Cloaker: Hardware Supported Rootkit Concealment

This article is presented by:
Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, Roy H. Campbell
Department of Computer Science
University of Illinois at Urbana-Champaign
201 N Goodwin Ave, Urbana



Abstract
Rootkits are used by malicious attackers who desire to run software on a compromised machine without being detected. They have become stealthier over the years as a consequence of the ongoing struggle between attackers and system defenders. In order to explore the next step in rootkit evolution and to build strong defenses, we look at this issue from the point of view of an attacker. We construct Cloaker, a proof-of-concept rootkit for the ARM platform that is non-persistent and only relies on hardware state modifications for concealment and operation. A primary goal in the design of Cloaker is to not alter any part of the host operating system (OS) code or data, thereby achieving immunity to all existing rootkit detection techniques which perform integrity, behavior and signature checks of the host OS. Cloaker also demonstrates that a self-contained execution environment for malicious code can be provided without relying on the host OS for any services. Integrity checks of hardware state in each of the machine’s devices are required in order to detect rootkits such as Cloaker. We present a framework for the Linux kernel that incorporates integrity checks of hardware state performed by device drivers in order to counter the threat posed by rootkits such as Cloaker.
Introduction
In order to surreptitiously control a compromised computer, an intruder typically installs software that tries to conceal malicious code. This software is commonly referred to as a rootkit. A rootkit hides itself and some malicious payload from the operating system, users and intrusion detection tools. The techniques utilized by rootkits to avoid detection have evolved over the years. Older rootkits modified system files and were easily detected by tools that checked for file integrity or rootkit signatures. To avoid being detected by such tools, rootkit designers resorted to more complex techniques such as modifying boot sectors and manipulating the in-memory image of the kernel. These rootkits are susceptible to detection by tools that check kernel code and data for alteration. Rootkits that modify the system BIOS or device firmware can also be detected by integrity checking tools.

More recently, virtualization technology has been studied as yet another means to conceal rootkits. These rootkits remain hidden by running the host OS in a virtual machine environment. To counter the threat from these Virtual Machine Based Rootkits (VMBRs), researchers have detailed approaches to detect if code is executing inside a virtual machine.

Is this the end of the line for rootkit evolution? We believe that other hardware features can still be exploited to conceal rootkits. For example, Shadow Walker exploits the existence of separate instruction and data address translation buffers to hide itself. While Shadow Walker exhibits some weaknesses that allow it to be detected by existing approaches, we aim to show that it is possible to construct a rootkit that exploits changes to hardware state for more effective concealment. Studying the construction of such a rootkit fuels the proactive design and deployment of new countermeasures. Similar approaches have been used in the past by other researchers.

For more information about this article, please follow the link:
http://srgsec.cs.illinois.edu/cloaker.pdf