Kernel Data Attack Is a Realistic Security Threat

  • Conference paper

Abstract

By altering in-memory kernel data, attackers can manipulate the runtime behavior of an operating system without injecting any malicious code. This type of attack is called a kernel data attack. Intuitively, the security impact of such an attack seems minor, and it has therefore not drawn much attention from the security community. In this paper, we thoroughly investigate kernel data attacks, show that their damage can be as serious as that of kernel rootkits, and then propose countermeasures. More specifically, we first demonstrate that, by tampering with kernel data alone, attackers can stealthily subvert various kernel security mechanisms. We then develop a new keylogger, DLOGGER, that is stealthier than existing keyloggers: instead of injecting malicious code, it only alters kernel data and leverages existing benign kernel code to build a covert channel through which attackers can exfiltrate sensitive information. Consequently, existing defenses, including hypervisor-level mechanisms that search for hidden processes or hidden modules, or that monitor kernel code integrity, cannot detect DLOGGER. To counter kernel data attacks, we propose a defense that classifies kernel data into different categories and handles each category separately, and we evaluate its efficacy with real experiments. Our results show that the defense detects kernel data attacks with negligible performance overhead.
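The following user-space C model is an added illustration and is not code from the paper, nor the authors' actual defense (the page does not describe which kernel fields they classify or how). It shows the point the abstract makes: a monitor that checks code and hook pointers stays silent when an attacker flips a plain policy flag, because the benign kernel code itself honors the flipped value, while a monitor that also covers data classified as fixed-after-boot catches the change. All names (toy_kernel, access_hook, enforcing, last_uid) are hypothetical stand-ins for real kernel structures.

```c
/* Added illustration, not the paper's code. A user-space model of a
 * kernel data attack: the attacker only writes a data field, no code is
 * injected and no function pointer is changed. All identifiers here are
 * hypothetical; the real kernel fields are not named on this page. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy "kernel": one function pointer (control data) plus two plain data
 * fields. `enforcing` is set once at boot and never legitimately changes
 * afterwards (invariant data); `last_uid` changes on every call (volatile). */
struct toy_kernel {
    int (*access_hook)(struct toy_kernel *k, int uid);  /* control data   */
    int  enforcing;                                     /* invariant data */
    int  last_uid;                                      /* volatile data  */
};

/* Benign kernel code: it faithfully honors whatever `enforcing` says. */
static int access_check(struct toy_kernel *k, int uid)
{
    k->last_uid = uid;
    if (!k->enforcing)
        return 1;           /* policy off: everyone is allowed */
    return uid == 0;        /* policy on: only root */
}

/* FNV-1a over a byte range; stands in for whatever digest a monitor uses. */
static uint64_t fnv1a(const void *p, size_t n, uint64_t h)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Monitor A (code/hook integrity): digests only the control data. */
static uint64_t hash_control(const struct toy_kernel *k)
{
    return fnv1a(&k->access_hook, sizeof k->access_hook, 0xcbf29ce484222325ULL);
}

/* Monitor B (data classification): additionally digests the fields
 * classified as boot-time invariants, but deliberately skips volatile
 * fields so normal activity does not raise false alarms. */
static uint64_t hash_invariant(const struct toy_kernel *k)
{
    uint64_t h = hash_control(k);
    return fnv1a(&k->enforcing, sizeof k->enforcing, h);
}

void toy_boot(struct toy_kernel *k)
{
    k->access_hook = access_check;
    k->enforcing = 1;
    k->last_uid = -1;
}

/* Attacker with an arbitrary kernel-write primitive: a single data write. */
void data_attack(struct toy_kernel *k)
{
    k->enforcing = 0;
}

/* Access request dispatched through the kernel's own (unmodified) code path. */
int request_access(struct toy_kernel *k, int uid)
{
    return k->access_hook(k, uid);
}

/* Runs the scenario and returns a bitmask:
 *   bit0 = unprivileged uid granted access after the attack
 *   bit1 = control-data monitor (A) raised an alarm
 *   bit2 = invariant-data monitor (B) raised an alarm
 *   bit3 = unprivileged uid was correctly denied before the attack */
int scenario(void)
{
    struct toy_kernel k;
    toy_boot(&k);
    uint64_t c0 = hash_control(&k), i0 = hash_invariant(&k);

    int r = 0;
    if (!request_access(&k, 1000)) r |= 8;   /* baseline: denied */
    data_attack(&k);
    if (request_access(&k, 1000))  r |= 1;   /* after attack: granted */
    if (hash_control(&k) != c0)    r |= 2;   /* A stays silent */
    if (hash_invariant(&k) != i0)  r |= 4;   /* B detects the write */
    return r;
}

/* Returns 1 if ordinary activity (volatile data changing) leaves monitor B quiet. */
int no_false_positive(void)
{
    struct toy_kernel k;
    toy_boot(&k);
    uint64_t i0 = hash_invariant(&k);
    request_access(&k, 1000);                /* only last_uid changes */
    return hash_invariant(&k) == i0;
}

int main(void)
{
    int r = scenario();
    printf("uid 1000 denied before attack: %d\n", !!(r & 8));
    printf("uid 1000 granted after attack: %d\n", r & 1);
    printf("control-data monitor alarm:    %d\n", !!(r & 2));
    printf("invariant-data monitor alarm:  %d\n", !!(r & 4));
    printf("volatile writes cause alarm:   %d\n", !no_false_positive());
    return 0;
}
```

The model separates the two halves of the abstract's argument: the attack succeeds through unmodified, benign code (so hook and code-integrity checks have nothing to flag), and the defense only works if it knows which data fields are supposed to be constant. In a real kernel that classification is the hard part: fields such as policy flags can also be changed legitimately through administrative interfaces, which is why a deployable defense has to treat categories of data differently rather than freezing everything.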

Author information

Correspondence to Jidong Xiao.

Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Xiao, J., Huang, H., Wang, H. (2015). Kernel Data Attack Is a Realistic Security Threat. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_8

  • DOI: https://doi.org/10.1007/978-3-319-28865-9_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-28864-2

  • Online ISBN: 978-3-319-28865-9
