{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:37:12Z","timestamp":1759091832454,"version":"3.40.3"},"publisher-location":"Cham","reference-count":48,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319406664"},{"type":"electronic","value":"9783319406671"}],"license":[{"start":{"date-parts":[[2016,1,1]],"date-time":"2016-01-01T00:00:00Z","timestamp":1451606400000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2016]]},"DOI":"10.1007\/978-3-319-40667-1_1","type":"book-chapter","created":{"date-parts":[[2016,6,11]],"date-time":"2016-06-11T11:19:03Z","timestamp":1465643943000},"page":"3-24","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Subverting Operating System Properties Through Evolutionary DKOM Attacks"],"prefix":"10.1007","author":[{"given":"Mariano","family":"Graziano","sequence":"first","affiliation":[]},{"given":"Lorenzo","family":"Flore","sequence":"additional","affiliation":[]},{"given":"Andrea","family":"Lanzi","sequence":"additional","affiliation":[]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2016,6,12]]},"reference":[{"key":"1_CR1","unstructured":"Tripwire. http:\/\/www.tripwire.com\/"},{"key":"1_CR2","doi-asserted-by":"crossref","unstructured":"Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, pp. 
340\u2013353 (2005)","DOI":"10.1145\/1102120.1102165"},{"key":"1_CR3","doi-asserted-by":"crossref","unstructured":"Baliga, A., Ganapathy, V., Iftode, L.: Automatic inference and enforcement of kernel data structure invariants. In: Proceedings of the 2008 Annual Computer Security Applications Conference, ACSAC 2008, pp. 77\u201386 (2008)","DOI":"10.1109\/ACSAC.2008.29"},{"key":"1_CR4","doi-asserted-by":"crossref","unstructured":"Baliga, A., Kamat, P., Iftode, L.: Lurking in the shadows: identifying systemic threats to kernel data. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP 2007, pp. 246\u2013251 (2007)","DOI":"10.1109\/SP.2007.25"},{"key":"1_CR5","doi-asserted-by":"crossref","unstructured":"Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., Jiang, X.: Mapping kernel objects to enable systematic integrity checking. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 555\u2013565. ACM, New York (2009)","DOI":"10.1145\/1653662.1653729"},{"key":"1_CR6","unstructured":"Chen, P.M., Noble, B.D.: When virtual is better than real. In: Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, HOTOS (2001)"},{"issue":"2","key":"1_CR7","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/s10207-011-0124-7","volume":"10","author":"G Coker","year":"2011","unstructured":"Coker, G., et al.: Principles of remote attestation. Int. J. Inf. Secur. 10(2), 63\u201381 (2011)","journal-title":"Int. J. Inf. Secur."},{"key":"1_CR8","unstructured":"Cui, W., Peinado, M., Xu, Z., Chan, E.: Tracking rootkit footprints with a practical memory analysis system. In: Presented as Part of the 21st USENIX Security Symposium (USENIX Security 2012), pp. 601\u2013615. USENIX, Bellevue (2012)"},{"key":"1_CR9","doi-asserted-by":"crossref","unstructured":"Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. 
In: Proceedings of the IEEE Symposium on Security and Privacy (Oakland), May 2011","DOI":"10.1109\/SP.2011.11"},{"key":"1_CR10","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1016\/j.cose.2015.03.007","volume":"52","author":"A Fattori","year":"2015","unstructured":"Fattori, A., Lanzi, A., Balzarotti, D., Kirda, E.: Hypervisor-based malware protection with accessminer. Comput. Secur. 52, 33\u201350 (2015)","journal-title":"Comput. Secur."},{"key":"1_CR11","doi-asserted-by":"crossref","unstructured":"Fattori, A., Paleari, R., Martignoni, L., Monga, M.: Dynamic and transparent analysis of commodity production systems. In: Proceedings of the 25th International Conference on Automated Software Engineering (ASE), Antwerp, Belgium, September 2010. https:\/\/code.google.com\/p\/hyperdbg\/","DOI":"10.1145\/1858996.1859085"},{"key":"1_CR12","doi-asserted-by":"crossref","unstructured":"Fedler, R., Kulicke, M., Sch\u00fctte, J.: An antivirus api for android malware recognition. In: MALWARE (2013)","DOI":"10.1109\/MALWARE.2013.6703688"},{"key":"1_CR13","unstructured":"Garfinkel, T.: Traps and pitfalls: practical problems in system call interposition based security tools. In: Proceedings of the Network and Distributed Systems Security Symposium, February 2003"},{"key":"1_CR14","unstructured":"Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed Systems Security Symposium, pp. 191\u2013206 (2003)"},{"key":"1_CR15","doi-asserted-by":"crossref","unstructured":"Grill, B., Platzer, C., Eckel, J.: A practical approach for generic bootkit detection and prevention. In: EuroSec (2014)","DOI":"10.1145\/2592791.2592795"},{"issue":"4","key":"1_CR16","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1145\/54289.871709","volume":"22","author":"N Hardy","year":"1988","unstructured":"Hardy, N.: The confused deputy: (or why capabilities might have been invented). 
