Dartmouth Computer Science Technical Reports

TR2009-652: The Effects of Introspection on Computer Security Policies

Tue, 09 Jun 2009 16:25:38 -0400

What does it mean to be an expert? And what makes an expert more capable than a non-expert when it comes to evaluating and articulating their impressions about something as commonly practiced as food tasting? How do we explain those behaviors that humans perform very well, but don't quite know why? Studies have shown that there exists a class of activities that we as humans execute well intuitively, but that we perform much worse upon introspection. Evidence supports the claim that the act of introspection actually causes us to do more poorly at these tasks.

My goal is to apply this idea to computer security. At present, designs for most security policy interfaces leave much to be desired. This lack of usability leaves these systems in need of improvement, possibly causing users to become more vulnerable than they otherwise would have. My research includes a user study on the privacy policies of the interface for a social networking website similar to Facebook. Evidence from the study supports the claim that the act of introspecting upon one's personal security policy actually makes one worse at making policy decisions.

Published June 2009 by Dartmouth College, Computer Science

TR2009-651: Developing an Improved, Web-Based Classroom Response System with Web Services

Tue, 09 Jun 2009 16:17:09 -0400

Classroom Response Systems (CRS) are an in-class technology used to poll students and instantly display an aggregate representation of their responses. CRS have been around since the 1970s and have become increasingly more popular in higher education lecture halls. Even though technology, specifically computers and communications, has improved significantly since the 1970s, CRS have remained surprisingly unchanged. The purpose of this project was to develop an innovative web-based CRS using web services. The web-based aspect utilizes Dartmouth's wireless campus while the web services back-end makes the product more extensible. Lastly, we added a set of out-of-class learning tools for students as well as an in-class tool called the Confusion Meter to enhance student-to-instructor communication. With these features, our goal was to create a free, open-source system that enhances the teaching and learning experience and remains extensible and developer-friendly, unlike any commercial CRS currently available.

Published June 2009 by Dartmouth College, Computer Science

TR2009-650: A Computational Framework for Certificate Policy Operations

Sun, 07 Jun 2009 05:00:32 -0400

The trustworthiness of any Public Key Infrastructure (PKI) rests upon the expectations for trust, and the degree to which those ex- pectations are met. Policies, whether implicit as in PGP and SDSI/SPKI or explicitly required as in X.509, document expectations for trust in a PKI. The widespread use of X.509 in the context of global e-Science infrastructures, financial institutions, and the U.S. Federal government demands efficient, transparent, and reproducible policy decisions. Since current manual processes fall short of these goals, we designed, built, and tested computational tools to process the citation schemes of X.509 certificate policies defined in RFC 2527 and RFC 3647. Our PKI Policy Repository, PolicyBuilder, and PolicyReporter improve the consistency of certificate policy operations as actually practiced in compliance au- dits, grid accreditation, and policy mapping for bridging PKIs. Anecdotal and experimental evaluation of our tools on real-world tasks establishes their actual utility and suggests how machine-actionable policy might empower individuals to make informed trust decisions in the future.

Published June 2009 by Dartmouth College, Computer Science

TR2009-648: Surface Reconstruction through Time

Mon, 08 Jun 2009 16:04:40 -0400

Surface reconstruction is an area of computational geometry that has been progressing rapidly over the last decade. Current algorithms and their implementations can reconstruct surfaces from a variety of input and the accuracy and precision improve with each new development. These all make use of various heuristics to achieve a reconstruction. Much of this work consists of reconstructing a still object from point samples taken from the object's surface.

We examine reconstructing an n-dimensional object and its motion by treating time as an (n + 1)st axis. Our input consists of (n-1)-dimensional scans taken over time and at di?erent positions on the original object. This input is mapped into (n + 1) dimensions where the (n + 1)st dimension is a scaled time axis and then fed into an existing surface reconstruction algorithm. A cross section of the reconstructed surface perpendicular to the time axis yields an approximation to the shape of the n-dimensional surface at the corresponding point in time.

The intended application for this work is the reconstruction of medical images from scanning technology such as MRI or CT into moving 3d surfaces. We investigate reconstructing 2d moving surfaces through time as a preliminary step towards the moving 3d problem.

We spend most of our efforts in this thesis on the problem of computing a scaling factor for mapping time into the (n + 1)st axis to minimize the number of scans needed to meet the sampling requirements for an existing surface reconstruction algorithm. We give three bounds, based on features of the 2d moving object, that are necessary to accomplish this.

