In the area of operating system security, the SRG group has recently worked on three projects: BootJacker, Cloaker and MemCrawler.
BOOTJACKER: COMPROMISING COMPUTERS USING FORCED RESTARTS
BootJacker is a proof-of-concept attack tool which demonstrates that authentication mechanisms employed by an operating system can be bypassed by obtaining physical access and simply forcing a restart. The key insight that enables this attack is that the contents of memory on some machines are fully preserved across a warm boot. Upon a reboot, BootJacker uses this residual memory state to revive the original host operating system environment and run malicious payloads. Using BootJacker, an attacker can break into a locked user session and gain access to open encrypted disks, web browser sessions or other secure network connections. BootJacker's non-persistent design makes it possible for an attacker to leave no traces on the victim machine.
Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar and Roy H. Campbell. BootJacker: Compromising Computers using Forced Restarts. In ACM Conference on Computer and Communications Security (CCS'08), October 2008 (18% acceptance rate, 51/281).
CLOAKER: HARDWARE-ASSISTED MALWARE
Rootkits are used by malicious attackers who want to run software on a compromised machine without being detected. They have become stealthier over the years as a consequence of the ongoing struggle between attackers and system defenders. In order to explore the next step in rootkit evolution and to build strong defenses, we look at this issue from the point of view of an attacker. We construct Cloaker, a proof-of-concept rootkit for the ARM platform that is non-persistent and relies only on hardware state modifications for concealment and operation. A primary goal in the design of Cloaker is to not alter any part of the host operating system (OS) code or data, thereby achieving immunity to all existing rootkit detection techniques that perform integrity, behavior and signature checks of the host OS. Cloaker also demonstrates that a self-contained execution environment for malicious code can be provided without relying on the host OS for any services. Integrity checks of hardware state in each of the machine's devices are required in order to detect rootkits such as Cloaker. We present a framework for the Linux kernel that incorporates integrity checks of hardware state performed by device drivers in order to counter the threat posed by rootkits such as Cloaker. The integrity check framework is available [here] as a patch against Linux 2.6.23.1.
Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle and Roy H. Campbell. Cloaker: Hardware Supported Rootkit Concealment. Best Student Paper Award. In IEEE Symposium on Security and Privacy (SP'08), May 2008 (11% acceptance rate, 28/249).
MEMCRAWLER
We present a tool which analyzes the memory of an executing system to identify data structures through the use of semantic constraints. The direct analysis of a system's memory allows us to reveal important information about the state of the system which may not be available through normal means of evaluation. Our prototype tool, MemCrawler, is focused on analysis of a Linux kernel running in a virtual machine; however, these techniques should be equally applicable to other systems.
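As an added illustration of constraint-based structure identification (example code written for this page, not MemCrawler's own), the scanner below walks a constructed memory image, keeps every aligned offset whose fields satisfy per-field semantic constraints, and then applies a cross-record constraint (the next pointer must land on another candidate) to discard a decoy. The 32-byte record layout, the load address BASE and the state encoding are assumptions made for the example.

```python
import struct

# Constructed record layout assumed for this example (not MemCrawler's real target):
# u32 pid, u32 state, u64 next (virtual address of the next record), 16-byte
# NUL-padded name. Little-endian, 32 bytes per record.
REC = struct.Struct("<IIQ16s")
BASE = 0x1000                 # assumed virtual address of image[0]
VALID_STATES = {0, 1, 2, 4}   # assumed encoding of the state field
MAX_PID = 32768

def field_constraints(rec, image_len):
    """Per-field semantic constraints that a genuine record must satisfy."""
    pid, state, nxt, raw_name = rec
    name = raw_name.split(b"\0", 1)[0]
    return (pid <= MAX_PID
            and state in VALID_STATES
            and BASE <= nxt < BASE + image_len and (nxt - BASE) % 8 == 0
            and 0 < len(name) and all(0x20 <= c < 0x7f for c in name))

def scan(image, align=8):
    """Pass 1: every aligned offset whose bytes satisfy the field constraints."""
    cands = {}
    for off in range(0, len(image) - REC.size + 1, align):
        rec = REC.unpack_from(image, off)
        if field_constraints(rec, len(image)):
            cands[BASE + off] = rec
    return cands

def link_constraint(cands):
    """Pass 2: cross-record constraint; 'next' must point at another candidate."""
    return {addr: rec for addr, rec in cands.items() if rec[2] in cands}

def identify(image):
    """Return sorted (address, pid, name) for records surviving both passes."""
    survivors = link_constraint(scan(image))
    return sorted((a, r[0], r[3].split(b"\0", 1)[0].decode())
                  for a, r in survivors.items())

def build_image():
    """Constructed 256-byte image: three records in a circular list plus a decoy."""
    img = bytearray(b"\xa5" * 256)      # filler; its pid field exceeds MAX_PID
    tasks = [(0x10, 1, 0, 0x40, b"init"), (0x40, 812, 1, 0x80, b"sshd"),
             (0x80, 2017, 2, 0x10, b"bash"),
             (0xC0, 7, 1, 0x00, b"fake")]  # decoy: plausible fields, dead link
    for off, pid, state, nxt_off, name in tasks:
        REC.pack_into(img, off, pid, state, BASE + nxt_off, name)
    return bytes(img)

if __name__ == "__main__":
    for addr, pid, name in identify(build_image()):
        print(f"{addr:#x} pid={pid} name={name}")
```

Pass 1 accepts the decoy at 0x10c0 because each of its fields is individually plausible; only the linked-list constraint in pass 2 removes it.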