Application-level reconnaissance: Timing channel attacks against antivirus software

Mohammed I. Al-Saleh, Jedidiah R. Crandall

Research output: Contribution to conference › Paper › peer-review

Abstract

Remote attackers use network reconnaissance techniques, such as port scanning, to gain information about a victim machine and then use this information to launch an attack. Current network reconnaissance techniques, which typically operate below the application layer, are limited in the sense that they can only give basic information, such as what services a victim is running. Furthermore, modern remote exploits typically come from a server and attack a client that has connected to it, rather than the attacker connecting directly to the victim. In this paper, we raise this question and answer it: Can the attacker go beyond the traditional techniques of network reconnaissance and gain high-level, detailed information? We investigate remote timing channel attacks against the ClamAV antivirus and show that it is possible, with high accuracy, for the remote attacker to check how up-to-date the victim's antivirus signature database is. Because the strings the attacker uses to do this are benign (i.e., they do not trigger the antivirus) and the attack can be accomplished through many different APIs, the attacker has a large amount of flexibility in hiding the attack.

Original language: English (US)
State: Published - 2011
Externally published: Yes
Event: 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, LEET 2011 - Boston, United States
Duration: Mar 29 2011 → …

Conference

Conference: 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, LEET 2011
Country: United States
City: Boston
Period: 3/29/11 → …

ASJC Scopus subject areas

  • Information Systems
  • Artificial Intelligence
  • Computer Science Applications
