
Defense method for kernel-level return-oriented rootkits

A kernel-level, instruction-based technology, applied in the computer science and malware protection fields, that can solve problems such as attacks that are difficult to deal with, and achieves high performance and protection from infringement.

Inactive Publication Date: 2012-03-14
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

Return-less uses three sub-techniques (return indirection, peephole optimization and a register allocation algorithm) to remove all return opcode bytes from the operating system kernel, so that attackers cannot find usable instruction fragments with which to construct attacks.
However, the latest return-oriented rootkit variants no longer rely on the return instruction. Instead they use return-like instructions to chain instruction fragments together, such as the "pop+jump" instruction sequence [Checkoway et al., ACM CCS 2010] or indirect jump instructions [Bletsch et al., ACM ASIACCS 2011], and are very difficult to deal with.


Examples


Embodiment Construction

[0062] Referring to Figure 1, the present invention includes two parts: compiler-based instruction conversion, and construction of the function pointer table and the return address table. The compiler-based instruction conversion mainly consists of parameter initialization and the conversion of instructions related to control data. After the instruction conversion is completed, the function pointer table and the return address table are constructed.

[0063] 1. Compiler-based instruction conversion

[0064] Referring to Figure 2, this part is implemented as follows:

[0065] Step 1, initialize the return index ret_index to 0.

[0066] The present invention allocates a unique return index ret_index for each return address; ret_index starts counting from 0 and is incremented by 1 each time one is allocated.

[0067] Step 2, create an empty function pointer index file fpindex_file.

[0068] The present invention generates an empty function pointer index file f...


Abstract

The invention discloses a defense method for kernel-level return-oriented rootkits, which mainly solves the problem that the prior art cannot defend against the latest kernel-level return-oriented rootkit attacks. The method comprises the following implementation steps: the compiler allocates an index to each piece of control data and converts the related instructions, so that a program jump does not use the control data directly but instead uses the compiler-allocated index to look up a jump table and obtain the actual valid jump address, performing the jump indirectly; all valid jump addresses in the system, namely the control data, are then collected into a function pointer table and a return address table for protection. With this method, kernel-level return-oriented rootkits cannot complete the second step of their attack, namely changing the original execution flow of the system by rewriting a piece of control data, and the method can be used to protect the security of an operating system.
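The index-based indirection described in the abstract, as an added example that is not code from the patent: a user-space C model in which the "converted" indirect call is written by hand. The names `fp_table`, `fp_index`, `struct device` and `dispatch` are hypothetical, and the overwritten value is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_t)(int);

static int op_double(int x) { return x * 2; }
static int op_negate(int x) { return -x; }

/* Function pointer table: every valid indirect-call target collected in one
 * place. const puts it in read-only data, standing in for the protected
 * table of the abstract (assumption: the real table lives in the kernel). */
static const handler_t fp_table[] = { op_double, op_negate };
#define FP_TABLE_LEN (sizeof fp_table / sizeof fp_table[0])

/* Converted control data: the writable object holds an index, not an address. */
struct device {
    uintptr_t fp_index;            /* hypothetical field name */
};

/* Converted indirect call: the jump target comes only from the table.
 * Returns 0 and stores the result in *out, or -1 if the index is invalid. */
int dispatch(const struct device *d, int arg, int *out)
{
    if (d->fp_index >= FP_TABLE_LEN)
        return -1;                 /* not an allocated index: refuse to jump */
    *out = fp_table[d->fp_index](arg);
    return 0;
}

/* Models a write primitive that replaces the control data with the address
 * of a chosen instruction fragment (constructed value, never dereferenced). */
int tampered_dispatch(int *out)
{
    struct device d = { .fp_index = 1 };
    d.fp_index = (uintptr_t)0xffffffff81000000ULL;
    return dispatch(&d, 21, out);
}

int main(void)
{
    struct device d = { .fp_index = 0 };
    int out = 0;
    int rc = dispatch(&d, 21, &out);
    printf("legitimate call: rc=%d out=%d\n", rc, out);
    rc = tampered_dispatch(&out);
    printf("tampered call:   rc=%d\n", rc);
    return 0;
}
```

In this model an in-range index still selects some entry of the table, so what the bounds check enforces is that control can only reach addresses collected in the table.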

Description

Technical field

[0001] The invention belongs to the field of computer science and technology, and relates to protection against malicious software, in particular to a compiler-based defense method for kernel-level return-oriented rootkits, which can be used to protect the security of an operating system.

Background technique

[0002] As a kind of contemporary malicious software, kernel-level rootkits can hide the traces of attackers and fundamentally subvert the entire operating system, which poses a huge threat to the security of users' computer systems. Rootkits can obtain and maintain unrestricted access rights on compromised computers, including stealing sensitive user information, escalating the system privileges of malicious programs, and opening backdoor access channels. To make matters worse, all of these malicious operations are able to evade detection by antivirus software.

[0003] Traditional kernel-level rootkits usually need to execute newly injected code, and users c...


Application Information

IPC(8): G06F21/22, G06F21/56
Inventor: 李金库, 马建峰, 谢琨, 杨超
Owner: XIDIAN UNIV