[IEEE 2013 World Congress on Internet Security (WorldCIS) - London, United Kingdom (2013.12.9-2013.12.12)] World Congress on Internet Security (WorldCIS-2013) - Securing computer networks


World Congress on Internet Security (WorldCIS-2013)

Securing Computer Networks by Networking Multiple OS Kernels (Revisiting Network Security: Protecting Computer Networks from Malwares)

Divyajyoti Das (Author), Bachelor in Technology, School of Computer Science & Engineering, Kalinga Institute of Industrial Technology (KIIT University), Bhubaneswar, Orissa, India, [email protected]

Abstract- Only in the past decade, malware has assumed the identity of a menace among the users of the information security highway. With its population having grown beyond measure in recent years, absolute protection from it remains a question of ongoing research. The problem becomes more serious in a networked environment. From servers to clients, malware can create havoc across a network: networking among computers provides malware with an easy mode of transport, so it can pass from one system to another and infect several systems in no time. Numerous technologies have been employed to counter the threat; however, immunizations against these technologies keep being devised. The present scenario calls for technologies that hit the very base on which the spread of malware in a networked environment stands.

With the malware industry releasing new variants to infect large computer networks at an incredible pace, it has become imperative to come up with strategies to counter the threat. With every new malware that comes into the picture, new technologies are designed to combat it, and unfortunately the reverse holds true as well. The present scenario demands fresh technologies which strike at the roots of how malware enters a network and consequently spreads inside it. Malware has to be checked at the entry point itself, because once it finds a place inside the network it can create innumerable places to hide.

The mechanism proposed in this paper to counter malware in a networked environment checks for malware right at the entry point of the network. The architecture, powered by networking among multiple OS kernels and cloud computing, is proposed as a progressive step in controlling the malware menace in computer networks.

Keywords-network; malware; kernel; architecture; threat

Somesh Nanda (Author), Bachelor in Technology, Department of Computer Science & Engineering, C.V. Raman College of Engineering, Bhubaneswar, Orissa, India

978-1-908320-22/3/$25.00 ©2013 IEEE

I. INTRODUCTION

Computer networks form the core pipeline of data transfer in many organizations across the globe. From small corporate houses to multinational corporations, networking is the tool that keeps systems connected, making data on one system accessible to another. In a world that cannot be imagined without computer networks, the security of those networks becomes a key issue, and their growing size further adds to the security challenge. Like the computer networking industry, the malware industry has also grown, and it continually challenges the security of computer networks across the globe. Malware writers continuously design malware to specifically affect large computer networks, and the cyber security industry responds in kind. The architecture proposed in this paper is an attempt to design a mechanism that will bring this battle to an end, providing complete security to computer networks against malware.

II. DEPENDENCE OF MALWARE ON OPERATING SYSTEMS

Having carried out an extensive study of malware behavior, we arrive at a very simple observation that provides ample grounds for a combating means. Our study of the present malware scenario reveals the extensive use of OS-specific system and API calls by malicious code for detection evasion and payload execution on client systems. For example, the Gnorug family variants make use of the NtQueryInformationProcess() API, while a few earlier ones used the IsDebuggerPresent() API to check for a running debugger. Rootkits of all kinds similarly make extensive use of OS-specific system calls (Raymond Roberts, 2008). These are the methods employed by malware to make unauthorized modifications to a system and to intercept a scanner's proper execution. In fact, information about the OS and its version on the target system is a vital piece of information every attacker seeks prior to invading a system. It is this simple observation that can be used for file recovery from an infected system and which forms the base for our prototype for securing computers connected in a network, described in the rest of the paper.

III. PROPOSED SECURE ARCHITECTURE

The proposed secure architecture works upon the modeling of an external "remote wall" which makes use of parallel scanning of malicious code over different OS kernels, thus rendering replication, self-mutation and debugger interference ineffective. The simple reason is that malware, Trojans, rootkits etc. regularly make use of system calls, modification of system files and other such activities which are OS-specific. Operating on a different OS kernel altogether, these calls amount to nothing and all attempts to evade detection fail.

Checksum viruses, though obsolete, provide grounds for a simple example. In the checksum mechanism of virus detection, a database of file sizes in the file system is maintained and constantly monitored by anti-virus software. A virus that attaches itself to another file tends to increase that file's size by some amount, and the increase is detected when compared with the database records. Checksum viruses simply made apt changes to the file-size counter to shadow their presence. Now, if the scanning procedure in this case were performed on a UNIX kernel, the virus would require different code altogether, with variations in system calls, to achieve the same effect, and can hence be detected.
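As an added example (not the paper's code), here is the integrity baseline the paragraph describes, extended with a content hash: a size-only database misses a virus that restores the size counter, whereas a SHA-256 of the contents does not, on any kernel. The directory, file names and file contents are constructed for the demonstration.

```python
"""Integrity baseline of the kind described above, with a SHA-256 hash beside
the file size.  Added example, not the paper's prototype; the directory and
its files are constructed inline."""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

Baseline = Dict[str, Tuple[int, str]]


def file_digest(path: str) -> Tuple[int, str]:
    """Return (size, sha256) of a file, streamed so large files fit in memory."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Record (size, sha256) for every file under root, keyed by relative path."""
    baseline: Baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def check_against_baseline(root: str, baseline: Baseline) -> Dict[str, str]:
    """Compare the tree with the baseline.  Returns path -> reason for every
    file that is new, missing, changed in size, or changed in content while
    keeping its size (the case a size-only counter cannot see)."""
    current = build_baseline(root)
    findings: Dict[str, str] = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings[path] = "missing"
        elif path not in baseline:
            findings[path] = "new file"
        else:
            old_size, old_hash = baseline[path]
            new_size, new_hash = current[path]
            if new_size != old_size:
                findings[path] = f"size changed {old_size} -> {new_size}"
            elif new_hash != old_hash:
                findings[path] = "content changed, size unchanged"
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: an appender grows one file, a same-size overwrite
    alters another (invisible to a size check), and a new file is dropped."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)          # 102 bytes
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"[main]\nlevel=1\n")            # 15 bytes
        baseline = build_baseline(root)

        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"\xeb\xfe")                     # grows to 104 bytes
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"[main]\nlevel=9\n")            # still 15 bytes
        with open(os.path.join(root, "drop.dll"), "wb") as f:
            f.write(b"MZ")
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

The baseline itself must live somewhere the monitored system cannot rewrite (in the paper's terms, on the remote wall rather than on the client), otherwise the same trick that edits the size counter can edit the stored hashes.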

The proposed model consists of a remote system standing as an intermediary between the host and the client systems, much like an external firewall. Under this model, an intermediary data monitor is visible to the host as the client and vice versa. This monitoring system operates on the data being transferred between the two parties to "filter" it of malware files and to prohibit any illegal access to remote systems. The transfer of data is done in such a way that the intervention of the data monitor is almost not felt.

This remote data monitor comprises a central storage device connected to a high-speed internet pathway such as a backbone. This storage device can be an external cache with a storage capacity large enough to serve files to a group of local networks connected at the client end. Now, suppose a file transfer has been agreed upon by the client and the host. Normally the file would be broken into data packets and sent over the internet to the client, where they arrive in arbitrary order and are reassembled into the original data with the help of the sequence numbers attached to each packet header. Better security can be achieved if the client's role in this regard is transferred to the remote wall. The data is thus transferred to the external cache of the remote server, where it temporarily resides before being redirected to the client system. This participation of the remote wall is not felt if a high-speed internet connection can be ensured for the remote storage device.

The external storage device resides in a server which has a fixed number of nodes or terminals radiating from it. Each of these terminals runs a different OS kernel. It need not be the OS in its full functionality, but simply its core. With these kernels running, the terminals access the transferred data simultaneously from the external cache. The file is then examined for the presence of malicious code. The examination techniques can involve signature detection, fingerprint matching, decryption methods and other traditional procedures on these independent platforms. A relatively novel technique in this trade has been the use of VMs to monitor viral activity in a file in a real-time environment. However, even this technology made way for malware with the ability to sense whether it is being run in a virtual environment; such malware may then intercept the monitoring mechanisms being employed or stop its execution altogether (Ferrie, P., 2006). This vulnerability can be done away with when the code is run not on virtual but on authentic platforms. Activity monitoring can hence be based on fully functional systems which lack the tell-tale facilities of virtual machines. With the scans running on separate OS kernels, these terminal systems communicate with each other using the set of techniques described later in the paper.

Fig 1- "Network Layout": the host and the clients (Client 1 to Client 4) are connected through the intermediate R-wall.

Fig 2- "Remote Wall Layout": a server running the coordinating OS with Terminals 1 to 6 radiating from it, each running a different OS (OS 1 to OS 6), with redirection of the scanned data to the client.


Once the scanning process completes, malicious action can be detected by monitoring the platform which the malware code affects. The code might then resist removal by intercepting the scanner's detection procedures; in that case, the file can simply be cleaned on a separate platform where the code lacks leverage. In this way the payload operations of newer and unknown viruses can be determined and their signatures obtained. In another mode of operation, the results drawn from inspection by the different terminals can be compared to check for discrepancies. In scenarios like the checksum viruses discussed above, the scan result under the susceptible OS would disagree with the others, giving away the presence of a malicious program.

The file, having been scanned, is "filtered" by the above process by removing the harmful parts of it. This is done when only parts of the file are malicious (which is a very general case). However, if the file in question is itself a malware implementation, then the file is removed from the cache and all connections between the client and the host are terminated. With the whole process driven to completion, the file, now free of malicious programs, is redirected to the client. The whole mechanism works the other way round when the roles of host and client reverse, i.e. when the direction of data transfer reverses.
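The coordinator logic of Section III (fan-out to the terminals, cross-check of their results, and the forward / filter-and-hold / drop-and-terminate decision), with Section II's anti-debugging API check as one of the terminal scanners, as an added example that is not the paper's prototype. The three "terminals" here are independent static checks run in parallel over the same cached bytes; in the paper they would be separate OS kernels. The signature table, the sample transfers and the policy thresholds are constructed for this demonstration, and the only signature entry is the harmless EICAR test string.

```python
"""Coordinator for the remote-wall scan described above.  Added example, not
the paper's prototype: three independent checks stand in for the terminals,
and the signature table and sample files are constructed."""
import hashlib
import math
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Tuple

# Constructed signature table.  The EICAR test string is assembled from two
# halves so that this source file itself does not contain the pattern.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

# Windows anti-debugging APIs of the kind Section II mentions.  Their names in
# a file's import strings are a heuristic, not proof of malice.
ANTI_DEBUG_APIS = re.compile(
    rb"IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess")


def scan_signatures(data: bytes) -> List[str]:
    """Terminal 1: exact byte-pattern match against the signature table."""
    return [f"signature:{name}" for name, pat in SIGNATURES.items() if pat in data]


def scan_anti_debug(data: bytes) -> List[str]:
    """Terminal 2: report anti-debugging API names found in the file."""
    hits = sorted({m.decode("ascii") for m in ANTI_DEBUG_APIS.findall(data)})
    return [f"anti-debug:{h}" for h in hits]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_packed(data: bytes) -> List[str]:
    """Terminal 3: flag files that look packed or encrypted (self-mutating code
    is usually delivered that way).  Tiny files are skipped to avoid noise."""
    if len(data) >= 256 and shannon_entropy(data) > 7.2:
        return ["heuristic:high-entropy"]
    return []


TERMINALS: Dict[str, Callable[[bytes], List[str]]] = {
    "terminal1": scan_signatures,
    "terminal2": scan_anti_debug,
    "terminal3": scan_packed,
}


def inspect(data: bytes) -> Dict[str, List[str]]:
    """Fan the cached file out to every terminal in parallel; collect verdicts."""
    with ThreadPoolExecutor(max_workers=len(TERMINALS)) as pool:
        futures = {name: pool.submit(fn, data) for name, fn in TERMINALS.items()}
        return {name: fut.result() for name, fut in futures.items()}


def decide(verdicts: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Remote-wall policy.  'forward': every terminal agrees the file is clean.
    'drop': a known signature matched, so the file is removed from the cache and
    the host/client connection is torn down.  'hold': the terminals disagree
    (heuristic hits but no signature), so the file is held for analysis and its
    hash recorded as a candidate for a new signature."""
    reasons = sorted(r for hits in verdicts.values() for r in hits)
    if not reasons:
        return "forward", []
    if any(r.startswith("signature:") for r in reasons):
        return "drop", reasons
    return "hold", reasons


def process_transfer(data: bytes) -> Dict[str, object]:
    """One file passing through the wall: hash it, scan it, apply the policy."""
    verdicts = inspect(data)
    action, reasons = decide(verdicts)
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "verdicts": verdicts, "action": action, "reasons": reasons}


if __name__ == "__main__":
    samples = {  # constructed sample transfers
        "benign.bin": b"MZ" + b"\x00" * 300,
        "eicar.com": SIGNATURES["EICAR-Test-File"],
        "suspicious.exe": b"MZ" + b"IsDebuggerPresent\x00NtQueryInformationProcess\x00",
        "packed.bin": bytes(range(256)) * 4,
    }
    for name, blob in samples.items():
        result = process_transfer(blob)
        print(f"{name}: {result['action']} {result['reasons']}")
```

The point of the cross-check is the "hold" branch: no single engine is trusted to clear a file on its own, and disagreement between engines is itself the signal that the paper draws from its checksum-virus example. The entropy threshold and the minimum size are assumptions chosen for the demonstration, not values from the paper.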

IV. TECHNICAL ISSUES

For the proposed model to assume some credibility, a few shortcomings have to be addressed.

Clearly, the procedures described above require a great deal of computational power if delays in data transfer are to be avoided, for several reasons. The first is the parallel scanning of every transferred file over multiple kernels, which would consume most of the processing power. This in turn depends on the size of the file being scanned, which may vary from a few KB to some GB. Hence keeping the performance insufficient would considerably hamper the transfer rate, while keeping the performance level immensely high would be a waste where smaller file sizes are concerned. However, with "cloud computing" now at our disposal, this situation is no longer a bane: depending on the file size, computing power can be obtained on demand and released on completion of the required operations.

Another quandary we find ourselves in is the ability to handle the networking of various operating systems, since it requires distributed parallel processing in each of the kernels as well as a common platform linking the kernels for efficient results. For this purpose we employ a virtual machine control program which includes a data transfer mechanism. The different kernels comprising our system each possess a storage and communications region along with a buffer memory. The data transfer mechanism handles communications by transferring data between the buffer areas of the kernels' storage regions on the basis of requests made by any kernel. Communication between the operating systems requires either the actual connection of the communication units of the different OSs to the virtual machine, or simulation of the communication unit by the virtual machine control program. This design efficiently handles parallel processing between the operating systems with the high-speed communication required by our proposition. System block diagrams explaining the mechanism of the read and write functions of two operating systems are included (Fig. 1A and Fig. 1B). These mechanisms handle the communication based on the read/write requests or queries from one OS to another. For example, in the first figure a write request is generated in the first operating system. The communication procedure in the first OS converts the request into the proper protocol form and transfers it.

On receiving the request, the data transfer mechanism in the virtual machine control program transfers data between the buffer regions of the first and second OS. On completion of the transfer, the data transfer mechanism issues a notification of the same to the first operating system. If the first OS holds a read request from the second operating system, it communicates this to the data transfer mechanism, which then makes a transfer between the buffers of OS2 and OS1. On completion of the transfer, the data transfer mechanism notifies the operating systems. In this manner the read/write mechanisms operate in conformance with the communication procedure, and communication between the different operating systems is achieved for the purpose of scanning the user's system on various platforms simultaneously. The virtual machine control program enables actual operating systems to communicate rapidly and efficiently, providing the passage for the detection of malware written for any OS platform. The example can be extended to any number of OSs with a single virtual machine control program. Since the design does not require installation or network generation for each OS in order to communicate, it can effectively handle numerous OSs.
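A runnable model of the write/read exchange just described, as an added example that is not the paper's implementation. Each kernel region owns a transmission buffer and a bounded reception buffer; the control program copies between them on request, posts a completion notification to both sides, and holds a request it cannot yet serve (the "request hold" of the block diagram) until the destination drains its buffer. Buffer capacities, kernel names and the held-request retry policy are assumptions made for the demonstration.

```python
"""Model of the inter-OS data transfer mechanism described above.  Added
example, not the paper's implementation; capacities and names are assumed."""
from collections import deque
from typing import Deque, Dict, List, Tuple


class KernelRegion:
    """Storage and communications region of one OS kernel."""

    def __init__(self, name: str, rx_capacity: int) -> None:
        self.name = name
        self.rx_capacity = rx_capacity
        self.tx = bytearray()            # data this OS has queued to send
        self.rx = bytearray()            # data delivered to this OS
        self.notifications: List[str] = []

    def rx_free(self) -> int:
        return self.rx_capacity - len(self.rx)


Request = Tuple[str, str, int, str]      # (source, destination, nbytes, kind)


class VMControlProgram:
    """The data transfer mechanism shared by all kernels."""

    def __init__(self, kernels: List[KernelRegion]) -> None:
        self.kernels: Dict[str, KernelRegion] = {k.name: k for k in kernels}
        self.held: Deque[Request] = deque()

    def write_request(self, src: str, dst: str, payload: bytes) -> str:
        """OS `src` places data in its transmission buffer and asks for it to
        be delivered to `dst`.  Returns 'complete' or 'held'."""
        self.kernels[src].tx += payload
        return self._transfer((src, dst, len(payload), "write"))

    def read_request(self, requester: str, source: str, nbytes: int) -> str:
        """OS `requester` asks for nbytes that `source` has queued for it."""
        return self._transfer((source, requester, nbytes, "read"))

    def consume(self, name: str, nbytes: int) -> bytes:
        """The application on OS `name` drains its reception buffer; the freed
        space lets held requests be retried in arrival order."""
        k = self.kernels[name]
        out = bytes(k.rx[:nbytes])
        del k.rx[:nbytes]
        self._retry_held()
        return out

    def _transfer(self, req: Request) -> str:
        src, dst, nbytes, kind = req
        s, d = self.kernels[src], self.kernels[dst]
        if len(s.tx) < nbytes or d.rx_free() < nbytes:
            self.held.append(req)        # request hold: data or space not ready
            return "held"
        chunk = bytes(s.tx[:nbytes])
        del s.tx[:nbytes]
        d.rx += chunk
        note = f"{kind} complete: {nbytes} bytes {src}->{dst}"
        s.notifications.append(note)     # completion notification to both sides
        d.notifications.append(note)
        return "complete"

    def _retry_held(self) -> None:
        pending, self.held = self.held, deque()
        for req in pending:
            self._transfer(req)          # re-held automatically if still blocked


if __name__ == "__main__":
    vm = VMControlProgram([KernelRegion("OS1", 64), KernelRegion("OS2", 16)])
    print(vm.write_request("OS1", "OS2", b"A" * 10))   # complete
    print(vm.write_request("OS1", "OS2", b"B" * 10))   # held: OS2 has 6 bytes free
    print(vm.consume("OS2", 10))                        # drains the A's, retries the hold
    print(vm.kernels["OS2"].notifications)
```

The bounded reception buffer is what makes the hold path necessary: without back-pressure a fast kernel could flood a slow one, and the completion notification is what lets the sender know when its transmission buffer slot is free again.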

FIG. 1A - Write request from OS(1) to OS(2): the OS(1) write process issues a data transmit request through its communication procedure and interrupt handler to the data transfer mechanism of the virtual machine control program, which copies between the OS(1) and OS(2) buffers in main storage, holds the request if it cannot be served (request hold), and issues a completion notification on request complete; on the OS(2) side, reception, the read process, the communication procedure (data request) and the diagnosis instruction.

FIG. 1B - Read request: the OS(2) read process issues a data request through its communication procedure and interrupt handler to the data transfer mechanism, which activates the transfer between the OS(2) and OS(1) buffers and issues a completion notification to both operating systems on request complete.

V. ADV ANT AGES

With the suggested mechanism, a system on a network can experience better levels of security for the following reasons:

There is no direct connection established between the client and the host systems. This takes away a good deal of leverage from a malicious user over a remote system. With the remote wall inspecting the file before it even reaches the destination, the security of the packets which arrive at the receiving end can be ensured. In certain cases, malware code, even though detectable, delivers its payload well before detection, i.e. at the instant of its entry into the target system. Such a scenario is avoided here.

One reason behind the propagation of malware, despite escalation in newer methods and virus databases, is a lack of effort at the client's end. Virus databases need to be updated regularly to register the latest findings; however, not every system on the internet updates its antivirus software at the required frequency. With the systems connected to the remote wall server, which would regularly update its database, this burden on the user is swept away.

Ordinary systems on a network can exploit advanced scanning facilities without having to install anti-virus software or compromise their system performance.


VI. EXPERIMENTAL RESULTS

A prototype of the architecture discussed above was designed and implemented on a network of computers. Initially a network of five computers was connected, and the number of computers was gradually increased. The client systems were used to access the internet, and data was also transferred from one system to another. The client systems were not protected by any anti-virus software; their security depended entirely on the architecture proposed above. The systems were checked for infection every 24 hours, and the process was continued for a fortnight. Based on these observations the success rate was found to be 99%. The 1% infection that was observed in the systems was very weak.

VII. CONCLUSION

There is no lock which cannot be cracked, but one with fewer faults is always more reliable. With malware authors digging out brand new methods to bypass the security of computer networks every passing hour, absolute protection of computer networks can hardly be assured. However, technology that hinders their attacks to a sustainable degree by preventing malware outbreaks before they occur can prove a significant step in the battle. The secure architecture described here is a new solution in this respect. From the experiments we have conducted and the research done while designing the secure architecture to protect computer networks, we firmly believe that it can be the next-generation answer to securing computer networks from cyber criminals.

VIII. REFERENCES

[1] R. Roberts, "Malware Development Life Cycle", 2008.

[2] P. Ferrie, "Attacks on virtual machine emulators", Proceedings of the AVAR Conference, 2006.

[3] A. Fadia, The Unofficial Guide to Ethical Hacking.

[4] G. Dhillon, S. Moores, "Computer crimes: theorizing about the enemy within", Computers & Security, vol. 20, no. 8, 2001, pp. 715-723.

[5] S. Hinde, "Spyware: the spy in the computer", Computer Fraud & Security, vol. 2004, no. 12, pp. 15-16.

[6] B. A. Forouzan, Network Security & Cryptography.
