  • [10] WANG Zhi, JIANG Xuxian, CUI Weidong, et al. Countering Persistent Kernel Rootkits Through Systematic Hook Discovery[C]// Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection: September 15-17, 2008, MIT, Cambridge, Massachusetts, USA. Springer-Verlag, 2008: 21-38.

Co-cited literature (48 in total; 10 listed)

  • [1] Attacking the Core: Kernel Exploiting Notes[EB/OL]. [2013-9-5]. http://phrack.org/issues.html?issue=64&id=6.
  • [2] PAYNE B D, CARBONE M, LEE W, et al. Secure and Flexible Monitoring of Virtual Machines[C]// Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 2007): December 10-14, 2007. Miami Beach, FL, USA, 2007: 385-397.
  • [3] WANG Zhi, JIANG Xuxian, CUI Weidong, et al. Countering Kernel Rootkits with Lightweight Hook Protection[C]// Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS): November 9-13, 2009. Chicago, IL, USA, 2009: 545-554.
  • [4] BOVET D, CESATI M. Understanding the Linux Kernel[M]. 3rd ed. Sebastopol, CA, USA: O'Reilly & Associates Inc., 2005.
  • [5] INTEL CORPORATION. Intel 64 and IA-32 Architectures Software Developer's Manual[EB/OL]. [2013-9-5]. http://www.intel.com/Assets/PDF/manuaIi253669.pdf.
  • [6] PAYNE B D, CARBONE M, SHARIF M, et al. Lares: An Architecture for Secure Active Monitoring Using Virtualization[C]// Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP 2008): May 18-22, 2008. Oakland, CA, USA, 2008: 233-247.
  • [7] SHARIF M, LEE Wenke, CUI Weidong, et al. Secure In-VM Monitoring Using Hardware Virtualization[C]// Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS): November 9-13, 2009. Chicago, IL, USA, 2009: 477-487.
  • [8] PETRONI JR N L, HICKS M. Automated Detection of Persistent Kernel Control-Flow Attacks[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07): October 29-November 2, 2007. Alexandria, VA, USA, 2007: 103-115.
  • [9] HOFMANN O S, DUNN A M, KIM S, et al. Ensuring Operating System Kernel Integrity with OSck[C]// Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS): March 5-11, 2011. Newport Beach, CA, USA, 2011: 279-290.
  • [10] TIAN Donghai, ZENG Qiang, WU Dinghao, et al. Kruiser: Semi-Synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring[C]// Proceedings of the 19th Annual Network & Distributed System Security Symposium (NDSS): February 5-8, 2012. San Diego, CA, USA, 2012.

Citing literature (3)

Secondary citing literature (3)
