Abstract
Attack and intrusion detection on host systems is both a last line of defence and provides substantially more detail than other sensor types. However, any host-based sensor is likely to be a primary target for adversaries to ensure concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors utilising true concurrent observation of state at key locations of operating systems and security controls, including a self-defence mechanism. This is facilitated by the ready availability of multi-core and multi-processor systems in symmetric and non-uniform architectures for general-purpose computers.
This obviates the need for specialised hardware components or overhead imposed by virtualisation approaches and has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases whilst being highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks using dynamic obfuscation as it relies on higher-order semantics and also allows the system to deal with non-linearity in memory writes which is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.
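The abstract describes observation threads that concurrently check state at key operating-system locations and also observe each other, so that disabling one sensor is itself detected. The following is an added illustration of that idea, not the paper's own code or model: a toy in which several threads each hash a subset of constructed "kernel regions" against a baseline and additionally hash every peer's code token, with two constructed attack models (a table entry rewritten, then one observer patched out) applied between rounds. Region names, the `Observer` class and the round/barrier scheduling are assumptions made for the illustration.

```python
import hashlib
import threading


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_state() -> dict:
    # Constructed stand-in for kernel state at "key locations"; a real sensor
    # would read these regions from memory rather than from a dict.
    return {
        "syscall_table": bytes(range(64)),
        "module_list": b"mod_a,mod_b,mod_c",
        "idt": bytes(range(32, 96)),
    }


class Observer:
    """One observation thread: watches a subset of regions and every peer observer."""

    def __init__(self, oid: int, regions):
        self.oid = oid
        self.regions = list(regions)
        self.code = b"observer-code-%d" % oid  # stands in for the observer's own code
        self.alive = True                      # False once an attacker patches it out
        self.region_refs = {}
        self.peer_refs = {}
        self.alerts = []

    def self_digest(self) -> str:
        return digest(self.code)

    def take_baseline(self, state, peers):
        # Reference digests for watched regions and for each peer's code.
        self.region_refs = {r: digest(state[r]) for r in self.regions}
        self.peer_refs = {p.oid: p.self_digest() for p in peers if p is not self}

    def observe(self, state, peers, round_no):
        if not self.alive:
            return  # a disabled sensor produces nothing; its peers must notice
        for r in self.regions:
            if digest(state[r]) != self.region_refs[r]:
                self.alerts.append((round_no, self.oid, "region:" + r))
        for p in peers:  # self-observation: check every other observer's code
            if p is not self and p.self_digest() != self.peer_refs[p.oid]:
                self.alerts.append((round_no, self.oid, "peer:%d" % p.oid))


def run_observation(state, observers, rounds, tamper=None):
    """Run `rounds` concurrent observation rounds; `tamper` maps round -> fn(state, observers)
    applied after that round, so its effect is visible from the next round on."""
    tamper = tamper or {}
    for o in observers:
        o.take_baseline(state, observers)
    for round_no in range(1, rounds + 1):
        threads = [threading.Thread(target=o.observe, args=(state, observers, round_no))
                   for o in observers]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        if round_no in tamper:
            tamper[round_no](state, observers)
    return sorted(a for o in observers for a in o.alerts)


def hook_syscall_table(state, observers):
    # Constructed attack model: one table entry is redirected.
    table = bytearray(state["syscall_table"])
    table[5] = 0xFF
    state["syscall_table"] = bytes(table)


def disable_observer(state, observers):
    # Constructed attack model: the sensor itself is targeted and observer 0 is patched out.
    observers[0].code = b"patched-out"
    observers[0].alive = False


def demo():
    state = baseline_state()
    observers = [
        Observer(0, ["syscall_table", "idt"]),
        Observer(1, ["syscall_table", "module_list"]),
        Observer(2, ["module_list", "idt"]),
    ]
    return run_observation(state, observers, rounds=3,
                           tamper={1: hook_syscall_table, 2: disable_observer})


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In the run above, observers 0 and 1 both report the modified `syscall_table` from round 2 onward; after observer 0 is patched out, it falls silent but observers 1 and 2 raise `peer:0` in round 3, which is the self-defence property the abstract refers to. Overlapping region assignments are what make a single disabled observer insufficient for an attacker.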
© 2010 Springer-Verlag Berlin Heidelberg
McEvoy, T.R., Wolthusen, S.D. (2010). Host-Based Security Sensor Integrity in Multiprocessing Environments. In: Kwak, J., Deng, R.H., Won, Y., Wang, G. (eds) Information Security, Practice and Experience. ISPEC 2010. Lecture Notes in Computer Science, vol 6047. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12827-1_11
DOI: https://doi.org/10.1007/978-3-642-12827-1_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-12826-4
Online ISBN: 978-3-642-12827-1