Identifying Systemic Threats to Kernel Data: Attacks and Defense Techniques

Identifying Systemic Threats to Kernel Data: Attacks and Defense Techniques

Arati Baliga (Rutgers University, USA), Pandurang Kamat (Rutgers University, USA), Vinod Ganapathy (Rutgers University, USA) and Liviu Iftode (Rutgers University, USA)
DOI: 10.4018/978-1-60566-850-5.ch003
OnDemand PDF Download:
No Current Special Offers


The authors demonstrate a new class of attacks and also present a novel automated technique to detect them. The attacks do not explicitly exhibit hiding behavior but are stealthy by design. They do not rely on user space programs to provide malicious functionality but achieve the same by simply manipulating kernel data. These attacks are symbolic of a larger systemic problem within the kernel, thus requiring comprehensive analysis. The author’s novel rootkit detection technique based on automatic inference of data structure invariants, which can automatically detect such advanced stealth attacks on the kernel.
Chapter Preview


Integrity of the operating system kernel is critical to the security of all applications and data on the computer system. Tampering with the kernel is traditionally performed by malware, commonly known as rootkits. The term “rootkit” was originally used to refer to a toolkit developed by the attacker, which would help conceal his presence on the compromised system. The rootkit was typically installed after the attacker obtained “root” level control and attempted to hide the malicious objects belonging to him, such as files, processes and network connections.

A rootkit infested system can be exploited by remote attackers stealthily, such as exfiltration of sensitive information or system involvement in fraudulent or malicious activities without the user’s knowledge or permission. The lack of appropriate detection tools allows such systems to stealthily lie within the attackers realm for indefinite periods of time. Recent studies have shown a phenomenal increase in the number of malware that use stealth techniques commonly employed by rootkits. For example, a report by MacAfee Avert Labs (MacAfee, 2006) observes a 600% increase in the number of rootkits in the three year period from 2004-2006. Indeed, this trend continues even today; according to the forum (Antirootkit, n.d.), over 200 rootkits were discovered in the first quarter of 2008 alone.

Complete Chapter List

Search this Book: