
When Side Channel Becomes Good: Kernel Malware Attack Investigation

  • Conference paper
  • Artificial Intelligence and Security (ICAIS 2019)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11633)

Abstract

Security and privacy concerns remain one of the main factors hindering the adoption of cloud computing. In recent years, many researchers have presented cache side-channel attacks that extract keys from cryptographic implementations (e.g., AES, RSA), bypass ASLR, and so on. The cache side channel has therefore been regarded as an attacker's tool for conducting harmful activities on victim systems. From a defender's perspective, however, the same channel can be used to gather valuable information. This paper employs the cache side channel to gain deep insight into the behaviors that kernel malware may exhibit. Specifically, we propose a novel approach to kernel malware attack investigation based on the Flush+Reload cache side channel. We have built a proof-of-concept prototype and designed several case studies to conduct extensive experiments. The evaluation results show that our system correctly identifies the behaviors that kernel malware performs.
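The abstract names Flush+Reload as the primitive behind the investigation but does not show it. The following is an added example, not the paper's code or prototype: it implements the Flush+Reload probe (calibrate a hit/miss threshold, then repeatedly reload and flush a set of monitored cache lines) and decodes the resulting per-round hit pattern into an ordered event trace, which is the raw material a behavior investigation works from. The kernel symbol names (`init_module`, `sys_call_table`, `proc_readdir`), the four-round hit pattern, and the `probe_site` structure are constructed for illustration; on a real system each monitored address must be the monitor's own mapping of a line it shares with the kernel, which this example does not set up. The timing path uses x86 `rdtscp`/`clflush` and is compiled out on other targets.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__)
#include <x86intrin.h>
#define FR_HAVE_X86 1
#else
#define FR_HAVE_X86 0
#endif

/* One monitored cache line: a kernel symbol (name chosen for illustration)
 * and the monitor's own address for that line. */
typedef struct { const char *name; const void *addr; } probe_site;

/* Time one reload of addr in cycles; fences keep the load between the two
 * timestamps. Returns 0 on non-x86 builds, where the probe is unavailable. */
static uint64_t reload_cycles(const void *addr)
{
#if FR_HAVE_X86
    unsigned int aux;
    _mm_mfence();
    uint64_t t0 = __rdtscp(&aux);
    (void)*(volatile const uint8_t *)addr;
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    return t1 - t0;
#else
    (void)addr; return 0;
#endif
}

/* Evict the line from every cache level so the next access by anyone misses. */
static void flush_line(const void *addr)
{
#if FR_HAVE_X86
    _mm_clflush(addr); _mm_mfence();
#else
    (void)addr;
#endif
}

/* A reload faster than the threshold means someone touched the line since
 * we flushed it. */
static int is_hit(uint64_t cycles, uint64_t threshold) { return cycles < threshold; }

static void sort_u64(uint64_t *v, size_t n)
{
    for (size_t i = 1; i < n; i++)
        for (size_t j = i; j > 0 && v[j - 1] > v[j]; j--) {
            uint64_t t = v[j]; v[j] = v[j - 1]; v[j - 1] = t;
        }
}

/* Calibrate on a private line: median cached reload vs. median reload after
 * clflush, threshold at the midpoint. Medians resist interrupt outliers. */
static uint64_t calibrate_threshold(void)
{
    static _Alignas(64) uint8_t line[64];
    enum { N = 101 };
    uint64_t hit[N], miss[N];
    for (size_t i = 0; i < N; i++) {
        (void)*(volatile uint8_t *)line;      /* bring the line into cache */
        hit[i] = reload_cycles(line);
        flush_line(line);
        miss[i] = reload_cycles(line);
    }
    sort_u64(hit, N); sort_u64(miss, N);
    return (hit[N / 2] + miss[N / 2]) / 2;
}

/* One Flush+Reload round: reload and classify every site, then flush it again
 * so the next round starts clean. Bit i of the result is set if site i hit. */
static unsigned probe_round(const probe_site *sites, size_t n, uint64_t threshold)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_hit(reload_cycles(sites[i].addr), threshold)) mask |= 1u << i;
        flush_line(sites[i].addr);
    }
    return mask;
}

/* Turn per-round hit masks into a readable event trace "a -> b -> c" and
 * return the number of events; output is truncated safely at out_cap. */
static size_t decode_trace(const unsigned *masks, size_t rounds,
                           const probe_site *sites, size_t n_sites,
                           char *out, size_t out_cap)
{
    size_t events = 0, len = 0;
    out[0] = '\0';
    for (size_t r = 0; r < rounds; r++)
        for (size_t i = 0; i < n_sites; i++)
            if (masks[r] & (1u << i)) {
                int w = snprintf(out + len, out_cap - len, "%s%s",
                                 events ? " -> " : "", sites[i].name);
                if (w < 0) return events;
                len += (size_t)w;
                if (len >= out_cap) len = out_cap - 1;
                events++;
            }
    return events;
}

/* Constructed demo data: three kernel symbols a rootkit commonly touches and
 * a hit pattern of the kind a monitor would record over four rounds. */
static _Alignas(64) uint8_t demo_lines[3][64];
static const probe_site demo_sites[3] = {
    { "init_module", demo_lines[0] }, { "sys_call_table", demo_lines[1] },
    { "proc_readdir", demo_lines[2] },
};
static const unsigned demo_masks[4] = { 1u << 0, 0, 1u << 1, (1u << 1) | (1u << 2) };

int main(void)
{
    uint64_t thr = calibrate_threshold();
    printf("hit/miss threshold: %llu cycles\n", (unsigned long long)thr);
    printf("live round mask: 0x%x\n", probe_round(demo_sites, 3, thr));
    char trace[256];
    size_t n = decode_trace(demo_masks, 4, demo_sites, 3, trace, sizeof trace);
    printf("%zu events: %s\n", n, trace);
    return 0;
}
```

Run it as an unprivileged user on x86-64; the live round over `demo_lines` reports no hits because nobody else touches those private lines, which is the expected baseline before a shared mapping with the kernel is substituted. The threshold must be recalibrated on each machine and whenever frequency scaling changes, since the cycle counts from `rdtscp` are not portable.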



Acknowledgement

We would like to thank the anonymous reviewers for their insightful comments that greatly helped to improve this paper. Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of these agencies.

Author information

Corresponding author: Chonghua Wang.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Yin, L., Wang, C., Li, J., Yin, R., Jiao, Y., Jiang, H. (2019). When Side Channel Becomes Good: Kernel Malware Attack Investigation. In: Sun, X., Pan, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2019. Lecture Notes in Computer Science, vol 11633. Springer, Cham. https://doi.org/10.1007/978-3-030-24265-7_49

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-24265-7_49


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-24264-0

  • Online ISBN: 978-3-030-24265-7