Published June 2009 by Dartmouth College, Computer Science

TR2009-647: Hawk: 3D Gestured-Based Interactive Bird Flight Simulation

Tue, 02 Jun 2009 23:16:45 -0400

Control interfaces provide the most tangible connection between human users and computer software. This link is especially important in interactive real-time applications, like games and simulations, because users desire efficient controls that allow them to maximize their interactivity and immersion with the software. Traditionally, interfaces have been largely limited to keyboards and mice. Recently, however, technological advances have made motion-sensitive devices not only available to mainstream consumers but have also lifted restrictions limiting devices to two-dimensional motion. This work presents a 3-dimensional motion-sensitive interface alongside a natural application. Players can control a soaring red-tailed hawk and perform various intuitive flight maneuvers using two Nintendo Wii Remotes (Wiimotes).

Published June 2009 by Dartmouth College, Computer Science

TR2009-646: An Information Complexity Approach to the Inner Product Problem

Fri, 19 Jun 2009 14:41:44 -0400

We prove a lower bound of the randomized communication complexity of the inner product function on the uniform distribution.

Published June 2009 by Dartmouth College, Computer Science

TR2009-645: Automated Tracking of Dividing Nuclei in Microscopy Videos of Living Cells

Thu, 18 Jun 2009 05:22:53 -0400

Many cell biologists perform analysis of multinucleated cell data in order to better under- stand the mechanisms that regulate cell division. Sbalzarini, et al., have developed methods for automatically tracking nuclei in cell data in order to aid in this time-consuming analysis. In this paper, we present an implementation of the Sbalzarini tracking algorithm, introduce a new algorithm we developed which is able to identify mitosis events, and present other software tools we have developed to aid in the automated detection of nucleus data.

Published June 2009 by Dartmouth College, Computer Science

TR2009-644: Autoscopy: Detecting Pattern-Searching Rootkits via Control Flow Tracing

Tue, 19 May 2009 21:49:28 -0400

Traditional approaches to rootkit detection assume the execution of code at a privilege level below that of the operating system kernel, with the use of virtual machine technologies to enable the detection system itself to be immune from the virus or rootkit code. In this thesis, we approach the problem of rootkit detection from the standpoint of tracing and instrumentation techniques, which work from within the kernel and also modify the kernel's run-time state to detect aberrant control flows. We wish to investigate the role of emerging tracing frameworks (Kprobes, DTrace etc.) in enforcing operating system security without the reliance on a full-blown virtual machine just for the purposes of such policing. We first build a novel rootkit prototype that uses pattern-searching techniques to hijack hooks embedded in dynamically allocated memory, which we present as a showcase of emerging attack techniques. We then build an intrusion detection system-- autoscopy, atop kprobes, that detects anomalous control flow patterns typically exhibited by rootkits within a running kernel. Furthermore, to validate our approach, we show that we were able to successfully detect 15 existing Linux rootkits. We also conduct performance analyses, which show the overhead of our system to range from 2% to 5% on a wide range of standard benchmarks. Thus by leveraging tracing frameworks within operating systems, we show that it is possible to introduce real-world security in devices where performance and resource constraints are tantamount to security considerations.

Published May 2009 by Dartmouth College, Computer Science

TR2009-643: Dynamic Universal Accumulators for DDH Groups and Their Application to Attribute-Based Anonymous Credential Systems

Wed, 22 Apr 2009 05:38:47 -0400

We present the first dynamic universal accumulator that allows (1) the accumulation of elements in a DDH-hard group G and (2) one who knows x such that y=g^x has --- or has not --- been accumulated, where g generates G, to efficiently prove her knowledge of such x in zero knowledge, and hence without revealing, e.g., x or y.

We introduce the Attribute-Based Anonymous Credential System (ABACS), which allows the verifier to authenticate anonymous users according to any access control policy expressible as a formula of possibly negated boolean user attributes. We construct the system from our accumulator.

