Publication


Featured research published by Arati Baliga.


Annual Computer Security Applications Conference | 2008

Automatic Inference and Enforcement of Kernel Data Structure Invariants

Arati Baliga; Vinod Ganapathy; Liviu Iftode

Kernel-level rootkits affect system security by modifying key kernel data structures to achieve a variety of malicious goals. While early rootkits modified control data structures, such as the system call table and values of function pointers, recent work has demonstrated rootkits that maliciously modify non-control data. Prior techniques for rootkit detection fail to identify such rootkits either because they focus solely on detecting control data modifications or because they require elaborate, manually-supplied specifications to detect modifications of non-control data. This paper presents a novel rootkit detection technique that automatically detects rootkits that modify both control and non-control data. The key idea is to externally observe the execution of the kernel during a training period and hypothesize invariants on kernel data structures. These invariants are used as specifications of data structure integrity during an enforcement phase; violation of these invariants indicates the presence of a rootkit. We present the design and implementation of Gibraltar, a tool that uses the above approach to infer and enforce invariants. In our experiments, we found that Gibraltar can detect rootkits that modify both control and non-control data structures, and that its false positive rate and monitoring overheads are negligible.


Ad Hoc Networks | 2006

An identity-based security framework for VANETs

Pandurang Kamat; Arati Baliga; Wade Trappe

We present a security framework for Vehicular Ad hoc Networks (VANETs), using identity-based cryptography, to provide authentication, confidentiality, non-repudiation and message integrity. Additionally, it provides scalable security and privacy using short-lived, authenticated and unforgeable pseudonyms. This feature can be used by VANET applications that require quantifiable trust and privacy to provide differentiated service based on various levels of trust and privacy thresholds.


Workshop on Mobile Computing Systems and Applications | 2010

Rootkits on smart phones: attacks, implications and opportunities

Jeffrey Bickford; Ryan O'Hare; Arati Baliga; Vinod Ganapathy; Liviu Iftode

Smart phones are increasingly being equipped with operating systems that compare in complexity with those on desktop computers. This trend makes smart phone operating systems vulnerable to many of the same threats as desktop operating systems. In this paper, we focus on the threat posed by smart phone rootkits. Rootkits are malware that stealthily modify operating system code and data to achieve malicious goals, and have long been a problem for desktops. We use three example rootkits to show that smart phones are just as vulnerable to rootkits as desktop operating systems. However, the ubiquity of smart phones and the unique interfaces that they expose, such as voice, GPS and battery, make the social consequences of rootkits particularly devastating. We conclude the paper by identifying the challenges that need to be addressed to effectively detect rootkits on smart phones.


IEEE Symposium on Security and Privacy | 2007

Lurking in the Shadows: Identifying Systemic Threats to Kernel Data

Arati Baliga; Pandurang Kamat; Liviu Iftode

The integrity of kernel code and data is fundamental to the integrity of the computer system. Tampering with the kernel data is an attractive venue for rootkit writers since malicious modifications in the kernel are harder to identify compared to their user-level counterparts. So far, however, the pattern followed for tampering is limited to hiding malicious objects in user-space. This involves manipulating a subset of kernel data structures that are related to intercepting user requests or affecting the user's view of the system. Hence, defense techniques are built around detecting such hiding behavior. The contribution of this paper is to demonstrate a new class of stealthy attacks that only exist in kernel space and do not employ any hiding techniques traditionally used by rootkits. These attacks are stealthy because the damage done to the system is not apparent to the user or intrusion detection systems installed on the system and are symbolic of a more systemic problem present throughout the kernel. Our goal in building these attack prototypes was to show that such attacks are not only realistic, but worse; they cannot be detected by the current generation of kernel integrity monitors, without prior knowledge of the attack signature.


IEEE Transactions on Dependable and Secure Computing | 2011

Detecting Kernel-Level Rootkits Using Data Structure Invariants

Arati Baliga; Vinod Ganapathy; Liviu Iftode

Rootkits affect system security by modifying kernel data structures to achieve a variety of malicious goals. While early rootkits modified control data structures, such as the system call table and values of function pointers, recent work has demonstrated rootkits that maliciously modify noncontrol data. Most prior techniques for rootkit detection have focused solely on detecting control data modifications and, therefore, fail to detect such rootkits. This paper presents a novel technique to detect rootkits that modify both control and noncontrol data. The main idea is to externally observe the execution of the kernel during an inference phase and hypothesize invariants on kernel data structures. A rootkit detection phase uses these invariants as specifications of data structure integrity. During this phase, violation of invariants indicates an infection. We have implemented Gibraltar, a prototype tool that infers kernel data structure invariants and uses them to detect rootkits. Experiments show that Gibraltar can effectively detect previously known rootkits, including those that modify noncontrol data structures.


