Host-Based Security Sensor Integrity in Multiprocessing Environments

  • Thomas Richard McEvoy
  • Stephen D. Wolthusen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6047)

Abstract

Attack and intrusion detection on host systems is both a last line of defence and a source of substantially more detail than other sensor types. However, any host-based sensor is likely to be a primary target for adversaries seeking to ensure concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors utilising true concurrent observation of state at key locations of operating systems and security controls, including a self-defence mechanism. This is facilitated by the ready availability of multi-core and multi-processor systems in symmetric and non-uniform architectures for general-purpose computers.

This obviates the need for specialised hardware components or overhead imposed by virtualisation approaches and has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases whilst being highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks using dynamic obfuscation as it relies on higher-order semantics and also allows the system to deal with non-linearity in memory writes which is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.
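The abstract describes two ideas together: several observers running truly concurrently on separate cores, each repeatedly checking protected state, and the observers also watching one another so that silencing one sensor is itself detectable. The sketch below is an added illustration of that arrangement, not the paper's formal model or its code. It assumes a constructed in-memory list as a stand-in for a protected kernel structure, a hypothetical stall threshold of three rounds, and a simple majority quorum over observers; the paper's causal model for reasoning about partially completed writes is not reproduced, only the point that a single observer's mismatch is evidence to correlate, not a verdict.

```python
"""Mutually-observing host sensors: a constructed sketch (added example)."""
import hashlib
import threading
from collections import Counter
from dataclasses import dataclass, field

STALL_THRESHOLD = 3  # rounds a peer may stay silent before it is reported (assumed value)


def digest(values):
    """Hash a sequence of ints; every observer uses the same function."""
    return hashlib.sha256(",".join(str(v) for v in values).encode()).hexdigest()


@dataclass
class Observer:
    name: str
    baseline: str                       # digest taken at a trusted point in time
    peers: list = field(default_factory=list)
    heartbeat: int = 0
    alive: bool = True
    last_mismatch: bool = False         # outcome of this observer's latest state check
    alerts: list = field(default_factory=list)
    _last_seen: dict = field(default_factory=dict)     # peer name -> heartbeat seen
    _silent: Counter = field(default_factory=Counter)  # peer name -> rounds unchanged

    def observe(self, table):
        """One round: check the protected state, then check every peer's heartbeat."""
        if not self.alive:              # a disabled sensor neither checks nor beats
            return []
        self.heartbeat += 1
        found = []
        # Deliberately unsynchronised read: on a multiprocessor an observer may
        # see a write that is only partly complete, so one mismatch is evidence
        # to correlate across observers rather than a verdict on its own.
        self.last_mismatch = digest(list(table)) != self.baseline
        if self.last_mismatch:
            found.append(("state_mismatch", self.name))
        for peer in self.peers:
            beat = peer.heartbeat
            if self._last_seen.get(peer.name) == beat:
                self._silent[peer.name] += 1
                if self._silent[peer.name] >= STALL_THRESHOLD:
                    found.append(("peer_stalled", peer.name))
            else:
                self._silent[peer.name] = 0
            self._last_seen[peer.name] = beat
        self.alerts.extend(found)
        return found


def build_observers(table, n):
    """Create n observers sharing one trusted baseline and watching each other."""
    baseline = digest(list(table))
    observers = [Observer(f"obs{i}", baseline) for i in range(n)]
    for obs in observers:
        obs.peers = [p for p in observers if p is not obs]
    return observers


def run_rounds(observers, table, rounds):
    """Deterministic round-robin driver; returns alert counts by kind."""
    counts = Counter()
    for _ in range(rounds):
        for obs in observers:
            for kind, _who in obs.observe(table):
                counts[kind] += 1
    return counts


def run_concurrent(observers, table, rounds):
    """Each observer runs on its own thread, as it would on its own core."""
    def loop(obs):
        for _ in range(rounds):
            obs.observe(table)
    threads = [threading.Thread(target=loop, args=(o,)) for o in observers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(kind for o in observers for kind, _ in o.alerts)


def verdict(observers):
    """Majority quorum over the live observers' most recent state checks."""
    live = [o for o in observers if o.alive]
    mismatched = sum(1 for o in live if o.last_mismatch)
    if mismatched == 0:
        return "clean"
    return "tampered" if mismatched > len(live) // 2 else "inconsistent"


if __name__ == "__main__":
    table = [0x1000 + 16 * i for i in range(8)]   # constructed stand-in for a dispatch table
    sensors = build_observers(table, 4)
    print("clean run:", dict(run_concurrent(sensors, table, 5)), verdict(sensors))
    sensors[2].alive = False                       # simulate one sensor being disabled
    table[3] = 0xDEAD                              # simulate one entry being redirected
    print("after tampering:", dict(run_concurrent(sensors, table, 5)), verdict(sensors))
```

Two properties of the abstract's argument show up directly: adding observers raises the number of heartbeats an adversary must keep alive at once, and the quorum step separates a persistent modification (every live observer disagrees with the baseline) from a transient view that only some observers caught mid-write, which is where a causal analysis rather than a plain hash comparison would take over.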

Keywords

Virtual Machine, Shared Memory, Intrusion Detection, Kernel Feature, Concealment Technique

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Thomas Richard McEvoy (1)
  • Stephen D. Wolthusen (1, 2)
  1. Information Security Group, Department of Mathematics, Royal Holloway, University of London, Egham Hill, Egham, UK
  2. Norwegian Information Security Laboratory, Gjøvik University College, Gjøvik, Norway