The Community for Technology Leaders
RSS Icon
Issue No.02 - March-April (2014 vol.11)
pp: 168-180
Hussain M.J. Almohri , Virginia Tech, Blacksburg
Danfeng Yao , Virginia Tech, Blacksburg
Dennis Kafura , Virginia Tech, Blacksburg
This paper points out the need in modern operating system kernels for a process authentication mechanism, where a process of a user-level application proves its identity to the kernel. Process authentication is different from process identification. Identification is a way to describe a principal; PIDs or process names are identifiers for processes in an OS environment. However, the information such as process names or executable paths that is conventionally used by OS to identify a process is not reliable. As a result, malware may impersonate other processes, thus violating system assurance. We propose a lightweight secure application authentication framework in which user-level applications are required to present proofs at runtime to be authenticated to the kernel. To demonstrate the application of process authentication, we develop a system call monitoring framework for preventing unauthorized use or access of system resources. It verifies the identity of processes before completing the requested system calls. We implement and evaluate a prototype of our monitoring architecture in Linux. The results from our extensive performance evaluation show that our prototype incurs reasonably low overhead, indicating the feasibility of our approach for cryptographically authenticating applications and their processes in the operating system.
Authentication, Kernel, Monitoring, Runtime, Malware,system call monitoring, Operating system security, process authentication, secret application credential
Hussain M.J. Almohri, Danfeng Yao, Dennis Kafura, "Process Authentication for High System Assurance", IEEE Transactions on Dependable and Secure Computing, vol.11, no. 2, pp. 168-180, March-April 2014, doi:10.1109/TDSC.2013.29
[1] H.M.J. Almohri, D. Yao, and D. Kafura, "Identifying Native Applications with High Assurance," Proc. ACM Conf. Data and Application Security and Privacy (CODASPY '12), Feb. 2012.
[2] P. Loscocco and S. Smalley, "Integrating Flexible Support for Security Policies into the Linux Operating System," Proc. USENIX Ann. Technical Conf., 2001.
[3] "grsecurity," http:/, 2013.
[4] Z.M.H. Chen and N. Li, "Analyzing and Comparing the Protection Quality of Security Enhanced Operating Systems," Proc. 16th Ann. Network and Distributed System Security Symp., 2009.
[5] C. Wright, C. Cowan, S. Smalley, J. Morris, and G. Kroah-Hartman, "Linux Security Module Framework," Proc. 11th Ottawa Linux Symp., 2002.
[6] K. Xu, H. Xiong, D. Stefan, C. Wu, and D. Yao, "Data-Provenance Verification for Secure Hosts," IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp. 173-183, Mar./Apr. 2012.
[7] W. Dai, T.P. Parker, H. Jin, and S. Xu, "Enhancing Data Trustworthiness via Assured Digital Signing," IEEE Trans. Dependable and Secure Computing, vol. 9, no. 6, pp. 838-851, Nov./Dec. 2012.
[8] G. Xu, C. Borcea, and L. Iftode, "Satem: Trusted Service Code Execution across Transactions," Proc. IEEE 25th Symp. Reliable Distributed Systems (SRDS '06), pp. 321-336, 2006.
[9] A.M. Fiskiran and R.B. Lee, "Runtime Execution Monitoring (REM) to Detect and Prevent Malicious Code Execution," Proc. IEEE Int'l Conf. Computer Design: VLSI in Computers and Processors (ICCD '04), pp. 452-457, 2004.
[10] T. Jaeger and R. Sandhu, Operating System Security. Morgan & Claypool, 2008.
[11] K. Xu, P. Butler, S. Saha, and D. Yao, "DNS for Massive-Scale Command and Control," IEEE Trans. Dependable and Secure Computing, vol. 10, no. 3, pp. 143-153, May/June 2013.
[12] X. Shu and D. Yao, "Data-Leak Detection as a Service," Proc. Eighth Int'l Conf. Security and Privacy in Communication Networks (SECURECOMM '12), Sept. 2012.
[13] K. Xu, D. Yao, Q. Ma, and A. Crowell, "Detecting Infection Onset with Behavior-Based Policies," Proc. Fifth Int'l Conf. Network and System Security (NSS '11), Sept. 2011.
[14] H. Zhang, W. Banick, D. Yao, and N. Ramakrishnan, "User Intention-Based Traffic Dependence Analysis for Anomaly Detection," Proc. Workshop Semantics and Security (WSCS '12), May 2012.
[15] S.W. Smith, Trusted Computing Platforms: Design and Applications. Springer-Verlag, 2004.
[16] D. Stefan, C. Wu, D. Yao, and G. Xu, "Knowing Where Your Input Is From: Kernel-Level Provenance Verification," Proc. Eighth Int'l Conf. Applied Cryptography and Network Security (ACNS '10), pp. 71-87, 2010.
[17] K.O. Elish, D. Yao, and B.G. Ryder, "User-Centric Dependence Analysis for Identifying Malicious Mobile Apps," Proc. Workshop Mobile Security Technologies (MoST) in Conjunction with the IEEE Symp. Security and Privacy, May 2012.
