An Investigation of Kernel Data Attacks and Countermeasures
Abstract
By altering in-memory kernel data, attackers are able to manipulate the running behavior of an operating system without injecting any malicious code. This type of attack is called a kernel data attack. Intuitively, the security impact of such an attack seems minor, and thus it has not yet drawn much attention from the security community. In this project, we will thoroughly investigate kernel data attacks, showing that their damage can be as serious as that of kernel rootkits, and then propose countermeasures. More specifically, we will first demonstrate that, by tampering with kernel data, attackers can stealthily subvert various kernel security mechanisms. Then, we will further develop a new keylogger called DLOGGER, which is stealthier than existing keyloggers. Instead of injecting any malicious code, it only alters kernel data and leverages existing benign kernel code to build a covert channel through which attackers can steal sensitive information. Therefore, existing defense mechanisms, including those deployed at the hypervisor level that search for hidden processes or hidden modules, or that monitor kernel code integrity, will not be able to detect DLOGGER. To counter kernel data attacks, we propose a defense mechanism that classifies kernel data into different categories and handles each category separately, and we plan to evaluate its efficacy with real experiments. We expect the results of this project to enable a transformative rethinking of the current kernel data security issues in a computer system. Our proposed techniques will be developed into novel attack tools and related countermeasure tools.
Document Details
- Document Type: DoD Grant Award
- Publication Date: Aug 12, 2016
- Source ID: N000141512136
Entities
People
- Haining Wang
Organizations
- Office of Naval Research
- United States Navy
- University of Delaware