{"title":"潜伏在阴影中:识别对内核数据的系统性威胁","authors":"A. Baliga, P. Kamat, L. Iftode","doi":"10.1109/SP.2007.25","DOIUrl":null,"url":null,"abstract":"The integrity of kernel code and data is fundamental to the integrity of the computer system. Tampering with the kernel data is an attractive venue for rootkit writers since malicious modifications in the kernel are harder to identify compared to their user-level counterparts. So far however, the pattern followed for tampering is limited to hiding malicious objects in user-space. This involves manipulating a subset of kernel data structures that are related to intercepting user requests or affecting the user's view of the system. Hence, defense techniques are built around detecting such hiding behavior. The contribution of this paper is to demonstrate a new class of stealthy attacks that only exist in kernel space and do not employ any hiding techniques traditionally used by rootkits. These attacks are stealthy because the damage done to the system is not apparent to the user or intrusion detection systems installed on the system and are symbolic of a more systemic problem present throughout the kernel. Our goal in building these attack prototypes was to show that such attacks are not only realistic, but worse; they cannot be detected by the current generation of kernel integrity monitors, without prior knowledge of the attack signature.","PeriodicalId":131863,"journal":{"name":"2007 IEEE Symposium on Security and Privacy (SP '07)","volume":"134 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-05-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"99","resultStr":"{\"title\":\"Lurking in the Shadows: Identifying Systemic Threats to Kernel Data\",\"authors\":\"A. Baliga, P. Kamat, L. Iftode\",\"doi\":\"10.1109/SP.2007.25\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The integrity of kernel code and data is fundamental to the integrity of the computer system. Tampering with the kernel data is an attractive venue for rootkit writers since malicious modifications in the kernel are harder to identify compared to their user-level counterparts. So far however, the pattern followed for tampering is limited to hiding malicious objects in user-space. This involves manipulating a subset of kernel data structures that are related to intercepting user requests or affecting the user's view of the system. Hence, defense techniques are built around detecting such hiding behavior. The contribution of this paper is to demonstrate a new class of stealthy attacks that only exist in kernel space and do not employ any hiding techniques traditionally used by rootkits. These attacks are stealthy because the damage done to the system is not apparent to the user or intrusion detection systems installed on the system and are symbolic of a more systemic problem present throughout the kernel. Our goal in building these attack prototypes was to show that such attacks are not only realistic, but worse; they cannot be detected by the current generation of kernel integrity monitors, without prior knowledge of the attack signature.\",\"PeriodicalId\":131863,\"journal\":{\"name\":\"2007 IEEE Symposium on Security and Privacy (SP '07)\",\"volume\":\"134 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2007-05-20\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"99\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2007 IEEE Symposium on Security and Privacy (SP '07)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SP.2007.25\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE Symposium on Security and Privacy (SP '07)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2007.25","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Lurking in the Shadows: Identifying Systemic Threats to Kernel Data
The integrity of kernel code and data is fundamental to the integrity of the computer system. Tampering with the kernel data is an attractive venue for rootkit writers since malicious modifications in the kernel are harder to identify compared to their user-level counterparts. So far however, the pattern followed for tampering is limited to hiding malicious objects in user-space. This involves manipulating a subset of kernel data structures that are related to intercepting user requests or affecting the user's view of the system. Hence, defense techniques are built around detecting such hiding behavior. The contribution of this paper is to demonstrate a new class of stealthy attacks that only exist in kernel space and do not employ any hiding techniques traditionally used by rootkits. These attacks are stealthy because the damage done to the system is not apparent to the user or intrusion detection systems installed on the system and are symbolic of a more systemic problem present throughout the kernel. Our goal in building these attack prototypes was to show that such attacks are not only realistic, but worse; they cannot be detected by the current generation of kernel integrity monitors, without prior knowledge of the attack signature.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
