research-article

A chipset level network backdoor: bypassing host-based firewall & IDS

Authors:

Sherri Sparks,

Shawn Embleton,

Cliff C. ZouAuthors Info & Claims

ASIACCS '09: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security

Pages 125 - 134

https://doi.org/10.1145/1533057.1533076

Published: 10 March 2009 Publication History

Get Access

Abstract

Chipsets refer to a set of specialized chips on a computer's motherboard or an expansion card [12]. In this paper we present a proof of concept chipset level rootkit/network backdoor. It interacts directly with network interface card hardware based on a widely deployed Intel chipset 8255x, and we tested it successfully on two different Ethernet cards with this chipset. The network backdoor has the ability to both covertly send out packets and receive packets, without the need to disable security software installed in the compromised host in order to hide its presence. Because of its low-level position in a computer system, the backdoor is capable of bypassing virtually all commodity firewall and host-based intrusion detection software, including popular, widely deployed applications like Snort and Zone Alarm Security Suite. Such network backdoors, while complicated and hardware specific, are likely to become serious threats in high profile attacks like corporate espionage or cyber terrorist attacks.

References

[1]

Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual Volume 3B: System Programming Guide, Part 2. May 2007.

Google Scholar

[2]

Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual Volume 3A: System Programming Guide, Part 1. May 2007.

Google Scholar

[3]

Intel Corporation. Intel 8255x 10/100 Mbps Ethernet Controller Family: Open Source Software Developer Manual, January 2006.

Google Scholar

[4]

R. Bejtlich. Extrusion Detection: Security Monitoring for Internal Intrusions. AddisonWesley, first edition, 2006.

Digital Library

Google Scholar

[5]

Joanna Rutkowska. "Rootkits vs. Stealth by Design Malware", Presented at Black Hat, Europe 2006.

Google Scholar

[6]

Alexander Tereshkin. "Rootkits: Attacking Personal Firewalls", Presented at Black Hat USA, 2006.

Google Scholar

[7]

Windows XP Firewall. http://www.microsoft.com/windowsxp/using/networking/sec urity/winfirewall.mspx

Google Scholar

[8]

Zone Alarm. http://www.zonealarm.com/store/content/home.jsp

Google Scholar

[9]

Snort. http://www.snort.org/

Google Scholar

[10]

AOL/NCSA Online Safety Study. Conducted by America Online and the National Cyber Security Alliance. Dec. 2005.

Google Scholar

[11]

Microsoft Corporation. Windows XP Firewall.

Google Scholar

[12]

Chipset. http://en.wikipedia.org/wiki/Chipset

Google Scholar

[13]

Gramm-Leach Bliley Act. http://www.ftc.gov/privacy/privacyinitiatives/glbact.html

Google Scholar

[14]

Payment Card Industry Data Security Standard. https://www.pcisecuritystandards.org/

Google Scholar

[15]

J. Bulter and G. Hoglund. "Rootkits: Subverting the Windows Kernel." Addison Wesley. 2005.

Digital Library

Google Scholar

[16]

W. Cui, R. H. Katz, and W. Tan. BINDER: An Extrusion-based Break-In Detector for Personal Computers. In 2005 USENIX Annual Technical Conference. 2005.

Digital Library

Google Scholar

[17]

Salvador Mandujano. "Identifying Attack Code through an Ontology-Based Multiagent Tool: FROID." In Proceedings of the World Academy of Science, Engineering, and Technology, June 2005.

Google Scholar

[18]

F. Bellifemine, A. Poggi, and G. Rimassa. "JADE --- A FIPA-compliant agent framework." In Proceedings of Practical Applications of Intelligent Agents, 1999.

Google Scholar

[19]

K. Borders and A. Prakash. "Web Tap: Detecting Covert Web Traffic". In ACM Conference on Commputer and Communications Security. 2004.

Digital Library

Google Scholar

[20]

Y. Zhang and V. Paxson. "Detecting Backdoors". In Proceedings of the 9th USENIX Security Symposium. August, 2000.

Digital Library

Google Scholar

[21]

NDIS. http://en.wikipedia.org/wiki/Network_Driver_Interface_Specification

Google Scholar

[22]

Network Packet Generator. http://www.wikistc.org/wiki/Network_packet_generator

Google Scholar

[23]

Greg Hoglund. "A *REAL* NT Rootkit, patching the NT Kernel". In Phrack Vol. 9, Issue 55. 1999.

