Journal: International Journal of Innovative Research in Computer and Communication Engineering
Print ISSN: 2320-9798
Online ISSN: 2320-9801
Year of publication: 2015
Volume: 3
Issue: 7
DOI: 10.15680/ijircce.2015.0307148
Publisher: S&S Publications
Abstract: Rootkits affect system security by modifying kernel data structures to achieve a variety of malicious goals. While early rootkits modified control data structures, such as the system call table and the values of function pointers, recent work has demonstrated rootkits that maliciously modify non-control data. Most prior techniques for rootkit detection have focused solely on detecting control data modifications and, therefore, fail to detect such rootkits. This paper presents a novel technique to detect rootkits that modify both control and non-control data. The main idea is to externally observe the execution of the kernel during an inference phase and hypothesize invariants on kernel data structures. A rootkit detection phase then uses these invariants as specifications of data structure integrity; during this phase, a violation of an invariant indicates an infection. We have implemented Gibraltar, a prototype tool that infers kernel data structure invariants and uses them to detect rootkits. Experiments show that Gibraltar can effectively detect previously known rootkits, including those that modify non-control data structures.
Keywords: Kernel-level rootkits; non-control data attacks; invariant inference; static and dynamic program analysis.