Nytro Posted November 23, 2011 Report Posted November 23, 2011 Return-Oriented Rootkits:Bypassing Kernel Code Integrity Protection MechanismsRalf Hund Thorsten Holz Felix C. FreilingLaboratory for Dependable Distributed SystemsUniversity of Mannheim, Germanyhund@uni-mannheim.de, fholz,freilingg@informatik.uni-mannheim.deAbstractProtecting the kernel of an operating system against attacks, especially injection of malicious code, is an important factor for implementing secure operating systems.Several kernel integrity protection mechanism were proposed recently that all have a particular shortcoming:They cannot protect against attacks in which the attackerre-uses existing code within the kernel to perform malicious computations. In this paper, we present the designand implementation of a system that fully automates theprocess of constructing instruction sequences that can beused by an attacker for malicious computations. We evaluate the system on different commodity operating systems and show the portability and universality of ourapproach. Finally, we describe the implementation of apractical attack that can bypass existing kernel integrityprotection mechanisms.Download:http://www.usenix.org/event/sec09/tech/full_papers/hund.pdf Quote