Mobile Cloud Computing & Services | 2011

VPMN: virtual private mobile network towards mobility-as-a-service

Arati Baliga; Xu Chen; Baris Coskun; Gustavo De Los Reyes; Seungjoon Lee; Suhas Mathur; Jacobus E. van der Merwe

In this paper we present our vision for a mobile network infrastructure that embraces advances in virtualization to dynamically create private, resource isolated, customizable, end-to-end mobile networks. We describe an architecture for such a virtual private mobile network (VPMN) infrastructure and present a number of use cases that illustrate the requirements and trade-offs to consider in their realization and the benefits that can be achieved.


Security and Communication Networks | 2008

Secure, pseudonymous, and auditable communication in vehicular ad hoc networks

Pandurang Kamat; Arati Baliga; Wade Trappe

Vehicular ad hoc networks (VANETs) represent a promising new communication technology that can facilitate many new forms of automotive applications. Many of the applications that will run on these networks will require a high degree of security and privacy. In this paper, we present a robust and efficient security framework for vehicular networks suited for both inter-vehicular and vehicle-to-infrastructure communication. Our system uses identity-based cryptography (IBC) to provide authentication, confidentiality, non-repudiation, and message integrity. It exploits the implicit authentication provided by IBC to significantly reduce the security/privacy-related communication overhead. Additionally, it provides scalable, user-customizable security and privacy using short-lived, authenticated, and unforgeable, pseudonyms. This feature can be used by VANET applications that require quantifiable trust and privacy to provide differentiated service based on various levels of trust and privacy thresholds.


Computers & Security | 2008

Automated containment of rootkits attacks

Arati Baliga; Liviu Iftode; Xiaoxin Chen

Rootkit attacks are a serious threat to computer systems. Packaged with other malwares such as worms, viruses and spyware, rootkits pose a more potent threat than ever before by allowing malware to evade detection. In the absence of appropriate tools to counter such attacks, compromised machines stay undetected for extended periods of time. Leveraging virtual machine technology, we propose a solution for real-time automated detection and containment of rootkit attacks. We have developed a prototype using VMware Workstation to illustrate the solution. Our analysis and experimental results indicate that this approach can very successfully detect and contain the effects of a large percentage of rootkits found for Linux today. We also demonstrate with an example, how this approach is particularly effective against malwares that use rootkits to hide.


ACM Workshop on Multimedia and Security | 2007

On covert collaboration

Arati Baliga; Joe Kilian

In the conventional steganographic framework, a covert message is hidden within a larger, seemingly innocent message. We argue that this framework must be extended in order to adequately model the means and goals of modern collaborative systems. Whereas messages are static objects with a single creator, collaborative systems are dynamically changed by multiple entities according to rules and patterns specific to the given system. The primary contribution of this paper is to frame the general question: When can one steganographically embed collaborative system A into collaborative system B? As a case study, we develop a system for embedding a simple wiki into the Flickr photo sharing service. We develop techniques for steganographically embedding a collaborative system whose update rules are quite different than those of the host service.


ACM Symposium on Applied Computing | 2012

An efficient security framework for mobile WiMAX

Mete Rodoper; Arati Baliga; Edward Jung; Wade Trappe

WiMAX is a technology that provides continuous high data throughput with low delays for various user types and modes of operation. The security protocols proposed for WiMAX impose a heavy performance overhead, especially on mobile subscribers running real-time applications, such as VoIP and IPTV. We propose a hybrid security framework for WiMAX combining Hierarchical Identity-Based Cryptography (HIBC) and certificate-based approaches to achieve lower bandwidth usage and higher reliability for stationary as well as mobile subscribers. Our security architecture efficiently resolves the performance issues existing with the current WiMAX security standards and can perform fast handovers. Our framework provides up to an 87% improvement in bandwidth compared to WiMAX's current security standard.
