{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,27]],"date-time":"2025-03-27T08:24:12Z","timestamp":1743063852776,"version":"3.40.3"},"publisher-location":"Berlin, Heidelberg","reference-count":46,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783642224232"},{"type":"electronic","value":"9783642224249"}],"license":[{"start":{"date-parts":[[2011,1,1]],"date-time":"2011-01-01T00:00:00Z","timestamp":1293840000000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2011]]},"DOI":"10.1007\/978-3-642-22424-9_13","type":"book-chapter","created":{"date-parts":[[2011,6,20]],"date-time":"2011-06-20T02:37:35Z","timestamp":1308537455000},"page":"214-233","source":"Crossref","is-referenced-by-count":12,"title":["Operating System Interface Obfuscation and the Revealing of Hidden Operations"],"prefix":"10.1007","author":[{"given":"Abhinav","family":"Srivastava","sequence":"first","affiliation":[]},{"given":"Andrea","family":"Lanzi","sequence":"additional","affiliation":[]},{"given":"Jonathon","family":"Giffin","sequence":"additional","affiliation":[]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"13_CR1","doi-asserted-by":"crossref","unstructured":"Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity: Principles, implementations, and applications. In: 12th ACM Conference on Computer and Communications Security, CCS (2005)","DOI":"10.1145\/1102120.1102165"},{"key":"13_CR2","doi-asserted-by":"crossref","unstructured":"Baliga, A., Kamat, P., Iftode, L.: Lurking in the shadows: Identifying systemic threats to kernel data. In: IEEE Symposium on Security and Privacy (May 2007)","DOI":"10.1109\/SP.2007.25"},{"key":"13_CR3","unstructured":"Blorge. Faulty drivers bypass Vistas kernel protection, http:\/\/vista.blorge.com\/2007\/08\/02\/faulty-drivers-bypass-vistas-kernel-protection\/ (last accessed 15 Jan 2011)"},{"key":"13_CR4","unstructured":"Chew, M., Song, D.: Mitigating buffer overflows by operating system randomization. In: Technical Report CMU-CS-02-197, Carnegie Mellon University, Pittsburg (December 2002)"},{"key":"13_CR5","doi-asserted-by":"crossref","unstructured":"David, F., Chan, E., Carlyle, J., Campbell, R.: Cloaker: hardware supported rootkit concealment. In: IEEE Symposium on Security and Privacy, Oakland, CA (May 2008)","DOI":"10.1109\/SP.2008.8"},{"key":"13_CR6","doi-asserted-by":"crossref","unstructured":"Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: Malware analysis via hardware virtualization extensions. In: 15th ACM Conference on Computer and Communications Security, CCS (October 2008)","DOI":"10.1145\/1455770.1455779"},{"key":"13_CR7","doi-asserted-by":"crossref","unstructured":"Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for UNIX processes. In: IEEE Symposium on Security and Privacy (May 1996)","DOI":"10.1109\/SECPRI.1996.502675"},{"key":"13_CR8","doi-asserted-by":"crossref","unstructured":"Ganapathy, V., Jaeger, T., Jha, S.: Automatic placement of authorization hooks in the Linux security modules framework. In: 12th ACM Conference on Computer and Communications Security (CCS), Alexandria, Virginia (November 2005)","DOI":"10.1145\/1102120.1102164"},{"key":"13_CR9","unstructured":"Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: Network and Distributed System Security Symposium (NDSS), San Diego, CA (February 2004)"},{"issue":"3","key":"13_CR10","doi-asserted-by":"publisher","first-page":"151","DOI":"10.3233\/JCS-980109","volume":"6","author":"S.A. Hofmeyr","year":"1998","unstructured":"Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security\u00a06(3), 151\u2013180 (1998)","journal-title":"Journal of Computer Security"},{"key":"13_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"198","DOI":"10.1007\/978-3-540-74320-0_11","volume-title":"Recent Advances in Intrusion Detection","author":"X. Jiang","year":"2007","unstructured":"Jiang, X., Wang, X.: \u201cOut-of-the-box\u201d monitoring of VM-based high-interaction honeypots. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol.