Results 1 - 10
of
18
Self-service Cloud Computing
, 2012
"... Modern cloud computing infrastructures use virtual machine monitors (VMMs) that often include a large and complex administrative domain with privileges to inspect client VM state. Attacks against or misuse of the administrative domain can compromise client security and privacy. Moreover, these VMMs ..."
Abstract
-
Cited by 11 (3 self)
- Add to MetaCart
Modern cloud computing infrastructures use virtual machine monitors (VMMs) that often include a large and complex administrative domain with privileges to inspect client VM state. Attacks against or misuse of the administrative domain can compromise client security and privacy. Moreover, these VMMs provide clients inflexible control over their own VMs, as a result of which clients have to rely on the cloud provider to deploy useful services, such as VM introspection-based security tools. We introduce a new self-service cloud (SSC) computing model that addresses these two shortcomings. SSC splits administrative privileges between a system-wide domain and per-client administrative domains. Each client can manage and perform privileged system tasks on its own VMs, thereby providing flexibility. The system-wide administrative domain cannot inspect the code, data or computation of client VMs, thereby ensuring security and privacy. SSC also allows providers and clients to establish mutually trusted services that can check regulatory compliance while respecting client privacy. We have implemented SSC by modifying the Xen hypervisor. We demonstrate its utility by building user domains to perform privileged tasks such as memory introspection, storage intrusion detection, and anomaly detection.
Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection
"... The rapid growth of mobile malware necessitates the presence of robust malware detectors on mobile devices. However, running malware detectors on mobile devices may drain their battery, causing users to disable these protection mechanisms to save power. This paper studies the security versus energy ..."
Abstract
-
Cited by 10 (2 self)
- Add to MetaCart
(Show Context)
The rapid growth of mobile malware necessitates the presence of robust malware detectors on mobile devices. However, running malware detectors on mobile devices may drain their battery, causing users to disable these protection mechanisms to save power. This paper studies the security versus energy tradeoffs for a particularly challenging class of malware detectors, namely rootkit detectors. We investigate the security versus energy tradeoffs along two axes: attack surface and malware scanning frequency, for both code and data based rootkit detectors. Our findings, based on a real implementation on a mobile handheld device, reveal that protecting against code-driven attacks is relatively cheap, while protecting against all data-driven attacks is prohibitively expensive. Based on our findings, we determine a sweet spot in the security versus energy tradeoff, called the balanced profile, which protects a mobile device against a vast majority of known attacks, while consuming a limited amount of extra battery power. Categories and Subject Descriptors. C.5.3 [Computer System Implementation]: Microcomputers—Portable devices (e.g., laptops,
Security Implications of Memory Deduplication in a Virtualized Environment
"... Abstract — Memory deduplication has been widely used in various commodity hypervisors. By merging identical memory contents, it allows more virtual machines to run concurrently on top of a hypervisor. However, while this technique improves memory efficiency, it has a large impact on system security. ..."
Abstract
-
Cited by 4 (2 self)
- Add to MetaCart
(Show Context)
Abstract — Memory deduplication has been widely used in various commodity hypervisors. By merging identical memory contents, it allows more virtual machines to run concurrently on top of a hypervisor. However, while this technique improves memory efficiency, it has a large impact on system security. In particular, memory deduplication is usually implemented using a variant of copy-on-write techniques, for which, writing to a shared page would incur a longer access time than those nonshared. In this paper, we investigate the security implication of memory deduplication from the perspectives of both attackers and defenders. On one hand, using the artifact above, we demonstrate two new attacks to create a covert channel and detect virtualization, respectively. On the other hand, we also show that memory deduplication can be leveraged to safeguard Linux kernel integrity. I.
Blacksheep: Detecting Compromised Hosts in Homogeneous Crowds
"... The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker’s presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a ..."
