Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers

Research Article

Kernel Data Attack Is a Realistic Security Threat

  • @INPROCEEDINGS{10.1007/978-3-319-28865-9_8,
        author={Jidong Xiao and Hai Huang and Haining Wang},
        title={Kernel Data Attack Is a Realistic Security Threat},
        proceedings={Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2016},
        month={2},
        keywords={},
        doi={10.1007/978-3-319-28865-9_8}
    }
    
  • Jidong Xiao
    Hai Huang
    Haining Wang
    Year: 2016
    Kernel Data Attack Is a Realistic Security Threat
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-28865-9_8
Jidong Xiao (1, *), Hai Huang (2), Haining Wang (3)
  • 1: College of William and Mary
  • 2: IBM T.J. Watson Research Center
  • 3: University of Delaware
*Contact email: jxiao@email.wm.edu

Abstract

By altering in-memory kernel data, attackers are able to manipulate the runtime behavior of an operating system without injecting any malicious code. This type of attack is called a kernel data attack. Intuitively, the security impact of such an attack seems minor, and thus it has not yet drawn much attention from the security community. In this paper, we thoroughly investigate kernel data attacks, showing that their damage can be as serious as that of kernel rootkits, and then propose countermeasures. More specifically, we first demonstrate that, by tampering with kernel data, attackers can stealthily subvert various kernel security mechanisms. Then, we further develop a new keylogger called DLOGGER, which is more stealthy than existing keyloggers. Instead of injecting any malicious code, it only alters kernel data and leverages existing benign kernel code to build a covert channel, through which attackers can steal sensitive information. Therefore, existing defense mechanisms, including those deployed at the hypervisor level that search for hidden processes or hidden modules, or that monitor kernel code integrity, are unable to detect DLOGGER. To counter kernel data attacks, we propose a defense mechanism that classifies kernel data into different categories and handles each category separately, and we evaluate its efficacy with real experiments. Our experimental results show that our defense is effective in detecting kernel data attacks with negligible performance overhead.