Flying under the Radar: Maintaining Control of Kernel without Changing Kernel Code or Persistent Data Structures

Title: Flying under the Radar: Maintaining Control of Kernel without Changing Kernel Code or Persistent Data Structures
Publication Type: Conference Paper
Year of Publication: 2011
Authors: Jinpeng Wei, Calton Pu, Keke Chen
Abstract

Cyber-spies rely on technologies such as rootkits to maintain stealthy control of the victim kernel. Current techniques can detect changes to kernel code (e.g., SecVisor) and data (e.g., SBCFI), but have difficulties with transient kernel control flow attacks that insert execution requests into interrupt or kernel work queues (K-queues) without changing kernel code or data. Two examples implemented using Linux tasklets illustrate the effectiveness of K-queue attacks: a key logger and a CPU cycle stealer. Possible defenses to protect the kernel against K-queue attacks are outlined.