Cloaker: Hardware Supported Rootkit Concealment
This article is presented by:
Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, Roy H. Campbell
Department of Computer Science
University of Illinois at Urbana-Champaign
201 N Goodwin Ave, Urbana


Cloaker: Hardware Supported Rootkit Concealment

Abstract
Rootkits are used by malicious attackers who desire to run software on a compromised machine without being detected. They have become stealthier over the years as a consequence of the ongoing struggle between attackers and system defenders. In order to explore the next step in rootkit evolution and to build strong defenses, we look at this issue from the point of view of an attacker. We construct Cloaker, a proof-of-concept rootkit for the ARM platform that is non-persistent and only relies on hardware state modifications for concealment and operation. A primary goal in the design of Cloaker is to not alter any part of the host operating system (OS) code or data, thereby achieving immunity to all existing rootkit detection techniques which perform integrity, behavior and signature checks of the host OS. Cloaker also demonstrates that a self-contained execution environment for malicious code can be provided without relying on the host OS for any services. Integrity checks of hardware state in each of the machine's devices are required in order to detect rootkits such as Cloaker. We present a framework for the Linux kernel that incorporates integrity checks of hardware state performed by device drivers in order to counter the threat posed by rootkits such as Cloaker.
Introduction
In order to surreptitiously control a compromised computer, an intruder typically installs software that tries to conceal malicious code. This software is commonly referred to as a rootkit. A rootkit hides itself and some malicious payload from the operating system, users and intrusion detection tools. The techniques utilized by rootkits to avoid detection have evolved over the years. Older rootkits modified system files and were easily detected by tools that checked for file integrity or rootkit signatures. To avoid being detected by such tools, rootkit designers resorted to more complex techniques such as modifying boot sectors and manipulating the in-memory image of the kernel. These rootkits are susceptible to detection by tools that check kernel code and data for alteration. Rootkits that modify the system BIOS or device firmware can also be detected by integrity checking tools. More recently, virtualization technology has been studied as yet another means to conceal rootkits. These rootkits remain hidden by running the host OS in a virtual machine environment. To counter the threat from these Virtual Machine Based Rootkits (VMBRs), researchers have detailed approaches to detect if code is executing inside a virtual machine. Is this the end of the line for rootkit evolution? We believe that other hardware features can still be exploited to conceal rootkits. For example, Shadow Walker exploits the existence of separate instruction and data address translation buffers to hide itself. While Shadow Walker exhibits some weaknesses that allow it to be detected by existing approaches, we aim to show that it is possible to construct a rootkit that exploits changes to hardware state for more effective concealment. Studying the construction of such a rootkit fuels the proactive design and deployment of new countermeasures. Similar approaches have been used in the past by other researchers.

For more information about this article, please follow the link:
http://srgsec.cs.illinois.edu/cloaker.pdf
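The abstract's countermeasure is a kernel framework in which each device driver checks the integrity of the hardware state it owns. The block below is an added illustration of that idea, written for this post; it is not the authors' framework and not code from the paper. It runs in user space with simulated device registers (the register names, values and the tamper scenario are constructed here): drivers register a snapshot callback at a trusted point, the framework digests each snapshot into a baseline, and a later audit reports any device whose state no longer matches.

```c
/* Added example (not the paper's code): a minimal hardware-state integrity
 * framework. Drivers register a snapshot function for the registers they own;
 * the framework records a baseline digest and later audits for drift. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_CHECKERS 8
#define MAX_SNAPSHOT 64

/* A driver copies the hardware state it is responsible for into buf and
 * returns the number of bytes written. */
typedef size_t (*snapshot_fn)(uint8_t *buf, size_t cap);

struct hw_checker {
    const char *name;
    snapshot_fn snapshot;
    uint64_t baseline;   /* digest of the trusted snapshot */
};

static struct hw_checker checkers[MAX_CHECKERS];
static int n_checkers;

/* FNV-1a 64-bit: a dependency-free digest, adequate for an illustration.
 * A deployed framework would use a keyed MAC so the baseline cannot be
 * recomputed by whatever it is meant to detect. */
static uint64_t fnv1a(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t hash_snapshot(const struct hw_checker *c) {
    uint8_t buf[MAX_SNAPSHOT];
    size_t n = c->snapshot(buf, sizeof buf);
    return fnv1a(buf, n);
}

/* Called by a driver at probe time, while the hardware state is trusted.
 * Returns the checker's index, or -1 if the table is full. */
int hw_integrity_register(const char *name, snapshot_fn fn) {
    if (n_checkers >= MAX_CHECKERS) return -1;
    checkers[n_checkers].name = name;
    checkers[n_checkers].snapshot = fn;
    checkers[n_checkers].baseline = hash_snapshot(&checkers[n_checkers]);
    return n_checkers++;
}

/* Periodic audit: returns the number of devices whose current state differs
 * from the baseline and names each one. This is the detection signal. */
int hw_integrity_audit(void) {
    int mismatches = 0;
    for (int i = 0; i < n_checkers; i++) {
        if (hash_snapshot(&checkers[i]) != checkers[i].baseline) {
            printf("hardware state changed: %s\n", checkers[i].name);
            mismatches++;
        }
    }
    return mismatches;
}

/* Constructed stand-ins for two devices' registers. In a real driver these
 * would be read from memory-mapped I/O, not from globals. */
uint32_t sim_intc_enable = 0x0000000Fu;       /* interrupt enable mask */
uint32_t sim_timer_ctrl[4] = {1, 0, 0, 0};     /* timer control block   */

static size_t snapshot_intc(uint8_t *buf, size_t cap) {
    (void)cap;
    memcpy(buf, &sim_intc_enable, sizeof sim_intc_enable);
    return sizeof sim_intc_enable;
}
static size_t snapshot_timer(uint8_t *buf, size_t cap) {
    (void)cap;
    memcpy(buf, sim_timer_ctrl, sizeof sim_timer_ctrl);
    return sizeof sim_timer_ctrl;
}

/* Scenario: register both drivers, audit (expect 0 mismatches), change one
 * simulated register, audit again (expect 1). Returns the second count, or
 * -1 if the first audit was not clean. */
int run_demo(void) {
    n_checkers = 0;
    sim_intc_enable = 0x0000000Fu;
    memset(sim_timer_ctrl, 0, sizeof sim_timer_ctrl);
    sim_timer_ctrl[0] = 1;
    hw_integrity_register("interrupt-controller", snapshot_intc);
    hw_integrity_register("timer", snapshot_timer);
    int clean = hw_integrity_audit();
    sim_intc_enable |= 0x80000000u;   /* simulated unexpected change */
    int dirty = hw_integrity_audit();
    return clean == 0 ? dirty : -1;
}
```

The design point worth noting is that the framework itself holds no knowledge of any device; each driver decides which registers matter and how to read them, which is what lets the check cover state the OS never otherwise inspects. The digest is deliberately simple here; what makes the scheme useful is that the baseline is taken before untrusted code can run and that the snapshot reads the hardware directly rather than a cached copy.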