SIGOPS Oper. Syst. Rev. 22(4), 36\u201338 (1988)","journal-title":"SIGOPS Oper. Syst. Rev."},{"key":"1_CR17","unstructured":"Haukli, L.: Exposing bootkits with bios emulation. In: Blackhat US, August 2014"},{"key":"1_CR18","doi-asserted-by":"crossref","unstructured":"Hofmann, O., Dunn, A.M., Kim, S., Roy, I., Witchel, E.: Ensuring operating system kernel integrity with OSck. In: ASPLOS (2011)","DOI":"10.1145\/1950365.1950398"},{"key":"1_CR19","volume-title":"Rootkits: Subverting the Windows Kernel","author":"G Hoglund","year":"2005","unstructured":"Hoglund, G., Butler, J.: Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, Boston (2005)"},{"key":"1_CR20","unstructured":"Hund, R., Holz, T., Freiling, F.C.: Return-oriented rootkits: bypassing kernel code integrity protection mechanisms. In: Presented as Part of the 18th USENIX Security Symposium (USENIX Security 2009). USENIX, Montreal (2009)"},{"key":"1_CR21","doi-asserted-by":"crossref","unstructured":"Jang, D., Lee, H., Kim, M., Kim, D., Kim, D., Kang, B.B.: Atra: address translation redirection attack against hardware-based external monitors. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 167\u2013178. ACM, New York (2014)","DOI":"10.1145\/2660267.2660303"},{"key":"1_CR22","doi-asserted-by":"crossref","unstructured":"Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2007)","DOI":"10.1145\/1315245.1315262"},{"key":"1_CR23","unstructured":"Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Antfarm: tracking processes in a virtual machine environment. 
In: Proceedings of the USENIX 2006 Annual Technical Conference, USENIX 2006, Boston, MA, June 2006"},{"key":"1_CR24","doi-asserted-by":"crossref","unstructured":"Kim, G.H., Spafford, E.H.: The design and implementation of tripwire: a file system integrity checker. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security, CCS 1994, pp. 18\u201329 (1994)","DOI":"10.1145\/191177.191183"},{"key":"1_CR25","unstructured":"Ladakis, E., Koromilas, L., Vasiliadis, G., Polychronakis, M., Ioannidis, S.: You can type, but you can\u2019t hide: a stealthy GPU-based keylogger. In: Proceedings of the 6th European Workshop on System Security, EuroSec, Prague, Czech Republic, April 2013"},{"key":"1_CR26","unstructured":"Lee, H., Moon, H., Jang, D., Kim, K., Lee, J., Paek, Y., Kang, B.B.: Ki-mon: a hardware-assisted event-triggered monitoring platform for mutable kernel object. In: Presented as Part of the 22nd USENIX Security Symposium, pp. 511\u2013526. USENIX, Washington, D.C. (2013)"},{"key":"1_CR27","unstructured":"Litty, L., Lagar-Cavilla, H.A., Lie, D.: Hypervisor support for identifying covertly executing binaries. In: Proceedings of the 17th Usenix Security Symposium, San Jose, CA, July 2008"},{"key":"1_CR28","unstructured":"Love, R.: intro to inotify. http:\/\/www.linuxjournal.com\/article\/8478"},{"key":"1_CR29","unstructured":"Microsoft. PatchGuard - Kernel Patch Protection. https:\/\/technet.microsoft.com\/en-us\/library\/cc759759"},{"key":"1_CR30","doi-asserted-by":"crossref","unstructured":"Moon, H., Lee, H., Lee, J., Kim, K., Paek, Y., Kang, B.B.: Vigilare: toward snoop-based kernel integrity monitor. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 28\u201337. ACM, New York (2012)","DOI":"10.1145\/2382196.2382202"},{"key":"1_CR31","unstructured":"Peter Silberman and C.H.A.O.S. FUTo. 
