CT-ISG: Advanced Techniques to Detect Kernel-Level Rootkits

CT-ISG：检测内核级 Rootkit 的先进技术

• 批准号: 0831268
• 负责人: Vinod Ganapathy
• 金额: $ 40万
• 依托单位: Rutgers University New Brunswick
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-09-01 至 2012-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0831268&HistoricalAwards=false
• 关键词: CT; ISG; Advanced; Techniques; Detect

The integrity of commodity operating system kernels is threatened by rootkitsthat modify key kernel data structures to achieve a variety of malicious goals.While rootkits have historically been known to affect control data in thekernel, recent work demonstrates rootkits that affect system security bymodifying non-control data, such as linked lists used to manage bookkeepinginformation and metadata used for memory management. Existing techniques failto detect such rootkits effectively.This project is developing techniques to provide real-time protection againstrootkits by detecting anomalies in both control and non-control kernel databehavior using automatically-generated integrity specifications. This goal isbeing achieved in two steps. First, a technique to mine specifications ofkernel data structure integrity is being developed. These specifications are bemined automatically as data structure invariants. Second, these techniques arebeing extended using operating system support to provide real-time detection.Impacts and Results: The techniques developed in this project will defendagainst the next generation of rootkits, and will enable real-time detection ofsuch rootkits. In addition, techniques to infer kernel invariants may also find applications in operating system reliability, fault tolerance andsoftware engineering. The PIs will disseminate the results by releasing the tools developed. The results of this project will equip the workforce with aninter-disciplinary toolkit, that combines operating systems, computer security,and software engineering, to address the challenges posed by the nextgeneration of stealth malware.

商用操作系统内核的完整性受到 Rootkit 的威胁，Rootkit 会修改关键内核数据结构以实现各种恶意目标。虽然 Rootkit 历史上已知会影响内核中的控制数据，但最近的研究表明 Rootkit 通过修改非控制数据（例如用于管理簿记信息的链表和用于内存管理的元数据）来影响系统安全。现有技术无法有效检测此类 Rootkit。该项目正在开发技术，通过使用自动生成的完整性规范检测控制和非控制内核数据行为中的异常，提供针对 Rootkit 的实时保护。这一目标分两步实现。 首先，正在开发一种挖掘内核数据结构完整性规范的技术。这些规范被自动挖掘为数据结构不变量。 其次，这些技术正在使用操作系统支持进行扩展，以提供实时检测。影响和结果：该项目中开发的技术将防御下一代 Rootkit，并将实现对此类 Rootkit 的实时检测。 此外，推断内核不变量的技术也可以在操作系统可靠性、容错和软件工程中找到应用。 PI 将通过发布开发的工具来传播结果。 该项目的成果将为员工配备一个跨学科的工具包，该工具包结合了操作系统、计算机安全和软件工程，以应对下一代隐形恶意软件带来的挑战。