Enforcing system-wide control flow integrity for exploit detection and diagnosis
- In the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIACCS), 2013
Cited by 5 (1 self)
Modern malware like Stuxnet is complex and exploits multiple vulnerabilities not only in user-level processes but also in the OS kernel to compromise a system. A main trait of such exploits is manipulation of control flow. There is a pressing need to diagnose such exploits. Existing solutions that monitor control flow either have large overhead or high false positives and false negatives, hence making their deployment impractical. In this paper, we present Total-CFI, an efficient and practical tool built on a software emulator, capable of exploit detection by enforcing system-wide Control Flow Integrity (CFI). Total-CFI performs punctual guest OS view reconstruction to identify key guest kernel semantics like processes, code modules and threads. It incorporates a novel thread stack identification algorithm that identifies the stack boundaries for different threads in the system. Furthermore, Total-CFI enforces a CFI policy, a combination of whitelist-based and shadow-call-stack-based approaches, to monitor indirect control flows and detect exploits. We provide a proof-of-concept implementation of Total-CFI on DECAF, built on top of Qemu. We tested 25 commonly used programs and 7 recent real-world exploits on Windows OS and found 0 false positives and 0 false negatives respectively. The boot time overhead was found to be no more than 64.1% and the average memory overhead was found to be 7.46KB per loaded module, making it feasible for hardware integration.
Leveraging USB to Establish Host Identity Using Commodity Devices
, 2013
Cited by 4 (1 self)
Determining a computer's identity is a challenge of critical importance to users wishing to ensure that they are interacting with the correct system; it is also extremely valuable to forensics investigators. However, even hosts that contain trusted computing hardware to establish identity can be defeated by relay and impersonation attacks. In this paper, we consider how to leverage the virtually ubiquitous USB interface to uniquely identify computers based on the characteristics of their hardware, firmware, and software stacks. We collect USB data on a corpus of over 250 machines with a variety of hardware and software configurations, and through machine learning classification techniques we demonstrate that, given a period of observation on the order of tenths of a second, we can differentiate hosts based on a variety of attributes such as operating system, manufacturer, and model with upwards of 90% accuracy. Over longer periods of observation on the order of minutes, we demonstrate the ability to distinguish between hosts that are seemingly identical; using Random Forest classification and statistical analysis, we generate fingerprints that can be used to uniquely and consistently identify 70% of a field of 30 machines that share identical OS and hardware specifications. Additionally, we show that we can detect the presence of a hypervisor on a computer with 100% accuracy and that our results are resistant to concept drift, a spoofing attack in which malicious hosts provide fraudulent USB messages, and relaying of commands from other machines. Our techniques are thus generally employable in an easy-to-use and low-cost fashion.
HYBRID-BRIDGE: Efficiently Bridging the Semantic Gap in Virtual Machine Introspection via Decoupled Execution and Training Memoization
- In NDSS
, 2014
Cited by 2 (0 self)
Recent advances show that it is possible to reuse legacy binary code to bridge the semantic gap in virtual machine introspection (VMI). However, such existing VMI solutions often have high performance overhead (up to hundreds of times slow-down), which significantly hinders their practicality, especially for cloud providers who wish to perform real-time monitoring of virtual machine states. As such, this paper presents HYBRID-BRIDGE, a new system that uses an efficient decoupled execution and training memoization approach to automatically bridge the semantic gap. The key idea is to combine the strengths of both the offline training based approach and the online kernel data redirection based approach, with a novel training data memoization and fall-back mechanism at the hypervisor layer that decouples the expensive Taint Analysis Engine (TAE) from the execution of hardware-based virtualization and moves the TAE to software-based virtualization. The experimental results show that HYBRID-BRIDGE substantially improves the performance overhead of existing binary code reuse based VMI solutions by at least one order of magnitude for many of the tested benchmark tools, including ps, netstat, and lsmod.
