Chipset Backdoor-AsiaCCS09

A Chipset Level Network Backdoor: Bypassing Host-Based Firewall & IDS

Sherri Sparks, Shawn Embleton, Cliff C. Zou
School of Electrical Engineering and Computer Science, University of Central Florida
4000 Central Florida Blvd., Orlando, FL USA 32816-2362
+1-407-823-5015
{sparks, embleton}@clearhatconsulting.com, czou@eecs.ucf.edu

ABSTRACT

Chipsets refer to a set of specialized chips on a computer's motherboard or an expansion card [12]. In this paper we present a proof of concept chipset level rootkit/network backdoor. It interacts directly with network interface card hardware based on the widely deployed Intel 8255x chipset, and we tested it successfully on two different Ethernet cards with this chipset. The network backdoor has the ability to both covertly send and receive packets, without needing to disable the security software installed on the compromised host in order to hide its presence. Because of its low-level position in a computer system, the backdoor is capable of bypassing virtually all commodity firewall and host-based intrusion detection software, including popular, widely deployed applications like Snort and Zone Alarm Security Suite. Such network backdoors, while complicated and hardware specific, are likely to become serious threats in high profile attacks like corporate espionage or cyber terrorist attacks.

Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection – invasive software, security kernels

General Terms
Security

Keywords
Rootkit, network backdoor, hardware security

1. INTRODUCTION

Host-based firewalls and intrusion detection systems have made significant advances in both technology and scope of deployment within the past few years. Despite these advances, two challenges remain: they focus mostly on defending against outside attacks rather than on insider information exfiltration, and they rely mostly on the underlying operating system's support for data gathering and monitoring.
In this paper, we present a network rootkit / backdoor that exploits these two problems. This network backdoor is capable of bypassing virtually all commodity, host-based firewall and intrusion detection software on the market today, including popular, widely deployed products like Snort and Zone Alarm. Traditionally, firewalls, network based intrusion detection systems (IDS) and intrusion prevention systems (IPS) have focused on outsider threats. These types of systems monitor incoming network traffic or system behavior for malicious code or attacks. When an attack is detected, the system reacts in real time to block or prevent it (e.g. by dropping the malicious packets while allowing other network traffic to pass). Unfortunately, many of these systems only filter inbound traffic, still leaving the protected machine vulnerable to a large class of insider threats resulting from the free flow of unauthorized, outbound traffic. The firewall provided with the Windows XP operating system is one such example [11]. The