Theses and Dissertations from UMD

Permanent URI for this communityhttp://hdl.handle.net/1903/2

New submissions to the thesis/dissertation collections are added automatically as they are received from the Graduate School. Currently, the Graduate School deposits all theses and dissertations from a given semester after the official graduation date. This means that there may be up to a 4 month delay in the appearance of a give thesis/dissertation in DRUM

More information is available at Theses and Dissertations at University of Maryland Libraries.

Browse

Subject: search.filters.subject.kernel

Search Results

Now showing 1 - 3 of 3
  • Thumbnail Image
    Item
    Systematic Analysis of Adversaries' Exploitations of the End-host
    (2024) Avllazagaj, Erin; Dumitras, Tudor; Kwon, Yonghwi; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)
    In the pipeline of a cyber attack, the malicious actor will first gain a foothold in the target system through a malware. The malware detection is still a challenging problem, as the malware authors are constantly evolving their techniques to evade detection. Therefore, it is important for us to understand why that is the case and what can the defenders do to improve the detection of the malware. In this thesis, I explore the behavior of the malware in the real users’ machines and how it changes across different executions. I show that the malware exhibits more variability than benign samples and that certain actions are often more prone to variability than others. This is the first study that quantitatively analyzes the behavior of the malware in the wildI leverage an observation from the first project, where variability in the malware samples happens due to running privilege escalation exploits. The variability in behavior is due to the fact that the malware sometimes runs in non-privileged mode and tries to run an exploit to escalate its privileges. For these reasons, I propose a new methodology to systematically discover sensitive memory corruption targets that cause privilege escalation. At last, I explore the sensitive memory corruption targets in the Linux kernel. Specifically, I propose a methodology to systematically discover sensitive fields in the Linux kernel that, when corrupted, lead the system into an exploitable state. This system, called SCAVY, is based on a novel definition of the exploitable state that allows the attacker to read and write into files and memory locations that they would normally. SCAVY explores the exploitable states based on the threat model of a local unprivileged attacker with the ability to issue system calls and with the capability to read/write into a limited location in the kernel memory. The framework revealed that there are 17 sensitive fields across 12 Linux kernel C structs that, when overwritten with the correct value, lead the system into an exploitable state. In this definition, unlike prior work, I consider the system to be in an exploitable state when the weird machine allows the attacker to read and/or write into files and memory locations that they would normally not be able to. This state can be used to write into sensitive files such as //etc//passwd where the exploit author can create a new root account on the vulnerable host and log in as that. Additionally, if the attacker can read unreadable files such as //etc//shadow they can leak passwords of root accounts, de-hash them and log in as the root account. I utilize these targets to develop 6 exploits for 5 CVE vulnerabilities. I also demonstrated the severity of these fields and the applicability of the exploitable state by exploiting CVE-2022-27666. I overwrote the f mapping pointer in struct file and caused a write into //etc//passwd. Unlike the original exploit, ours didn’t need to break KASLR, modify global variables or require support of FUSE-fs from the vulnerable host. This makes our methodology more extensible and more stable, since the exploit requires fewer corruption in the kernel memory and it doesn’t rely on the need to have the addresses of the kernel’s symbols for calculating the KASLR offset. Additionally, our exploit doesn’t modify global variables, which makes it more stable and less likely to crash the kernel, during its runtime. Our findings show that new memory corruption targets can change the security implications of vulnerabilities, urging researchers to proactively discover memory corruption targets.
  • Thumbnail Image
    Item
    Semiparametric Regression and Mortality Rate Prediction
    (2011) Voulgaraki, Anastasia; Kedem, Benjamin; Mathematics; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)
    This dissertation is divided into two parts. In the first part we consider the general multivariate multiple sample semiparametric density ratio model. In this model one distribution serves as a reference or baseline, and all other distributions are weighted tilts of the reference. The weights are considered known up to a parameter. All the parameters in the model, as well as the reference distribution, are estimated from the combined data from all samples. A kernel-based density estimator can be constructed based on the semiparametric model. In this dissertation we discuss the asymptotic theory and convergence properties for the semiparametric kernel density estimator. The estimator is shown to be not only consistent, but also more efficient than the general kernel density estimator. Several ways for selecting the bandwidth are also discussed. This opens the door to regression analysis with random covariates from a semiparametric perspective where information is combined from multiple multivariate sources. Accordingly, each multivariate distribution and a corresponding conditional expectation (or regression) of interest is then estimated from the combined data from all sources. Graphical and quantitative diagnostic tools are suggested to assess model validity. The method is applied to real and simulated data. Comparisons are made with multiple regression, generalized additive models (GAM) and nonparametric kernel regression. In the second part we study mortality rate prediction. The National Center for Health Statistics (NCHS) uses observed mortality data to publish race-gender specific life tables for individual states decennially. At ages over 85 years, the reliability of death rates based on these data is compromised to some extent by age misreporting. The eight-parameter Heligman-Pollard parametric model is then used to smooth the data and obtain estimates/extrapolation of mortality rates for advanced ages. In States with small sub-populations the observed mortality rates are often zero, particularly among young ages. The presence of zero death rates makes the fitting of the Heligman-Pollard model difficult and at times outright impossible. In addition, since death rates are reported on a log scale, zero mortality rates are problematic. To overcome observed zero death rates, appropriate probability models are used. Using these models, observed zero mortality rates are replaced by the corresponding expected values. This enables using logarithmic transformations, and the fitting of the Heligman-Pollard model to produce mortality estimates for ages 0 - 130 years.
  • Thumbnail Image
    Item
    PROPERTY-BASED INTEGRITY MONITORING OF OPERATING SYSTEM KERNELS
    (2008-04-03) Petroni, Jr., Nick Louis; Hicks, Michael; Computer Science; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)
    As the foundation of the trusted computing base, the operating system kernel is a valuable target for attackers of a computer system seeking maximum control and privilege. Furthermore, because the majority of modern security solutions rely on the correctness of at least some portion of the operating system kernel, skilled attackers who successfully infiltrate kernel memory can remain undetected indefinitely. In this dissertation, we present an approach for detecting attacks against the kernel's integrity (commonly referred to as "rootkits"). Our approach, which we call property-based integrity monitoring, works by monitoring and analyzing the kernel's state at runtime. Unlike traditional security solutions, our monitor operates in isolation of, and independently from, the protected operating system and has direct access to the kernel's runtime state. The basic strategy behind property-based monitoring is to identify a set of properties that are practical to check, yet are effective at detecting the types of changes an attacker might make - both known and yet-to-be-discovered. In this work, we describe a practical and effective property for detecting persistent control-flow modifications in running kernels, called state-based control-flow integrity (SBCFI). Furthermore, to address those data-only attacks that do not violate the kernel's control-flow, we introduce a high-level policy language system for enforcing semantic integrity constraints in runtime kernel data. To evaluate the feasibility and effectiveness of our system, we have implemented two property-based integrity monitors for the Linux kernel - one using a virtual machine monitor and the other using a PCI-based coprocessor. We demonstrate that property-based monitoring is capable of detecting all publicly-available kernel integrity threats while imposing less than 1% overhead on the protected system. We conclude that property-based kernel integrity monitoring can be both practical and effective.