CPU Transparent Protection of OS Kernel and Hypervisor Integrity with Programmable DRAM
- In ISCA
, 2013
Cited by 1 (0 self)
Increasingly, cyber attacks (e.g., kernel rootkits) target the inner rings of a computer system, and they have seriously undermined the integrity of the entire computer system. To eliminate these threats, it is imperative to develop innovative solutions running below the attack surface. This paper presents MGUARD, a new innermost-ring solution for inspecting system integrity that is directly integrated with the DRAM DIMM devices. More specifically, we design a programmable guard that is integrated with the advanced memory buffer of FB-DIMM to continuously monitor all the memory traffic and detect system integrity violations. Unlike the existing approaches that are either snapshot-based or lack compatibility and flexibility, MGUARD continuously monitors the integrity of all the outer rings, including both the OS kernel and hypervisor of interest, with greater extensibility enabled by a programmable interface. It offers a hardware drop-in solution transparent to the host CPU and memory controller. Moreover, MGUARD is isolated from the host software and hardware, leading to strong security against remote attackers. Our simulation-based experimental results show that MGUARD introduces no speed overhead, and is able to detect nearly all the OS-kernel and hypervisor control-data related rootkits we tested.
Automatically Deriving Pointer Reference Expressions from Binary Code for Memory Dump Analysis
Given a crash dump or a kernel memory snapshot, it is often desirable to have a capability that can traverse its pointers to locate the root cause of the crash, or check their integrity to detect control flow hijacks. To achieve this, one key challenge lies in how to locate where the pointers are. While locating a pointer usually requires the data structure knowledge of the corresponding program, an important advance made by this work is that we show a technique for extracting address-independent data reference expressions for pointers through dynamic binary analysis. This novel pointer reference expression encodes how a pointer is accessed through the combination of a base address (usually a global variable) with a certain offset and further pointer dereferences. We have applied our techniques to OS kernels, and our experimental results with a number of real-world kernel malware samples show that we can correctly identify the hijacked kernel function pointers by locating them using the extracted pointer reference expressions when given only a memory snapshot.
Robust Fingerprinting for Relocatable Code
Robust fingerprinting of executable code contained in a memory image is a prerequisite for a large number of security and forensic applications, especially in a cloud environment. Prior state of the art has focused specifically on identifying kernel versions by means of complex differential analysis of several aspects of the kernel code implementation. In this work, we present a novel technique that can identify any relocatable code, including the kernel, based on inherent patterns present in relocation tables. We show that such patterns are very distinct and can be used to accurately and efficiently identify known executables in a memory snapshot, including remnants of prior executions. We develop a research prototype, codeid, and evaluate its efficacy on more than 50,000 sample executables containing kernels, kernel modules, applications, dynamic link libraries, and malware. The empirical results show that our method achieves almost 100% accuracy with zero false negatives.
Recommended Citation
, 2014
This dissertation is an in-depth case study of NATO advisors and their perceived influence in Afghanistan (2009-2012). It explores the two-part question, how do foreign security actors (ministerial advisors and security force trainers, advisors, and commanders) attempt to influence their host-nation partners and what are their perceptions of these approaches on changes in local capacity, values, and security governance norms? I argue that security sector reform (SSR) programs in fragile states lack an explicit theory of change that specifies how reform occurs. From this view, I theorize internationally led SSR as "guided institutional transfer," grounded in rationalist and social constructivist explanations of convergence, diffusion, and socialization processes. Responding to calls for greater depth and emphasis on interactions and institutional change in SSR research, I examine NATO's efforts in Afghanistan as an extreme case of SSR in which external-internal interactions were the highest. A stratified, purposive sample of 68 military and civilian elites (24 ministerial advisors, 27 embedded field advisors and commanders, and 17 experts and external observers) participated in a confidential, semi-structured interview.
HYPERSHELL: A Practical Hypervisor Layer Guest OS Shell for Automated In-VM Management
, 2014
unknown title
The correct identification of operating system kernel versions is the first critical step in and network security services, monitor the deployed VMs for abnormal behavior, and maintain an accurate overall picture of the VM population. n the VM moni-rivacy and overall portant problems. der who does not e systems, and the provider itself would not want to dedicate more than a token amount of capacity to the screening task. In a forensic context, where the analysis is performed on a memory snapshot, privacy is not really a concern and (unless a huge number of memory images are examined) even less efficient methods will do the job. However, we do have the additional concern of device/OS heterogeneity, which means that genericity (general applicability) is a