The goal of this dissertation is to answer the question: can side channel information from a multi-core CPU be used to detect the presence of malware on the system? What follows is a summary of the research presented.
The logical first step when this research began was to identify how to collect side channel information. Two different methods were considered, both of which are explained in detail in the following sections: (1) use the same approach as the cache timing attacks that have been used to break implementations of encryption algorithms on multi-core CPUs; (2) leverage the CPU's built-in debugging facilities, the performance monitor counters (PMCs).
Suppose a dual-core CPU (a CPU with two processing cores) is used. Both methods allow code executing on one core to ascertain information about what the other core is executing. Specifically, one can (1) identify which portions of the CPU's cache were used by the code executing on the first core, or (2) program a counter to record one of the supported events, such as the total number of cache misses, instruction fetches, or instructions retired. The counter can then be read at any time and can record events from any processing core.
Both methods provide a means to acquire side channel information, that is, information gained by observing the physical implementation of a system rather than by directly analyzing the implementation itself. As discussed in the following sections, the second method was chosen because it proved to be the more reliable approach.
Using this approach, a tool called the Collection Utility (CU) was devised that records this side channel information. The CU sets up the first core of a multi-core CPU to run an OS API function that is potentially hooked by malware, while the second core records the CPU's pre-programmed performance monitor counters. Example results are shown in Figure 1, which compares the side channel information of the "FindFirstFile" OS API function before and after it has been hooked by the Vanquish rootkit. As shown, there is a discernible difference between the two: the side channel information changes when malware is present, so one can conclude that when a change is detected, malware might be present.
The CU exploits this difference to detect the presence of malware. To accomplish this, the side channel information from specific OS API functions was recorded to create data sets, like the data shown in the left graphic of Figure 1. This data represents the "clean" state of the system and was used to train a classifier for anomaly detection. After this provisioning stage, side channel information was recorded periodically and compared, using the previously trained classifier, to the known "clean" state to identify whether the side channel information had changed. If a change is detected, it is assumed that malware has been installed.
The approach summarized above raises some interesting questions: (a) What is the best method for collecting side channel information? (b) What is the best classifier to use for detection? (c) How effective is this approach, and what are its possible use cases?
This dissertation answers these questions and provides the background information needed to fully understand and duplicate the results. To this end, the overall approach to detecting malware is as follows: (a) use the Collection Utility to record side channel information and save the results into a data set (it is important to understand that the tool itself is not the focus of the research, but rather how it was constructed); (b) apply appropriate pre-processing to the data set; (c) extract features from the data set; (d) use the extracted features as input to a classifier for detection.
This approach was used to train a classifier so that it accurately models the initial "clean" state of the system; the "clean" data was acquired when the system was in a known good state. The CU is then executed periodically during the lifecycle of the system, and the subsequent results are compared against the known "clean" state to determine whether malware has been installed.
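As an added illustration of the four steps above (collect, pre-process, extract features, classify), the following Python models the pipeline on constructed counter readings. It is example code written for this summary, not the dissertation's Collection Utility or its classifier: the counter names, the "clean" and "hooked" profiles, the median-based outlier rule, and the z-score threshold are all assumptions chosen for the example. The only point it takes from the text is the structure: a one-class model is fitted to clean readings, and a later batch is flagged when it no longer fits that model.

```python
# Added example: toy model of the collect / pre-process / extract / classify
# pipeline. All counter values below are constructed, not measured data.
import statistics

COUNTERS = ("instructions_retired", "cache_misses", "instruction_fetches")

# Constructed "clean" profile of one OS API call (typical count per call) and
# the run-to-run noise (one sigma) from interrupts, scheduling and cache state.
CLEAN_MEAN = {"instructions_retired": 12000.0, "cache_misses": 150.0, "instruction_fetches": 3000.0}
NOISE = {"instructions_retired": 200.0, "cache_misses": 15.0, "instruction_fetches": 60.0}
# Constructed "hooked" profile: a hook runs its own code before the original
# function, so every counter grows. These numbers are assumptions.
HOOKED_MEAN = {"instructions_retired": 16500.0, "cache_misses": 220.0, "instruction_fetches": 4100.0}

# Deterministic jitter pattern (in units of sigma) so the example is reproducible.
JITTER = (-1.2, -0.6, 0.0, 0.4, 0.9, 1.5, -0.3, 0.7, -1.4, 0.2, 1.1, -0.8)


def collect(profile, runs, offset=0):
    """Stand-in for the collection step: one dict of counter values per run."""
    return [{c: profile[c] + NOISE[c] * JITTER[(i + offset) % len(JITTER)] for c in COUNTERS}
            for i in range(runs)]


def preprocess(runs, tolerance=0.5):
    """Pre-processing: drop runs where any counter is more than `tolerance`
    (relative) away from the batch median, e.g. a run that was preempted."""
    med = {c: statistics.median(r[c] for r in runs) for c in COUNTERS}
    return [r for r in runs
            if all(abs(r[c] - med[c]) <= tolerance * med[c] for c in COUNTERS)]


def features(run):
    """Feature extraction: raw counters plus cache misses per thousand instructions."""
    return {**run, "misses_per_kinst": 1000.0 * run["cache_misses"] / run["instructions_retired"]}


class ZScoreAnomalyDetector:
    """One-class model of the clean state: per-feature mean and sigma. A run is
    anomalous if any feature lies more than `threshold` sigmas from the clean mean."""

    def __init__(self, threshold=4.0):
        self.threshold = threshold
        self.mean, self.sigma = {}, {}

    def fit(self, clean_runs):
        vecs = [features(r) for r in clean_runs]
        for f in vecs[0]:
            col = [v[f] for v in vecs]
            self.mean[f] = statistics.fmean(col)
            self.sigma[f] = statistics.pstdev(col) or 1e-9  # guard constant features
        return self

    def score(self, run):
        """Largest absolute z-score over the features, and the feature producing it."""
        z = {f: abs(v - self.mean[f]) / self.sigma[f] for f, v in features(run).items()}
        worst = max(z, key=z.get)
        return z[worst], worst

    def is_anomalous(self, run):
        return self.score(run)[0] > self.threshold


def detect(detector, batch):
    """Periodic check: report malware if most runs in the batch no longer fit the clean model."""
    runs = preprocess(batch)
    flagged = sum(detector.is_anomalous(r) for r in runs)
    return flagged > len(runs) / 2


def run_demo():
    """Provisioning on clean data (with one preempted outlier run), then two periodic checks."""
    clean_train = collect(CLEAN_MEAN, 36)
    clean_train.append({"instructions_retired": 120000.0, "cache_misses": 150.0,
                        "instruction_fetches": 3000.0})  # constructed outlier run
    kept = preprocess(clean_train)
    detector = ZScoreAnomalyDetector().fit(kept)
    later_clean = detect(detector, collect(CLEAN_MEAN, 12, offset=5))
    later_hooked = detect(detector, collect(HOOKED_MEAN, 12))
    _, worst_feature = detector.score(collect(HOOKED_MEAN, 1)[0])
    return {"dropped_outliers": len(clean_train) - len(kept),
            "clean_flagged": later_clean,
            "hooked_flagged": later_hooked,
            "most_deviating_feature": worst_feature}


if __name__ == "__main__":
    print(run_demo())
```

The detector here is deliberately simple (a per-feature sigma rule); the dissertation evaluates which classifier works best, and a real deployment would also have to account for the counters drifting with legitimate software updates, which this toy model does not.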
As will be shown, the CU is capable of detecting all of the rootkits presented, including: (a) OS-level rootkits such as Agony, Vanquish and HackerDefender; (b) VMX rootkits such as VMXCPU; (c) SMM rootkits.
The CU is capable of detecting malware on multiple platforms, including Windows and Linux, and while the system is under heavy use. The CU also works on multiple CPU architectures and is even capable of detecting the location of hidden files.
Committee: Chen, Yu; Madden, Patrick; Zahorian, Stephen
School: State University of New York at Binghamton
School Location: United States -- New York
Source: DAI-B 74/02(E), Dissertation Abstracts International
Keywords: Detection, Information, Malware, Rootkit, Side, Side channels
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved