DOI: 10.1145/2184751.2184814
Research article

A sense of others: behavioral attestation of UNIX processes on remote platforms

Published: 20 February 2012

    Abstract

    Remote attestation is a technique in Trusted Computing for verifying the trustworthiness of a client platform. The best-known method of verifying the client system to the remote end is the Integrity Measurement Architecture (IMA). IMA relies on the hashes of applications to prove the trusted state of the target system to the remote challenger. This hash-based approach leads to several problems, including highly rigid target domains. To overcome these problems, several dynamic attestation techniques have been proposed; they rely on the runtime behavior of an application, its data structures, or its sequences of system calls. In this paper we propose a new attestation technique that builds on the seminal work on Sequence Time Delay Embedding (STIDE). We present our target architecture, in which the client end is equipped with STIDE and the short sequences of system calls associated with a process are measured and reported to the challenger. Furthermore, we investigate how this technique shortens the reported data compared with other system call-based attestation techniques. The primary advantage of this technique is the detection of zero-day malware on the client platform. Two metrics are most important for a successful implementation of dynamic behavior attestation: the processing time required on the target system and the network overhead. Our proposed model concentrates on maximizing the efficiency of both.
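The measurement step the abstract describes, as an added example (not code from the paper or from the UNM datasets it draws on): a k-gram STIDE profile is built from benign traces, each measured trace is slid through the profile, and only the windows missing from the profile go into the report sent to the challenger. The window length and all traces are constructed assumptions.

```python
"""STIDE-style measurement of a process's system-call trace (k-gram windows).
Added example, not the paper's or the UNM project's code. The window length
and all traces below are constructed assumptions; in practice the profile is
built from recorded benign executions of the program being attested."""

K = 3  # window length; a short constructed choice (the original STIDE used 6)

def kgrams(trace, k=K):
    """Every contiguous k-length sequence of system-call names in a trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(normal_traces, k=K):
    """Training phase: the set of all k-grams observed in benign executions."""
    profile = set()
    for trace in normal_traces:
        profile.update(kgrams(trace, k))
    return profile

def measure(trace, profile, k=K):
    """Measurement phase on the client: (windows seen, windows not in profile).
    Only the novel windows need to reach the challenger, which is what keeps
    the attestation payload small compared with shipping the whole trace."""
    windows = kgrams(trace, k)
    novel = [w for w in windows if w not in profile]
    return len(windows), novel

def attestation_report(trace, profile, k=K):
    """What the client reports: counts, the mismatch rate and the novel k-grams."""
    total, novel = measure(trace, profile, k)
    return {
        "windows": total,
        "mismatches": len(novel),
        "rate": len(novel) / total if total else 0.0,
        "novel": sorted(set(novel)),
    }

# Constructed traces (not real data): benign read/write loops for training ...
NORMAL_TRACES = [
    "open read write read write close".split(),
    "open read read write close".split(),
]
PROFILE = build_profile(NORMAL_TRACES)
# ... a benign trace that the profile covers, and one that deviates after the
# first window (here mmap/ioctl, standing in for any behaviour never profiled).
BENIGN_TRACE = "open read write read write read write close".split()
DEVIANT_TRACE = "open read write mmap ioctl close".split()
if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("deviant", DEVIANT_TRACE)):
        print(name, attestation_report(trace, PROFILE))
```

The challenger compares the reported mismatch rate against a threshold fixed for that program; the benign trace yields zero mismatches, the deviant one flags three of its four windows.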


    Cited By

    • Realizing Macro Based Technique for Behavioral Attestation on Remote Platform. Intelligent Systems and Applications, pages 132--144, 25 August 2020. DOI: 10.1007/978-3-030-55180-3_10
    • Ensemble Prediction Algorithm of Anomaly Monitoring Based on Big Data Analysis Platform of Open-Pit Mine Slope. Complexity, 1 January 2018. DOI: 10.1155/2018/1048756
    • Towards Secure Instance Migration in the Cloud. 2015 International Conference on Cloud Computing (ICCC), pages 1--6, April 2015. DOI: 10.1109/CLOUDCOMP.2015.7149664

    Published In

    ICUIMC '12: Proceedings of the 6th International Conference on Ubiquitous Information Management and Communication, February 2012, 852 pages. ISBN: 9781450311724. DOI: 10.1145/2184751
    Publisher: Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. dynamic behavior
    2. intrusion detection system
    3. remote attestation
    4. security
    5. trusted computing

    Conference

    ICUIMC '12 (research article). Overall acceptance rate: 251 of 941 submissions, 27%.