[18] E. Chin, A.P. Felt, K. Greenwood, and D. Wagner, "Analyzing Inter-Application Communication in Android," Proc. ACM Int'l Conf. Mobile Systems, Applications, and Services (MobiSys '11), June 2011.
[19] K.R. Butler, S. McLaughlin, and P.D. McDaniel, "Rootkit-Resistant Disks," Proc. 15th ACM Conf. Computer and Comm. Security (CCS '08), pp. 403-416, 2008.
[20] M.T. Jones, "Access the Linux Kernel Using the /proc Filesystem," libraryl-proc. html, 2006.
[21] B. Hicks, S. Rueda, L. St.Clair, T. Jaeger, and P. McDaniel, "A Logical Specification and Analysis for SELinux MLS Policy," ACM Trans. Information and Systems Security, vol. 13, no. 3,article 26, July 2010.
[22] L. Bauer, J. Ligatti, and D. Walker, "Composing Expressive Runtime Security Policies," ACM Trans. Software Eng. and Methodology, vol. 18, no. 3,article 9, June 2009.
[23] C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "Stackguard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks," Proc. Seventh USENIX Security Symp., pp. 63-78, 1998.
[24] L. Szekeres, M. Payer, T. Wei, and D. Song, "SoK: Eternal War in Memory," Proc. IEEE Symp. Security and Privacy, May 2013.
[25] R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn, "Design and Implementation of a TCG-Based Integrity Measurement Architecture," Proc. USENIX Security Symp., pp. 223-238, 2004.
[26] J.-L. Cooke and D. Bryson, "Strong Cryptography in the Linux Kernel," Proc. Linux Symp., pp. 139-144, 2003.
[27] D.P. Bovet and M. Cesati, Understanding the Linux Kernel. O'Reilly, 2006.
[28] L. McVoy and C. Staelin, "lmbench: Portable Tools for Performance Analysis," Proc. Ann. Conf. USENIX Ann. Technical Conf., p. 23, 1996.
[29] C. Kil, E.C. Sezer, A.M. Azab, P. Ning, and X. Zhang, "Remote Attestation to Dynamic System Properties: Towards Providing Complete System Integrity Evidence," Proc. IEEE/IFIP Int'l Conf. Dependable Systems and Networks, pp. 115-124, 2009.
[30] D. Muthukumaran, A. Sawani, J. Schiffman, B.M. Jung, and T. Jaeger, "Measuring Integrity on Mobile Phone Systems," Proc. 13th ACM Symp. Access Control Models and Technologies (SACMAT '08), pp. 155-164, 2008.
[31] R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn, "Design and Implementation of a TCG-Based Integrity Measurement Architecture," Proc. 13th USENIX Security Symp. (SSYM '04), p. 16, 2004.
[32] T. Jaeger, R. Sailer, and U. Shankar, "PRIMA: Policy-Reduced Integrity Measurement Architecture," Proc. 11th ACM Symp. Access Control Models and Technologies (SACMAT '06), pp. 19-28, 2006.
[33] B. Li, J. Li, T. Wo, C. Hu, and L. Zhong, "A VMM-Based System Call Interposition Framework for Program Monitoring," Proc. IEEE 16th Int'l Conf. Parallel and Distributed Systems (ICPADS '10), pp. 706-711, 2010.
[34] X. Jiang, X. Wang, and D. Xu, "Stealthy Malware Detection and Monitoring through VMM-Based "Out-of-the-Box" Semantic View Reconstruction," ACM Trans. Information Systems Security, vol. 13, article 12, Mar. 2010.
[35] B. Ford and R. Cox, "Vx32: Lightweight User-Level Sandboxing on the X86," Proc. USENIX Ann. Technical Conf., pp. 293-306, 2008.
[36] T. Kim and N. Zeldovich, "Making Linux Protection Mechanisms Egalitarian with UserFS," Proc. 19th USENIX Conf. Security, pp. 13-27, 2010.
[37] L. Lu, V. Yegneswaran, P. Porras, and W. Lee, "BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections," Proc. 17th ACM Conf. Computer and Communications Security (CCS '10), pp. 440-450, 2010.
[38] M. Fox, J. Giordano, L. Stotler, and A. Thomas, "SELinux and Grsecurity: A Case Study Comparing Linux Security Kernel Enhancements," , 2003.
[39] Z.C. Schreuders, T. McGill, and C. Payne, "Empowering End Users to Confine Their Own Applications: The Results of a Usability Study Comparing SELinux, AppArmor, and FBAC-LSM," ACM Trans. Information and System Security, vol. 14, no. 2,article 19, Sept. 2011.
[40] M. Rajagopalan, M. Hiltunen, T. Jim, and R. Schlichting, "Authenticated System Calls," Proc. Int'l Conf. Dependable Systems and Networks, pp. 358-367, June 2005.
[41] M. Rajagopalan, M.A. Hiltunen, T. Jim, and R.D. Schlichting, "System Call Monitoring Using Authenticated System Calls," IEEE Trans. Dependable and Secure Computing, vol. 3, no. 3, pp. 216-229, July 2006.
[42] S. Forrest, S. Hofmeyr, and A. Somayaji, "The Evolution of System-Call Monitoring," Proc. Ann. Computer Security Applications Conf. (ACSAC '08), pp. 418-430, 2008.
11 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool