Scalable High-Assurance Technology for Detecting Compromised Host Computers

J. McDermott, W. Snook, and J. Luo Information Technology Division Rootkits: Th e most common use of deceptive interpreters is in association with a rootkit. After attackers gain root or administrative access to the system, they can install malicious tools including backdoors, sniff ers, and tools to cover their tracks. Th ese tools will run with root privilege and have the ability to fully control the system. However, backdoors and sniff ers by themselves tend to have large signatures that could be easily detected. What makes rootkits exceptionally dangerous is the incorporation of deceptive interpreters that hide their presence. Deceptive interpretation can fool both automated tools and human system administrators into thinking their systems are safe. Th ey enable a rootkit and its malicious payload to operate for an extended period of time, thus drastically prolonging the system compromise and escalating the damage. Th e constant stream of new security vulnerabilities demonstrates that much of our technology is exploitable and at risk from deceptive interpretation. To inject deceptive interpretation into a military information system, it is only necessary to tamper with one link in the entire chain of computation (Fig. 1); preventing deceptive interpretation requires every link to be made tamper-proof. On the other hand, the eff ort for detecting deceptive interpretation is somewhere in the middle of those two extremes. Successful detection depends on monitoring the link that gets tampered with and recognizing that the tampering has occurred. Th e fundamental consequence of deceptive interpretation is that the host can no longer be trusted to inspect itself. A new technology is needed.