Abstract | ||
---|---|---|
A new class of stealthy kernel-level malware, called transient kernel control flow attacks, uses dynamic soft timers to achieve significant work while avoiding any persistent changes to kernel code or data. We demonstrate that soft timers can be used to implement attacks such as a stealthy key logger and a CPU cycle stealer. To defend against these attacks, we propose an approach based on static analysis of the entire kernel, which identifies and catalogs all legitimate soft timer interrupt requests (STIR) in a database. At run-time, a reference monitor in a trusted virtual machine compares each STIR with the database, only allowing the execution of known good STIRs. Our defensive technique has no false negatives because it mediates every STIR execution and prevents execution of all unknown, illegitimate STIRs, and no false positives because the relevant kernel code analyzed was unambiguous. The overhead for this additional security is less than 7% for each of our benchmarks. |
Year | DOI | Venue |
---|---|---|
2008 | 10.1109/ACSAC.2008.40 | ACSAC |
Keywords | Field | DocType |
entire kernel,control flow attacks,soft timers,legitimate soft timer interrupt,false positive,relevant kernel code,dynamic soft timers,stir execution,kernel code,soft-timer driven transient kernel,false negative,transient kernel control flow,interrupts,virtual machine,kernel,reactive power,static analysis,virtual machines,linux,data structures,security,control flow | Virtual machine,Computer security,Computer science,Keystroke logging,Real-time computing,Timer,Interrupt,Control flow,Reference monitor,Malware,Instruction cycle,Operating system,Embedded system | Conference |
ISSN | Citations | PageRank |
1063-9527 | 17 | 0.81 |
References | Authors | |
23 | 4 |
Name | Order | Citations | PageRank |
---|---|---|---|
Jinpeng Wei | 1 | 221 | 20.22 |
Bryan D. Payne | 2 | 285 | 13.46 |
Jonathon Giffin | 3 | 379 | 15.67 |
Calton Pu | 4 | 5377 | 877.83 |