The work described in this paper investigates the problem
of identifying and deterring stealthy malicious processes on
a host. We point out the lack of strong application iden-
tication in main stream operating systems. We solve the
application identication problem by proposing a novel iden-
tication model in which user-level applications are required
to present identication proofs at run time to be authenti-
cated by the kernel using an embedded secret key. The se-
cret key of an application is registered with a trusted kernel
using a key registrar and is used to uniquely authenticate
and authorize the application. We present a protocol for
secure authentication of applications. Additionally, we de-
velop a system call monitoring architecture that uses our
model to verify the identity of applications when making
critical system calls. Our system call monitoring can be
integrated with existing policy specication frameworks to
enforce application-level access rights. We implement and
evaluate a prototype of our monitoring architecture in Linux
as device drivers with nearly no modication of the ker-
nel. The results from our extensive performance evaluation
shows that our prototype incurs low overhead, indicating the
feasibility of our model

Almohri, Hussain M. J.

Kafura, Denis

Yao, Danfeng

English

Computer Science Technical Reports @Virginia Tech

A practical mimicry attack against powerful system-call monitors.

A VMM-based system call interposition framework for program monitoring.

Access control policies and languages.

Access control policy combining: theory meets practice.

Access the Linux kernel using the /proc filesystem,

Analyzing and comparing the protection quality of security enhanced operating systems.

Authenticated system calls.

Authorizing applications in singularity.

Auto-generating access control policies for applications by static analysis with user input recognition.

BitBlaze: A new approach to computer security via binary analysis.

BLADE: an attack-agnostic approach for preventing drive-by malware infections.

Building systems that flexibly control downloaded executable content.

Control of system calls from outside of virtual machines.

Cryptographic Hash Functions.

D-algebra for composing access control policy decisions.

Enhancing ubiquitous systems through system call mining.

Integrating flexible support for security policies into the Linux operating system.

Keying hash functions for message authentication.

Knowing where your input is from: Kernel-level provenance verification.

lmbench: portable tools for performance analysis.

Making Linux protection mechanisms egalitarian with UserFS.

Mining specifications of malicious behavior.

Network intrusion detection based on system calls and data mining.

Operating system protection for fine-grained programs.

PRIMA: policy-reduced integrity measurement architecture.

SEEdit: SELinux Security Policy configuration system with higher level language.

Semantics-aware malware detection.

Stealthy Malware Detection and Monitoring Through VMM-based “out-of-the-box” Semantic View Reconstruction.

Strong cryptography in the Linux kernel.

System call monitoring using authenticated system calls.

The evolution of system-call monitoring.

Transparent process monitoring in a virtual environment.

Trusted Computing Platforms: Design and Applications.

Understanding the linux kernel. O’Reilly,

Vx32: lightweight user-level sandboxing on the x86.

xfACL: an extensible functional language for access control.

XML-based access control languages. Information Security

Identifying Native Applications with High Assurance

Main stream operating system kernels lack a strong and re-liable mechanism for identifying the running processes and binding them to the corresponding executable applications. In this paper, we address the identification problem by proposing a novel secure application identification model in which user-level applications are required to present identi-fication proofs at run time to be authenticated to the kernel. In our model, applications are supplied with unique secret keys. The secret key of an application is registered with a trusted kernel at the installation time and is used to uniquely authenticate the application. We present a protocol for the secure authentication of applications. Additionally, we de-velop a system call monitoring architecture that uses our model to verify the identity of applications when making designated system calls. Our system call monitoring can be integrated with existing mandatory access control systems to enforce application-level access rights. We implement and evaluate a prototype of our monitoring architecture in Linux as device drivers with no modification of the kernel. The re-sults from our extensive performance evaluation shows that our prototype incurs low overhead, indicating the feasibility of our approach for cryptographically identifying and au-thenticating applications in the operating system

Identifying Native Applications with High Assurance

Abstract

Similar works

Full text

Available Versions

Computer Science Technical Reports @Virginia Tech

CiteSeerX