\u00a04637, pp. 198\u2013218. Springer, Heidelberg (2007)"},{"key":"13_CR12","unstructured":"Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Antfarm: Tracking processes in a virtual machine environment. In: USENIX Annual Technical Conference (June 2006)"},{"key":"13_CR13","unstructured":"Kasslin, K.: Kernel malware: The attack from within. http:\/\/www.f-secure.com\/weblog\/archives\/kasslin_AVAR2006_KernelMalware_paper.pdf (last accessed January 15, 2011)"},{"key":"13_CR14","doi-asserted-by":"crossref","unstructured":"Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E., Morris, R.: Information flow control for standard OS abstractions. In: Symposium on Operating System Principles, SOSP (October 2007)","DOI":"10.1145\/1294261.1294293"},{"key":"13_CR15","unstructured":"Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Automating mimicry attacks using static binary analysis. In: USENIX Security Symposium, Baltimore, MD (August 2005)"},{"key":"13_CR16","unstructured":"Last, J.\u00a0V.: Stuxnet versus the iranian nuclear program. http:\/\/www.sfexaminer.com\/opinion\/op-eds\/2010\/12\/stuxnet-versusiranian-nuclear-program (last accessed January 15, 2011)"},{"key":"13_CR17","unstructured":"Linn, C.M., Rajagopalan, M., Baker, S., Collberg, C., Debray, S.K., Hartman, J.H.: Protecting against unexpected system calls. In: 14th USENIX Security Symposium (August 2005)"},{"key":"13_CR18","doi-asserted-by":"crossref","unstructured":"Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: Fast, generic, and safe unpacking of malware. In: Annual Computer Security Applications Conference, ACSAC, Miami, FL (December 2007)","DOI":"10.1109\/ACSAC.2007.15"},{"key":"13_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1007\/978-3-540-87403-4_5","volume-title":"Recent Advances in Intrusion Detection","author":"L. Martignoni","year":"2008","unstructured":"Martignoni, L., Stinson, E., Fredrikson, M., Jha, S., Mitchell, J.C.: A layered architecture for detecting malicious behaviors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol.\u00a05230, pp. 78\u201397. Springer, Heidelberg (2008)"},{"key":"13_CR20","unstructured":"Mavinakayanahalli, A., Panchamukhi, P., Keniston, J., Keshavamurthy, A., Hiramatsu, M.: Probing the guts of kprobes. In: Linux Symposium (July 2006)"},{"key":"13_CR21","unstructured":"McAfee Security. System call interception, http:\/\/www.crswann.com\/3-NetworkSupport\/SystemCall-IinterceptionMcAfee.pdf (last accessed January 15, 2011)"},{"key":"13_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-74320-0_1","volume-title":"Recent Advances in Intrusion Detection","author":"D. Mutz","year":"2007","unstructured":"Mutz, D., Robertson, W., Vigna, G., Kemmerer, R.A.: Exploiting execution context for the detection of anomalous system calls. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol.\u00a04637, pp. 1\u201320. Springer, Heidelberg (2007)"},{"key":"13_CR23","doi-asserted-by":"crossref","unstructured":"Onoue, K., Oyama, Y., Yonezawa, A.: Control of system calls from outside of virtual machines. In: ACM Symposium on Applied Computing (March 2008)","DOI":"10.1145\/1363686.1364196"},{"key":"13_CR24","unstructured":"packetstormsecurity. Adore rootkit, http:\/\/packetstormsecurity.org\/files\/view\/29692\/adore-0.42.tgz (last accessed January 15, 2011)"},{"key":"13_CR25","unstructured":"packetstormsecurity. Knark rootkit, http:\/\/packetstormsecurity.org\/files\/view\/24853\/knark-2.4.3.tgz (last accessed January 15, 2011)"},{"key":"13_CR26","doi-asserted-by":"crossref","unstructured":"Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: An architecture for secure active monitoring using virtualization. In: IEEE Symposium on Security and Privacy (May 2008)","DOI":"10.1109\/SP.2008.24"},{"key":"13_CR27","unstructured":"PCNews. Verisign working to mitigate stuxnet digital signature theft, http:\/\/pcnews.uni.cc\/verisign-working-to-mitigate-stuxnet-digital-signature-theft.html (last accessed January 15, 2011)"},{"key":"13_CR28","unstructured":"Petroni Jr., N.L., Fraser, T., Walters, A., Arbaugh, W.A.: An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: 15th USENIX Security Symposium (August 2006)"},{"key":"13_CR29","doi-asserted-by":"crossref","unstructured":"Petroni Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: ACM Conference on Computer and Communications Security, CCS (November 2007)","DOI":"10.1145\/1315245.1315260"},{"key":"13_CR30","unstructured":"Provos, N.: Improving host security with system call policies. In: 12th USENIX Security Symposium (August 2003)"},{"key":"13_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-87403-4_1","volume-title":"Recent Advances in Intrusion Detection","author":"R. Riley","year":"2008","unstructured":"Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol.\u00a05230, pp. 1\u201320. Springer, Heidelberg (2008)"},{"key":"13_CR32","unstructured":"Rootkit.com. Rootkit.com, http:\/\/www.rootkit.com\/ (last accessed January 15, 2011)"},{"key":"13_CR33","doi-asserted-by":"crossref","unstructured":"Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: IEEE Symposium on Security and Privacy (May 2001)","DOI":"10.1109\/SECPRI.2001.924295"},{"key":"13_CR34","doi-asserted-by":"crossref","unstructured":"Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: ACM Symposium on Operating Systems Principles, SOSP (October 2007)","DOI":"10.1145\/1294261.1294294"},{"key":"13_CR35","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-540-74320-0_2","volume-title":"Recent Advances in Intrusion Detection","author":"M. Sharif","year":"2007","unstructured":"Sharif, M., Singh, K., Giffin, J.T., Lee, W.: Understanding precision in host based intrusion detection. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol.\u00a04637, pp. 21\u201341. Springer, Heidelberg (2007)"},{"key":"13_CR36","doi-asserted-by":"crossref","unstructured":"Shinagawa, T., Eiraku, H., Tanimoto, K., Omote, K., Hasegawa, S., Horie, T., Hirano, M., Kourai, K., Oyama, Y., Kawai, E., Kono, K., Chiba, S., Shinjo, Y., Kato, K.: BitVisor: A thin hypervisor for enforcing I\/O device security. In: ACM VEE, Washington, DC (March 2009)","DOI":"10.1145\/1508293.1508311"},{"key":"13_CR37","unstructured":"Some Observations on Rootkits. Microsoft Malware Protection Center, http:\/\/blogs.technet.com\/b\/mmpc\/archive\/2010\/01\/07\/some-observations-on-rootkits.aspx (last accessed January 15, 2011)"},{"key":"13_CR38","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"97","DOI":"10.1007\/978-3-642-15512-3_6","volume-title":"Recent Advances in Intrusion Detection","author":"A. Srivastava","year":"2010","unstructured":"Srivastava, A., Giffin, J.: Automatic discovery of parasitic malware. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol.\u00a06307, pp. 97\u2013117. Springer, Heidelberg (2010)"},{"key":"13_CR39","unstructured":"Srivastava, A., Giffin, J.: Efficient monitoring of untrusted kernel-mode execution. In: NDSS, San Diego, California (February 2011)"},{"key":"13_CR40","unstructured":"Sun Microsystem. Dtrace, http:\/\/wikis.sun.com\/display\/DTrace\/DTrace (last accessed January 15, 2011)"},{"key":"13_CR41","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/3-540-36084-0_4","volume-title":"Recent Advances in Intrusion Detection","author":"K.M.C. Tan","year":"2002","unstructured":"Tan, K.M.C., Killourhy, K.S., Maxion, R.A.: Undermining an anomaly-based intrusion detection system using common exploits. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol.\u00a02516, p. 54. Springer, Heidelberg (2002)"},{"key":"13_CR42","unstructured":"Tan, L., Zhang, X., Ma, X., Xiong, W., Zhou, Y.: AutoISES: Automatically inferring security specifications and detecting violations. In: USENIX Security Symposium (August 2008)"},{"key":"13_CR43","doi-asserted-by":"crossref","unstructured":"Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: ACM CCS (November 2002)","DOI":"10.1145\/586110.586145"},{"key":"13_CR44","doi-asserted-by":"crossref","unstructured":"Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: ACM CCS, Chicago, IL (November 2009)","DOI":"10.1145\/1653662.1653728"},{"key":"13_CR45","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-540-30143-1_2","volume-title":"Recent Advances in Intrusion Detection","author":"H. Xu","year":"2004","unstructured":"Xu, H., Du, W., Chapin, S.J.: Context sensitive anomaly monitoring of process control flow to detect mimicry attacks and impossible paths. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol.\u00a03224, pp. 21\u201338. Springer, Heidelberg (2004)"},{"key":"13_CR46","doi-asserted-by":"crossref","unstructured":"Xu, M., Jiang, X., Sandhu, R., Zhang, X.: Towards a VMM-based usage control framework for OS kernel integrity protection. In: ACM SACMAT (June 2007)","DOI":"10.1145\/1266840.1266852"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-22424-9_13","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,11]],"date-time":"2019-06-11T21:41:55Z","timestamp":1560289315000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-22424-9_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011]]},"ISBN":["9783642224232","9783642224249"],"references-count":46,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-22424-9_13","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2011]]}}}