Published April 2009 by Dartmouth College, Computer Science

TR2009-642: Approximability of the Unsplittable Flow Problem on Trees

Tue, 03 Mar 2009 21:05:54 -0500

We consider the approximability of the Unsplittable Flow Problem (UFP) on tree graphs, and give a deterministic quasi-polynomial time approximation scheme for the problem when the number of leaves in the tree graph is at most poly-logarithmic in $n$ (the number of demands), and when all edge capacities and resource requirements are suitably bounded. Our algorithm generalizes a recent technique that obtained the first such approximation scheme for line graphs. Our results show that the problem is not APX-hard for such graphs unless NP \subseteq DTIME(2^{polylog(n)}). Further, a reduction from the Demand Matching Problem shows that UFP is APX-hard when the number of leaves is Omega(n^\epsilon) for any constant \epsilon > 0.

Together, the two results give a nearly tight characterization of the approximability of the problem on tree graphs in terms of the number of leaves, and show the structure of the graph that results in hardness of approximation.

Published March 2009 by Dartmouth College, Computer Science

TR2009-641: A Combined Routing Method for Ad Hoc Wireless Networks

Thu, 12 Feb 2009 00:27:50 -0500

Several simulation and real world studies show that certain ad hoc routing protocols perform better than others under specific mobility and traffic patterns. In order to exploit this phenomena, we propose a novel approach to adapt a network to changing conditions; we introduce "a combined routing method" that allows the network to seamlessly swap from one routing protocol to another protocol dynamically, while routing continues uninterrupted. By creating a thin new virtual layer, we enable each node in the ad hoc wireless network notify each other about the protocol swap and we do not make any changes to existing routing protocols. To ensure that routing works efficiently after the protocol swap, we reuse information from the previous protocol's routing table while initializing the data structures for the new routing protocol. We study the feasibility of our technique and the overheads incurred while swapping between AODV, ODMRP and APRL under different network topologies and traffic patterns through detailed simulations. Our results show that the swap latency is related to the nature of the destination protocol and the topology of the network. We also find that the control packet ratio of a routing protocol during and after a swap is close to that of the protocol running before a swap, thus indicating that our approach does not add excessive overhead.

Published February 2009 by Dartmouth College, Computer Science

TR2009-640: Authenticated Streamwise On-line Encryption

Thu, 26 Mar 2009 23:21:07 -0400

In Blockwise On-line Encryption, encryption and decryption return an output block as soon as the next input block is received. In this paper, we introduce Authenticated Streamwise On-line Encryption (ASOE), which operates on plaintexts and ciphertexts as streams of arbitrary length (as opposed to fixed-sized blocks), and thus significantly reduces message expansion and end-to-end latency. Also, ASOE provides data authenticity as an option. ASOE can therefore be used to efficiently secure resource-constrained communications with real-time requirements such as those in the electric power grid and wireless sensor networks.

We investigate and formalize ASOE's strongest achievable notion of security, and present a construction that is secure under that notion. An instantiation of our construction incurs zero end-to-end latency due to buffering and only 48 bytes of message expansion, regardless of the plaintext-size.

Published March 2009 by Dartmouth College, Computer Science

TR2008-639: Functional Monitoring Without Monotonicity

Wed, 24 Dec 2008 12:08:58 -0500

The notion of distributed functional monitoring was recently introduced by Cormode, Muthukrishnan and Yi to initiate a formal study of the communication cost of certain fundamental problems arising in distributed systems, especially sensor networks. In this model, each of k sites reads a stream of tokens and is in communication with a central coordinator, who wishes to continuously monitor some function f of \sigma, the union of the k streams. The goal is to minimize the number of bits communicated by a protocol that correctly monitors f(\sigma), to within some small error. As in previous work, we focus on a threshold version of the problem, where the coordinator's task is simply to maintain a single output bit, which is 0 whenever f(\sigma) \leq \tau(1 - \epsilon) and 1 whenever f(\sigma) \geq \tau. Following Cormode et al., we term this the (k, f, \tau, \epsilon) functional monitoring problem.

In previous work, some upper and lower bounds were obtained for this problem, with f being a frequency moment function, e.g., F_0, F_1, F_2. Importantly, these functions are monotone. Here, we further advance the study of such problems, proving three new classes of results. First, we prove new lower bounds on this problem when f = F_p, for several values of p. Second, we study the effect of non-monotonicity of f on our ability to give nontrivial monitoring protocols, by considering f = F_p with deletions allowed, as well as f = H, the empirical Shannon entropy of a stream. Third, we provide nontrivial monitoring protocols when f is either H, or any of a related class of entropy functions (Tsallis entropies). These are the first nontrivial algorithms for distributed monitoring of non-monotone functions.

