Architectural Supports to Protect OS Kernels from Code-Injection Attacks and Their Applications
Moon, Hyungon; Lee, Jinyong; Hwang, Dongil; Jung, Seonhwa; Seo, Jiwon; Paek, Yunheung. Association for Computing Machinery, 2017. Transactions on Design Automation of Electronic Sy Vol.23 No.1
Kernel code injection is a common behavior of kernel-compromising attacks, in which the attackers achieve their goals by manipulating an OS kernel. Several security mechanisms have been proposed to mitigate such threats, but they all suffer from non-negligible performance overhead. This article introduces a hardware reference monitor, called Kargos, which can detect kernel code injection attacks at nearly zero performance cost. Kargos monitors the behavior of an OS kernel from outside the CPU through the standard bus interconnect and debug interface available on most major microprocessors. By watching the execution traces and memory access events in the monitored target system, Kargos uncovers attempts to execute malicious code with kernel privilege. On top of this, we also applied the architectural supports for Kargos to the detection of ROP attacks. KS-Stack is the hardware component that builds and maintains the shadow stacks, using the existing supports, to detect these ROP attacks. According to our experiments, Kargos detected all the kernel code injection attacks that we tested while increasing the computational load on the target CPU by less than 1% on average. The performance overhead of KS-Stack was also less than 1%.
Detecting and Preventing Kernel Rootkit Attacks with Bus Snooping
Moon, Hyungon; Lee, Hojoon; Heo, Ingoo; Kim, Kihwan; Paek, Yunheung; Kang, Brent Byunghoon. IEEE, 2017. IEEE transactions on dependable and secure computi Vol.14 No.2
To protect the integrity of operating system kernels, we present the Vigilare system, a kernel integrity monitor architected to snoop the bus traffic of the host system from separate, independent hardware. This snoop-based monitoring, enabled by the Vigilare system, overcomes the limitations of the snapshot-based monitoring employed in previous kernel integrity monitoring solutions. Because they inspect snapshots collected over a certain interval, the previous hardware-based monitoring solutions cannot detect transient attacks that occur between snapshots, and cannot protect the kernel against permanent damage. We implemented three prototypes of the Vigilare system by adding a Snooper hardware connections module to the host system for bus snooping, together with a snapshot-based monitor to be compared against, in order to evaluate the benefit of snoop-based monitoring. The Vigilare prototypes detected all the transient attacks, and the second one protected the kernel with negligible performance degradation, while the snapshot-based monitor could not detect all the attacks and induced considerable performance degradation, as much as 10 percent in our tuned STREAM benchmark test.
A Study on the System Performance Overhead of Inserting Linux Kernel Monitoring Code for Rootkit Detection
Hyungon Moon; Ingoo Heo; Jinyong Lee; Yongje Lee; Yunheung Paek. Korea Information Processing Society (KIPS), 2014. Proceedings of the KIPS Conference Vol.21 No.1
As malware techniques for attacking systems and the techniques for defending against them have advanced, much recent malware includes kernel rootkits that directly tamper with the operating system. Accordingly, various countermeasures against kernel rootkits have appeared, and many recent studies insert code into the operating system kernel to improve rootkit detection capability. Expecting that code insertion into the kernel will continue to be used for rootkit detection, this paper investigates how such code insertion affects the performance of the operating system kernel and of the whole system.
KI-Mon ARM: A Hardware-Assisted Event-triggered Monitoring Platform for Mutable Kernel Object
Lee, Hojoon; Moon, Hyungon; Heo, Ingoo; Jang, Daehee; Jang, Jinsoo; Kim, Kihwan; Paek, Yunheung; Kang, Brent Byunghoon. IEEE, 2019. IEEE transactions on dependable and secure computi Vol.16 No.2
External hardware-based kernel integrity monitors have been proposed to mitigate kernel-level malware. However, the existing external approaches have been limited to monitoring the static regions of the kernel, while the latest rootkits manipulate dynamic kernel objects. To address this issue, we present KI-Mon, a hardware-based platform that introduces event-triggered monitoring techniques for dynamic kernel objects. KI-Mon advances the bus traffic snooping technique to not only detect memory write traffic on the host bus but also filter out all but meaningful traffic to generate events. We show how kernel invariant verification software can be developed around these events, and also provide a set of APIs for developing additional invariant verification. We also report our findings and considerations on the unique challenges for external monitors, such as cache coherency and dynamic object tracing. We introduce host-side kernel changes that alleviate these issues, involving changes to the kernel's object allocation and cache policy control. We have built a prototype of KI-Mon on the ARM architecture to demonstrate the efficacy of KI-Mon's event-triggered mechanism in terms of the performance overhead on the monitored host system and the processor usage of the KI-Mon processor.
Jihoon Lee; Hyungon Moon; Jinyong Lee; Yongjoo Kim; Yunheung Paek. Korea Information Processing Society (KIPS), 2012. Proceedings of the KIPS Conference Vol.19 No.1
Along with the spread of smartphones, the threat of malicious programs that leak personal information is also increasing. To protect users' data from malicious programs, various mobile antivirus products are on the market. However, as seen in general computing environments, it is quite difficult to cope with every malicious-program threat with software alone. To overcome this shortcoming, there have been prior studies that rely on hardware assistance, but they are hard to apply to SoC architectures such as those of smartphones. Therefore, in this paper we implement an SoC platform on which IP for improving the security of embedded systems can be developed and tested.
Efficient Kernel Integrity Monitor Design for Commodity Mobile Application Processors
Heo, Ingoo; Jang, Daehee; Moon, Hyungon; Cho, Hansu; Lee, Seungwook; Kang, Brent Byunghoon; Paek, Yunheung. The Institute of Electronics and Information Engin, 2015. Journal of semiconductor technology and science Vol.15 No.1
In recent years, there have been increasing threats from rootkits that undermine the integrity of a system by manipulating the OS kernel. To cope with rootkits, Vigilare proposed snoop-based monitoring, which snoops the memory traffic of the host system. Although that work showed its detection capability and negligible performance loss, the problem is that the proposed design is not acceptable in recent commodity mobile application processors (APs), which have become the de facto standard computing platforms of smart devices. To mend this problem and adopt the idea of snoop-based monitoring in commercial products, in this paper we propose a snoop-based monitor design called S-Mon, which is designed for AP platforms. In designing S-Mon, we especially consider two design constraints of APs that were not addressed in Vigilare: the unified memory model and the crossbar switch interconnect. Taking these into account, we derive a more realistic architecture for snoop-based monitoring, and a new hardware module, called the region controller, is also proposed. In our experiments on a simulation framework modeling a production-quality device, it is shown that S-Mon can detect the rootkit attacks while the runtime overhead remains negligible.