Google Scholar

[24]

J. Heasman. Implementing and Detecting an ACPI BIOS Rootkit. Presented at Black Hat Federal, 2006.

Google Scholar

[25]

x86 virtualization. http://en.wikipedia.org/wiki/X86_virtualization

Google Scholar

[26]

Intel® Virtualization Technology for Directed I/O. http://www.intel.com/technology/itj/2006/v10i3/2-io/7-conclusion.htm

Google Scholar

[27]

Extrusion detection. http://en.wikipedia.org/wiki/Extrusion_detection

Google Scholar

[28]

D. Whyte, P. Oorschot, E. Kranakis. Exposure Maps: Removing Reliance on Attribution during Scanning Detection. USENIX HotSec 2006.

Digital Library

Google Scholar

[29]

VMware VMsafe Security Technology. http://www.vmware.com/technology/security/vmsafe.html

Google Scholar

[30]

XenAccess Library. http://code.google.com/p/xenaccess/

Google Scholar

Cited By

View all

KWON OKWON HYOON H(2019)Rootkit inside GPU Kernel ExecutionIEICE Transactions on Information and Systems10.1587/transinf.2019EDL8104E102.D:11(2261-2264)Online publication date: 1-Nov-2019
https://doi.org/10.1587/transinf.2019EDL8104
Yoon J(2019)Using a Deep-Learning Approach for Smart IoT Network Packet Analysis2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW.2019.00039(291-299)Online publication date: Jun-2019
https://doi.org/10.1109/EuroSPW.2019.00039
Balzarotti DDi Pietro RVillani A(2018)The impact of GPU-assisted malware on memory forensicsDigital Investigation: The International Journal of Digital Forensics & Incident Response10.1016/j.diin.2015.05.01014:S1(S16-S24)Online publication date: 20-Dec-2018
https://dl.acm.org/doi/10.1016/j.diin.2015.05.010
Show More Cited By

Index Terms

A chipset level network backdoor: bypassing host-based firewall & IDS
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

Cloaker: Hardware Supported Rootkit Concealment
SP '08: Proceedings of the 2008 IEEE Symposium on Security and Privacy

Rootkits are used by malicious attackers who desire to run software on a compromised machine without being detected. They have become stealthier over the years as a consequence of the ongoing struggle between attackers and system defenders. In order to ...
Rootkits and Their Effects on Information Security

A rootkit is cloaked software that infiltrates an operating system or a database with the intention to escape detection, resist removal, and perform a specific operation. Many rootkits are designed to invade the "root," or kernel, of the program, and ...
Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection

Existing techniques to detect kernel-level rootkits expose some infections, but they don't identify specific attacks. This rootkit categorization approach helps system administrators identify the extent of specific infections, aiding in optimal recovery ...

Reviews

Reviewer: A. Squassabia

The cost of ignoring a theoretical flaw of host-based firewall solutions such as Zone Alarm or the popular Windows XP firewall is confirmed in practice in this paper. There is an unsolved ambiguity at the root of the design of these security artifacts-Is the operating system (OS) protecting the firewall, or is the firewall protecting the operating system__?__ The theoretically correct answer is an enthusiastic, "Both!" That, unfortunately, is easier said than done-one or the other will have primacy, and its integrity will be assumed by necessity. This paper describes what happens when the assumption of integrity of the OS is taken for granted and shows, with a successful proof-of-concept implementation, that a malicious network device driver can become a backdoor undetectable to host-based firewalls. The paper neglects one aspect. While the backdoor, as designed, works very well under the debugger, the paper never addresses how it could do something maliciously useful. For instance, one may argue that a second architectural component is needed to gather data of interest that the device driver backdoor may then export to the outside, undetected. How the data gatherer would push the harvested information to the device driver is not addressed. Communication is normally mediated by the OS, but such mediation is undesirable, and in fact impossible, as designed; yet, alternate routes are not clearly identified. Another omission is the installation modality of the malicious device driver; it is considered out of scope, which is acceptable. Installation, however, is likely to require privileged console access. This reinforces the truth that computer security is an articulated process with many components. Placing too much trust in a host-based firewall as a silver bullet is unwise, as there are no silver bullets. Online Computing Reviews Service

Access critical reviews of Computing literature here

Become a reviewer for Computing Reviews.