Published December 2008 by Dartmouth College, Computer Science

TR2008-638: Digital Image Ballistics from JPEG Quantization: A Followup Study

Wed, 24 Dec 2008 12:07:43 -0500

The lossy JPEG compression scheme employs a quantization table that controls the amount of compression achieved. Because different cameras typically employ different tables, a comparison of an image's quantization scheme to a database of known cameras affords a simple technique for confirming or denying an image's source. This report describes the analysis of quantization tables extracted from 1,000,000 images downloaded from Flickr.com.

Published December 2008 by Dartmouth College, Computer Science

TR2008-637: Nymble: Blocking Misbehaving Users in Anonymizing Networks

Sun, 07 Dec 2008 20:13:08 -0500

Anonymizing networks such as Tor allow users to access Internet services privately by using a series of routers to hide the client's IP address from the server. The success of such networks, however, has been limited by users employing this anonymity for abusive purposes such as defacing popular websites. Website administrators routinely rely on IP-address blocking for disabling access to misbehaving users, but blocking IP addresses is not practical if the abuser routes through an anonymizing network. As a result, administrators block \emph{all} known exit nodes of anonymizing networks, denying anonymous access to misbehaving and behaving users alike. To address this problem, we present Nymble, a system in which servers can ``blacklist'' misbehaving users, thereby \emph{blocking users without compromising their anonymity}. Our system is thus agnostic to different servers' definitions of misbehavior --- servers can blacklist users for whatever reason, and the privacy of blacklisted users is maintained.

Published December 2008 by Dartmouth College, Computer Science

TR2008-636: Toward Evaluating Lighting Design Interface Paradigms for Novice Users

Fri, 01 May 2009 05:33:03 -0400

Lighting design is a complex and fundamental task in computer cinematography, involving adjustment of light parameters to define final scene appearance. Many lighting interfaces have been proposed to improve lighting design work flow. These paradigms exist in three paradigm categories: direct light parameter manipulation, indirect light feature manipulation (e.g., shadow dragging), and goal-based optimization of light through painting. To this date, no formal evaluation of the relative effectiveness of these methods has been performed. In this paper, we present a first step toward evaluating the three paradigms in the form of a user study with novice users. We focus our evaluation on simple tasks that directly affect lighting features, such as highlights, shadows and intensity gradients, in scenes with up to 2 point lights and 5 objects under direct illumination. We perform quantitative experiments to measure relative efficiency between interfaces together with qualitative input to explore the intuitiveness of the paradigms. Our results indicate that paint-based goal specification is more cumbersome than either direct or indirect manipulation. Furthermore, our investigation suggests improvements to not only the implementation of the paradigms, but also overall paradigm structure for further exploration.

Published November 2008 by Dartmouth College, Computer Science

TR2008-635: BLAC: Revoking Repeatedly Misbehaving Anonymous Users Without Relying on TTPs

Tue, 30 Sep 2008 23:21:13 -0400

Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user's privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, systems have been proposed in which users are deanonymized if they authenticate ``too many times,'' such as ``double spending'' with electronic cash. While useful in some applications, it is not possible to generalize such techniques to more subjective definitions of misbehavior, e.g., it is not possible to block users who ``deface too many webpages'' on a website.

We present BLAC, the first anonymous credential system in which service providers can revoke the credentials of repeatedly misbehaving users without relying on a TTP. Since revoked users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP. Finally, our construction supports a $d$-strikes-out revocation policy, whereby users who have been subjectively judged to have repeatedly misbehaved at least $d$ times are revoked from the system.

Published October 2008 by Dartmouth College, Computer Science

TR2008-634: LZfuzz: a fast compression-based fuzzer for poorly documented protocols

Fri, 26 Sep 2008 20:21:47 -0400

Real-world infrastructure offers many scenarios where protocols (and other details) are not released due to being considered too sensitive or for other reasons. This situation makes it hard to apply fuzzing techniques to test their security and reliability, since their full documentation is only available to their developers, and domain developer expertise does not necessarily intersect with fuzz-testing expertise (nor deployment responsibility). State-of-the-art fuzzing techniques, however, work best when protocol specifications are available. Still, operators whose networks include equipment communicating via proprietary protocols should be able to reap the benefits of fuzz-testing them.

In particular, administrators should be able to test proprietary protocols in the absence of end-to-end application-level encryption to understand whether they can withstand injection of bad traffic, and thus be able to plan adequate network protection measures. Such protocols can be observed in action prior to fuzzing, and packet captures can be used to learn enough about the structure of the protocol to make fuzzing more efficient.

Various machine learning approaches, e.g. bioinformatics methods, have been proposed for learning models of the targeted protocols. The problem with most of these approaches to date is that, although sometimes quite successful, they are very computationally heavy and thus are hardly practical for application by network administrators and equipment owners who cannot easily dedicate a compute cluster to such tasks.

We propose a simple method that, despite its roughness, allowed us to learn facts useful for fuzzing from protocol traces at much smaller CPU and time costs. Our fuzzing approach proved itself empirically in testing actual proprietary SCADA protocols in an isolated control network test environment, and was also successful in triggering flaws in implementations of several popular commodity Internet protocols. Our fuzzer, LZfuzz (pronounced ``lazy-fuzz'') relies on a variant of Lempel--Ziv compression algorithm to guess boundaries between the structural units of the protocol, and builds on the well-known free software GPF fuzzer.

Published September 2008 by Dartmouth College, Computer Science

TR2008-633: Attribute-Based, Usefully Secure Email

Fri, 15 Aug 2008 08:04:10 -0400

A secure system that cannot be used by real users to secure real-world processes is not really secure at all. While many believe that usability and security are diametrically opposed, a growing body of research from the field of Human-Computer Interaction and Security (HCISEC) refutes this assumption. All researchers in this field agree that focusing on aligning usability and security goals can enable the design of systems that will be more secure under actual usage.

We bring to bear tools from the social sciences (economics, sociology, psychology, etc.) not only to help us better understand why deployed systems fail, but also to enable us to accurately characterize the problems that we must solve in order to build systems that will be secure in the real world. Trust, a critically important facet of any socio-technical secure system, is ripe for analysis using the tools provided for us by the social sciences.

There are a variety of scopes in which issues of trust in secure systems can be stud- ied. We have chosen to focus on how humans decide to trust new correspondents. Current secure email systems�such as S/MIME and PGP/MIME�are not expressive enough to capture the real ways that trust flows in these sorts of scenarios. To solve this problem, we begin by applying concepts from social science research to a variety of such cases from interesting application domains; primarily, crisis management in the North American power grid. We have examined transcripts of telephone calls made between grid manage- ment personnel during the August 2003 North American blackout and extracted several different classes of trust flows from these real-world scenarios. Combining this knowl- edge with some design patterns from HCISEC, we develop criteria for a system that will enable humans apply these same methods of trust-building in the digital world. We then present Attribute-Based, Usefully Secure Email (ABUSE) and not only show that it meets our criteria, but also provide empirical evidence that real users are helped by the system.

Published August 2008 by Dartmouth College, Computer Science

TR2008-632: TwoKind Authentication: Protecting Private Information in Untrustworthy Environments (Extended Version)

Sun, 17 Aug 2008 08:00:00 -0400

We propose and evaluate TwoKind Authentication, a simple and effective technique that allows users to limit access to their private information in untrustworthy environments. Users often log in to Internet sites from insecure computers, and more recently have started divulging their email passwords to social-networking sites, thereby putting their private communications at risk. To mitigate this problem, we explore the use of multiple authenticators for the same account that are associated with specific sets of privileges. In its simplest form, TwoKind features two modes of authentication, a low and a high authenticator. By using a low authenticator, users can signal to the server they are in an untrusted environment, following which the server restricts the user's actions, including access to private data.

In this paper, we seek to evaluate the effectiveness of multiple authenticators in promoting safer behavior in users. We demonstrate the effectiveness of this approach through a user experiment --- we find that users make a distinction between the two authenticators and generally behave in a security-conscientious way, protecting their high authenticator a majority of the time. Our study suggests that TwoKind will be beneficial to several Internet applications, particularly if the privileges can be customized to a user's security preferences.

Published August 2008 by Dartmouth College, Computer Science

TR2008-631: Pas de Deux avec les Microrobots (Video)

Tue, 05 Aug 2008 11:36:12 -0400

Video captured through an optical microscope, showing simultaneous control and operation of two stress-engineered microrobots. The dimensions of our microrobots are 260 x 60 x 10 micrometers; each robot consists of an unthetered scratch-drive actuator that provides forward motion, and a steering-arm actuator that controls whether the robot moves in a straight line or turns.

