Title:
Operating System Interface Obfuscation and the Revealing of Hidden Operations
Operating System Interface Obfuscation and the Revealing of Hidden Operations
| dc.contributor.author | Srivastava, Abhinav | en_US |
| dc.contributor.author | Lanzi, Andrea | en_US |
| dc.contributor.author | Giffin, Jonathon | en_US |
| dc.contributor.corporatename | Georgia Institute of Technology. College of Computing | en_US |
| dc.contributor.corporatename | Georgia Institute of Technology. School of Computer Science | en_US |
| dc.contributor.corporatename | Università degli studi di Milano-Bicocca. Dipartimento di Informatica e Comunicazione | en_US |
| dc.date.accessioned | 2009-10-13T21:42:21Z | |
| dc.date.available | 2009-10-13T21:42:21Z | |
| dc.date.issued | 2008 | |
| dc.description.abstract | Many software security solutions—including malware analyzers, information flow tracking systems, auditing utilities, and host-based intrusion detectors—rely on knowledge of standard system call interfaces to reason about process execution behavior. In this work, we first obfuscate the Windows and Linux system call interfaces to degrade the effectiveness of these tools. Our attack, called Illusion, invokes privileged kernel operations in the kernel at the request of user-level processes without requiring those processes to call the actual system calls corresponding to the operations. The Illusion interface hides system operations from user-, kernel-, and hypervisor-level monitors mediating the conventional system-call interface. Illusion alters neither static kernel code nor read-only dispatch tables, remaining elusive from tools protecting kernel memory. We then consider the problem of Illusion attacks and augment system call data with kernel-level execution information to expose the hidden kernel operations. We present a Xen-based monitoring system, Sherlock, that adds kernel execution watchpoints to the stream of system call events. Sherlock automatically adapts its sensitivity based on security requirements to remain performant on desktop systems. | en_US |
| dc.identifier.uri | http://hdl.handle.net/1853/30452 | |
| dc.language.iso | en_US | en_US |
| dc.publisher | Georgia Institute of Technology | en_US |
| dc.relation.ispartofseries | SCS Technical Report ; GT-CS-08-09 | en_US |
| dc.subject | Hypervisor | en_US |
| dc.subject | Intrusion detection systems | en_US |
| dc.subject | Malicious software | en_US |
| dc.subject | Operating system kernels | en_US |
| dc.subject | System-call interface | en_US |
| dc.subject | Virtual machine | en_US |
| dc.subject | Watchpoints | en_US |
| dc.title | Operating System Interface Obfuscation and the Revealing of Hidden Operations | en_US |
| dc.type | Text | |
| dc.type.genre | Technical Report | |
| dspace.entity.type | Publication | |
| local.contributor.corporatename | College of Computing | |
| local.contributor.corporatename | School of Computer Science | |
| local.relation.ispartofseries | College of Computing Technical Report Series | |
| local.relation.ispartofseries | School of Computer Science Technical Report Series | |
| relation.isOrgUnitOfPublication | c8892b3c-8db6-4b7b-a33a-1b67f7db2021 | |
| relation.isOrgUnitOfPublication | 6b42174a-e0e1-40e3-a581-47bed0470a1e | |
| relation.isSeriesOfPublication | 35c9e8fc-dd67-4201-b1d5-016381ef65b8 | |
| relation.isSeriesOfPublication | 26e8e5bc-dc81-469c-bd15-88e6f98f741d |