Abstract
-
Cited by 3 (0 self)
- Add to MetaCart
(Show Context)
The lucrative rewards of security penetrations into large organizations have motivated the development and use of many sophisticated rootkit techniques to maintain an attacker’s presence on a compromised system. Due to the evasive nature of such infections, detecting these rootkit infestations is a problem facing modern organizations. While many approaches to this problem have been proposed, various drawbacks that range from signature generation issues, to coverage, to performance, prevent these approaches from being ideal solutions. In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. This approach was motivated by the homogenous natures of many corporate networks. Taking advantage of the similarity amongst the machines that it analyses, Blacksheep is able to efficiently and effectively detect both existing and new infestations by comparing the memory dumps collected from each host. We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking the deployment of Blacksheep on a cloud computing provider’s network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep’s usage under more challenging image acquisition conditions. The results of the evaluation show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.
Evasion-resistant malware signature based on profiling kernel data structure objects
- In Proceedings of the 2012 7th International Conference on Risks and Security of Internet and Systems, CRISIS ’12
, 2012
"... Abstract — Malware authors attempt in an endless effort to find new methods to evade the malware detection engines. A popular method is the use of obfuscation technologies that change the syntax of malicious code while preserving the execution semantics. This leads to the evasion of signatures that ..."
Abstract
-
Cited by 3 (0 self)
- Add to MetaCart
(Show Context)
Abstract — Malware authors attempt in an endless effort to find new methods to evade the malware detection engines. A popular method is the use of obfuscation technologies that change the syntax of malicious code while preserving the execution semantics. This leads to the evasion of signatures that are built based on the code syntax. In this paper, we propose a novel approach to develop an evasion-resistant malware signature. This signature is based on the malware’s execution profiles extracted from kernel data structure objects and neither uses malicious code syntax specific information code execution flow information. Thus, proposed signature is more resistant to obfuscation methods and resilient in detecting malicious code variants. To evaluate the effectiveness of the proposed approach, a prototype signature generation tool called SigGENE is developed. The effectiveness of signatures generated by SigGENE evaluated using an experimental root kit-simulation tool that employs techniques commonly found in rootkits. This simulation-tool is obfuscated using several different methods. In further experiments, real-world malware samples that have different variants with the same behavior used to verify the real-world applicability of the approach. The experiments show that the proposed approach is effective, not only in generating a signature that detects the malware and its variants and defeats different obfuscation methods, but also, in producing an execution profiles that can be used to characterize different malicious attacks.
Monitoring Integrity using Limited Local Memory
"... System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state of the art system integrity monitors rely on virtualization tec ..."
Abstract
-
Cited by 1 (0 self)
- Add to MetaCart
(Show Context)
System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state of the art system integrity monitors rely on virtualization technology to set up a tamper-proof execution environment. Consequently, the virtualization infrastructure is part of the trusted computing base. However, modern virtual machine monitors are complex entities, with large code bases that are difficult to verify. In this paper, we present a new machine architecture called limited local memory (LLM), which we leverage to set up an alternative tamper-proof execution environment for system integrity monitors. This architecture leverages recent trends in multicore chip design to equip each processing core with access to a small, private memory area. We show that the features of the LLM architecture, combined with a novel secure paging mechanism, suffice to bootstrap a tamper-proof execution environment without support for hardware virtualization. We demonstrate the utility of this architecture by building a rootkit detector that leverages the key features of LLM. This rootkit detector can safely inspect a target operating system without itself becoming the victim of infection.
Cyber-Physical Systems: Survey
"... The cyber-physical systems are the combination of computational elements and physical entities that can interact with humans through many modalities. The security includes the malicious attempts by adversary that disrupts or destructs the functions of physical systems that affects infrastructure, bu ..."
Abstract
- Add to MetaCart
(Show Context)
The cyber-physical systems are the combination of computational elements and physical entities that can interact with humans through many modalities. The security includes the malicious attempts by adversary that disrupts or destructs the functions of physical systems that affects infrastructure, businesses, and routine human life. The research in cyber-physical systems is in its infantry. The work requires the development of security models at cloud interacting with physical systems. The current research discusses four parts. The security requirements in the future engineering systems includes the state of security in cloud cyber-physical systems, security requirements in Hadoop distributed file systems and trust-based security model in sensor networks. Further, the proposed research develops the agent-based approach as an example of trust-based packet transfer. The approach keeps the each node’s current status. The results show that maintaining the ratings of each node, the trust can be calculated and eliminate the malicious node.
Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data
"... Generally speaking, malicious code leverages hooks within a system to divert the control flow. Without them, an attacker is blind to the events occurring in the sys-tem, rendering her unable to perform malicious activities (e.g., hiding of files or capturing of keystrokes). How-ever, while hooks are ..."
Abstract
- Add to MetaCart
(Show Context)
Generally speaking, malicious code leverages hooks within a system to divert the control flow. Without them, an attacker is blind to the events occurring in the sys-tem, rendering her unable to perform malicious activities (e.g., hiding of files or capturing of keystrokes). How-ever, while hooks are an integral part of modern attacks, they are at the same time one of their biggest weaknesses: Even the most sophisticated attack can be easily identi-fied if one of its hooks is found. In spite of this fact, hooking mechanisms have remained almost unchanged over the last years and still rely on the persistent mod-ification of code or control data to divert the control flow. As a consequence, hooks represent an abnormal-ity within the system that is permanently evident and can in many cases easily be detected as the hook detection mechanisms of recent years amply demonstrated. In this paper, we propose a novel hooking concept that we refer to as dynamic hooking. Instead of modifying persistent control data permanently, this hooking mech-anisms targets transient control data such as return ad-dresses at run-time. The hook itself will thereby reside within non-control data and remains hidden until it is triggered. As a result, there is no evident connection be-tween the hook and the actual control flow change, which enables dynamic hooks to successfully evade existing de-tection mechanisms. To realize this idea, dynamic hooks make use of exploitation techniques to trigger vulner-abilities at run-time. Due to this approach, dynamic hooks cannot only be used to arbitrarily modify the con-trol flow, but can also be applied to conduct non-control data attacks, which makes them more powerful than their predecessors. We implemented a prototype that makes uses of static program slicing and symbolic execution to automatically extract paths for dynamic hooks that can then be used by a human expert for their realization. To demonstrate this, we used the output provided by our prototype to implement concrete examples of dynamic hooks for both modern Linux and Windows kernels.
Open access to the Proceedings of the 22nd USENIX Security Symposium is sponsored by USENIX KI-Mon: A Hardware-assisted Event-triggered Monitoring Platform for Mutable Kernel Object KI-Mon: A Hardware-assisted Event-triggered Monitoring Platform for Mutab
"... Abstract Kernel rootkits undermine the integrity of system by manipulating its operating system kernel. External hardware-based monitors can serve as a root of trust that is resilient to rootkit attacks. The existing external hardware-based approaches lack an event-triggered verification scheme for ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract Kernel rootkits undermine the integrity of system by manipulating its operating system kernel. External hardware-based monitors can serve as a root of trust that is resilient to rootkit attacks. The existing external hardware-based approaches lack an event-triggered verification scheme for mutable kernel objects. To address the issue, we present KI-Mon, a hardware-based platform for event-triggered kernel integrity monitor. A refined form of bus traffic monitoring efficiently verifies the update values of the objects, and callback verification routines can be programmed and executed for a designated event space. We have built a KI-Mon prototype to demonstrate the efficacy of KI-Mon's event-triggered mechanism in terms of performance overhead for the monitored host system and the processor usage of the KI-Mon processor.
1 Monitoring Integrity using Limited Local Memory
"... Abstract—System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state of the art system integrity monitors rely on virtualiza ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract—System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state of the art system integrity monitors rely on virtualization technology to set up a tamper-proof execution environment. Consequently, the virtualization infrastructure is part of the trusted computing base. However, modern virtual machine monitors are complex entities, with large code bases that are difficult to verify. In this paper, we present a new machine architecture called limited local memory (LLM), which we leverage to set up an alternative tamper-proof execution environment for system integrity monitors. This architecture leverages recent trends in multicore chip design to equip each processing core with access to a small, private memory area. We show that the features of the LLM architecture, combined with a novel secure paging mechanism, suffice to bootstrap a tamper-proof execution environment without support for hardware virtualization. We demonstrate the utility of this architecture by building a rootkit detector that leverages the key features of LLM. This rootkit detector can safely inspect a target operating system without itself becoming the victim of infection. I.
