A Taxonomy of Software Deceptive Interpretation in the Linux Operating System
Abstract
Rootkits are malicious tools installed on compromised computer systems that help intruders take advantage of and maintain unauthorized access. Modern rootkits routinely employ deceptive interpretation to evade detection. This allows them to remain hidden and operational for extended periods of time, drastically prolonging and escalating the damage from the system compromise. This report investigates the concept of deceptive interpretation in order to explore high assurance approaches to detect rootkits. A taxonomy was developed through a systematic analysis of the Linux operating system that enumerates all possible mechanisms of performing software deceptive interpretation. Many novel mechanisms, not yet implemented in published rootkits, were discovered and included in the taxonomy. Categorization was based on the system objects that need to be modified for the deceptive interpretation mechanism. As a result, detectors that target the set of system objects associated with a category will be able to detect all deceptive interpreters in that category including previously unknown implementations. This work can serve as the basis for developing an alternative to the signature-based approach with the capability to provide categorical protection against deceptive interpreters and rootkits.
Document Details
- Document Type: Technical Report
- Publication Date: Nov 10, 2004
- Accession Number: ADA430296
Entities
People
- Amitabh Khashnobish
- Jim Luo
- John Mcdermott
- Judy Froscher
- Margery Li
Organizations
- United States Naval Research Laboratory