
Faculty Lecture Series:
K-Queue Driven Transient Kernel Control Flow Attacks and Defense

Speaker: Dr. Jinpeng Wei
When: Friday, September 4th, 2009
Time: 2:00pm
Where: ECS 243

Abstract:
Kernel queue (K-Queue for short) enables a new hiding technique that can be used by the attacker to maintain stealthy control of the victim operating system after a successful break-in. K-Queue-driven attacks can achieve continual malicious function execution without persistently changing either kernel code or data (from the "gold" distribution), which prevents state-of-the-art kernel integrity monitors such as CFI and SBCFI from detecting them.

We have studied a concrete instance of K-Queue-driven attacks that use the soft timer mechanism found in nearly all full-featured operating systems. We demonstrate that an attacker can use soft timer interrupt requests (STIRs) to perform powerful attacks, including key logging and denial of service. To defend against soft-timer-driven kernel control flow attacks, we propose and implement an approach based on an automated static analysis of the entire kernel that identifies and catalogs all legitimate STIRs in a database. At runtime, a reference monitor in a trusted virtual machine compares each pending STIR with STIRs in the database, allowing the execution of only known good STIRs. Our defensive technique effectively mitigates soft-timer-driven attacks at a low cost (less than 7% for each of our benchmarks).

Based on the STIR work, we design and implement a solution to the general class of K-Queue-driven attacks, which can exploit IRQ action queues, tasklet queues, soft timer queues, and work queues. Our first contribution is a unified framework and a set of tools that generate specifications of K-Queue summary signatures and the corresponding checking code in an automated way. We also design and implement a unified runtime reference monitor based on virtualization that validates K-Queue invariants and guards those invariants against tampering. Finally, we perform a comprehensive experimental evaluation of the scalability of our static analysis framework and tool set, which shows that different K-Queue analyzers have significant overlap that can be exploited for better efficiency; and we carry out an evaluation of the complexity and runtime overhead of our K-Queue Checker, which suggests ways for further optimization.
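The two paragraphs above describe the same defensive pattern twice: static analysis of the unmodified ("gold") kernel produces a database of legitimate queue entries (first for soft timers, then for all four K-Queue kinds), and a runtime reference monitor in a trusted VM walks each pending queue and allows only entries that match a known-good signature. The following C program is an added illustration of that checking step, written for this page; it is not the speaker's K-Queue Checker or any code from the talk. The queue layout, the address ranges, the signature database, and the sample queue snapshot are all constructed values chosen for the example, and the three rejection reasons (callback outside kernel text, callback never enqueued by the gold kernel, argument violating the entry's invariant) are a simplification of what a summary signature would encode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The four kernel queue kinds named in the abstract. */
typedef enum { KQ_IRQ_ACTION = 0, KQ_TASKLET, KQ_SOFT_TIMER, KQ_WORK } kq_kind_t;

/* A pending queue entry as a reference monitor would read it from guest memory:
 * the queue it sits on, the callback the kernel will invoke when the entry fires,
 * and the argument handed to that callback. Addresses are constructed samples. */
typedef struct {
    kq_kind_t kind;
    uintptr_t function;
    uintptr_t data;
} kq_entry_t;

/* Argument invariant attached to a signature (hypothetical, simplified). */
typedef enum { ARG_ANY = 0, ARG_IN_KERNEL_DATA, ARG_NULL } kq_arg_rule_t;

/* One summary signature: a (queue kind, callback) pair that static analysis of the
 * gold kernel found to be legitimately enqueued, plus an invariant on its argument. */
typedef struct {
    kq_kind_t     kind;
    uintptr_t     function;
    kq_arg_rule_t arg_rule;
} kq_signature_t;

/* Constructed address layout of the monitored kernel (not a real kernel's map). */
#define KTEXT_START 0xC0100000u
#define KTEXT_END   0xC0400000u
#define KDATA_START 0xC0400000u
#define KDATA_END   0xC0800000u

/* Constructed signature database standing in for the static analysis output. */
static const kq_signature_t SIG_DB[] = {
    { KQ_SOFT_TIMER, 0xC0123450u, ARG_IN_KERNEL_DATA }, /* e.g. a protocol retransmit timer */
    { KQ_SOFT_TIMER, 0xC0127890u, ARG_NULL },           /* e.g. a periodic housekeeping timer */
    { KQ_TASKLET,    0xC0200010u, ARG_IN_KERNEL_DATA },
    { KQ_WORK,       0xC0300200u, ARG_ANY },
    { KQ_IRQ_ACTION, 0xC0150000u, ARG_ANY },
};
#define SIG_DB_LEN (sizeof SIG_DB / sizeof SIG_DB[0])

/* Verdicts, so a caller or a log line can state why an entry was rejected. */
typedef enum {
    KQ_OK = 0,
    KQ_BAD_TEXT_PTR,     /* callback outside kernel text: not gold-kernel code */
    KQ_UNKNOWN_CALLBACK, /* callback is kernel text, but never enqueued on this queue kind */
    KQ_BAD_ARG           /* known callback, but its argument violates the invariant */
} kq_verdict_t;

static int in_range(uintptr_t p, uintptr_t lo, uintptr_t hi) { return p >= lo && p < hi; }

static int arg_ok(kq_arg_rule_t rule, uintptr_t data) {
    switch (rule) {
    case ARG_ANY:            return 1;
    case ARG_NULL:           return data == 0;
    case ARG_IN_KERNEL_DATA: return in_range(data, KDATA_START, KDATA_END);
    }
    return 0;
}

/* Validate one pending entry against the signature database. */
kq_verdict_t kq_check_entry(const kq_entry_t *e) {
    size_t i;
    /* Invariant independent of the database: a callback must point into kernel text. */
    if (!in_range(e->function, KTEXT_START, KTEXT_END))
        return KQ_BAD_TEXT_PTR;
    for (i = 0; i < SIG_DB_LEN; i++)
        if (SIG_DB[i].kind == e->kind && SIG_DB[i].function == e->function)
            return arg_ok(SIG_DB[i].arg_rule, e->data) ? KQ_OK : KQ_BAD_ARG;
    return KQ_UNKNOWN_CALLBACK;
}

/* Walk a snapshot of a queue; return how many entries fail and record the index
 * of the first failing entry in *first_bad (left untouched if none fail). */
size_t kq_check_queue(const kq_entry_t *q, size_t n, size_t *first_bad) {
    size_t i, bad = 0;
    for (i = 0; i < n; i++) {
        if (kq_check_entry(&q[i]) != KQ_OK) {
            if (bad == 0 && first_bad) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Constructed queue snapshot: two good timers, a callback outside kernel text,
 * an IRQ handler sitting on the timer queue, a good callback with a bad argument,
 * and a good work item. */
static const kq_entry_t KQ_SAMPLE_QUEUE[] = {
    { KQ_SOFT_TIMER, 0xC0123450u, 0xC0500000u },
    { KQ_SOFT_TIMER, 0xC0127890u, 0 },
    { KQ_SOFT_TIMER, 0xD0000000u, 0 },
    { KQ_SOFT_TIMER, 0xC0150000u, 0 },
    { KQ_SOFT_TIMER, 0xC0123450u, 0x00010000u },
    { KQ_WORK,       0xC0300200u, 0 },
};
#define KQ_SAMPLE_LEN (sizeof KQ_SAMPLE_QUEUE / sizeof KQ_SAMPLE_QUEUE[0])

int main(void) {
    size_t first = 0, i;
    size_t bad = kq_check_queue(KQ_SAMPLE_QUEUE, KQ_SAMPLE_LEN, &first);
    printf("%zu of %zu pending entries rejected (first at index %zu)\n", bad, KQ_SAMPLE_LEN, first);
    for (i = 0; i < KQ_SAMPLE_LEN; i++)
        printf("entry %zu: kind=%d fn=0x%lx verdict=%d\n", i, KQ_SAMPLE_QUEUE[i].kind,
               (unsigned long)KQ_SAMPLE_QUEUE[i].function, kq_check_entry(&KQ_SAMPLE_QUEUE[i]));
    return 0;
}
```

Two design points carry over from the abstract. The text-range check is an invariant the monitor can enforce with no database at all, while the (kind, callback) lookup is what the signature database adds: the same function address is accepted on one queue and rejected on another, which is the per-queue precision the talk's unified framework is meant to generate automatically. In a real deployment the monitor reads the queue from the monitored VM's memory rather than from a static array, and the signature database is produced by the static analysis rather than hand-written.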

Biography:
Jinpeng Wei is an assistant professor at the School of Information and Computing Sciences and a recent graduate of the Georgia Institute of Technology. His current research interests include malware detection, run-time integrity of systems software, security in emerging computing systems, and software vulnerability modeling, detection, risk assessment, and prevention. Jinpeng has published in good systems and security conferences and journals, has co-authored two books, has received two best paper awards, and is a named inventor on a filed regular patent.


© 2009 School of Computing and Information Sciences @ FIU