first draft of intro

This commit is contained in:
Arthur 2024-11-24 01:01:30 +01:00
parent f305cb206b
commit 42b1299512
2 changed files with 36 additions and 3 deletions

View file

@ -2,13 +2,20 @@
short={IDS}, short={IDS},
long={Intrusion Detection System} long={Intrusion Detection System}
} }
\DeclareAcronym{hids}{ \DeclareAcronym{hids}{
short={HIDS}, short={HIDS},
long={Host-Based Intrusion Detection System} long={Host-Based Intrusion Detection System}
} }
\DeclareAcronym{os}{ \DeclareAcronym{os}{
short={OS}, short={OS},
long={Operating System} long={Operating System}
} }
\DeclareAcronym{sci}{
short={SCI},
long={Side-Channel Information}
}
\DeclareAcronym{cpu}{
short={CPU},
long={Central Processing Unit}
}
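Review bot: the long form `Side-Channel Information` declared for `sci` is a mass noun, so a first-use expansion will read "Side-Channel Information (SCI)" and any plural call such as `\acp{sci}` will produce "Side-Channel Informations"; the intro hunk already writes "\ac{sci} are compeling", which will expand to exactly that mismatch. Either give the entry an explicit plural form (acro's `long-plural` key, set to an empty ending for this mass noun) or choose a countable long form, and then use `\ac` vs `\acp` consistently in the intro. Same consideration for `cpu`, which the intro uses as "A \ac{cpu} are".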

View file

@ -104,9 +104,35 @@ For the purpose of this study, we do not differentiate between Unix-based OSs an
Of course, many methods have been proposed and implemented to detect or counter process list tampering. Of course, many methods have been proposed and implemented to detect or counter process list tampering.
These methods --- although they leverage different mechanisms --- are all host-based. These methods --- although they leverage different mechanisms --- are all host-based.
This create a circular dependency where the \ac{ids} rely on the host system to provide the very information leveraged to assess its integrity. This create a circular dependency where the \ac{ids} rely on the host system to provide the very information leveraged to assess its integrity.
As rootkis providing process hiding remained a threat since their introduction, it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide adequate protection. In this situation, an attacker that succesfully compromises a machine can employ evasion technics that manipulate the data used for detection.
As rootkis providing process hiding remained a threat since their introduction, it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide complete protection.
% is it a bird? is it a plane? No its the good old power consumption! % is it a bird? is it a plane? No its the good old power consumption!
One possible alternate method for detecting process list manipulation is using a secondary source of information to corroborate the process list.
To avoid bypass, the secondary source must be independent from the \ac{os} and not require its cooperation to enable protection.
However, the source must also provide information correlated with process presence and activity on the machine.
\ac{sci} are compeling as the secondary source.
As involuntary emissions, they are intrisecely independent from the origin system.
No communication is required with the system to access these information.
As physical by-product of the computation, they are hard to forge from an attacker point of view.
A program can somewhat controle its computation intensity but it is difficult to precisely controle the generated emission and impossible to fully supress them.
If the attacker wish to perform any computation on the compromised machine, it will result in some form of physical emission.
The most common \ac{sci} leveraged for attack or defense is energy consumption.
Due to its ease of capture, high reliability, large range of application, and good informative potential about the activity of the system.
Of course, there are drawbacks to using power consumption as a source of information.
First, the raw power consumption of a machine is not an actionable piece of information.
A step of information mining --- for example pattern recognition, anomaly detection, or even a simple thresholding --- is always required to take a decision.
Then, measuring true independent power consumption data require additional hardware.
Although software estimations of power consumption are available, they bear the same issue as other host-based source of information.
Finaly, the power consumption of a mchine only ontains a small subset of all information related to processes activity.
A \ac{cpu} are capable or hundreds to thousands of millions operations per seconds.
Each intruction triggers multiple consumptions patterns acrosses multiple components of the system.
Although --- in theory --- the power consumption is a sum of all these sub-consumptions, the reality of measurement --- in terms of resolution, accuracy, and sampling rate --- make single-instruction measurement unrealistic at a global scale of the \ac{cpu}.
Taking all these limitations into account, the power consumption of a machine --- and more specifically the global power consuption of its \ac{cpu} --- is a valuable complementary source of information.
The correlation between a list of processes and the power consumption can enable the detection of process list tampering, evidence of malware activity.
% Thank you king of sweden. No it was nothing you are welcome. Ok get home safe now. Byeeee. % Thank you king of sweden. No it was nothing you are welcome. Ok get home safe now. Byeeee.
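Review bot: this paragraph carries a large number of spelling errors that will survive into the compiled PDF and should be fixed before the draft is circulated: "rootkis", "countermesures", "technics" (twice), "succesfully", "compeling", "intrisecely", "controle" (twice), "supress", "Finaly", "mchine", "ontains", "intruction", "acrosses", "consuption". There are also agreement errors: "This create a circular dependency where the \ac{ids} rely", "these information", "A \ac{cpu} are capable or hundreds" (should be "of hundreds"), "If the attacker wish". The line "Due to its ease of capture, high reliability, large range of application, and good informative potential about the activity of the system." is a sentence fragment; attach it to the preceding sentence, e.g. "...is energy consumption, due to its ease of capture, ...". The sentence "it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide complete protection" is a strong claim with no citation; a reference to the rootkit or process-hiding literature it rests on would make it defensible. The reworded lead-in ("In this situation, an attacker that succesfully compromises a machine can employ evasion technics...") now precedes the rootkit sentence, which reads well, but the argument in "No communication is required with the system to access these information" should say what is measured and how (the hardware measurement mentioned later), otherwise a reader cannot tell how the side channel is obtained without the host. Finally, the two joke comments kept as context here (the "is it a bird" line and the closing "Thank you king of sweden" line) are harmless to LaTeX but worth removing from a chapter that will be shared.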