Security Laboratory

Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.

Interrupts

By Stephen Northcutt

System interrupts are any sort of call to software or hardware to have it do something else, that is, something it is not already doing. Interrupts can occur when a system's hardware is accessed for some reason (perhaps a hard disk is being read or written to), when a user makes a system call to request some type of service, or when an error is detected in a currently executing process. Interrupts often improve processing capability; for example, rather than sit idle waiting on a slow I/O device, the CPU carries on with other work and the device raises an interrupt when it is ready.

"Most modern general purpose microprocessors handle the interrupts the same way. When a hardware interrupt occurs the CPU stops executing the instructions that it was executing and jumps to a location in memory that either contains the interrupt handling code or an instruction branching to the interrupt handling code. This code usually operates in a special mode for the CPU, interrupt mode, and normally, no other interrupts can happen in this mode."[1]

"Interrupts have numbers, and there can be up to 256 different interrupts. When an interrupt occurs (like a keypress or a mouse click), the application running is stopped and the contents of the [Code Segment, Instruction Pointer] CS/IP/flags are pushed onto the stack, and the routine that has to handle the interrupting event is executed. After execution of the routine, using an IRET call, execution returns to the application. The locations of all the interrupt handling routines are maintained at the beginning (0000:0000) of memory, and it is called the Interrupt Service Routine table."[2]

On a Linux system we can see the interrupts by reading /proc/interrupts; the interrupt numbers are in the left-hand column, followed by the count of times each has fired, the controller type, and the device that owns it:[3]

[msoulier@lupus msoulier]$ cat /proc/interrupts
           CPU0
  0:    3791558          XT-PIC  timer
  1:      18949          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  8:          2          XT-PIC  rtc
 10:      16098          XT-PIC  eth0
 11:     160265          XT-PIC  EMU10K1
 12:      85654          XT-PIC  PS/2 Mouse
 13:          1          XT-PIC  fpu
 14:    1511685          XT-PIC  ide0
 15:         74          XT-PIC  ide1
NMI:          0

What are the security implications of interrupts?

An attacker could use an interrupt simply by having the OS execute a particular system call that would perform a malicious action. A classic example was the boot sector virus that would issue an interrupt to execute a write to a specific portion of the disk, the boot sector.

However, from a security perspective, that means we can in some cases use this information to identify malware and compromised applications. If notepad.exe issues an interrupt call to use the Ethernet interface, eth0, something could be amiss: why does a text editor need to access the network? Over the next few years this is likely to become a common capability in security software.
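As an added example (not code from the article), the following Python parses the /proc/interrupts format shown above, diffs two snapshots, and flags devices that were expected to be idle but still took interrupts; the second snapshot and the list of "quiet" devices are constructed for the demonstration.

```python
# Constructed first snapshot: the XT-PIC listing quoted in the article.
SNAPSHOT_A = """\
           CPU0
  0:    3791558          XT-PIC  timer
  1:      18949          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  8:          2          XT-PIC  rtc
 10:      16098          XT-PIC  eth0
 11:     160265          XT-PIC  EMU10K1
 12:      85654          XT-PIC  PS/2 Mouse
 13:          1          XT-PIC  fpu
 14:    1511685          XT-PIC  ide0
 15:         74          XT-PIC  ide1
NMI:          0
"""
# Constructed second snapshot "taken" a few seconds later: timer and keyboard
# advanced as expected, and eth0 took 500 interrupts it should not have.
SNAPSHOT_B = (SNAPSHOT_A.replace("3791558", "3792558")
                        .replace("18949", "18954")
                        .replace("16098", "16598"))

def parse_interrupts(text):
    """Map each label ('0', '10', 'NMI', ...) to (count summed over CPUs,
    controller/device description); also handles multi-CPU columns."""
    lines = text.strip("\n").splitlines()
    ncpu = sum(1 for tok in lines[0].split() if tok.startswith("CPU"))
    table = {}
    for line in (l for l in lines[1:] if ":" in l):
        label, _, rest = line.partition(":")
        rest, counts = rest.split(), []
        # Per-CPU counters come first; lines such as NMI may carry fewer.
        while rest and len(counts) < ncpu and rest[0].isdigit():
            counts.append(int(rest.pop(0)))
        table[label.strip()] = (sum(counts), " ".join(rest))
    return table

def interrupt_deltas(before, after):
    """Increase of every counter between two snapshots; new IRQs start at 0."""
    return {label: (count - before.get(label, (0, ""))[0], desc)
            for label, (count, desc) in after.items()}

def flag_unexpected(deltas, quiet_devices):
    """Devices expected to be idle that nevertheless took interrupts,
    as (label, delta, description) tuples."""
    return sorted((label, delta, desc) for label, (delta, desc) in deltas.items()
                  if delta > 0 and any(q in desc for q in quiet_devices))
```

Note that /proc/interrupts counts per device, not per process, so this is a host-level baseline check (for example, a NIC that should be unplugged suddenly taking interrupts), not the per-application attribution the paragraph above envisions.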

Over time, we expect operating-system policing software that looks for these types of actions and quarantines the malicious software to become even more widely available. An early commercial example was Okena, purchased by Cisco and rebranded as the Cisco Security Agent[4].

1. http://tldp.org/LDP/tlk/dd/interrupts.html
2. http://www.mohanraj.info/josh5.jsp
3. http://lists.debian.org/debian-user/2000/10/msg00499.html
4. http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html