< "Automatically Generating Models for Botnet Detection" | GSoC'09: Some Updates for Glastopf >

"Bypassing Kernel Code Integrity Protection Mechanisms"

A paper that we will publish next month at USENIX Security'09 is entitled "Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms". In return-oriented programming, an attacker re-uses existing code: he searches for short instruction sequences (typically only one instruction) which are followed by a RET. By cleverly chaining these sequences, an attacker can build a gadget that then performs an actual computation, e.g., the gadget adds two operands. By combining these gadgets, an attacker can then perform arbitrary computations. Return-oriented programming was popularized by Shacham (CCS'07 paper targeting Linux/x86, CCS'08 paper targeting Solaris/SPARC). In our paper we present a system to automatically find useful instructions, build gadgets, and then generate a return-oriented program for Windows as the target OS. In a case study, we show how this system can be used to implement a return-oriented rootkit, bypassing typical kernel code integrity mechanisms. The main insight here is that integrity mechanisms protect against injection of code - however, if the attacker re-uses existing code, these approaches typically fail.

Abstract: Protecting the kernel of an operating system against attacks, especially injection of malicious code, is an important factor for implementing secure operating systems. Several kernel integrity protection mechanism were proposed recently that all have a particular shortcoming: They cannot protect against attacks in which the attacker re-uses existing code within the kernel to perform malicious computations. In this paper, we present the design and implementation of a system that fully automates the process of constructing instruction sequences that can be used by an attacker for malicious computations. We evaluate the system on different commodity operating systems and show the portability and universality of our approach. Finally, we describe the implementation of a practical attack that can bypass existing kernel integrity protection mechanisms.

The paper contains all the details and the results of our experiments are also available. The main part of this work was performed by Ralf Hund, it was the topic of his thesis. Furthermore, Felix Freiling helped with the project. And the word cloud was generated with the help of Wordle
This entry was posted by Thorsten Holz on Saturday, July 18. 2009 at 08:13. and is filed under paper. You can leave a response, or trackback from your own blog.

Trackbacks

Trackback specific URI for this entry

    No Trackbacks

Comments

Display comments as (Linear | Threaded)

    No comments


Add Comment


E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA 1CAPTCHA 2CAPTCHA 3CAPTCHA 4CAPTCHA 5