![Page 1: Rootkit-based Attacks and Defenses Past, Present and Future Vinod Ganapathy Rutgers University vinodg@cs.rutgers.edu Joint work with Liviu Iftode, Arati](https://reader038.vdocuments.net/reader038/viewer/2022103015/5517fe765503466e558b4570/html5/thumbnails/1.jpg)
Rootkit-based Attacks and Defenses Past, Present and Future
Vinod Ganapathy, Rutgers University
Joint work with Liviu Iftode, Arati Baliga, Jeffrey Bickford (Rutgers) Andrés Lagar-Cavilla and Alex Varshavsky (AT&T Research)
What are rootkits?
• Tools used by attackers to conceal their presence on a compromised system
• Typically installed after the attacker has obtained root privileges
• Stealth is achieved by hiding the accompanying malicious user-level programs
Rootkits = stealthy malware
2
Rootkit-based attack scenario
(Figure: a rootkit-infected kernel. An anti-virus, a key logger and a backdoor run as applications; the key logger captures sensitive information (a credit card number and an SSN in the figure) and the backdoor sends it out over the Internet. The kernel's code and data are shown as the part the rootkit has modified.)
Rootkits hide malware from anti-malware tools
3
Significance of the problem
• Microsoft reported that 7% of all infections on client machines are due to rootkits (2010).
• Rootkits are the vehicle of choice for botnet-based attacks, e.g., Torpig, Storm.
  – They allow bot-masters to retain long-term control.
• A number of high-profile cases have been based on rootkits:
  – Stuxnet (2010), Sony BMG (2005), the Greek wiretapping scandal (2004/5)
4
Evolution of rootkits
(Figure: rootkits by the layer they live in.)
• USER SPACE: system binaries (/usr/bin/ls, /usr/bin/ps, /usr/bin/login), shared libraries
• KERNEL SPACE: system call table, IDT, process lists, kernel code
• BELOW OS KERNEL: hypervisor-based rootkits (SubVirt, BluePill)
• BELOW HYPERVISOR: device/firmware rootkits (Stuxnet)
Focus of this talk: kernel-level rootkits
5
Manipulating control data
(Figure: a user-space program calls open(); the call is dispatched through the kernel's system call table. The table entry that pointed to sys_open has been overwritten to point to the rootkit's evil_open, so the kernel runs the attacker's handler instead.)
• Change function pointers: Linux Adore rootkit
6
Manipulating non-control data
(Figure: processes A, B and C, each with a next_task link on the all-tasks list and a run_list link on the run-list. The hidden process has been unlinked from all-tasks, which process-listing tools walk, but is still on the run-list, so the scheduler keeps running it.)
• Change non-control data: Windows Fu rootkit
7
Manipulating non-control data
• Goal: attack the kernel's pseudorandom number generator (PRNG) [Baliga et al., 2007]
(Figure: external entropy sources feed the primary entropy pool (512 bytes), which in turn feeds the secondary entropy pool (128 bytes) behind /dev/random and the urandom entropy pool (128 bytes) behind /dev/urandom.)
The operating system kernel presents a vast attack surface for rootkits.
8
Detecting rootkits: main idea
• Observation: rootkits operate by maliciously modifying kernel data structures
  – Modify function pointers to hijack control flow
  – Modify process lists to hide malicious processes
  – Modify polynomials to corrupt the output of the PRNG
Continuously monitor the integrity of kernel data structures
9
Continuously monitor the integrity of kernel data structures
• Challenge: the data structure integrity monitor must be independent of the monitored system
• Solution: use external hardware, such as a coprocessor, or a hypervisor to build the monitor
(Figure: kernel code and kernel data, including the system call table, the PRNG pools and the process lists, observed by a data structure integrity monitor that sits outside the monitored kernel.)
10
Continuously monitor the integrity of kernel data structures
• Challenge: must monitor kernel code, control data and non-control data structures
• Solution: periodically fetch and monitor all of kernel memory
11
Continuously monitor the integrity of kernel data structures
• Challenge: specifying the properties to monitor
• Solution: use anomaly detection
  – Inference phase: infer data structure invariants
  – Detection phase: enforce data structure invariants
12
Rootkit detection using invariants
(Figure: the system call table from slide 6, with the open entry repointed from sys_open to evil_open.)
Invariant: function pointer values in the system call table should not change
13
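As an added illustration (this is not code from the talk or from Gibraltar), the hook from slide 6 and the invariant above modelled in user space: an array of function pointers stands in for the system call table, the rootkit repoints the open entry to evil_open without touching any code, and the monitor compares the table against a baseline copy taken from a known-good state. The handler bodies, the hidden path /tmp/.hidden and the baseline mechanism are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* User-space stand-in for the kernel's system call table: an array of
 * function pointers indexed by system call number. */
typedef long (*syscall_fn)(const char *path, int flags);

enum { NR_OPEN, NR_READ, NR_GETDENTS, NR_SYSCALLS };

/* Legitimate handlers (assumed stand-ins; sys_open "returns" descriptor 3). */
static long sys_open(const char *path, int flags)     { (void)flags; return path ? 3 : -1; }
static long sys_read(const char *path, int flags)     { (void)path; (void)flags; return 0; }
static long sys_getdents(const char *path, int flags) { (void)path; (void)flags; return 0; }

/* The rootkit's replacement: identical to sys_open except that it reports the
 * attacker's directory as missing (ENOENT is modelled as -2). */
static long evil_open(const char *path, int flags)
{
    if (path && strncmp(path, "/tmp/.hidden", 12) == 0)
        return -2;
    return sys_open(path, flags);
}

static syscall_fn sys_call_table[NR_SYSCALLS] = { sys_open, sys_read, sys_getdents };

/* Adore-style hook: overwrite one table entry; no kernel code is modified. */
void install_hook(void) { sys_call_table[NR_OPEN] = evil_open; }
void remove_hook(void)  { sys_call_table[NR_OPEN] = sys_open; }

long do_syscall(int nr, const char *path, int flags) { return sys_call_table[nr](path, flags); }

/* Monitor side: the baseline is a copy of the table from a known-good
 * snapshot, and the invariant is that every entry still equals it. */
static syscall_fn baseline[NR_SYSCALLS];

void take_baseline(void) { memcpy(baseline, sys_call_table, sizeof baseline); }

/* Number of entries that differ from the baseline. */
int check_syscall_table(void)
{
    int violations = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != baseline[i])
            violations++;
    return violations;
}

/* Index of the first modified entry, or -1 if the invariant holds. */
int first_violation(void)
{
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != baseline[i])
            return i;
    return -1;
}

int main(void)
{
    take_baseline();
    printf("clean table:  violations=%d open(/tmp/.hidden/x)=%ld\n",
           check_syscall_table(), do_syscall(NR_OPEN, "/tmp/.hidden/x", 0));
    install_hook();
    printf("hooked table: violations=%d (entry %d) open(/tmp/.hidden/x)=%ld\n",
           check_syscall_table(), first_violation(), do_syscall(NR_OPEN, "/tmp/.hidden/x", 0));
    return check_syscall_table() ? 1 : 0;
}
```

The check catches only changes to the table itself. A rootkit that instead patches the first instructions of sys_open leaves every pointer intact, which is why the talk insists on monitoring kernel code as well as control and non-control data.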
Rootkit detection using invariants
(Figure: processes A, B and C on the all-tasks list and the run-list, with the hidden process unlinked from all-tasks only, as on slide 7.)
Invariant: run-list ⊆ all-tasks (every process on the run-list also appears on the all-tasks list)
14
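Added example, not from the talk: the two lists from the figure modelled with embedded list nodes in the style of the kernel's list_head, a Fu/DKOM-style hide that unlinks a task from all-tasks only, and the run-list ⊆ all-tasks check. The task layout, the set of four tasks and the choice of which task is sleeping are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Embedded list node, as in the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

/* Assumed minimal task descriptor: one link for each of the two lists. */
struct task {
    int pid;
    struct list_head tasks;     /* all-tasks list: what /proc and ps enumerate */
    struct list_head run_list;  /* run-list: what the scheduler enumerates */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = n;
}

static struct list_head all_tasks, run_list;
struct task tasks[4] = { { 1 }, { 2 }, { 3 }, { 4 } };

/* Constructed system state: four tasks, of which pid 2 is sleeping (not runnable). */
void boot(void)
{
    list_init(&all_tasks);
    list_init(&run_list);
    for (int i = 0; i < 4; i++) {
        list_add_tail(&tasks[i].tasks, &all_tasks);
        if (tasks[i].pid != 2)
            list_add_tail(&tasks[i].run_list, &run_list);
    }
}

/* Fu-style hide: unlink from all-tasks only, so the task keeps being scheduled. */
void hide_task(struct task *t) { list_del(&t->tasks); }

/* What a process-listing tool would report. */
int count_visible_tasks(void)
{
    int n = 0;
    for (struct list_head *p = all_tasks.next; p != &all_tasks; p = p->next)
        n++;
    return n;
}

static bool on_all_tasks(const struct task *t)
{
    for (struct list_head *p = all_tasks.next; p != &all_tasks; p = p->next)
        if (container_of(p, struct task, tasks) == t)
            return true;
    return false;
}

/* Invariant run-list ⊆ all-tasks: pid of the first runnable task that is
 * missing from all-tasks, or 0 if the invariant holds. */
int find_hidden_runnable(void)
{
    for (struct list_head *p = run_list.next; p != &run_list; p = p->next) {
        struct task *t = container_of(p, struct task, run_list);
        if (!on_all_tasks(t))
            return t->pid;
    }
    return 0;
}

int main(void)
{
    boot();
    printf("visible=%d hidden_runnable=%d\n", count_visible_tasks(), find_hidden_runnable());
    hide_task(&tasks[2]);   /* pid 3 disappears from ps but keeps running */
    printf("visible=%d hidden_runnable=%d\n", count_visible_tasks(), find_hidden_runnable());
    return find_hidden_runnable() ? 1 : 0;
}
```

The same hide applied to the sleeping task (pid 2) is not caught by this one invariant, because that task is on neither list; it is only exposed by an invariant over another structure that still references it (the kernel's pid hash, wait queues), which is why Gibraltar infers invariants over many kernel data structures rather than one.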
Rootkit detection using invariants
(Figure: the entropy pools from slide 8: primary pool (512 bytes), secondary pool (128 bytes) behind /dev/random, urandom pool (128 bytes) behind /dev/urandom, fed by external entropy sources.)
Invariants:
• poolinfo.tap1 is one of {26, 103}
• poolinfo.tap2 is one of {20, 76}
• poolinfo.tap3 is one of {14, 51}
• poolinfo.tap4 is one of {7, 25}
• poolinfo.tap5 == 1
(The two values per tap are the feedback polynomial taps of the 512-byte primary pool and of the two 128-byte pools; an invariant inferred over all three pool instances therefore sees exactly two values.)
15
A new rootkit detection tool
• Gibraltar
  – Identifies rootkits that modify control and non-control data
  – Automatically infers specifications of data structure integrity
  – Is physically isolated from the target machine
16
Architecture of Gibraltar
(Figure: the target machine, whose kernel code and kernel data are read through a Myrinet NIC, and the monitor machine, which runs the Gibraltar daemon and holds the invariant database. Steps: 1, fetch a memory page from the target; 2, reconstruct data structures from the fetched pages; 3, check them against the invariant database and alert the user on a violation. In the hypervisor-based variant the target runs as a guest and the hypervisor replaces the Myrinet link.)
17
Components of Gibraltar
(Figure: the page fetcher retrieves memory pages by physical address; the data structure extractor, driven by root symbols and the kernel's data definitions, turns them into snapshots. In training, the invariant generator applies invariant templates to the snapshots and produces invariants, e.g., run-list ⊆ all-tasks; in enforcement, the enforcer checks each fresh snapshot against them: run-list ⊆ all-tasks?)
18
Data structure extractor
• Inputs:
  – Memory pages from the target machine
  – Root symbols: entry points into the target's kernel
  – Type definitions of the target's kernel
• Output: a snapshot of the target's memory
• Main idea: traverse the memory pages using the root symbols and type definitions and extract the data structures
19
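Added example, not Gibraltar's extractor: reconstructing a kernel list from a raw memory image the way this slide describes, by starting at a root symbol and following pointers according to the type definition. The image, the guest addresses, the 32-bit task layout and the address translation are constructed assumptions; a real extractor reads the pages over the Myrinet link or from the hypervisor and takes symbol addresses and type layouts from the kernel build.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory image: one page of guest memory assumed to be mapped at
 * guest address IMAGE_BASE. */
#define IMAGE_BASE 0xc0100000u
#define IMAGE_SIZE 4096u
static uint8_t image[IMAGE_SIZE];

/* Type definition of the guest structure, as the extractor would obtain it
 * from the kernel's debug information (layout assumed, 32-bit pointers). */
struct guest_task { uint32_t pid; uint32_t next; uint32_t prev; char comm[16]; };

/* Guest addresses of the root symbol (init_task) and two tasks (assumed). */
#define INIT_TASK_ADDR (IMAGE_BASE + 0x100)
#define TASK_A_ADDR    (IMAGE_BASE + 0x200)
#define TASK_B_ADDR    (IMAGE_BASE + 0x300)

/* Translate a guest address into the image and copy len bytes; -1 if outside. */
static int guest_read(uint32_t addr, void *out, uint32_t len)
{
    if (addr < IMAGE_BASE || addr - IMAGE_BASE > IMAGE_SIZE - len)
        return -1;
    memcpy(out, image + (addr - IMAGE_BASE), len);
    return 0;
}

static int guest_write(uint32_t addr, const void *in, uint32_t len)
{
    if (addr < IMAGE_BASE || addr - IMAGE_BASE > IMAGE_SIZE - len)
        return -1;
    memcpy(image + (addr - IMAGE_BASE), in, len);
    return 0;
}

/* Lay out init_task -> A -> B -> init_task as a circular doubly linked list. */
void build_image(void)
{
    struct guest_task init = { 0, TASK_A_ADDR, TASK_B_ADDR, "swapper" };
    struct guest_task a    = { 1, TASK_B_ADDR, INIT_TASK_ADDR, "init" };
    struct guest_task b    = { 2, INIT_TASK_ADDR, TASK_A_ADDR, "sshd" };
    memset(image, 0, sizeof image);
    guest_write(INIT_TASK_ADDR, &init, sizeof init);
    guest_write(TASK_A_ADDR, &a, sizeof a);
    guest_write(TASK_B_ADDR, &b, sizeof b);
}

/* What a DKOM-style rootkit does to guest memory: unlink one task from the list. */
int hide_in_image(uint32_t addr)
{
    struct guest_task t, p, n;
    if (guest_read(addr, &t, sizeof t) || guest_read(t.prev, &p, sizeof p) ||
        guest_read(t.next, &n, sizeof n))
        return -1;
    p.next = t.next;
    n.prev = t.prev;
    return guest_write(t.prev, &p, sizeof p) | guest_write(t.next, &n, sizeof n);
}

/* The extractor proper: start at the root symbol, follow next pointers using the
 * type definition, and stop when the list closes. Returns the number of tasks,
 * or -1 if a pointer leaves the image, a back pointer is inconsistent, or the
 * list does not close within max entries. */
int extract_tasks(uint32_t root, uint32_t *pids, int max)
{
    uint32_t addr = root;
    int n = 0;
    do {
        struct guest_task t, nx;
        if (n == max || guest_read(addr, &t, sizeof t))
            return -1;
        if (guest_read(t.next, &nx, sizeof nx) || nx.prev != addr)
            return -1;
        pids[n++] = t.pid;
        addr = t.next;
    } while (addr != root);
    return n;
}

uint32_t snapshot_pids[8];
int snapshot_tasks(void) { return extract_tasks(INIT_TASK_ADDR, snapshot_pids, 8); }

int main(void)
{
    build_image();
    printf("tasks in snapshot: %d\n", snapshot_tasks());
    hide_in_image(TASK_A_ADDR);
    printf("tasks after DKOM hide: %d\n", snapshot_tasks());
    return 0;
}
```

Extracting from a single root symbol reproduces exactly the view the compromised kernel presents: after the hide, the snapshot of all-tasks simply has one entry fewer. The hidden task only shows up once the extractor also walks the run-list from its own root symbol and the enforcer checks run-list ⊆ all-tasks across the two snapshots.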
Invariant generator
• Executes during a controlled inference phase
• Inputs: memory snapshots from a benign (uninfected) kernel
• Output: likely data structure invariants
Invariants serve as specifications of data structure integrity
20
Invariant generator
• Used an off-the-shelf tool: Daikon [Ernst et al., 2000]
• Daikon observes the execution of user-space programs and hypothesizes likely invariants
• We adapted Daikon to reason about snapshots
  – Obtain snapshots at different times during training
  – Hypothesize likely invariants across snapshots
21
Invariant enforcer
• Observes and enforces invariants on the target's execution
• Inputs:
  – Invariants inferred during training
  – Memory pages from the target
• Algorithm:
  – Extract snapshots of the target's data structures
  – Enforce the invariants
22
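Added example, not Gibraltar's or Daikon's code, covering the inference and enforcement phases described on the last three slides and the "one of" invariants on the poolinfo taps from slide 15. A snapshot is a list of (field, value) observations, with a field name repeated once per instance of the type; the generator applies two templates across every training snapshot, "field is constant" and "field is one of a small set", and gives up on a field once it has seen too many distinct values; the enforcer then flags observations in a new snapshot that fall outside an inferred invariant. The tap values are the slide's; the entropy_count field, the system call table entry, the threshold of four values and the snapshot layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_VALS 4    /* "one of" template gives up above this many distinct values */
#define MAX_INV  16
#define MAX_OBS  32

enum inv_kind { INV_NONE, INV_CONST, INV_ONEOF };

/* One inferred invariant per field name: field == v, or field in {v1..vk}. */
struct invariant { const char *field; enum inv_kind kind; int nvals; long vals[MAX_VALS]; };

struct obs { const char *field; long value; };
struct snapshot { int n; struct obs o[MAX_OBS]; };

static struct invariant db[MAX_INV];
static int ndb;

static struct invariant *lookup(const char *field)
{
    for (int i = 0; i < ndb; i++)
        if (strcmp(db[i].field, field) == 0)
            return &db[i];
    return NULL;
}

/* Training step: fold one benign snapshot into the invariant table. */
void infer(const struct snapshot *s)
{
    for (int i = 0; i < s->n; i++) {
        struct invariant *inv = lookup(s->o[i].field);
        if (!inv) {
            inv = &db[ndb++];
            inv->field = s->o[i].field;
            inv->kind = INV_CONST;
            inv->nvals = 0;
        }
        if (inv->kind == INV_NONE)
            continue;                       /* already given up on this field */
        int seen = 0;
        for (int k = 0; k < inv->nvals; k++)
            if (inv->vals[k] == s->o[i].value)
                seen = 1;
        if (!seen) {
            if (inv->nvals == MAX_VALS) { inv->kind = INV_NONE; continue; }
            inv->vals[inv->nvals++] = s->o[i].value;
        }
        inv->kind = inv->nvals == 1 ? INV_CONST : INV_ONEOF;
    }
}

enum inv_kind invariant_kind(const char *field)
{
    const struct invariant *inv = lookup(field);
    return inv ? inv->kind : INV_NONE;
}

/* Enforcement: number of observations in s that violate an inferred invariant;
 * the first offending field name is stored in *first (NULL if none). */
int enforce(const struct snapshot *s, const char **first)
{
    int violations = 0;
    if (first) *first = NULL;
    for (int i = 0; i < s->n; i++) {
        const struct invariant *inv = lookup(s->o[i].field);
        if (!inv || inv->kind == INV_NONE)
            continue;
        int ok = 0;
        for (int k = 0; k < inv->nvals; k++)
            if (inv->vals[k] == s->o[i].value)
                ok = 1;
        if (!ok) {
            if (first && !*first) *first = s->o[i].field;
            violations++;
        }
    }
    return violations;
}

/* Constructed snapshot: three random.c pools with the slide's tap values
 * (primary 103,76,51,25,1; the two 128-byte pools 26,20,14,7,1), an entropy
 * count per pool that drifts between snapshots, and one system call table
 * entry. primary_tap1 and open_ptr are parameters so tampering can be modelled. */
struct snapshot make_snapshot(int entropy_base, long open_ptr, int primary_tap1)
{
    static const char *tap_names[5] = { "poolinfo.tap1", "poolinfo.tap2",
                                        "poolinfo.tap3", "poolinfo.tap4", "poolinfo.tap5" };
    int taps[3][5] = { { 103, 76, 51, 25, 1 }, { 26, 20, 14, 7, 1 }, { 26, 20, 14, 7, 1 } };
    struct snapshot s = { 0 };
    taps[0][0] = primary_tap1;
    for (int p = 0; p < 3; p++) {
        for (int t = 0; t < 5; t++)
            s.o[s.n++] = (struct obs){ tap_names[t], taps[p][t] };
        s.o[s.n++] = (struct obs){ "pool.entropy_count", entropy_base + 37 * p };
    }
    s.o[s.n++] = (struct obs){ "sys_call_table[open]", open_ptr };
    return s;
}

#define OPEN_PTR 0xc0105d20L   /* assumed address of sys_open in the trained kernel */

/* Train on three benign snapshots taken at different times; returns the number of fields seen. */
int train_default(void)
{
    ndb = 0;
    for (int i = 1; i <= 3; i++) {
        struct snapshot s = make_snapshot(100 * i, OPEN_PTR, 103);
        infer(&s);
    }
    return ndb;
}

/* Build a snapshot with the given values and enforce the trained invariants on it. */
int scan(int entropy_base, long open_ptr, int primary_tap1, const char **first)
{
    struct snapshot s = make_snapshot(entropy_base, open_ptr, primary_tap1);
    return enforce(&s, first);
}

int main(void)
{
    const char *culprit;
    printf("%d fields trained; tap1 kind=%d, entropy_count kind=%d\n", train_default(),
           invariant_kind("poolinfo.tap1"), invariant_kind("pool.entropy_count"));
    printf("benign scan:   %d violations\n", scan(400, OPEN_PTR, 103, &culprit));
    printf("tampered taps: %d violations (%s)\n", scan(400, OPEN_PTR, 104, &culprit), culprit);
    printf("hooked open:   %d violations (%s)\n", scan(400, 0xdeadbeefL, 103, &culprit), culprit);
    return 0;
}
```

The drifting entropy count is the point of the threshold: without it, Daikon-style inference would pin the counter to whatever values the training run happened to see and every later scan would raise a false alarm, which is the transient-invariant problem the evaluation measures later in the talk.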
Experimental evaluation
① How effective is Gibraltar at detecting rootkits? i.e., what is the false negative rate?
② What is the quality of the automatically generated invariants? i.e., what is the false positive rate?
23
Experimental setup
• Implemented on an Intel Xeon 2.80GHz machine with 1GB of memory, running Linux 2.4.20
• Fetched memory pages using a Myrinet PCI card
  – We also have a Xen-based implementation.
• Obtained invariants by training the system using several benign workloads
24
① False negative evaluation
• Conducted experiments with 23 Linux rootkits
  – 14 rootkits from PacketStorm
  – 9 advanced rootkits discussed in the literature
• All rootkits modify kernel control and non-control data
• Installed the rootkits one at a time and tested the effectiveness of Gibraltar at detecting the infection
25
November 30, 2009

| # | Rootkit name | Data structures affected | Source | Detected? |
|---|---|---|---|---|
| 1 | Adore-0.42 | System call table | PacketStorm | |
| 2 | All-root | System call table | PacketStorm | |
| 3 | Kbd | System call table | PacketStorm | |
| 4 | Kis-0.9 | System call table | PacketStorm | |
| 5 | Linspy2 | System call table | PacketStorm | |
| 6 | Modhide | System call table | PacketStorm | |
| 7 | Phide | System call table | PacketStorm | |
| 8 | Rial | System call table | PacketStorm | |
| 9 | Rkit-1.01 | System call table | PacketStorm | |
| 10 | Shtroj2 | System call table | PacketStorm | |
| 11 | Synapsys-0.4 | System call table | PacketStorm | |
| 12 | THC Backdoor | System call table | PacketStorm | |
| 13 | Adore-ng | VFS hooks / UDP recvmsg | PacketStorm | |
| 14 | Knark-2.4.3 | System call table, proc hooks | PacketStorm | |
| 15 | Disable Firewall | Netfilter hooks | Baliga et al., 2007 | |
| 16 | Disable PRNG | VFS hooks | Baliga et al., 2007 | |
| 17 | Altering RTC | VFS hooks | Baliga et al., 2007 | |
| 18 | Defeat signature scans | VFS hooks | Baliga et al., 2007 | |
| 19 | Entropy pool | struct poolinfo | Baliga et al., 2007 | |
| 20 | Hidden process | Process lists | Petroni et al., 2006 | |
| 21 | Linux Binfmt | | Shellcode.com | |
| 22 | Resource waste | struct zone_struct | Baliga et al., 2007 | |
| 23 | Intrinsic DOS | int max_threads | Baliga et al., 2007 | |

26
② False positive evaluation
• Ran a benign workload for 42 minutes
  – Copying the Linux kernel source code
  – Editing a text document
  – Compiling the Linux kernel
  – Downloading eight videos from the Internet
  – Performing file system operations using the IOzone benchmark
• Measured how many invariants were violated
27
② False positive evaluation
• Only considered persistent invariants, i.e., those that survived machine reboots during our evaluation
  – Total of 236,444 invariants
  – 0.035% were spuriously violated during normal operation (82 unique invariants)
• Can also infer transient invariants
  – These had a much higher false positive rate (0.65%)
Examples of inferred invariants:
  init_fs->root->d_sb->s_dirty.next->i_dentry.next->d_child.prev->d_inode->i_fop.read == 0xeff9bf60
  run_list ⊆ all_tasks
28
Performance evaluation
• Training time: total of 56 minutes
  – 25 minutes to collect snapshots (15 snapshots in total)
  – 31 minutes to infer invariants
• Detection time: ranges from 15 seconds up to 132 seconds
• PCI overhead: 0.49%, measured using the STREAM benchmark
29
Part I: The past and present. Detecting kernel-level rootkits using data structure invariants
Part II: The future. Security versus energy tradeoffs for host-based mobile rootkit detection
30
The rise of mobile malware
• Mobile devices are increasingly ubiquitous:
  – They store personal and contextual information.
  – They are used for sensitive tasks, e.g., online banking.
• Mobile malware has immense potential to cause societal damage.
• Kaspersky Labs report (2009):
  – 106 types of mobile malware.
  – 514 variants.
• Prediction: we have only seen the tip of the iceberg.
31
Are mobile rootkits possible?

| OS | Lines of code |
|---|---|
| Linux 2.6 kernel | 10 million |
| Android | 20 million |
| Symbian | 20 million |

Complexity comparable to desktops
34
The threat of mobile rootkits
• Several recent reports of mobile malware gaining root access.
• iPhone:
  – iKee.A, iKee.B (2009).
  – Exploited jailbroken iPhones via SSH.
• Android:
  – GingerMaster, DroidDeluxe, DroidKungFu (2011).
  – Apps that perform root exploits against Android.
33
What can a mobile rootkit do?
• Snoop on private phone conversations
• Track the user's location using GPS
• Email sensitive documents to the attacker
• Stealthily enable the camera and microphone
• Exhaust the battery
34
Detecting mobile rootkits: a host-based approach
(Figure: mobile hardware running a hypervisor, which hosts the mobile OS and a separate trusted domain in which the detector runs.)
• Detection tools run in a trusted domain
• Mobile hypervisors are coming soon:
  – VMware
  – OKL4 Microvisor (Evoke)
  – Xen on ARM (Samsung)
38
Main challenge: battery power
• Desktop machines can execute host-based malware detection systems 24/7.
• Mobile devices are limited by their battery.
• Rootkit detection mechanisms in their current form have a high energy cost.
  – With Gibraltar running, the battery drains 2x faster.
  – Running the detector only when charging is not an option.
36
Security/energy tradeoff
• Host-based security monitors will consume energy
  – Optimizing for energy ⇒ less security
• This results in a security/energy tradeoff
• Our goal:
  – Formally characterize and quantify this tradeoff
  – Use the tradeoff to configure the security monitor to balance security and energy
37
How to conserve energy?
(Figure: two axes, frequency of checks ("when to check") and attack surface ("what to check"). Is there a sweet spot?)
• Frequency of checks: "When to check?"
  – Scan less frequently
  – Timing versus events
• Attack surface: "What to check?"
  – Scan fewer code/data objects
38
Experimental platform
• Viliv S5
  – Intel Atom 1.33GHz, 1.5W.
  – 3G, WiFi, GPS, Bluetooth.
  – Battery: 32000 mWh.
• Xen hypervisor
  – Evaluated the tradeoff using two existing rootkit detectors within the trusted domain: Gibraltar and Patagonix [USENIX Security 2008]
• Workloads
  – 3G and WiFi workloads simulating user browsing.
  – lmbench for a CPU-intensive workload.
39
Experimental setup
(Figure only.)
40
Gibraltar: checking data integrity
(Figure: the hypervisor hosts a guest domain, whose kernel code and kernel data are monitored, and a trusted domain running the Gibraltar daemon with its invariant database. Steps: 1, fetch a data page from the guest; 2, reconstruct data structures; 3, check them against the invariants and alert the user on a violation.)
131,201 invariants on 2,209 data structures
41
Evaluating Gibraltar
Original monitoring loop:
    while (1) {
        for all kernel data structures {
            get current value
            check against invariant
        }
    }
• Maximum security
• 100% CPU usage
• Poor energy efficiency
(Figure: power draw when idle versus during a continuous scan.)
Must trade security for energy
42
Tradeoffs for Gibraltar
(Figure: a grid with the poll frequency in seconds (0, 1, 5, 30, 120) on the frequency-of-checks axis and the attack surface (static data, function pointers, process list, all lists, all data) on the other; the original design of Gibraltar is the continuous scan (0 seconds) over all data.)
43
Modifying check frequency
Original:
    while (1) {
        for all kernel data structures {
            get current value
            check against invariant
        }
    }
Modified:
    while (1) {
        every "x" seconds {
            for all kernel data structures {
                get current value
                check against invariant
            }
        }
    }
(Figure: power draw when idle versus during a scan.)
44
45
Sweet Spot!
Results: Modifying check frequency
Modifying attack surface monitored
Original:
    while (1) {
        for all kernel data structures {
            get current value
            check against invariant
        }
    }
Modified:
    while (1) {
        for a subset of kernel data structures {
            get current value
            check against invariant
        }
    }
46
Results: modifying attack surface
(Figure: energy cost versus the attack surface monitored. Annotation: 96% of rootkits [Petroni et al. CCS '07].)
47
Patagonix: checking code integrity
(Figure: the hypervisor hosts a guest domain (OS and application code, plus data) and a trusted domain running the Patagonix daemon with its hash database. Steps: 1, a code page about to execute is trapped; 2, hash(page) is looked up in the hash database; 3, the guest is resumed if the hash is known, otherwise the user is alerted.)
509,709 hashes for 10,929 binary files
48
Tradeoffs for Patagonix
(Figure: a grid with the frequency of checks on one axis, expressed as an event threshold (pages executed between checks), and the attack surface on the other (kernel code, root processes, all code); the original design of Patagonix checks all code.)
49
Results: modifying check frequency
(Figure: energy cost versus event threshold. Annotation: low overhead after the initial checks.)
50
Results: modifying attack surface
(Figure: energy cost versus the attack surface monitored.)
51
Putting it all together
• Monitor kernel code and static data, function pointers and lists: protects against 96% of known attacks.
• Use the polling sweet spot of 30 seconds.
52
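Added example, not the talk's experimental code: a small model of the two knobs just combined, with the monitor loop's poll interval and attack surface as parameters. Coverage counts the 23 rootkits in the table on slide 26 whose modified structure falls inside the monitored surface, using an assumed mapping of each row to a class; the per-class scan costs and the energy model (duty cycle = scan time / interval, capped at 1) are assumptions, not measurements from the Viliv S5, so the numbers illustrate the shape of the tradeoff rather than reproduce the results.

```c
#include <stdio.h>

/* Classes of kernel objects the monitor can be configured to cover (bit flags). */
enum { S_STATIC = 1, S_FPTR = 2, S_LISTS = 4, S_OTHER = 8, S_ALL = 15 };

/* Assumed class for each of the 23 rootkits in the table on slide 26, by row. */
static const unsigned rootkit_class[23] = {
    S_FPTR, S_FPTR, S_FPTR, S_FPTR, S_FPTR, S_FPTR,   /* 1-6: system call table */
    S_FPTR, S_FPTR, S_FPTR, S_FPTR, S_FPTR, S_FPTR,   /* 7-12: system call table */
    S_FPTR,                     /* 13 Adore-ng: VFS hooks, UDP recvmsg */
    S_FPTR,                     /* 14 Knark: system call table, proc hooks */
    S_FPTR,                     /* 15: netfilter hooks */
    S_FPTR, S_FPTR, S_FPTR,     /* 16-18: VFS hooks */
    S_STATIC,                   /* 19: struct poolinfo */
    S_LISTS,                    /* 20: process lists */
    S_OTHER,                    /* 21 Linux Binfmt: structure not listed; assumed to need a full scan */
    S_STATIC,                   /* 22: struct zone_struct */
    S_STATIC,                   /* 23: int max_threads */
};

/* Assumed seconds for one scan of each class (static data, function pointers,
 * lists, everything else), indexed by bit position. */
static const double class_cost[4] = { 0.5, 3.0, 2.0, 12.0 };

/* Rootkits from the table whose modified structure lies inside the monitored surface. */
int coverage_count(unsigned mask)
{
    int n = 0;
    for (int i = 0; i < 23; i++)
        if (rootkit_class[i] & mask)
            n++;
    return n;
}

double scan_seconds(unsigned mask)
{
    double t = 0.0;
    for (int c = 0; c < 4; c++)
        if (mask & (1u << c))
            t += class_cost[c];
    return t;
}

/* Fraction of CPU time the monitor keeps busy: scan time over poll interval,
 * capped at 1. An interval of 0 is the original continuous scan. */
double duty_cycle(unsigned mask, double interval_s)
{
    double t = scan_seconds(mask);
    if (t <= 0.0) return 0.0;
    if (interval_s <= 0.0 || t >= interval_s) return 1.0;
    return t / interval_s;
}

struct config { unsigned mask; double interval_s; int coverage; double duty; double latency_s; };

/* Search the grid from the tradeoff slides (intervals 0, 1, 5, 30, 120 s; every
 * surface subset) for the configuration with the highest coverage whose duty
 * cycle and worst-case detection latency (interval + scan time) stay in budget;
 * ties go to the lower duty cycle. */
struct config best_under(double max_duty, double max_latency_s)
{
    static const double intervals[5] = { 0, 1, 5, 30, 120 };
    struct config best = { 0, 0, -1, 0, 0 };
    for (int i = 0; i < 5; i++) {
        for (unsigned mask = 0; mask <= S_ALL; mask++) {
            struct config c = { mask, intervals[i], coverage_count(mask),
                                duty_cycle(mask, intervals[i]),
                                intervals[i] + scan_seconds(mask) };
            if (c.duty > max_duty || c.latency_s > max_latency_s)
                continue;
            if (c.coverage > best.coverage || (c.coverage == best.coverage && c.duty < best.duty))
                best = c;
        }
    }
    return best;
}

int main(void)
{
    const unsigned surfaces[4] = { S_STATIC, S_STATIC | S_FPTR, S_STATIC | S_FPTR | S_LISTS, S_ALL };
    const double intervals[5] = { 0, 1, 5, 30, 120 };
    for (int s = 0; s < 4; s++) {
        printf("surface %2u covers %2d/23:", surfaces[s], coverage_count(surfaces[s]));
        for (int i = 0; i < 5; i++)
            printf("  %3.0fs->%.2f", intervals[i], duty_cycle(surfaces[s], intervals[i]));
        printf("\n");
    }
    struct config c = best_under(0.2, 60.0);
    printf("best under 20%% duty and 60 s latency: surface %u every %.0f s (coverage %d/23, duty %.2f)\n",
           c.mask, c.interval_s, c.coverage, c.duty);
    return 0;
}
```

Under this model a 20% duty budget with a one-minute latency bound selects static data, function pointers and lists polled every 30 seconds; relaxing the latency bound lets the search buy the last rootkit in the table by scanning everything every 120 seconds instead. Which of the two is right is a policy decision the model only makes explicit; the talk's choice of 30 seconds and the reduced surface corresponds to the first.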
Rootkit-based Attacks and Defenses: Past, Present and Future
Vinod Ganapathy, vinodg@cs.rutgers.edu
Thank you
References:
• Gibraltar: ACSAC 2008, IEEE TDSC 2011.
• Mobile rootkits: HotMobile 2011, MobiSys 2011.
Example: conversation snooping
(Figure: the attacker sends an SMS "Dial me 666-6666" to the rootkit-infected phone; the rootkit deletes the SMS, calls the attacker and turns on the microphone, so the attacker can listen in.)
37
Feasibility of cloud offload
Cloud offload is impractical energy-wise