http:\/\/uninformed.org\/index.cgi?v=3&a=7&p=7"},{"key":"1_CR32","unstructured":"Petroni Jr., N.L., Fraser, T., Molina, J., Arbaugh, W.A.: Copilot - a coprocessor-based kernel runtime integrity monitor. In: Proceedings of the 13th Conference on USENIX Security Symposium - vol. 13, SSYM 2004, p. 13. USENIX Association, San Diego (2004)"},{"key":"1_CR33","doi-asserted-by":"crossref","unstructured":"Petroni, Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 103\u2013115, October 2007","DOI":"10.1145\/1315245.1315260"},{"key":"1_CR34","unstructured":"Petroni Jr., N.L., Fraser, T., Walters, A.A., Arbaugh, W.A.: An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: Proceedings of the 15th Conference on USENIX Security Symposium, p. 20 (2006)"},{"key":"1_CR35","doi-asserted-by":"crossref","unstructured":"Rhee, J., Riley, R., Xu, D., Jiang, X.: Defeating dynamic data kernel rootkit attacks via vmm-based guest-transparent monitoring. In: Proceedings of the International Conference on Availability, Reliability and Security (ARES 2009), Fukuoka, Japan, March 2009","DOI":"10.1109\/ARES.2009.116"},{"key":"1_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1007\/978-3-642-15512-3_10","volume-title":"Recent Advances in Intrusion Detection","author":"J Rhee","year":"2010","unstructured":"Rhee, J., Riley, R., Xu, D., Jiang, X.: Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 178\u2013197. 
Springer, Heidelberg (2010)"},{"key":"1_CR37","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-87403-4_1","volume-title":"Recent Advances in Intrusion Detection","author":"R Riley","year":"2008","unstructured":"Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 1\u201320. Springer, Heidelberg (2008)"},{"key":"1_CR38","doi-asserted-by":"crossref","unstructured":"Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: a tiny hypervisor to guarantee lifetime kernel code integrity for commodity oses. In: Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), October 2007","DOI":"10.1145\/1294261.1294294"},{"key":"1_CR39","unstructured":"Seshadri, A., Perrig, A., Doorn, L.V., Khosla, P.: Swatt: software-based attestation for embedded devices. In: Proceedings of the IEEE Symposium on Security and Privacy (2004)"},{"key":"1_CR40","doi-asserted-by":"crossref","unstructured":"Srivastava, A., Giffin, J.: Efficient protection of kernel data structures via object partitioning. In: Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC 2012, pp. 429\u2013438 (2012)","DOI":"10.1145\/2420950.2421012"},{"key":"1_CR41","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"421","DOI":"10.1007\/978-3-540-87403-4_36","volume-title":"Recent Advances in Intrusion Detection","author":"A Srivastava","year":"2008","unstructured":"Srivastava, A., Lanzi, A., Giffin, J.T.: System call API obfuscation (extended abstract). In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 421\u2013422. 
Springer, Heidelberg (2008)"},{"key":"1_CR42","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"214","DOI":"10.1007\/978-3-642-22424-9_13","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"A Srivastava","year":"2011","unstructured":"Srivastava, A., Lanzi, A., Giffin, J., Balzarotti, D.: Operating system interface obfuscation and the revealing of hidden operations. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 214\u2013233. Springer, Heidelberg (2011)"},{"key":"1_CR43","unstructured":"Vogl, S., Gawlik, R., Garmany, B., Kittel, T., Pfoh, J., Eckert, C., Holz, T.: Dynamic hooks: hiding control flow changes within non-control data. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 813\u2013828. USENIX Association, San Diego, August 2014"},{"key":"1_CR44","doi-asserted-by":"crossref","unstructured":"Vogl, S., Pfoh, J., Kittel, T., Eckert, C.: Persistent data-only malware: function hooks without code. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium (NDSS), February 2014","DOI":"10.14722\/ndss.2014.23019"},{"key":"1_CR45","unstructured":"Volatility Foundation. psxview Volatility command. https:\/\/github.com\/volatilityfoundation\/volatility\/wiki\/Command"},{"key":"1_CR46","doi-asserted-by":"crossref","unstructured":"Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 545\u2013554 (2009)","DOI":"10.1145\/1653662.1653728"},{"key":"1_CR47","doi-asserted-by":"crossref","unstructured":"Wei, J., Payne, B. D., Giffin, J., Pu, C.: Soft-timer driven transient kernel control flow attacks and defense. 
In: ACSAC (2008)","DOI":"10.1109\/ACSAC.2008.40"},{"key":"1_CR48","doi-asserted-by":"crossref","unstructured":"Zhang, X., van Doorn, L., Jaeger, T., Perez, R., Sailer, R.: Secure coprocessor-based intrusion detection. In: Proceedings of the Tenth ACM SIGOPS European Workshop, September 2002","DOI":"10.1145\/1133373.1133423"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-40667-1_1","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,13]],"date-time":"2024-03-13T10:24:09Z","timestamp":1710325449000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-40667-1_1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016]]},"ISBN":["9783319406664","9783319406671"],"references-count":48,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-40667-1_1","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2016]]},"assertion":[{"value":"12 June 2016","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}}]}}