Abstract
We introduce the notion of re-establishing trust in compromised systems, specifically looking at recovering from kernel-level rootkits. An attacker who has compromised a system will often install a set of tools, known as a rootkit, which breaks trust in the system as well as serving the attacker with other functionality. One type of rootkit is a kernel-level rootkit, which patches running kernel code with untrusted kernel code. Specifically, current kernel-level rootkits replace trusted system calls with trojaned system calls. Our approach to recovering from this type of rootkit is to extract the system call table from a known-good kernel image and reinstall that table into the running kernel. Building on our approach to current-generation rootkits, we discuss future-generation rootkits and address how to recover from them.
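The audit-and-reinstall step the abstract describes, modelled in user space as an added example that is not the paper's tool: the System.map excerpt, the table slice, the running-table dump and all addresses are constructed here, and a real tool would read the table from kernel memory rather than from a Python list.

```python
import re
from typing import Dict, List, Tuple

# Constructed System.map excerpt from the known-good kernel image (hypothetical addresses).
SYSTEM_MAP = """\
c0105e40 T sys_read
c0105f10 T sys_write
c0106020 T sys_open
c01060f0 T sys_getdents64
c0107a00 T sys_kill
c02c4000 D sys_call_table
"""

# Constructed slice of the table: slot index -> handler the trusted image installs there.
SYSCALL_NAMES = ["sys_read", "sys_write", "sys_open", "sys_getdents64", "sys_kill"]

# Constructed dump of the same five slots read from the running kernel:
# slots 3 and 4 now point into an address range the known-good image never defined.
RUNNING_TABLE = [0xc0105e40, 0xc0105f10, 0xc0106020, 0xd0834120, 0xd0834310]

def parse_system_map(text: str) -> Dict[int, str]:
    """Parse 'address type symbol' lines into {address: symbol}."""
    symbols: Dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+\S\s+(\S+)$", line.strip())
        if m:
            symbols[int(m.group(1), 16)] = m.group(2)
    return symbols

def known_good_table(symbols: Dict[int, str], names: List[str]) -> List[int]:
    """Address each slot must hold, derived only from the trusted image's symbols."""
    by_name = {name: addr for addr, name in symbols.items()}
    return [by_name[name] for name in names]

def audit_table(running, good, symbols, names) -> List[Tuple[int, str, str]]:
    """(slot, expected handler, verdict) for every slot that deviates from the trusted table."""
    findings = []
    for slot, (cur, ref) in enumerate(zip(running, good)):
        if cur == ref:
            continue
        if cur in symbols:
            verdict = f"redirected to {symbols[cur]}"   # points at some other known function
        else:
            verdict = f"points to {cur:#010x}, outside known-good kernel symbols"
        findings.append((slot, names[slot], verdict))
    return findings

def restored_table(running, good) -> Tuple[List[int], int]:
    """Model of the re-installation step: each trojaned slot gets its trusted address back."""
    fixed = [ref if cur != ref else cur for cur, ref in zip(running, good)]
    return fixed, sum(1 for cur, ref in zip(running, good) if cur != ref)
```

Running `audit_table` on the constructed dump flags slots 3 and 4, and auditing the output of `restored_table` against the same trusted table reports nothing.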
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Grizzard, J.B., Levine, J.G., Owen, H.L. (2004). Re-establishing Trust in Compromised Systems: Recovering from Rootkits That Trojan the System Call Table. In: Samarati, P., Ryan, P., Gollmann, D., Molva, R. (eds) Computer Security – ESORICS 2004. ESORICS 2004. Lecture Notes in Computer Science, vol 3193. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30108-0_23
DOI: https://doi.org/10.1007/978-3-540-30108-0_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22987-2
Online ISBN: 978-3-540-30108-0
eBook Packages: Springer Book Archive