Nytro Posted November 10, 2013

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

Abstract

Protecting the kernel of an operating system against attacks, especially injection of malicious code, is an important factor for implementing secure operating systems. Several kernel integrity protection mechanisms were proposed recently that all have a particular shortcoming: they cannot protect against attacks in which the attacker re-uses existing code within the kernel to perform malicious computations. In this paper, we present the design and implementation of a system that fully automates the process of constructing instruction sequences that can be used by an attacker for malicious computations. We evaluate the system on different commodity operating systems and show the portability and universality of our approach. Finally, we describe the implementation of a practical attack that can bypass existing kernel integrity protection mechanisms.

1 Introduction

Motivation. Since it is hard to prevent users from running arbitrary programs within their own account, all modern operating systems implement protection concepts that protect the realm of one user from another. Furthermore, it is necessary to protect the kernel itself from attacks. The basis for such mechanisms is usually called a reference monitor [2]. A reference monitor controls all accesses to system resources and only grants them if they are allowed. While reference monitors are an integral part of any of today's mainstream operating systems, they are of limited use: because of the sheer size of a mainstream kernel, the probability that some system call, kernel driver or kernel module contains a vulnerability rises. Such vulnerabilities can be exploited to subvert the operating system in arbitrary ways, giving rise to so-called rootkits, malicious software running without the user's notice.

Download: https://www.usenix.org/legacy/event/sec09/tech/full_papers/hund.pdf
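The abstract's central point is that integrity protection which only forbids new code does nothing against an attacker who chains instruction sequences already present in kernel text. The following is an added example, not code from the paper or from the post, of the simplest building block of such automation: a scanner that finds "pop r64; ret" gadgets in a byte image, including ones the compiler never emitted, because x86 has variable-length instructions and can be entered at any byte. The sample bytes, the table of compiler-intended instruction starts, and all function names are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_GADGETS 32

struct gadget {
    size_t offset;      /* byte offset where the gadget begins */
    const char *reg;    /* register popped before the ret */
    int unintended;     /* 1 if offset is not a compiler-intended instruction start */
};

/* Constructed sample "kernel text" (x86-64), an assumption for this example.
 * The compiler-intended instructions are:
 *   0: 55                push rbp
 *   1: 48 89 e5          mov  rbp, rsp
 *   4: b8 5d c3 00 00    mov  eax, 0xc35d   (bytes 5d c3 at offset 5 = "pop rbp; ret")
 *   9: 41 5f             pop  r15           (byte 5f at offset 10 alone = "pop rdi")
 *  11: c3                ret
 *  12: 5e                pop  rsi
 *  13: c3                ret
 *  14: 90                nop
 */
static const uint8_t sample_text[] = {
    0x55, 0x48, 0x89, 0xe5, 0xb8, 0x5d, 0xc3, 0x00, 0x00,
    0x41, 0x5f, 0xc3, 0x5e, 0xc3, 0x90,
};

/* Intended instruction starts for sample_text, as a real tool would obtain
 * them from a linear-sweep disassembly; hard-coded here as an assumption. */
static const size_t intended_starts[] = {0, 1, 4, 9, 11, 12, 13, 14};

static const char *const reg64[16] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15",
};

static int is_intended_start(size_t off) {
    for (size_t i = 0; i < sizeof intended_starts / sizeof intended_starts[0]; i++)
        if (intended_starts[i] == off) return 1;
    return 0;
}

/* Scan code[0..len) for "pop r64; ret". Two encodings are recognised:
 * 58..5f c3 (rax..rdi) and the REX.B form 41 58..5f c3 (r8..r15). A REX
 * form is reported twice: once at the prefix, and once at the opcode byte,
 * since jumping past the prefix yields a different (rax..rdi) gadget. */
size_t find_pop_ret_gadgets(const uint8_t *code, size_t len,
                            struct gadget *out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 1; i < len && n < max_out; i++) {
        if (code[i] != 0xc3) continue;                    /* ret */
        if (i >= 2 && code[i - 2] == 0x41 && (code[i - 1] & 0xf8) == 0x58) {
            out[n].offset = i - 2;
            out[n].reg = reg64[8 + (code[i - 1] & 7)];
            out[n].unintended = !is_intended_start(i - 2);
            if (++n >= max_out) break;
        }
        if ((code[i - 1] & 0xf8) == 0x58) {
            out[n].offset = i - 1;
            out[n].reg = reg64[code[i - 1] & 7];
            out[n].unintended = !is_intended_start(i - 1);
            n++;
        }
    }
    return n;
}

/* Wrappers over the constructed sample so results can be queried directly. */
size_t sample_gadget_count(void) {
    struct gadget g[MAX_GADGETS];
    return find_pop_ret_gadgets(sample_text, sizeof sample_text, g, MAX_GADGETS);
}

size_t sample_unintended_count(void) {
    struct gadget g[MAX_GADGETS];
    size_t n = find_pop_ret_gadgets(sample_text, sizeof sample_text, g, MAX_GADGETS);
    size_t u = 0;
    for (size_t i = 0; i < n; i++) u += (size_t)g[i].unintended;
    return u;
}

/* Offset of the idx-th gadget found, or -1 if there is no such gadget. */
long sample_gadget_offset(size_t idx) {
    struct gadget g[MAX_GADGETS];
    size_t n = find_pop_ret_gadgets(sample_text, sizeof sample_text, g, MAX_GADGETS);
    return idx < n ? (long)g[idx].offset : -1;
}

int main(void) {
    struct gadget g[MAX_GADGETS];
    size_t n = find_pop_ret_gadgets(sample_text, sizeof sample_text, g, MAX_GADGETS);
    for (size_t i = 0; i < n; i++)
        printf("offset %2zu: pop %-3s ; ret  (%s)\n", g[i].offset, g[i].reg,
               g[i].unintended ? "unintended" : "intended");
    return 0;
}
```

On the sample the scanner reports four gadgets: pop rbp at offset 5 and pop rdi at offset 10 exist only because the attacker may enter the middle of an immediate or skip a REX prefix, and an integrity check that hashes or write-protects the text image sees nothing wrong, because no byte was changed. A real gadget finder extends this to arbitrary instruction prefixes before the ret and classifies their side effects, which is the automation the paper describes.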