Application-level reconnaissance: timing channel attacks against antivirus software

Authors:
Mohammed I. Al-Saleh;Jedidiah R. Crandall
Affiliations:
University of New Mexico, Department of Computer Science, Albuquerque, NM;University of New Mexico, Department of Computer Science, Albuquerque, NM
Venue:
LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
Year:
2011

Citing 14
Cited 1

Timing attacks on Web privacy

Proceedings of the 7th ACM conference on Computer and communications security
A fast string searching algorithm

Communications of the ACM
Efficient string matching: an aid to bibliographic search

Communications of the ACM
A note on the confinement problem

Communications of the ACM
A Timing Attack against RSA with the Chinese Remainder Theorem

CHES '00 Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems
Testing malware detectors

ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
The Art of Computer Virus Research and Defense

The Art of Computer Virus Research and Defense
Exposing private information by timing web applications

Proceedings of the 16th international conference on World Wide Web
Timing analysis of keystrokes and timing attacks on SSH

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Remote timing attacks are practical

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Static analysis of executables to detect malicious patterns

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Remote detection of virtual machine monitors with fuzzy benchmarking

ACM SIGOPS Operating Systems Review
Opportunities and Limits of Remote Timing Attacks

ACM Transactions on Information and System Security (TISSEC)
Predictive black-box mitigation of timing channels

Proceedings of the 17th ACM conference on Computer and communications security

The impact of the antivirus on the digital evidence

International Journal of Electronic Security and Digital Forensics

Quantified Score

Hi-index	0.00

Visualization

Abstract

Remote attackers use network reconnaissance techniques, such as port scanning, to gain information about a victim machine and then use this information to launch an attack. Current network reconnaissance techniques, that are typically below the application layer, are limited in the sense that they can only give basic information, such as what services a victim is running. Furthermore, modern remote exploits typically come from a server and attack a client that has connected to it, rather than the attacker connecting directly to the victim. In this paper, we raise this question and answer it: Can the attacker go beyond the traditional techniques of network reconnaissance and gain high-level, detailed information? We investigate remote timing channel attacks against ClamAV antivirus and show that it is possible, with high accuracy, for the remote attacker to check how up-to-date the victim's antivirus signature database is. Because the strings the attacker uses to do this are benign (i.e., they do not trigger the antivirus) and the attack can be accomplished through many different APIs, the attacker has a large amount of flexibility in hiding the attack.