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ASIACCS '09: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security

March 2009

408 pages

ISBN:9781605583945

DOI:10.1145/1533057

General Chairs:
Wanqing Li
University of Wollongong, Australia
,
Willy Susilo
University of Wollongong, Australia
,
Udaya Tupakula
Macquarie University, Australia
,
Program Chairs:
Rei Safavi-Naini
University of Calgary, Canada
,
Vijay Varadharajan
Macquarie University, Australia

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 March 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Division of Computer and Network Systems

Conference

Asia CCS 09

Sponsor:

SIGSAC

Asia CCS 09: Asia CCS 2009 ACM Symposium on Information, Computer and Communications Security

March 10 - 12, 2009

Sydney, Australia

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
810
Total Downloads

Downloads (Last 12 months)12
Downloads (Last 6 weeks)0

Reflects downloads up to 06 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

KWON OKWON HYOON H(2019)Rootkit inside GPU Kernel ExecutionIEICE Transactions on Information and Systems10.1587/transinf.2019EDL8104E102.D:11(2261-2264)Online publication date: 1-Nov-2019
https://doi.org/10.1587/transinf.2019EDL8104
Yoon J(2019)Using a Deep-Learning Approach for Smart IoT Network Packet Analysis2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW.2019.00039(291-299)Online publication date: Jun-2019
https://doi.org/10.1109/EuroSPW.2019.00039
Balzarotti DDi Pietro RVillani A(2018)The impact of GPU-assisted malware on memory forensicsDigital Investigation: The International Journal of Digital Forensics & Incident Response10.1016/j.diin.2015.05.01014:S1(S16-S24)Online publication date: 20-Dec-2018
https://dl.acm.org/doi/10.1016/j.diin.2015.05.010
Xu LXu KShen MRen KFan JGuan CChen WLui JWang XWolf ALiu YHu C(2017)MINOSProceedings of the ACM Turing 50th Celebration Conference - China10.1145/3063955.3063996(1-10)Online publication date: 12-May-2017
https://dl.acm.org/doi/10.1145/3063955.3063996
Abbasi AHashemi MZambon EEtalle S(2017)Stealth Low-Level Manipulation of Programmable Logic Controllers I/O by Pin Control ExploitationCritical Information Infrastructures Security10.1007/978-3-319-71368-7_1(1-12)Online publication date: 22-Nov-2017
https://doi.org/10.1007/978-3-319-71368-7_1
Song WChoi HKim JKim EKim YKim J(2016)PIkitProceedings of the 25th USENIX Conference on Security Symposium10.5555/3241094.3241098(37-51)Online publication date: 10-Aug-2016
https://dl.acm.org/doi/10.5555/3241094.3241098
Schiffman JKaplan D(2014)The SMM Rootkit RevisitedProceedings of the 2014 Ninth International Conference on Availability, Reliability and Security10.1109/ARES.2014.44(279-286)Online publication date: 8-Sep-2014
https://dl.acm.org/doi/10.1109/ARES.2014.44
Zaddach JKurmus ABalzarotti DBlass EFrancillon AGoodspeed TGupta MKoltsidas IPayne C(2013)Implementation and implications of a stealth hard-drive backdoorProceedings of the 29th Annual Computer Security Applications Conference10.1145/2523649.2523661(279-288)Online publication date: 9-Dec-2013
https://dl.acm.org/doi/10.1145/2523649.2523661
Schuster FHolz TSadeghi AGligor VYung M(2013)Towards reducing the attack surface of software backdoorsProceedings of the 2013 ACM SIGSAC conference on Computer & communications security10.1145/2508859.2516716(851-862)Online publication date: 4-Nov-2013
https://dl.acm.org/doi/10.1145/2508859.2516716
Corregedor MVon Solms S(2011)Implementing rootkits to address operating system vulnerabilities2011 Information Security for South Africa10.1109/ISSA.2011.6027521(1-8)Online publication date: Aug-2011
https://doi.org/10.1109/ISSA.2011.6027521

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Cloaker: Hardware Supported Rootkit Concealment

Rootkits and Their Effects on Information Security

Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection

Reviews

Access critical reviews of Computing literature here