Staff View
Automated detection and containment of stealth attacks on the operating system kernel

Descriptive

TypeOfResource
Text
TitleInfo (ID = T-1)
Title
Automated detection and containment of stealth attacks on the operating system kernel
Identifier
ETD_1411
Identifier (type = hdl)
http://hdl.rutgers.edu/1782.2/rucore10001600001.ETD.000050489
Language
LanguageTerm (authority = ISO639-2); (type = code)
eng
Genre (authority = marcgt)
theses
Subject (ID = SBJ-1); (authority = RUETD)
Topic
Computer Science
Subject (ID = SBJ-1); (authority = ETD-LCSH)
Topic
Computer security
Subject (ID = SBJ-1); (authority = ETD-LCSH)
Topic
Data protection
Abstract
The operating system kernel serves as the root of trust for all applications running on the computer system. A compromised system can be exploited by remote attackers stealthily, such as exfiltration of sensitive information, wasteful usage of the system's resources, or involving the system in malicious activities without the user's knowledge or permission. The lack of appropriate detection tools allows such systems to stealthily lie within the attackers' realm for indefinite periods of time. Stealth attacks on the kernel are carried out by malware commonly known as rootkits. The goal of the rootkit is to conceal the presence of the attacker on the victim system. Conventionally, kernel rootkits modified the kernel to achieve stealth, while most functionality was provided by accompanying user space programs. The newer kernel rootkits achieve the malice and stealth solely by modifying kernel data. This dissertation explores the threat posed by both types of kernel rootkits and proposes novel automated techniques for their detection and containment. Our first contribution is an automated containment technique built using the virtualization architecture. This technique counters the ongoing damage done to the system by the conventional kernel rootkits. It is well suited for attacks that employ kernel or user mode stealth but provide most of the malicious functionality as user space programs. Our second contribution is to identify a new class of stealth attacks on the kernel, which do not exhibit explicit hiding behavior but are stealthy by design. They achieve their malicious objectives by solely modifying data within the kernel. These attacks demonstrate that the threat posed to kernel data is systemic, requiring comprehensive protection.
Our final contribution is a novel automated technique that can be used for detection of such stealth data-centric attacks. The key idea behind this technique is to automatically identify and extract invariants exhibited by kernel data structures during a training phase. These invariants are used as specifications of data structure integrity and are enforced during runtime. Our technique could successfully detect all rootkits that were publicly available. It could also detect more recent stealth attacks developed by us or proposed by other recent research literature.
PhysicalDescription
Extent
xii, 105 p. : ill.
InternetMediaType
application/pdf
InternetMediaType
text/xml
Note (type = degree)
Ph.D.
Note (type = bibliography)
Includes bibliographical references (p. 99-103)
Note (type = statement of responsibility)
by Arati Baliga
Name (ID = NAME-1); (type = personal)
NamePart (type = family)
Baliga
NamePart (type = given)
Arati
Role
RoleTerm (authority = RULIB); (type = )
author
DisplayForm
Arati Baliga
Name (ID = NAME-2); (type = personal)
NamePart (type = family)
Iftode
NamePart (type = given)
Liviu
Role
RoleTerm (authority = RULIB); (type = )
chair
Affiliation
Advisory Committee
DisplayForm
Liviu Iftode
Name (ID = NAME-3); (type = personal)
NamePart (type = family)
Ganapathy
NamePart (type = given)
Vinod
Role
RoleTerm (authority = RULIB); (type = )
internal member
Affiliation
Advisory Committee
DisplayForm
Vinod Ganapathy
Name (ID = NAME-4); (type = personal)
NamePart (type = family)
Trappe
NamePart (type = given)
Wade
Role
RoleTerm (authority = RULIB); (type = )
internal member
Affiliation
Advisory Committee
DisplayForm
Wade Trappe
Name (ID = NAME-5); (type = personal)
NamePart (type = family)
Jaeger
NamePart (type = given)
Trent
Role
RoleTerm (authority = RULIB); (type = )
outside member
Affiliation
Advisory Committee
DisplayForm
Trent Jaeger
Name (ID = NAME-1); (type = corporate)
NamePart
Rutgers University
Role
RoleTerm (authority = RULIB); (type = )
degree grantor
Name (ID = NAME-2); (type = corporate)
NamePart
Graduate School - New Brunswick
Role
RoleTerm (authority = RULIB); (type = )
school
OriginInfo
DateCreated (point = ); (qualifier = exact)
2009
DateOther (qualifier = exact); (type = degree)
2009-01
Place
PlaceTerm (type = code)
xx
Location
PhysicalLocation (authority = marcorg)
NjNbRU
RelatedItem (type = host)
TitleInfo
Title
Rutgers University Electronic Theses and Dissertations
Identifier (type = RULIB)
ETD
RelatedItem (type = host)
TitleInfo
Title
Graduate School - New Brunswick Electronic Theses and Dissertations
Identifier (type = local)
rucore19991600001
Identifier (type = doi)
doi:10.7282/T33B60FK
Genre (authority = ExL-Esploro)
ETD doctoral

Rights

RightsDeclaration (AUTHORITY = GS); (ID = rulibRdec0006)
The author owns the copyright to this work.
Copyright
Status
Copyright protected
Availability
Status
Open
RightsEvent (AUTHORITY = rulib); (ID = 1)
Type
Permission or license
Detail
Non-exclusive ETD license
AssociatedObject (AUTHORITY = rulib); (ID = 1)
Type
License
Name
Author Agreement License
Detail
I hereby grant to the Rutgers University Libraries and to my school the non-exclusive right to archive, reproduce and distribute my thesis or dissertation, in whole or in part, and/or my abstract, in whole or in part, in and from an electronic format, subject to the release date subsequently stipulated in this submittal form and approved by my school. I represent and stipulate that the thesis or dissertation and its abstract are my original work, that they do not infringe or violate any rights of others, and that I make these grants as the sole owner of the rights to my thesis or dissertation and its abstract. I represent that I have obtained written permissions, when necessary, from the owner(s) of each third party copyrighted matter to be included in my thesis or dissertation and will supply copies of such upon request by my school. I acknowledge that RU ETD and my school will not distribute my thesis or dissertation or its abstract if, in their reasonable judgment, they believe all such rights have not been secured. I acknowledge that I retain ownership rights to the copyright of my work. I also retain the right to use all or part of this thesis or dissertation in future works, such as articles or books.

Technical

ContentModel
ETD
MimeType (TYPE = file)
application/pdf
MimeType (TYPE = container)
application/x-tar
FileSize (UNIT = bytes)
22097920
Checksum (METHOD = SHA1)
7fc5badd4e29e21170029c8eb7483c3e20aa4585