Runtime Detection Of Userspace Implants

J. Aaron Pendergrass∗, Nathan Hull∗, John Clemens∗, Sarah C. Helble∗,
Mark Thober∗, Kathleen McGill∗, Machon Gregory†, Peter Loscocco†
∗ Johns Hopkins University Applied Physics Laboratory
† National Security Agency

Abstract—Userspace integrity is a necessary and often-overlooked component of overall system integrity. We present the concept of userspace integrity measurement to validate the state of the system against a set of carefully chosen invariants based on the expected behavior of userspace and key behaviors of advanced malware. Userspace integrity measurement may be combined with existing filesystem and kernel integrity measurement approaches to both provide stronger guarantees that a platform is executing the expected software and that the software is in an expected state. We also introduce the Userspace Integrity Measurement (USIM) Toolkit, a preliminary set of integrity measurement tools to detect advanced malware threats, such as memory-only implants, that evade traditional defenses.

I. INTRODUCTION

Modern malware relies on subtle subversions of the runtime environment of userspace processes to maintain an adversary's foothold on victim systems. These implants elude most traditional detection mechanisms while providing a range of features such as execution of arbitrary programs, bulk data transfers, victim monitoring, network discovery, persistent storage, proxied communications, and command and control. In particular, memory-only implants are able to avoid many popular defensive technologies based on filesystem scanning. Userspace integrity measurement is based on a principled evaluation of the userspace abstractions provided by an operating system and the violations of these abstractions that allow implants to operate outside the visibility of traditional system monitoring tools. The primary contributions of this paper are the introduction of userspace integrity measurement to fill this gap in malware defense, and an initial, proof-of-concept USIM Toolkit implementation with a demonstrated ability to detect core techniques of advanced implants.

Motivation: Memory-only implants are active in the wild and often undetected [5]. They are referred to by many names: advanced volatile threat [40], fileless, living off the land [41], malware-free, memory-only, and non-malware. A notable example of such an attack is Evanescent Bat [39], where the adversary injected a highly-sophisticated memory-only implant into the Procedure Linkage Table (PLT) of running processes on several Linux servers. The intrusion remained undetected until the adversary mistakenly revealed their presence.

Approach: Userspace integrity measurement and appraisal is the process of collecting evidence of the current state of the basic abstractions provided by an operating system, and evaluating this evidence for violations of invariants that indicate deviations from expected runtime behavior. The primary abstractions we consider are namespaces, filesystems, networking and inter-process communication channels, environment variables, virtual memory management, and runtime linker/loaders. Implants take advantage of subtle divergences between application developers' understandings of these abstractions and the actual behavior of the operating system. These divergences may be caused by errors in the operating system implementation, ambiguities in the specification, or misunderstandings by the application developers. We assert that these implant behaviors create observable effects in the point-in-time state of an infected system that are unlikely to be caused by benign software.

This paper introduces userspace measurement as a necessary component of full system integrity. Section II defines userspace and what to include as part of userspace integrity measurement. Section III describes the adversary model. Section IV describes a range of known implant techniques and how they impact userspace. Section V describes the specific measurement and appraisal capabilities currently implemented in the USIM Toolkit. Section VI briefly discusses the effectiveness and performance impact of the toolkit. Section VII considers our approach in the context of existing work combating malware. Section IX summarizes our findings and discusses areas for future research.

II. WHAT IS USERSPACE

Userspace refers to those aspects of a computer system that are built using abstractions provided by an operating system's kernel. The exact features and mechanisms of userspace may vary from system to system. From an attacker's perspective, userspace provides a rich set of opportunities to cause the system to diverge from correct operation without requiring direct modification of the kernel. Examples of these userspace abstractions include:
• Inter-process communication mechanisms including network state, shared memory regions, files opened by processes, and pipes
• The complete state of the file system including all subtrees, executable images, system libraries, data files, and program configurations
• Configuration data needed for system administration, including user accounts and application-specific configuration semantics such as a webserver's configuration file
• The set of configured devices and how they are exposed
• Policies used for access control, network management, boot-time process execution, or other system services

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 25,2023 at 07:04:02 UTC from IEEE Xplore. Restrictions apply
• The state of kernel-level data reflecting the current configuration of the system such as date and time information, process privileges, memory maps, and namespaces

Gathering all these components quickly becomes intractable; therefore we explicitly choose to include certain properties and exclude others. Our userspace measurement follows these criteria:
• Include: Well-formedness conditions that apply to all processes
• Include: Relationships between executing processes
• Include: Values of kernel-level data structures that directly govern processes' interaction with system resources
• Include: Cryptographic hashes of critical system files that must maintain bit-for-bit equality with a trusted baseline for correct system operation, including system executables, shared libraries, and configuration files
• Exclude: Well-formedness of kernel-level data structures
• Exclude: Application-specific semantics that are best verified by application-specific measurements

For example, we include measurements of the PLTs of running processes as part of userspace integrity measurement, but exclude the content of data structures within a process's runtime heap. The correctness of the PLT is core to what it means to be a well-formed process, while the semantics of the data held inside the process heap is application-specific and excluded from our measurement. Similarly, data maintained by the kernel that define the privileges of processes, such as the user id associated with each process, should be included in userspace measurement, but the details of how these data are stored in the kernel should not.

This model for userspace integrity supports detecting the advanced malware threats described in Section I, but does not present the technical and administrative challenges of representing the allowable internal states of all programs on a system. While this work focuses solely on userspace measurements, excluded properties can be verified by application-specific and kernel-specific measurements respectively, which may be bundled together with userspace measurements for a more complete measurement.

III. ADVERSARY MODEL

Userspace measurement alone targets an adversary that is able to arbitrarily modify the memory of any normal system process but is unable to modify the USIM Toolkit or its trusted computing base, including the operating system kernel, without detection. We expect userspace measurement to be combined with careful composition of other measurement evidence [18], [21], such as application introspection, static measurement [7], [15], [23], and kernel measurement [14], to provide robust protection against more sophisticated adversaries.

IV. IMPLANT TECHNIQUES

Adversaries produce implants to achieve stealthy execution on a victim system. Rutkowska's taxonomy [22] provides a way to categorize these techniques as types 0, I, and II.

Type 0 techniques rely on "hiding in plain sight" to evade detection. They use system interfaces in a standard way to nefarious ends and succeed when users and administrators fail to carefully examine the primary state of the system. Such techniques include replacing system binaries with malicious binaries, file infections, and other file modifications. These techniques have been well studied [2] and may be detected by file integrity checkers or other security and system auditing tools, including antivirus software (see Section VII).

Type I and Type II techniques use system interfaces in unusual ways to evade detection. These techniques go undetected without deeper examination of the primary state of the system. While it is impossible to anticipate all conceivable techniques in this category, we identified several common methods implants use to achieve execution:
• Process Text Segment Modification
• Global Offset Table/Procedure Linkage Table Hooking
• Shared Object Injection
• Thread Injection
• Namespace Manipulation
• File Descriptor Passing

These cover a core set of userspace effects that userspace measurement needs to categorize as benign or malicious. The first three are common userland rootkit techniques that co-opt existing processes [36] to achieve execution. Thread injection is related to the previous techniques and has a distinct effect on userspace. Namespace manipulation is becoming increasingly relevant as containers become more common [8]. File descriptor passing is a long-standing feature of UNIX domain sockets that may enable an implant to acquire or transfer privileged resource access. Our understanding of these techniques directly informs the prioritization of measurements included in the initial implementation of the USIM Toolkit.

A. Process Text Segment Modification

Text segment modification is one of the simplest approaches that an implant can take to maintaining execution within a legitimate process. For most programs, executable code is mapped directly into the process memory space from the ".text" sections of the program binary and supporting shared libraries. Modifying executable code in memory gives the implant all the permissions of the host process, allows the implant to intercept communications intended for the host process, and evades some basic detection approaches by not creating new executable memory regions.

By default most programs' load segments are marked as executable/non-writeable. Many implants overcome this limitation by employing a code-reuse attack, such as Return-oriented Programming (ROP) [26], to remap part of the text segment then inject and jump to the implant payload. This approach is observable, even after the fact, because it modifies memory pages that should be identical to the on-disk representation in the program binary. Given the on-disk binaries of the program and all of its shared object dependencies, a simple comparison with process memory reveals any modifications [36].
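The comparison just described, as an added example that is not part of the paper or of the USIM Toolkit: the code parses /proc/<pid>/maps-format lines and checks every read-only executable, file-backed mapping against the bytes at the same offset of its backing file (the check appears as rule 5 in Section V). The process-memory and file readers are injected so the example runs offline; the binary contents, the path /usr/bin/demo, the inode and the addresses are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]".
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>\S.*))?$")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int
    inode: int
    path: Optional[str]

    @property
    def file_backed(self) -> bool:
        # Anonymous mappings carry inode 0; "[stack]", "[vdso]" etc. are pseudo-paths.
        return self.inode != 0 and self.path is not None and not self.path.startswith("[")


def parse_maps(text: str) -> List[Mapping]:
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"],
                                int(m["offset"], 16), int(m["inode"]), m["path"]))
    return mappings


ReadMem = Callable[[int, int], bytes]        # (virtual address, length) -> bytes
ReadFile = Callable[[str, int, int], bytes]  # (path, file offset, length) -> bytes


def check_text_segments(maps: List[Mapping], read_mem: ReadMem,
                        read_file: ReadFile) -> List[str]:
    """Every read-only executable, file-backed mapping must hash to the same
    value as the corresponding range of its on-disk file. Returns one finding
    per mismatch; an empty list means no modification was observed. Binaries
    that legitimately use text relocations (DT_TEXTREL) would need the
    relocations applied to the on-disk copy before comparing."""
    findings = []
    for mp in maps:
        if not mp.file_backed or mp.perms[:3] != "r-x":
            continue
        length = mp.end - mp.start
        in_memory = read_mem(mp.start, length)
        # A mapping may extend past the end of the file; the kernel zero-fills that tail.
        on_disk = read_file(mp.path, mp.offset, length).ljust(length, b"\0")
        if hashlib.sha256(in_memory).digest() != hashlib.sha256(on_disk).digest():
            findings.append(f"{mp.path} mapped at {mp.start:#x} (file offset "
                            f"{mp.offset:#x}) differs from its on-disk image")
    return findings


# Constructed sample: a fake 12 KiB binary and a maps listing for a process that
# mapped it. Path, inode and addresses are hypothetical, not from a real system.
FAKE_BINARY = bytes((i * 7 + 3) & 0xFF for i in range(0x3000))
SAMPLE_MAPS = """\
555555554000-555555555000 r--p 00000000 08:01 1234 /usr/bin/demo
555555555000-555555556000 r-xp 00001000 08:01 1234 /usr/bin/demo
555555556000-555555557000 r--p 00002000 08:01 1234 /usr/bin/demo
7ffff7fc0000-7ffff7fc1000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""


def appraise_demo(tampered: bool) -> List[str]:
    """Build a simulated process image from the sample, optionally overwrite one
    byte of its text segment in memory only, and run the check."""
    files: Dict[str, bytes] = {"/usr/bin/demo": FAKE_BINARY}
    maps = parse_maps(SAMPLE_MAPS)
    memory: Dict[int, bytearray] = {}
    for mp in maps:
        length = mp.end - mp.start
        data = files[mp.path][mp.offset:mp.offset + length] if mp.file_backed else b""
        memory[mp.start] = bytearray(data.ljust(length, b"\0"))
    if tampered:
        memory[0x555555555000][0] ^= 0xFF  # one-byte in-place patch of the text page

    def read_mem(addr: int, length: int) -> bytes:
        return bytes(memory[addr][:length])

    def read_file(path: str, offset: int, length: int) -> bytes:
        return files[path][offset:offset + length]

    return check_text_segments(maps, read_mem, read_file)
```

On a live Linux host the two readers would be backed by /proc/<pid>/mem and the mapping's path; the parser and the comparison stay the same.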

B. GOT/PLT Hooking

The Global Offset Table (GOT) and Procedure Linkage Table (PLT) are structures created by the runtime linker/loader that can be manipulated by malware to provide execution in a victim process without modifying the text segment. Both the PLT and the GOT support dynamic library linking and position independent code (PIC) [33]. The GOT holds the runtime addresses of global data and functions that may not be known at compile time. The PLT holds executable code used to make external function calls via the GOT. Depending on how the program is linked, the GOT will be populated with the correct function addresses either at program load time or on the first invocation of each function. Implants with the ability to modify a process's GOT or PLT can easily redirect all invocations of a shared library function to trigger a function in an executable region controlled by the attacker.

These techniques are more difficult to detect than direct modifications to a process's text section because the PLT and GOT values may be unique per execution of a program. On x86, detecting a PLT hook is equivalent to detecting a text segment modification [33]. The GOT contents are predictable given the base load addresses of the process's segments. A procedure for detecting some GOT overwrites has already been established for memory forensics [36].

C. Shared Object Injection

Programs that support a plugin API often include the ability to load arbitrary shared object files to extend their built-in functionality. Pre-loading implants are a common special case of shared object injection. The runtime linker/loader supports specification of extra shared libraries that should be mapped into every process based on the LD_PRELOAD environment variable or the contents of /etc/ld.so.preload. This can be directly exploited by implant authors to introduce malicious functionality into a process. Shared object injection is not strictly memory-only; it generally requires creation of a file in the filesystem. Thus, implants based on shared object injection may be detected by hashing the images of files as they are mapped (see Section VII), or by simply validating the set of files mapped by each process.

D. Thread Injection

Given the ability to run arbitrary code in a process, it is trivial for an attacker to spawn a new thread via the clone() system call. This provides stealthy execution and gives the implant ongoing access to the victim process's resources. A maliciously injected thread of this nature is difficult to detect because multi-threaded programs are common and threads do not carry state explaining their genesis. However, the thread or the code used to spawn the thread may reside in a memory region with suspicious permissions.

E. Namespace Manipulation

Namespaces provide isolation between processes with respect to a global system resource. If two processes are in different namespaces, they are invisible to each other with respect to the associated resource. This feature is commonly used as a form of lightweight virtualization called containers [27]. An adversary can achieve stealthy execution by running an implant in different namespaces from the rest of the system, as with Horse Pill [32].

A namespace is identified by its type and inode number. These inode numbers begin at hard-coded default values that are distinct for each namespace type. If the init process has a non-default namespace inode number, then there may be processes operating in different namespaces than expected.

F. File Descriptor Passing

File descriptors may be passed between processes using UNIX domain sockets via ancillary data [29]. As such, an attacker can inject into a process and send file descriptors to other processes, bypassing access controls on any kernel abstraction with a file interface, including sockets.

As with thread injection, there is nothing inherent to file descriptors that could indicate malicious origins, but peripheral artifacts may enable detection. A process should not have file descriptors for objects unless the process meets the access requirements for those objects. Any deviation from this expectation is suspect. For example, if a file has attributes indicating only the root user can access it, we do not expect a non-root process to possess a file descriptor for that file. Similarly, we do not expect a process without superuser privileges to have a TCP or UDP socket bound to a well-known port. Additionally, the code that passed the file descriptor may reside in a suspicious memory mapping in either the sending or receiving process.

V. IMPLEMENTATION

We built a proof-of-concept implementation of userspace integrity measurement called the USIM Toolkit. The toolkit consists of two components: a collection agent which gathers point-in-time information on both global and per-process system state, and an appraiser which evaluates the collected state and provides an integrity assessment. The collection agent collects:
• System information: operating system, architecture, network name, and software inventory
• Hashes of various important files on the system
• Meta-data for each process on the system
• Memory mappings, including permissions, addresses, and backing files and offsets for root-owned processes
• Namespaces in use on the system, and a map of which processes belong to which namespace
• The number, type, and owning process of each open file descriptor in all root-owned processes
• Per-process relocations (i.e. GOT/PLT entries) for each root-owned process
• Hashes of each executable memory segment currently mapped in a root-owned process

The choice to focus on root-owned processes is intended to limit the performance impact of the USIM Toolkit while providing adequate detection capabilities. This is a configuration

option that can be trivially changed to include measurement of all or an expanded subset of processes. The USIM Toolkit is designed to be extensible; we expect to incorporate additional tools for measuring new aspects of system state.

The collected information is gathered into a single graph-based data structure that captures the complex relationship between the individual data. A graph also allows for multiple collection agents to collect different sets of data in parallel, optionally with different permissions. The collection agent then bundles this "measurement graph" into a portable format for evaluation. An example subgraph showing memory-mapped regions of a process is shown in Figure 1.

[Figure 1 is not reproduced here.]
Fig. 1. Example measurement graph subgraph showing the relationship between processes, process memory mappings, file memory mappings, and files. Shaded nodes can be used by multiple processes, while unshaded ones are unique to each process.

The appraiser evaluates the measurement graph to appraise the integrity of userspace based on a set of rules in a policy defined by an administrator. The number and complexity of these rules is limited only by the resources and data available to appraise. For this evaluation, our implementation defines the following set of rules:
1) Only a defined subset of programs can have memory mappings that are both writable and executable (a whitelist).
2) Only a defined subset of programs can arbitrarily have file-backed executable memory mappings that do not map to a direct or transitive dependency of the binary.
3) Only a defined subset of programs can have anonymous executable memory mappings.
4) The original executable for a process must be in the file-backed mappings for the process.
5) Read-only executable memory mappings for processes should hash to the same values as the respective sections of the associated on-disk files.
6) The init process that is the ultimate parent of all other processes should be in the default PID namespace.
7) Resolved GOT entries should not change (e.g., the resolved address of printf should not change across snapshots once it has been resolved).
8) A socket in use by one process should not later be used in a different, non-child process.

The USIM appraiser determines whether the collected data conforms to the defined policy and alerts the administrator with the result. Separating the collection component from the appraisal piece achieves two goals: 1) adherence to the principle of least privilege: while the collection agent(s) may require elevated privileges to collect data, the evaluation component often does not; and 2) flexibility: the two components can be executed on separate machines, and additional appraisal constraints can easily be added to more tightly confine the allowable states of the measured platform. Indeed, it is envisioned that in most scenarios the USIM evaluator component will be run on a remote appraisal server, with only the collection agent running on the client.

We implemented both components of the USIM Toolkit using C99 with minimal external library dependencies. The collection agent is implemented as a collection of separate programs that are executed by a central control process. This allows each program to be run with a minimal set of privileges. The USIM Toolkit targets the GNU/Linux operating system, but can be retargeted to other operating systems by porting the relevant collection subprograms. More details about the internal workings of our prototype are available in our technical report [19].

VI. EVALUATION

We evaluated a proof-of-concept version of the USIM Toolkit both for its ability to detect common implant techniques described in Section IV, and recorded the impact of these measurements on the system. The full details of this evaluation are available in [19]. We used existing proof-of-concept malware when possible; otherwise we implemented custom implants from well-known literature. The results are summarized in Table I. Our prototype detected each technique.

TABLE I
SUMMARY OF EFFECTIVENESS AGAINST EACH CLASS OF IMPLANTS

Implant Class            Example Implant               Rules Triggered
Text Segment Mod         Userland Exec [9]             1, 4, 5
GOT/PLT Hooking          custom                        7
Shared Object Injection  custom & HiddenWasp [24]      2
Thread Injection         PureLinuxThreads [38]         1, 3, 4
Namespace Manipulation   Horse Pill [13]               6
FD Passing               custom                        8

We also evaluated the USIM Toolkit against a recently discovered and active Linux rootkit dubbed "Hidden Wasp" [24]. Hidden Wasp uses the Shared Object Injection technique described in Section IV-C to achieve execution. The USIM Toolkit successfully detects the newly mapped shared library.

Impact on the system from our early, non-optimized prototype ranged from negligible to 20%, depending on the

benchmark being run. Measurement evidence graphs ranged from 13 to 30 megabytes in size, and contained between 6000 (when idle) and 14800 (under load) nodes. These early results show the technique is effective, but our implementation needs to be optimized to lessen its impact on the system being measured.

VII. RELATED WORK

Userspace measurement is related to many previous efforts in computer defense research. Defensive strategies include active mitigations, runtime integrity measurement, hardware-based trust mechanisms, and traditional antivirus and enterprise client management tools.

Active Mitigations: Many defensive measures, such as W ⊕ X [6] and Address Space Layout Randomization (ASLR) [17], introduce challenges to initial exploitation, but these techniques are ineffective against adversary techniques such as memory disclosures [30], information side-channels [25], and return-oriented programming [3], [26]. Operating system controls such as access-control based sandboxing [28], [35] and code signing attempt to mitigate implants by limiting what executables can be run from different security contexts, but various attacks have shown that these too can be circumvented [4], [12], [37].

Static/Dynamic Integrity Measurement Agents: Integrity measurement tools detect implants by attesting to the integrity of a system. Implants often intentionally have lasting effects on a victim platform, such as providing a command and control channel for the adversary.

Linux Kernel Integrity Measurement (LKIM) [14] and Semantic Integrity [20] are dynamic measurement techniques that can measure kernel data structures at any time during a platform's execution. Like userspace measurement, these tools work by inspecting their target's runtime state to identify violations of key invariants that may indicate compromise. Unlike the USIM Toolkit, these tools focus on implants that operate by modifying data structures in the kernel's memory space. Combining these kernel integrity measurement solutions with userspace integrity measurement can significantly reduce the opportunities for an implant to hide in a modern system.

Static measurement tools, such as Linux's Integrity Measurement Architecture (IMA) [23] and Cb Protection [1], guarantee integrity by taking a cryptographic hash of files at load time. Static measurement is of limited utility outside of embedded, single-purpose environments where a whitelist is tractable, and is ineffective against memory-only implants which do not use the filesystem. Userspace measurement complements these approaches by extending integrity to other key aspects of the userspace runtime environment such as environment variables, interprocess communication channels, and runtime linker-loader behavior.

Antivirus: Antivirus tools take the opposite approach from integrity measurement. While integrity measurement attempts to enforce a set of invariants to which any well-behaved system should conform, antivirus tools define specific static or behavioral signatures that only malicious software should exhibit. The specific techniques used by antivirus products are proprietary, but are based on fingerprinting files and monitoring runtime process behavior such as system call tracing [11], [31]. Fingerprinting has been shown to be ineffective, as implant authors are able to quickly adapt and deploy variants with previously unknown signatures [16], [42].

Enterprise defense frameworks have similar goals to traditional antivirus tools, but at a larger scale. These include Trusted Network Connect (TNC) [34] and SAMSON [10]. Similar to the limitations with antivirus tools, these frameworks have a narrow focus and would generally not detect the attacks evaluated in this paper. Recent enterprise defense products are incorporating integrity measurement-like functionality. Forcepoint Linux Security has had success in detecting Horse Pill [32]. However, it remains to be seen how effective these systems are against the breadth of techniques userspace measurement targets.

VIII. FUTURE WORK

Our concept of userspace integrity includes measurements of process environments, runtime structures, and access to OS resources. It is unlikely that these measurements are comprehensive; continued study of userspace invariants and how they are violated by advanced malware remains an important area of research.

Performance evaluation of our prototype showed a significant performance impact. Work continues to streamline the prototype, reduce the data collected for the measurements, and add caches and local checks to minimize the data transmitted to the remote appraiser.

Userspace measurement is only one part of producing a comprehensive integrity measurement of a modern platform. Prior work largely focuses on kernel-level measurements. Future work may introduce strategies for measurements of individual security-critical applications and measurement of lower-level components such as hypervisors. To fully benefit from these components, significant additional work is needed to understand how measurements can be combined to ensure that the correct appraisal of a lower-level measurement justifies trust in higher-level measurements.

IX. CONCLUSION

This paper defines userspace integrity measurement and discusses how it can detect advanced malware threats not addressed by existing methods. We also show that our existing USIM Toolkit prototype is capable of detecting a variety of sophisticated implant techniques. Although work is needed to improve the toolkit's completeness and performance, it is a general mechanism to detect a broad class of integrity violations with myriad security implications. Because userspace measurement is based on invariants of well-behaved systems, it is part of a workable integrity strategy that requires no preknowledge of specific attacks. By combining userspace measurement with other integrity verification techniques, trust could be extended from a root of trust through the application level to form a comprehensive verification solution.
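As an added worked example of appraisal rules 6 and 8 from Section V (not the USIM Toolkit's own code): rule 6 is checked against the link targets of /proc/1/ns/* using the Linux kernel's initial namespace inode constants, and rule 8 against two process snapshots of parent pids and open socket inodes, which is the kind of artifact that file descriptor passing (Section IV-F) leaves behind. The constants are assumed from the kernel's include/linux/proc_ns.h; the pids, inodes and snapshots are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Initial (default) namespace inode numbers for the namespace types the Linux
# kernel numbers statically (assumption: taken from include/linux/proc_ns.h;
# verify against the kernel in use). mnt and net namespaces receive dynamically
# allocated inodes, so for those a recorded baseline replaces the constant.
INIT_NS_INODES = {
    "ipc": 0xEFFFFFFF, "uts": 0xEFFFFFFE, "user": 0xEFFFFFFD,
    "pid": 0xEFFFFFFC, "cgroup": 0xEFFFFFFB, "time": 0xEFFFFFFA,
}
NS_LINK_RE = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> Tuple[str, int]:
    """Parse a /proc/<pid>/ns/<type> symlink target such as 'pid:[4026531836]'."""
    m = NS_LINK_RE.match(target)
    if m is None:
        raise ValueError(f"not a namespace link target: {target!r}")
    return m["type"], int(m["inode"])


def check_init_namespaces(init_ns_links: List[str]) -> List[str]:
    """Rule 6: init (pid 1) must live in the default namespaces. Returns one
    finding per namespace whose inode is not the kernel's initial value."""
    findings = []
    for target in init_ns_links:
        ns_type, inode = parse_ns_link(target)
        expected = INIT_NS_INODES.get(ns_type)
        if expected is not None and inode != expected:
            findings.append(f"init is in non-default {ns_type} namespace "
                            f"{inode} (expected {expected})")
    return findings


@dataclass
class Proc:
    ppid: int
    sockets: Set[int]   # inode numbers of socket descriptors the process holds


Snapshot = Dict[int, Proc]  # pid -> Proc, as collected at one point in time


def is_descendant(snapshot: Snapshot, pid: int, ancestor: int) -> bool:
    """Walk the ppid chain of `pid` in `snapshot`; guard against cycles."""
    seen = set()
    while pid in snapshot and pid not in seen:
        seen.add(pid)
        pid = snapshot[pid].ppid
        if pid == ancestor:
            return True
    return False


def check_socket_reuse(earlier: Snapshot, later: Snapshot) -> List[str]:
    """Rule 8: a socket inode held by one process must not later be held by a
    different process that is not a child of the original owner. Sharing with
    children (inherited across fork/clone) is benign. Pid reuse between
    snapshots is not handled here; a deployment would key on process start time."""
    owners_before: Dict[int, Set[int]] = {}
    for pid, proc in earlier.items():
        for ino in proc.sockets:
            owners_before.setdefault(ino, set()).add(pid)
    findings = []
    for pid, proc in later.items():
        for ino in sorted(proc.sockets):
            prior = owners_before.get(ino, set())
            if not prior or pid in prior:
                continue
            if any(is_descendant(later, pid, p) for p in prior):
                continue
            findings.append(f"socket inode {ino} moved from pid(s) "
                            f"{sorted(prior)} to unrelated pid {pid}")
    return findings


# Constructed samples. Inodes 4026531839 etc. are the decimal forms of the
# constants above; 4026532201 is a made-up non-default pid namespace.
INIT_NS_DEFAULT = ["ipc:[4026531839]", "uts:[4026531838]",
                   "user:[4026531837]", "pid:[4026531836]"]
INIT_NS_HIDDEN = ["ipc:[4026531839]", "pid:[4026532201]"]

SNAPSHOT_T0: Snapshot = {
    1: Proc(ppid=0, sockets=set()),
    400: Proc(ppid=1, sockets={30001}),      # a service holding a listening socket
    401: Proc(ppid=400, sockets={30001}),    # its forked worker, sharing the socket
    900: Proc(ppid=1, sockets=set()),        # an unrelated process
}
SNAPSHOT_T1: Snapshot = {
    1: Proc(ppid=0, sockets=set()),
    400: Proc(ppid=1, sockets={30001}),
    401: Proc(ppid=400, sockets={30001}),
    402: Proc(ppid=400, sockets={30001}),    # new worker: child of 400, benign
    900: Proc(ppid=1, sockets={30001}),      # unrelated process now holds it: finding
}
```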