Our stress-engineered microrobots are electrostatically powered via a global control signal transmitted to all the robots regardless of the their position and orientation within their operating environment. Hence, a single control and power-delivery signal must be used to simultaneously control all robots within the same operating environment, resulting in a highly underactuated system. Despite this high level of underactution we are able to achieve independent control of the individual microrobots by designing their steering-arms to respond to different voltage levels of the supplied control signal.

This example uses nested hysteresis gaps. A hysteresis gap is the difference between the snap-down and release voltages for a steering-arm actuator. Nested hysteresis gaps allow us to set the states of the steering-arms (up or down) to any configuration. As shown in this video, all four states of the two microrobot steering-arms are used to choreograph their motion.

A disadvantage of nested hysteresis gaps is that they are control-voltage bandwidth intensive, limiting the number of simultaneously-controllable devices. An alternative multi-microrobot control scheme that minimizes control-bandwidth is described in [1].

Published August 2008 by Dartmouth College, Computer Science

TR2008-630: Planar Microassembly by Parallel Actuation of MEMS Microrobots (Microassembly Video)

Tue, 05 Aug 2008 11:35:21 -0400

Movie of a representative microassembly experiment using devices from species 1,3,4 and 5, recorded through an optical microscope. The robots are initially arranged along the corners of a rectangle with sides 1 by 0.9 mm. The assembly experiment is divided into three stages. During stage 1, devices 4 and 5 dock together to form the initial stable shape. In stage 2, device 3 docks with the initial stable shape, while during stage 3, device 1 docks with the stable shape, forming the final assembly.

Published August 2008 by Dartmouth College, Computer Science

TR2008-629: Lighting and Optical Tools for Image Forensics

Tue, 08 Jul 2008 11:53:51 -0400

We present new forensic tools that are capable of detecting traces of tampering in digital images without the use of watermarks or specialized hardware. These tools operate under the assumption that images contain natural properties from a variety of sources, including the world, the lens, and the sensor. These properties may be disturbed by digital tampering and by measuring them we can expose the forgery. In this context, we present the following forensic tools: (1) illuminant direction, (2) specularity, (3) lighting environment, and (4) chromatic aberration. The common theme of these tools is that they exploit lighting or optical properties of images. Although each tool is not applicable to every image, they add to a growing set of image forensic tools that together will complicate the process of making a convincing forgery.

Published July 2008 by Dartmouth College, Computer Science

TR2008-628: Key Management for Secure Power SCADA

Fri, 13 Jun 2008 22:23:13 -0400

This thesis proposes a key management protocol for secure power SCADA systems that seeks to take advantage of the full security capacity of a given network by allowing devices to use public key cryptography for key management if they are capable of doing so and reverting to symmetric key cryptography only when such use is necessitated by the weakness of a given device. Allowing devices to obtain different levels of security permits SCADA networks to maximize their security in the decades before such networks are capable of implementing fully public key-based key management protocols. Such a system is obtained through the use of a protocol based on a modified version of SSL using X.509 certificates containing encrypted symmetric keys that allow master devices the option of using the symmetric keys for encrypting the shared secret used to create keying material, instead of using a slave device's public key. This thesis presents the protocol and uses proof-of-concept code to carry out a performance evaluation of the key management scheme.

Published June 2008 by Dartmouth College, Computer Science

TR2008-627: Detecting kernel rootkits

Sat, 20 Sep 2008 22:42:58 -0400

Kernel rootkits are a special category of malware that are deployed directly in the kernel and hence have unmitigated reign over the functionalities of the kernel itself. We seek to detect such rootkits that are deployed in the real world by first observing how the majority of kernel rootkits operate. To this end, comparable to how rootkits function in the real world, we write our own kernel rootkit that manipulates the network driver, thus giving us control over all packets sent into the network. We then implement a mechanism to thwart the attacks of such rootkits by noticing that a large number of the rootkits deployed today rely heavily on the redirection of function pointers within the kernel. By overwriting the desired function pointer to its own function, a rootkit can perform a proverbial man-in-the-middle attack. Our goal is not just the detection of kernel rootkits, but also to levy as little an impact on system performance as possible. Hence our technique is to leverage existing kernel functionalities (in the case of Linux) such as kprobes to identify potential attack scenarios from within the sytem rather than from outside it (such as a VMM). We hope to introduce real-world security in devices where performance and resource constraints are tantamount to security considerations.

Published September 2008 by Dartmouth College, Computer Science