Automatically Generating External OS Kernel Integrity Checkers for Detecting Hidden Rootkits

Hiromasa Shimada, Tatsuo Nakajima

    Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

    2 Citations (Scopus)

    Abstract

    The integrity checker validates the data structures in a target OS kernel from outside to enhance system security. Because of the huge number of kernel data structures, all possible invariants cannot be generated automatically: we encounter a combinatorial explosion. In this paper, we propose a framework to generate a practical integrity checker automatically without examining all data structures in an OS kernel. Because hidden rootkits infect the pointer variables of kernel data structures, a filter proposed in the framework reduces the number of target kernel data structures without decreasing the detection accuracy. In our experiments, the proposed system generates an integrity checker for three Linux kernels in a practical time, and a generated integrity checker can detect all of the hidden rootkits infecting the kernel data structures.
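    The abstract describes an external checker that validates pointer fields of kernel data structures from outside the guest. The following C program is an added illustration of that idea and is not code from the paper (the paper's filter and its automatically generated invariants are not reproduced here). It models a guest memory image as a raw byte buffer with a circular doubly-linked task list rooted at init_task and a separate pid table; the struct layout, the "symbol" addresses (INIT_TASK_GPA, PID_TABLE_GPA), the task stride and the two hand-written invariants are all assumptions of this example. A DKOM-style unlink that repairs both neighbours satisfies the local pointer invariant (next->prev == self) but is caught by a cross-structure invariant between the list and the pid table; a sloppy unlink is caught by the local invariant alone.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model for illustration: guest image, struct layout, "symbol"
 * addresses and both invariants are assumptions, not the paper's checker. */
#define GUEST_MEM_SIZE 4096u
#define NTASKS         5u      /* tasks in the clean image, pids 0..4 */
#define MAX_WALK       64u     /* hard bound on list traversal steps */
#define INIT_TASK_GPA  0x100u  /* assumed symbol address of init_task */
#define PID_TABLE_GPA  0x800u  /* assumed symbol address of a pid -> task table */
#define TASK_STRIDE    0x40u   /* tasks laid out every 64 bytes */

typedef uint32_t gpa_t;        /* guest physical address = offset into image */
struct list_head { gpa_t next, prev; };
struct task { struct list_head tasks; uint32_t pid; char comm[16]; };
struct guest_image { uint8_t mem[GUEST_MEM_SIZE]; };

/* An out-of-VM checker cannot dereference guest pointers: every access is a
 * bounds-checked copy out of the raw image. */
static int gread(const struct guest_image *g, gpa_t a, void *out, size_t n) {
    if (a > GUEST_MEM_SIZE || n > GUEST_MEM_SIZE - a) return -1;
    memcpy(out, g->mem + a, n);
    return 0;
}
static int gwrite(struct guest_image *g, gpa_t a, const void *in, size_t n) {
    if (a > GUEST_MEM_SIZE || n > GUEST_MEM_SIZE - a) return -1;
    memcpy(g->mem + a, in, n);
    return 0;
}
static gpa_t task_gpa(unsigned i) { return INIT_TASK_GPA + i * TASK_STRIDE; }

/* Clean guest state: NTASKS tasks on a circular doubly-linked list rooted at
 * init_task, plus a pid table mapping pid -> task address (a second view). */
void build_clean_image(struct guest_image *g) {
    memset(g, 0, sizeof *g);
    for (unsigned i = 0; i < NTASKS; i++) {
        struct task t = { { task_gpa((i + 1) % NTASKS),
                            task_gpa((i + NTASKS - 1) % NTASKS) }, i, "" };
        gpa_t a = task_gpa(i);
        snprintf(t.comm, sizeof t.comm, "task%u", i);
        gwrite(g, a, &t, sizeof t);
        gwrite(g, PID_TABLE_GPA + i * sizeof a, &a, sizeof a);
    }
}

/* DKOM-style hiding: unlink the victim from the task list. With repair_both
 * set, both neighbours are fixed so next->prev == self still holds everywhere;
 * the pid table entry is left intact. */
int rootkit_hide_pid(struct guest_image *g, uint32_t pid, int repair_both) {
    gpa_t victim;
    struct list_head v, lh;
    if (pid == 0 || pid >= NTASKS) return -1;        /* never unlink the root */
    if (gread(g, PID_TABLE_GPA + pid * sizeof victim, &victim, sizeof victim)) return -1;
    if (gread(g, victim, &v, sizeof v)) return -1;   /* list_head is at offset 0 */
    gread(g, v.prev, &lh, sizeof lh); lh.next = v.next; gwrite(g, v.prev, &lh, sizeof lh);
    if (repair_both) {
        gread(g, v.next, &lh, sizeof lh); lh.prev = v.prev; gwrite(g, v.next, &lh, sizeof lh);
    }
    return 0;
}

/* Invariant 1 (pointer-only, local): from init_task every next pointer stays in
 * the image, is task-aligned and satisfies next->prev == self. Returns the
 * number of tasks reached or -1 on violation; the walk is bounded so a planted
 * pointer loop cannot hang the monitor. */
int check_list_invariants(const struct guest_image *g, gpa_t *seen, unsigned max) {
    gpa_t cur = INIT_TASK_GPA;
    unsigned n = 0;
    do {
        struct list_head lh, nxt;
        if (n >= max || n >= MAX_WALK) return -1;
        if (cur < INIT_TASK_GPA || (cur - INIT_TASK_GPA) % TASK_STRIDE) return -1;
        if (gread(g, cur, &lh, sizeof lh) || gread(g, lh.next, &nxt, sizeof nxt)) return -1;
        if (nxt.prev != cur) return -1;
        seen[n++] = cur;
        cur = lh.next;
    } while (cur != INIT_TASK_GPA);
    return (int)n;
}

/* Invariant 2 (cross-structure): every task the pid table points to must also
 * be reachable from init_task. A careful unlink keeps invariant 1 intact but
 * breaks this one. Returns the number of hidden tasks, or -1 if the list is
 * itself corrupt. */
int count_hidden_tasks(const struct guest_image *g) {
    gpa_t seen[MAX_WALK];
    int n = check_list_invariants(g, seen, MAX_WALK), hidden = 0;
    if (n < 0) return -1;
    for (unsigned i = 0; i < NTASKS; i++) {
        gpa_t a;
        int found = 0;
        if (gread(g, PID_TABLE_GPA + i * sizeof a, &a, sizeof a)) return -1;
        for (int j = 0; j < n; j++) if (seen[j] == a) found = 1;
        hidden += !found;
    }
    return hidden;
}

int main(void) {
    struct guest_image g;
    gpa_t seen[MAX_WALK];
    build_clean_image(&g);
    printf("clean:        list=%d hidden=%d\n", check_list_invariants(&g, seen, MAX_WALK), count_hidden_tasks(&g));
    rootkit_hide_pid(&g, 3, 1);   /* careful DKOM: only invariant 2 fires */
    printf("hidden pid 3: list=%d hidden=%d\n", check_list_invariants(&g, seen, MAX_WALK), count_hidden_tasks(&g));
    rootkit_hide_pid(&g, 2, 0);   /* sloppy DKOM: invariant 1 fires */
    printf("sloppy pid 2: list=%d hidden=%d\n", check_list_invariants(&g, seen, MAX_WALK), count_hidden_tasks(&g));
    return 0;
}
```

    Two points carry over to a real out-of-VM checker. First, the local pointer invariant on its own is not enough: a rootkit that repairs both neighbours leaves every next->prev == self relation intact, which is why invariants relating two views of the same objects (here the list and the pid table) are the ones that catch hiding. Second, the guest keeps running while the checker reads its memory, so a task that is legitimately being unlinked at exit can look exactly like a sloppy DKOM for a few microseconds; check from a quiesced snapshot or require a violation to persist across two reads before raising an alert. A production checker also has to translate guest virtual addresses to physical ones, which this model skips by making guest addresses plain offsets.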

    Original language: English
    Title of host publication: Proceedings - 2014 IEEE International Conference on Ubiquitous Intelligence and Computing, 2014 IEEE International Conference on Autonomic and Trusted Computing, 2014 IEEE International Conference on Scalable Computing and Communications and Associated Symposia/Workshops, UIC-ATC-ScalCom 2014
    Publisher: Institute of Electrical and Electronics Engineers Inc.
    Pages: 441-448
    Number of pages: 8
    ISBN (Print): 9781479976461
    DOI: 10.1109/UIC-ATC-ScalCom.2014.8
    Publication status: Published - 2015 Oct 23
    Event: 11th IEEE International Conference on Ubiquitous Intelligence and Computing and 11th IEEE International Conference on Autonomic and Trusted Computing and 14th IEEE International Conference on Scalable Computing and Communications and Associated Symposia/Workshops, UIC-ATC-ScalCom 2014 - Denpasar, Bali, Indonesia
    Duration: 2014 Dec 9 - 2014 Dec 12



    Keywords

    • Automatic Invariant Generation
    • Operating Systems
    • Rootkit
    • Security
    • Virtual Machine Monitor

    ASJC Scopus subject areas

    • Artificial Intelligence
    • Computer Science Applications

    Cite this

    Shimada, H., & Nakajima, T. (2015). Automatically Generating External OS Kernel Integrity Checkers for Detecting Hidden Rootkits. In Proceedings - 2014 IEEE International Conference on Ubiquitous Intelligence and Computing, 2014 IEEE International Conference on Autonomic and Trusted Computing, 2014 IEEE International Conference on Scalable Computing and Communications and Associated Symposia/Workshops, UIC-ATC-ScalCom 2014 (pp. 441-448). [7306988] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/UIC-ATC-ScalCom.2014.8

    @inproceedings{4ff9fffb8ec046018b13e2887994d0a3,
    title = "Automatically Generating External OS Kernel Integrity Checkers for Detecting Hidden Rootkits",
    abstract = "The integrity checker validates the data structures in a target OS kernel from outside to enhance system security. Because of the huge number of kernel data structures, all possible invariants cannot be generated automatically: we encounter a combinatorial explosion. In this paper, we propose a framework to generate a practical integrity checker automatically without examining all data structures in an OS kernel. Because hidden rootkits infect the pointer variables of kernel data structures, a filter proposed in the framework reduces the number of target kernel data structures without decreasing the detection accuracy. In our experiments, the proposed system generates an integrity checker for three Linux kernels in a practical time, and a generated integrity checker can detect all of the hidden rootkits infecting the kernel data structures.",
    keywords = "Automatic Invariant Generation, Operating Systems, Rootkit, Security, Virtual Machine Monitor",
    author = "Hiromasa Shimada and Tatsuo Nakajima",
    year = "2015",
    month = "10",
    day = "23",
    doi = "10.1109/UIC-ATC-ScalCom.2014.8",
    language = "English",
    isbn = "9781479976461",
    pages = "441--448",
    booktitle = "Proceedings - 2014 IEEE International Conference on Ubiquitous Intelligence and Computing, 2014 IEEE International Conference on Autonomic and Trusted Computing, 2014 IEEE International Conference on Scalable Computing and Communications and Associated Symposia/Workshops, UIC-ATC-ScalCom 2014",
    publisher = "Institute of Electrical and Electronics Engineers Inc.",
    }

    TY - GEN

    T1 - Automatically Generating External OS Kernel Integrity Checkers for Detecting Hidden Rootkits

    AU - Shimada, Hiromasa

    AU - Nakajima, Tatsuo

    PY - 2015/10/23

    Y1 - 2015/10/23

    AB - The integrity checker validates the data structures in a target OS kernel from outside to enhance system security. Because of the huge number of kernel data structures, all possible invariants cannot be generated automatically: we encounter a combinatorial explosion. In this paper, we propose a framework to generate a practical integrity checker automatically without examining all data structures in an OS kernel. Because hidden rootkits infect the pointer variables of kernel data structures, a filter proposed in the framework reduces the number of target kernel data structures without decreasing the detection accuracy. In our experiments, the proposed system generates an integrity checker for three Linux kernels in a practical time, and a generated integrity checker can detect all of the hidden rootkits infecting the kernel data structures.

    KW - Automatic Invariant Generation

    KW - Operating Systems

    KW - Rootkit

    KW - Security

    KW - Virtual Machine Monitor

    UR - http://www.scopus.com/inward/record.url?scp=84949551742&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84949551742&partnerID=8YFLogxK

    U2 - 10.1109/UIC-ATC-ScalCom.2014.8

    DO - 10.1109/UIC-ATC-ScalCom.2014.8

    M3 - Conference contribution

    SN - 9781479976461

    SP - 441

    EP - 448

    BT - Proceedings - 2014 IEEE International Conference on Ubiquitous Intelligence and Computing, 2014 IEEE International Conference on Autonomic and Trusted Computing, 2014 IEEE International Conference on Scalable Computing and Communications and Associated Symposia/Workshops, UIC-ATC-ScalCom 2014

    PB - Institute of Electrical and Electronics Engineers Inc.

    ER -