Funding: The authors would like to thank the anonymous reviewers for their insightful comments that have helped improve the presentation of this paper. The work was supported partially by the National Natural Science Foundation of China under Grants No. 61070192, No. 91018008 and No. 61170240; the National High-Tech Research Development Program of China under Grant No. 2007AA01Z414; and the Natural Science Foundation of Beijing under Grant No. 4122041.
Abstract: Although there exist a few good schemes to protect the kernel hooks of operating systems, attackers are still able to circumvent existing defense mechanisms with spurious context information. To address this challenge, this paper proposes a framework, called HookIMA, to detect compromised kernel hooks by using hardware debugging features. The key contribution of the work is that context information is captured from hardware instead of from relatively vulnerable kernel data. Using commodity hardware, a proof-of-concept prototype system of HookIMA has been developed. This prototype handles 3,082 dynamic control-flow transfers with related hooks in the kernel space. Experiments show that HookIMA is capable of detecting compromised kernel hooks caused by kernel rootkits. Performance evaluations with UnixBench indicate that the runtime overhead introduced by HookIMA is about 21.5%.
Funding: Supported by the National Natural Science Foundation of China (60373054).
Abstract: Trusted path is one of the crucial features that operating systems must provide for fundamental security support. In order to explore the possibility of implementing a trusted path mechanism with the support of trusted platform module (TPM) technologies, and to support TPM capabilities in operating systems, the paper extended the scope of the conventional trusted path to cover the situation in which a user communicates with software residing on a remote host. The paper combined the concept of operating system support for trusted path with that for TPM platforms, and proposed the architecture of an extended trusted path mechanism in operating systems with considerations for TPM-capable platform support. As part of the author's research in secure operating systems, the work of the paper was carried out with Linux as an experimental prototype system. The research result shows that TPM capabilities can strengthen extended trusted path mechanisms of operating systems.
Funding: The work is supported in part by the National Natural Science Foundation of China, the Natural Science Foundation of Beijing, and the National 863 High-Tech Research Development Program of China.
Abstract: It is a challenge to verify the integrity of dynamic control flows due to their dynamic and volatile nature. To meet the challenge, existing solutions usually implant an "attachment" in each control transfer. However, the attachment introduces additional costs beyond the performance penalty. For example, the attachment must be unique, or its modification must be restricted. In this paper, we propose a novel approach to detect the integrity of dynamic control flows by counting executed branch instructions without involving any attachment. Our solution is based on the following observation: if a control flow is compromised, the number of executed branch instructions will be abnormally increased. The cause is that intruders usually hijack control flows for malicious execution, which inevitably introduces additional branch instructions. Inspired by the above observation, in this paper we devise a novel system named DCFI-Checker, which detects integrity corruption of dynamic control flows with the support of the Performance Monitoring Counter (PMC). We have developed a proof-of-concept prototype system of DCFI-Checker on Linux Fedora 5. Our experiments with existing kernel rootkits and a buffer overflow attack show that DCFI-Checker is effective at detecting compromised dynamic control transfers, and performance evaluations indicate that the performance penalty induced by DCFI-Checker is acceptable.
Funding: Supported in part by the National Natural Science Foundation of China under grants No. 61472429, 61070192, 91018008, 61303074 and 61170240; the Beijing Natural Science Foundation under grant No. 4122041; the National High-Tech Research Development Program of China under grant No. 2007AA01Z414; and the National Science and Technology Major Project of China under grant No. 2012ZX01039-004.
Abstract: Copy-Move Forgery (CMF) is one of the simplest and most effective operations for creating forged digital images. Recently, techniques based on the Scale Invariant Feature Transform (SIFT) have been widely used to detect CMF. Various approaches under the SIFT-based framework are the most accepted ways of detecting CMF due to their robust performance. However, for some CMF images, these approaches cannot produce satisfactory detection results. For instance, the number of matched keypoints may be too few to prove an image to be a CMF image or to generate an accurate result. Sometimes these approaches may even produce erroneous results. According to our observations, one of the reasons is that detection results produced by the SIFT-based framework depend highly on parameters whose values are often determined empirically. These values are only applicable to a few images, which limits their application. To solve the problem, a novel approach named CMF Detection with Particle Swarm Optimization (CMFD-PSO) is proposed in this paper. CMFD-PSO integrates the Particle Swarm Optimization (PSO) algorithm into the SIFT-based framework. It utilizes the PSO algorithm to generate customized parameter values for each image, which are then used for CMF detection under the SIFT-based framework. Experimental results show that CMFD-PSO has good performance.
Funding: Supported by the National Natural Science Foundation of China (61472429, 61070192, 91018008, 61303074, 61170240); the National High Technology Research Development Program of China (863 Program) (2007AA01Z414); the National Science and Technology Major Project of China (2012ZX01039-004); and the Beijing Natural Science Foundation (4122041).
Abstract: Small or smooth cloned regions are difficult to detect in image copy-move forgery (CMF) detection. Aiming at this problem, an effective method based on image segmentation and a swarm intelligence (SI) algorithm is proposed. This method segments an image into small non-overlapping blocks. A smoothness degree is calculated for each block. The test image is then segmented into independent layers according to the smoothness degree. The SI algorithm is applied to find the optimal detection parameters for each layer. These parameters are used to detect each layer with a scale invariant feature transform (SIFT)-based scheme, which can locate a large number of keypoints. The experimental results demonstrate the good performance of the proposed method, which is effective at identifying CMF images with small or smooth cloned regions.
Funding: Supported by the National Natural Science Foundation of China (61472429, 61070192, 91018008, 61303074, 61170240); the Beijing Municipal Natural Science Foundation (4122041); and the National High-Technology Research and Development Program of China (863 Program) (2007AA01Z414).
Abstract: In order to enhance the security of a browser password manager, we propose an approach based on a hardware trusted platform module (TPM). Our approach encrypts users' passwords with keys generated by the TPM, which uses a master password as the credential for authorization to access the TPM. Such a hardware-based feature may provide an efficient way to protect users' passwords. Experiment and evaluation results show that our approach performs well in defending against password stealing attacks and brute force attacks. Attackers cannot get passwords directly from the browser, and therefore they would need an impractical amount of time to obtain them. Besides, the performance cost induced by our approach is acceptable.