System Call API Obfuscation (Extended Abstract)

  • Abhinav Srivastava
  • Andrea Lanzi
  • Jonathon Giffin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5230)


We claim that attacks can evade the comprehension of security tools that rely on knowledge of standard system call interfaces to reason about process execution behavior. Our attack, called Illusion, will invoke privileged operations in a Windows or Linux kernel at the request of user-level processes without requiring those processes to call the actual system calls corresponding to the operations. The Illusion interface will hide system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion will alter neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory.


System Call Kernel Module Malicious Code Handler Function Standard Operating System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for UNIX processes. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 1996)Google Scholar
  2. 2.
    Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: Network and Distributed System Security Symposium (NDSS), San Diego, CA (February 2004)Google Scholar
  3. 3.
    Jiang, X., Wang, X.: Out-of-the-box monitoring of VM-based high-interaction honeypots. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 198–218. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  4. 4.
    Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E., Morris, R.: Information flow control for standard OS abstractions. In: Symposium on Operating System Principles (SOSP), Stevenson, WA (October 2007)Google Scholar
  5. 5.
    Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Abhinav Srivastava
    • 1
  • Andrea Lanzi
    • 1
    • 2
  • Jonathon Giffin
    • 1
  1. 1.School of Computer ScienceGeorgia Institute of TechnologyUSA
  2. 2.Dipartimento di Informatica e ComunicazioneUniversità degli Studi di MilanoItaly

Personalised recommendations