Recognize and Monitor Kernel Virtualization Using Memory Heat Map

Authors

  • G. Soujanya Lakshmi, PG Scholar, Department of MCA, St. Ann's College of Engineering & Technology, Chirala, Andhra Pradesh, India
  • P.S. Naveen Kumar, Assistant Professor, Department of MCA, St. Ann's College of Engineering & Technology, Chirala, Andhra Pradesh, India

Keywords:

Kernel, OS, Process monitoring, Malware analysis, Virtual Machine Monitor, memory heat map, real-time systems, Malware, Virtualization, Operating System Security

Abstract

Cyber attacks increasingly target the inner rings of a computer system, and they have seriously undermined the integrity of entire systems. We focus on the threat posed by smartphone rootkits. Rootkits are malware that stealthily modify operating system code and data to achieve malicious goals, and they have long been a problem for desktops. Smartphones expose several unique interfaces, such as voice, GPS and the battery, that rootkits can exploit in novel ways. We propose, in this paper, an autonomic architecture called SHARK (Secure Hardware support Against RootKit), which employs hardware support to provide system-level security without trusting the software stack, including the OS kernel. The emergence of hardware virtualization technology has led to the development of OS-independent malware such as virtual-machine-based rootkits (VMBRs). We draw attention to a different but related threat that exists on many commodity systems in operation today: the System Management Mode based rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. We leverage the predictable nature of real-time embedded applications and introduce the Memory Heat Map (MHM) to characterize the memory behavior of the operating system. Our machine learning algorithms automatically summarize the information contained in the MHMs and then detect deviations from the normal memory behavior patterns. The kernel is normally protected by three strategies applied at different layers: monitoring the processes that are invoked, snooping incoming packets at the network layer, and establishing trust in a process through a Trusted Computing Base (TCB) maintained by the administrator.
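The abstract describes the Memory Heat Map only at a high level: bucket the operating system's memory accesses into a time-by-region count matrix, summarize clean behaviour, and flag windows that deviate from it. The following Python is an added, illustrative example written for this page; it is not code from the paper, which does not specify its feature extraction or classifier. It assumes 4 KiB regions, 100-tick windows, an 8-region kernel address range, a constructed access trace for a periodic real-time task, and a per-region z-score baseline standing in for the paper's unspecified machine learning algorithms. The injected burst stands in for a rootkit repeatedly touching a region the task never uses.

```python
import math
import random

# Assumptions for this illustrative example (not taken from the paper):
# 4 KiB memory regions, 100-tick time windows, an 8-region kernel range.
BASE = 0xFFFF_8000_0000_0000
REGION_SIZE = 0x1000
N_REGIONS = 8
WINDOW = 100


def build_heat_map(trace, n_windows):
    """Bucket (tick, address) accesses into a windows x regions count matrix."""
    hm = [[0] * N_REGIONS for _ in range(n_windows)]
    for tick, addr in trace:
        w = tick // WINDOW
        r = (addr - BASE) // REGION_SIZE
        if 0 <= w < n_windows and 0 <= r < N_REGIONS:
            hm[w][r] += 1
    return hm


def summarize(heat_maps):
    """Baseline: per-region mean and standard deviation over all clean windows."""
    rows = [row for hm in heat_maps for row in hm]
    n = len(rows)
    means = [sum(row[i] for row in rows) / n for i in range(N_REGIONS)]
    stds = [math.sqrt(sum((row[i] - means[i]) ** 2 for row in rows) / n)
            for i in range(N_REGIONS)]
    return means, stds


def anomaly_score(row, means, stds, floor=1.0):
    """Average |z-score| of one window against the baseline.

    `floor` keeps regions that were silent in training (std 0) from dividing
    by zero and makes each unexpected access in such a region count as z=1."""
    zs = [abs(c - m) / max(s, floor) for c, m, s in zip(row, means, stds)]
    return sum(zs) / len(zs)


def detect(hm, means, stds, threshold=3.0):
    """Indices of windows whose score exceeds the threshold."""
    return [i for i, row in enumerate(hm)
            if anomaly_score(row, means, stds) > threshold]


def synth_trace(n_windows, profile, rng, inject=None):
    """Constructed access trace for a periodic task (sample data, not real).

    profile: {region_index: accesses per window}; each window's count jitters
    by up to +/-1 to mimic a real-time task's small timing variance.
    inject: optional (window, region, count) burst mimicking a rootkit that
    repeatedly touches a region the task never uses."""
    trace = []
    for w in range(n_windows):
        for region, count in profile.items():
            for _ in range(count + rng.randint(-1, 1)):
                tick = w * WINDOW + rng.randrange(WINDOW)
                addr = BASE + region * REGION_SIZE + rng.randrange(REGION_SIZE)
                trace.append((tick, addr))
    if inject:
        w, region, count = inject
        for _ in range(count):
            tick = w * WINDOW + rng.randrange(WINDOW)
            addr = BASE + region * REGION_SIZE + rng.randrange(REGION_SIZE)
            trace.append((tick, addr))
    return trace


def run_demo(n_windows=6):
    """Train on three clean runs, then score one clean and one attacked run."""
    rng = random.Random(2018)
    profile = {0: 20, 1: 10, 2: 5}  # code, stack and data regions of the task
    clean_maps = [build_heat_map(synth_trace(n_windows, profile, rng), n_windows)
                  for _ in range(3)]
    means, stds = summarize(clean_maps)

    clean_test = build_heat_map(synth_trace(n_windows, profile, rng), n_windows)
    attacked = build_heat_map(
        synth_trace(n_windows, profile, rng, inject=(3, 5, 60)), n_windows)
    return detect(clean_test, means, stds), detect(attacked, means, stds)


if __name__ == "__main__":
    clean_alerts, attack_alerts = run_demo()
    print("clean run alerts:   ", clean_alerts)
    print("attacked run alerts:", attack_alerts)
```

The clean test run produces no alerts because its per-region counts stay within the jitter seen in training, while the attacked run is flagged only in window 3, where the injected burst lands in a region with a zero baseline. The `floor` parameter is the practical caveat: without it, any region that was never touched during training would have zero variance and a single stray access would produce an infinite score, so the floor fixes how loud an access to a "cold" region is allowed to be.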


Published

2018-04-30

Section

Research Articles

How to Cite

[1] G. Soujanya Lakshmi, P.S. Naveen Kumar, "Recognize and Monitor Kernel Virtualization Using Memory Heat Map", International Journal of Scientific Research in Science and Technology (IJSRST), Online ISSN: 2395-602X, Print ISSN: 2395-6011, Volume 4, Issue 5, pp. 18-23, March-April 2018.