Abstract
Securing embedded control systems presents a unique challenge. In addition to the resource restrictions inherent to embedded devices, embedded control systems must accommodate strict, non-negotiable timing requirements, and their massive scale greatly increases other costs such as power consumption. These constraints render conventional host-based intrusion detection – using a hypervisor to create a safe environment under which a monitoring entity can operate – costly and impractical.
This paper describes the design and implementation of Autoscopy, an experimental host-based intrusion detection system that operates from within the kernel and leverages its built-in tracing framework to identify control flow anomalies that are often caused by rootkits hijacking kernel hooks. Experimental tests demonstrate that Autoscopy can detect representative control flow hijacking techniques while maintaining a low performance overhead.
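To make the detection idea concrete, here is an added example; it is not code from the paper or from Autoscopy itself. Autoscopy runs inside the Linux kernel on the Kprobes tracing framework, where a probe on a hooked call path can compare the call's actual target against code the kernel is known to trust. The model below recreates that check in user space: a constructed hook table (a two-entry stand-in for a system-call table), two stand-in kernel functions, a constructed rootkit trampoline that repoints one hook while preserving normal behaviour, and a monitor that records trusted targets on a clean system and then audits the table. The one-byte trusted ranges are an assumption forced by everything living in one user-space text segment; in a kernel the trusted map would be the kernel text plus modules present before monitoring began.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Autoscopy's own code. Kernel hooks are function
 * pointers (system-call table entries, VFS operations) that the kernel calls
 * through; a rootkit hijacks one by repointing it at its own code, usually a
 * trampoline that calls the original so behaviour looks normal. The hook
 * table, "kernel" functions and "rootkit" below are constructed for this
 * example; the trusted map stands in for kernel text / known-module ranges. */

typedef long (*hook_fn)(long arg);

/* Trusted code range [start, end): legitimate hook targets must fall inside one. */
struct text_range { uintptr_t start, end; };

struct hook { const char *name; hook_fn *slot; };

/* --- constructed "kernel": two hook targets and a hook table --------------- */
static long k_open(long fd) { return fd * 2; }      /* stand-in for sys_open */
static long k_read(long fd) { return fd + 100; }    /* stand-in for sys_read */

static hook_fn sys_call_table[2] = { k_open, k_read };

static const struct hook hooks[] = {
    { "open", &sys_call_table[0] },
    { "read", &sys_call_table[1] },
};
#define NHOOKS (sizeof hooks / sizeof hooks[0])

/* --- constructed "rootkit": trampoline hides fd 7, then calls the original -- */
static hook_fn orig_open;
static long rk_open_trampoline(long fd) {
    if (fd == 7) return -1;            /* hide one object from callers         */
    return orig_open(fd);              /* otherwise behave exactly as before   */
}
void rootkit_install(void) { orig_open = sys_call_table[0]; sys_call_table[0] = rk_open_trampoline; }
void rootkit_remove(void)  { sys_call_table[0] = orig_open; }

/* --- monitor --------------------------------------------------------------- */
/* Assumption for this model: all code shares one user-space text segment, so
 * each legitimate target is recorded as its own one-byte range during a
 * learning pass on a clean system. A kernel monitor would instead use the
 * kernel text range plus modules loaded before it started. */
static struct text_range trusted[NHOOKS];

void learn_trusted(void) {
    for (size_t i = 0; i < NHOOKS; i++) {
        uintptr_t t = (uintptr_t)*hooks[i].slot;
        trusted[i].start = t;
        trusted[i].end   = t + 1;
    }
}

static int addr_is_trusted(uintptr_t addr) {
    for (size_t i = 0; i < NHOOKS; i++)
        if (addr >= trusted[i].start && addr < trusted[i].end) return 1;
    return 0;
}

/* The check run when a traced call through hook h fires:
 * 1 = target lies in trusted text, 0 = hook has been redirected. */
int check_hook(const struct hook *h) {
    return addr_is_trusted((uintptr_t)*h->slot);
}

/* Audit every hook; returns how many are hijacked and names the first one. */
int audit_hooks(const char **first_bad) {
    int bad = 0;
    if (first_bad) *first_bad = NULL;
    for (size_t i = 0; i < NHOOKS; i++) {
        if (!check_hook(&hooks[i])) {
            if (first_bad && !*first_bad) *first_bad = hooks[i].name;
            bad++;
        }
    }
    return bad;
}

/* Call through the table, as the kernel's dispatcher would. */
long dispatch(int nr, long arg) { return sys_call_table[nr](arg); }

int main(void) {
    const char *name;
    learn_trusted();
    printf("clean system: %d hijacked hooks\n", audit_hooks(&name));
    rootkit_install();
    /* Ordinary arguments still return the right value, so a functional test
       passes; only the pointer check notices the redirection. */
    printf("open(5) = %ld\n", dispatch(0, 5));
    printf("after rootkit: %d hijacked hook(s), first = %s\n", audit_hooks(&name), name);
    rootkit_remove();
    return 0;
}
```

The point the model makes is the one the abstract relies on: the trampoline keeps every visible result identical for ordinary inputs, so behavioural testing sees nothing, while a check on where control actually flows when the hook fires catches the redirection with one range comparison. Compile with `cc -std=c99 -Wall autoscopy_model.c` (file name is illustrative).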
© 2011 IFIP International Federation for Information Processing
Cite this paper
Reeves, J., Ramaswamy, A., Locasto, M., Bratus, S., Smith, S. (2011). Lightweight Intrusion Detection for Resource-Constrained Embedded Control Systems. In: Butts, J., Shenoi, S. (eds) Critical Infrastructure Protection V. ICCIP 2011. IFIP Advances in Information and Communication Technology, vol 367. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24864-1_3
Print ISBN: 978-3-642-24863-4
Online ISBN: 978-3-642-24864-1