Scheduled System Maintenance:
Some services will be unavailable Sunday, March 29th through Monday, March 30th. We apologize for the inconvenience.
By Topic

Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

The purchase and pricing options are temporarily unavailable. Please try again later.
4 Author(s)
Jinpeng Wei ; Sch. of Comput. Sci., Georgia Inst. of Technol., Atlanta, GA ; Payne, B.D. ; Giffin, J. ; Pu, C.

A new class of stealthy kernel-level malware, called transient kernel control flow attacks, uses dynamic soft timers to achieve significant work while avoiding any persistent changes to kernel code or data. We demonstrate that soft timers can be used to implement attacks such as a stealthy key logger and a CPU cycle stealer. To defend against these attacks, we propose an approach based on static analysis of the entire kernel, which identifies and catalogs all legitimate soft timer interrupt requests (STIR) in a database. At run-time, a reference monitor in a trusted virtual machine compares each STIR with the database, only allowing the execution of known good STIRs. Our defensive technique has no false negatives because it mediates every STIR execution and prevents execution of all unknown, illegitimate STIRs, and no false positives because the relevant kernel code analyzed was unambiguous. The overhead for this additional security is less than 7% for each of our benchmarks.

Published in:

Computer Security Applications Conference, 2008. ACSAC 2008. Annual

Date of Conference:

8-12 Dec. 2008