< "Automatically Generating Models for Botnet Detection" | GSoC'09: Some Updates for Glastopf >

"Bypassing Kernel Code Integrity Protection Mechanisms"

A paper that we will publish next month at USENIX Security'09 is entitled "Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms". In return-oriented programming, an attacker re-uses existing code: he searches for short instruction sequences (typically only one instruction) which are followed by a RET. By cleverly chaining these sequences, an attacker can build a gadget that then performs an actual computation, e.g., the gadget adds two operands. By combining these gadgets, an attacker can then perform arbitrary computations. Return-oriented programming was popularized by Shacham (CCS'07 paper targeting Linux/x86, CCS'08 paper targeting Solaris/SPARC). In our paper we present a system to automatically find useful instructions, build gadgets, and then generate a return-oriented program for Windows as the target OS. In a case study, we show how this system can be used to implement a return-oriented rootkit, bypassing typical kernel code integrity mechanisms. The main insight here is that integrity mechanisms protect against injection of code - however, if the attacker re-uses existing code, these approaches typically fail.

Abstract: Protecting the kernel of an operating system against attacks, especially injection of malicious code, is an important factor for implementing secure operating systems. Several kernel integrity protection mechanism were proposed recently that all have a particular shortcoming: They cannot protect against attacks in which the attacker re-uses existing code within the kernel to perform malicious computations. In this paper, we present the design and implementation of a system that fully automates the process of constructing instruction sequences that can be used by an attacker for malicious computations. We evaluate the system on different commodity operating systems and show the portability and universality of our approach. Finally, we describe the implementation of a practical attack that can bypass existing kernel integrity protection mechanisms.

The paper contains all the details and the results of our experiments are also available. The main part of this work was performed by Ralf Hund, it was the topic of his thesis. Furthermore, Felix Freiling helped with the project. And the word cloud was generated with the help of Wordle
This entry was posted by Thorsten Holz on Saturday, July 18. 2009 at 08:13. and is filed under paper. You can leave a response, or trackback from your own blog.

Trackbacks

Trackback specific URI for this entry

    No Trackbacks

Comments

Display comments as (Linear | Threaded)

  1. Albert Sparks says:
    #1 2011-07-13 03:30 (Reply)

    Increased security within the ecommerce and general computing arena is almost as important as personal safety! The research and detailed that has been provided in this article is comforting that we are assured that malicious humans cannot attack or undermine the integrity of the work being completed through internet computing.

  2. smart card says:
    #2 2011-07-18 15:57 (Reply)

    I completely agree with you Albert. We definitely need increased security efforts within the ecommerce and general computing arena. There is so much personal information shared over the internet. We need to make sure that the operating systems are secure from potential threats and attacks. Thorsten, thank you for providing the paper that was published at USENIX Security'09. I look forward to reading over it.

  3. car values says:
    #3 2011-10-13 13:36 (Reply)

    I like all the comments and the good topic chosen here.Here is little but deep information about the kernel.

  4. Patio furniture orange county says:
    #4 2011-10-18 08:35 (Reply)

    This is great. I couldn't agree more. We definitely need to make sure operating systems are more secure, in order to scorch potential threats. Thanks for the article!

  5. classifieds says:
    #5 2011-12-29 22:17 (Reply)

    This is a great site and the info that you are providing is really good. thanks for sharing this info with us. keep it up.

  6. Web Design Guildford says:
    #6 2012-01-02 18:34 (Reply)

    Please can you tell me where I can download the paper from? Thanks!


Add Comment


E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA 1CAPTCHA 2CAPTCHA 3CAPTCHA 4CAPTCHA 5