Self-Healing Mechanisms for Kernel System Compromise - PowerPoint PPT Presentation


Slides: 15
Provided by: Huy70
Learn more at: http://www.cs.cmu.edu
Transcript and Presenter's Notes

1
Self-Healing Mechanisms for Kernel System
Compromise
  • Sandy Ring, David Esler, and Eric Cole
  • Advanced Technology Research Center
  • The Sytex Group, Inc

2
Kernel-level rootkits
  • What are rootkits?
  • Intruders use rootkit attacks to conceal malicious
    1) processes
    2) files
    3) network connections
  • Detection is the hardest aspect

3
Scope
  • Detection
  • Forensics
  • Recovery
  • Adaptation

(diagram)

4
Out of current bounds
(diagram)
5
Concept
  • After-the-fact
  • Non-signature dependent
  • Comparison of user to kernel behavior
  • Loadable kernel module

6
Implementation
  1. System Call Table Analysis
  2. Hidden Process Termination
  3. Hidden File Removal
  4. Attack Traffic Blocking

7
System Call Table Analysis

  • Problem: Intruders patch addresses in the
    system call table and redirect applications
  • Solution: Leverage the Linux kallsyms symbol
    table to resolve and repair addresses
  • Future Considerations: Establish call graphs for
    frequently used functions, perhaps generate
    signatures?
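An added example, not the authors' module (which runs in kernel space): a user-space simulation of the kallsyms check on constructed data. The kallsyms lines, the four-entry table, the slot-to-symbol mapping and the redirected address in slot 3 are all made up for the example; a real check reads the live table inside the kernel and resolves names through the kernel's own symbol lookup.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SYMS 16
#define NR_CALLS 4

struct symbol {
    unsigned long addr;
    char name[32];
};

/* Constructed sample in the line format of /proc/kallsyms ("<addr> <type> <name>").
   The addresses are invented for this example. */
static const char *sample_kallsyms =
    "c0106f40 T sys_open\n"
    "c0107a20 T sys_read\n"
    "c0107bb0 T sys_write\n"
    "c010a3f0 T sys_getdents\n";

/* Parse kallsyms-style text into `out`; returns the number of symbols read. */
static int parse_kallsyms(const char *text, struct symbol *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p != '\0' && n < max) {
        unsigned long addr;
        char type;
        char name[32];
        int consumed = 0;
        if (sscanf(p, "%lx %c %31s%n", &addr, &type, name, &consumed) != 3)
            break;
        out[n].addr = addr;
        strncpy(out[n].name, name, sizeof out[n].name - 1);
        out[n].name[sizeof out[n].name - 1] = '\0';
        n++;
        p += consumed;
        while (*p == '\n')
            p++;
    }
    return n;
}

/* Resolve a symbol name to its address; 0 means "not in the table". */
static unsigned long lookup(const struct symbol *syms, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(syms[i].name, name) == 0)
            return syms[i].addr;
    return 0;
}

/* Constructed mapping from table slot to the handler that belongs there. */
static const char *expected_names[NR_CALLS] = {
    "sys_open", "sys_read", "sys_write", "sys_getdents"
};

/* Compare every slot against the symbol table and restore any entry that
   points elsewhere. Returns the number of entries repaired. Slots whose
   expected symbol cannot be resolved are left untouched rather than guessed. */
static int repair_syscall_table(unsigned long *table, const struct symbol *syms, int n)
{
    int repaired = 0;
    for (int i = 0; i < NR_CALLS; i++) {
        unsigned long want = lookup(syms, n, expected_names[i]);
        if (want == 0)
            continue;
        if (table[i] != want) {
            printf("slot %d (%s): 0x%lx -> 0x%lx\n", i, expected_names[i], table[i], want);
            table[i] = want;
            repaired++;
        }
    }
    return repaired;
}

/* Driver on constructed data: slot 3 (sys_getdents) has been redirected to a
   made-up address outside the kernel text. Returns the repair count. */
static int demo(void)
{
    struct symbol syms[MAX_SYMS];
    int n = parse_kallsyms(sample_kallsyms, syms, MAX_SYMS);
    unsigned long table[NR_CALLS] = { 0xc0106f40UL, 0xc0107a20UL, 0xc0107bb0UL, 0xd08f1000UL };
    return repair_syscall_table(table, syms, n);
}

int main(void)
{
    printf("%d entries repaired\n", demo());
    return 0;
}
```

The check is only as good as the symbol table it trusts: it assumes the kallsyms data it reads is intact, which is the usual caveat for any after-the-fact repair and is why the deck's "future considerations" look at call graphs rather than addresses alone.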



8
Hidden Process Termination
  • Problem: Attackers can hide processes using
    system call patching, PID 0 renumbering, and task
    queue removal
  • Solution: Compare user space to kernel
    utilization views and terminate discrepancies

9
Hidden Process Termination
10
Hidden File Removal
  • Problem: This is the hardest problem; the number
    of ways to hide files is never-ending.
  • Solution: Compare user space listings to kernel
    file system level records
  • Future Considerations: Go lower and look for
    block chains on the drive, but how do you avoid
    false positives from deleted files?
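Slides 8 and 10 rely on the same operation: take the view user space gets (a listing of /proc, or of a directory) and the kernel's own record, and flag entries present in the second but missing from the first. The following is an added example, not from the deck, that does this in user space on constructed inputs. The PIDs and file names are invented, and the "kernel" lists stand in for what the module would read from the task list and from file system records. The kernel-side process list includes a PID 0 entry to represent the PID-0 renumbering case the deck mentions; since /proc never lists PID 0, the same comparison catches it.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAX_VIEW 64

static int cmp_str(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Write into `hidden` every entry of kernel_view that is absent from
   user_view, and return how many there are (even if more than max_hidden).
   Both views are sorted on private copies so a single merge walk suffices.
   Returns -1 if a view is larger than the example's fixed buffers. */
static int find_hidden(const char **user_view, int nu,
                       const char **kernel_view, int nk,
                       const char **hidden, int max_hidden)
{
    const char *u[MAX_VIEW], *k[MAX_VIEW];
    if (nu > MAX_VIEW || nk > MAX_VIEW)
        return -1;
    memcpy(u, user_view, nu * sizeof *u);
    memcpy(k, kernel_view, nk * sizeof *k);
    qsort(u, nu, sizeof *u, cmp_str);
    qsort(k, nk, sizeof *k, cmp_str);

    int i = 0, j = 0, n = 0;
    while (j < nk) {
        int c = (i < nu) ? strcmp(u[i], k[j]) : 1;
        if (c < 0) {
            i++;                 /* user-only entry: not a hiding case */
        } else if (c == 0) {
            i++; j++;            /* visible in both views */
        } else {
            if (n < max_hidden)  /* kernel-only: hidden from user space */
                hidden[n] = k[j];
            n++; j++;
        }
    }
    return n;
}

/* Constructed process views: PIDs as strings, the way readdir("/proc")
   names them. "0" models a process renumbered to PID 0; "1337" models one
   unlinked from what ps can see. */
static const char *proc_user[]   = { "1", "2", "532", "871" };
static const char *proc_kernel[] = { "1", "2", "532", "871", "0", "1337" };

/* Constructed directory views: ".rk" is present in the kernel's records
   but filtered out of the user-space listing. */
static const char *dir_user[]   = { "bash", "ls", "ps" };
static const char *dir_kernel[] = { ".rk", "bash", "ls", "ps" };

static int demo_hidden_processes(const char **out, int max)
{
    return find_hidden(proc_user, 4, proc_kernel, 6, out, max);
}

static int demo_hidden_files(const char **out, int max)
{
    return find_hidden(dir_user, 3, dir_kernel, 4, out, max);
}

int main(void)
{
    const char *h[8];
    int n = demo_hidden_processes(h, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("hidden process: pid %s\n", h[i]);
    n = demo_hidden_files(h, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("hidden file: %s\n", h[i]);
    return 0;
}
```

The deck's module terminates or removes what this comparison returns; the comparison itself is the detection step, and the file case inherits the false-positive question raised on slide 10, since a kernel-side record that lags a legitimate unlink looks the same as a hidden file until the record is re-read.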

11
Attacker Traffic Blocking
  • Problem: Attackers can hide connections to
    backdoors which can record and take action on any
    remediation action you take.
  • Solution: Immediately disable the communication to
    suspect processes by monitoring and closing
    connections via a dev_add_pack handler

12
Results
  • Passed functionality testing
  • Minor system degradation (left)
  • Negligible network latency (right)

(charts: System degradation; Network performance)
13
Conclusion
After-the-fact is good, but it should be combined
with the adaptability to prevent future attacks
altogether.
14
Questions and Suggestions for Improvement?