Presentation
Flying under the Radar: Maintaining Control of Kernel without Changing Kernel Code or Persistent Data Structures
Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research
  • Jinpeng Wei
  • Calton Pu
  • Keke Chen, Wright State University - Main Campus
Document Type
Conference Proceeding
Publication Date
10-1-2011
Abstract

Cyber-spies rely on technologies such as rootkits to maintain stealthy control of the victim kernel. Current techniques can detect changes to kernel code (e.g., SecVisor) and data (e.g., SBCFI), but have difficulty with transient kernel control-flow attacks that insert execution requests into interrupt or kernel work queues (K-queues) without changing kernel code or data. Two examples implemented using Linux tasklets illustrate the effectiveness of K-queue attacks: a key logger and a CPU cycle stealer. Possible defenses to protect the kernel against K-queue attacks are outlined.

Comments

Presented at the 7th Annual Cyber Security and Information Intelligence Research Workshop, Oak Ridge, TN, October 12-14, 2011.

DOI
10.1145/2179298.2179377
Citation Information
Jinpeng Wei, Calton Pu and Keke Chen. "Flying under the Radar: Maintaining Control of Kernel without Changing Kernel Code or Persistent Data Structures" Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research (2011) ISSN: 9781450309455
Available at: http://works.bepress.com/keke_chen/41/