System Call API Obfuscation (Extended Abstract)

Srivastava, Abhinav; Lanzi, Andrea; Giffin, Jonathon

doi:10.1007/978-3-540-87403-4_36

Abhinav Srivastava¹,
Andrea Lanzi^1,2 &
Jonathon Giffin¹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5230))

Included in the following conference series:

International Workshop on Recent Advances in Intrusion Detection

1769 Accesses
6 Citations

Abstract

We claim that attacks can evade the comprehension of security tools that rely on knowledge of standard system call interfaces to reason about process execution behavior. Our attack, called Illusion, will invoke privileged operations in a Windows or Linux kernel at the request of user-level processes without requiring those processes to call the actual system calls corresponding to the operations. The Illusion interface will hide system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion will alter neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 89.00; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for UNIX processes. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 1996)
Google Scholar
Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: Network and Distributed System Security Symposium (NDSS), San Diego, CA (February 2004)
Google Scholar
Jiang, X., Wang, X.: Out-of-the-box monitoring of VM-based high-interaction honeypots. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 198–218. Springer, Heidelberg (2007)
Chapter Google Scholar
Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E., Morris, R.: Information flow control for standard OS abstractions. In: Symposium on Operating System Principles (SOSP), Stevenson, WA (October 2007)
Google Scholar
Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 2001)
Google Scholar

Download references

Author information

Authors and Affiliations

School of Computer Science, Georgia Institute of Technology, USA
Abhinav Srivastava, Andrea Lanzi & Jonathon Giffin
Dipartimento di Informatica e Comunicazione, Università degli Studi di Milano, Italy
Andrea Lanzi

Authors

Abhinav Srivastava
View author publications
You can also search for this author in PubMed Google Scholar
Andrea Lanzi
View author publications
You can also search for this author in PubMed Google Scholar
Jonathon Giffin
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Richard Lippmann Engin Kirda Ari Trachtenberg

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Srivastava, A., Lanzi, A., Giffin, J. (2008). System Call API Obfuscation (Extended Abstract). In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_36

Download citation

DOI: https://doi.org/10.1007/978-3-540-87403-4_36
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-87402-7
Online ISBN: 978-3-540-87403-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics