Engineering school and research centre in digital sciences

Subverting operating system properties through evolutionary DKOM attacks

Graziano, Mariano; Flore, Lorenzo; Lanzi, Andrea; Balzarotti, Davide

DIMVA 2016, 13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 7-8, 2016, San Sebastian, Spain / Also published in LNCS, Vol. 9721/2016

Modern rootkits have moved their focus to the exploitation of dynamic memory structures, which allows them to tamper with the behavior of the system without modifying or injecting any additional code. In this paper we discuss a new class of Direct Kernel Object Manipulation (DKOM) attacks that we call Evolutionary DKOM (E-DKOM). The goal of this attack is to alter the way some data structures "evolve" over time. As a case study, we designed and implemented an instance of an Evolutionary DKOM attack that targets the OS scheduler for both userspace programs and kernel threads. Moreover, we discuss the implementation of a hypervisor-based data protection system that mimics the behavior of an OS component (in our case the scheduling system) and detects any unauthorized modification. We finally discuss the challenges related to the design of a general detection system for this class of attacks.


Title: Subverting operating system properties through evolutionary DKOM attacks
Type: Conference
Language: English
City: San Sebastian
Country: Spain
Date:
Department: Digital Security
Eurecom ref: 4893
Copyright: © Springer. Personal use of this material is permitted. The definitive version of this paper was published in DIMVA 2016, 13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 7-8, 2016, San Sebastian, Spain / Also published in LNCS, Vol. 9721/2016 and is available at: http://dx.doi.org/10.1007/978-3-319-40667-1_1
Bibtex: @inproceedings{EURECOM+4893, doi = {http://dx.doi.org/10.1007/978-3-319-40667-1_1}, year = {2016}, title = {{S}ubverting operating system properties through evolutionary {DKOM} attacks}, author = {{G}raziano, {M}ariano and {F}lore, {L}orenzo and {L}anzi, {A}ndrea and {B}alzarotti, {D}avide }, booktitle = {{DIMVA} 2016, 13th {C}onference on {D}etection of {I}ntrusions and {M}alware \& {V}ulnerability {A}ssessment, {J}uly 7-8, 2016, {S}an {S}ebastian, {S}pain / {A}lso published in {LNCS}, {V}ol. 9721/2016}, address = {{S}an {S}ebastian, {ESPAGNE}}, month = {07}, url = {http://www.eurecom.fr/publication/4893} }
See also: