
Countering Kernel Rootkits with Lightweight Hook Protection


Presentation Transcript


  1. ACM CCS’09
     Countering Kernel Rootkits with Lightweight Hook Protection
     Zhi Wang @ NCSU, Xuxian Jiang @ NCSU, Weidong Cui @ Microsoft Research, Peng Ning @ NCSU

  2. Outline
     • Introduction
     • HookSafe Design
     • Implementation
     • Evaluation
     • Related Work & Conclusion
     Advanced Defense Lab @ National Central Univ.

  3. Introduction
     • Prior research:
       • Behaviors
       • Symptoms
       • Kernel code integrity
     • Return-oriented rootkits
       • Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms @ USENIX Security ’09

  4. Introduction
     • Better solution…
       • Preserve kernel code integrity by preserving the kernel control flow integrity
     • Kernel control data:
       • Return addresses
       • Function pointers
     • Function pointers == kernel hooks (in this paper)

  5. Introduction
     • Hardware-based page-level protection assumes:
       • Limited number of kernel hooks
       • Hooks are not co-located together with frequently modified memory data

  6. Introduction
     • HookSafe
       • Hypervisor-based
       • Lightweight
       • Protects all kernel hooks
       • Byte-level granularity

  7. Introduction
     Distribution of 5881 kernel hooks in a running Ubuntu system

  8. HookSafe Design
     • Offline Hook Profiler
       • Profile the guest kernel execution and output a hook access profile for each protected hook
       • Hook Access Points (HAPs)
     • Online Hook Protector
       • Create a shadow copy of all protected hooks
       • Implement HAPs
       • Redirection

  9. HookSafe Design
     The HookSafe architecture

  10. HookSafe Design
      • Offline Hook Profiling
        • Static analysis: more complete, less precise
        • Dynamic analysis: more precise
          • QEMU – monitoring every memory access instruction

  11. HookSafe Design
      • Online Hook Protection

  12. HookSafe Design
      • Online Hook Protection – Initialization
        • At boot time
          • Create shadow copy
          • Patch the HAPs (requires the support of the hypervisor)

  13. HookSafe Design
      • Online Hook Protection – Runtime R/W Indirection
        • Read: read from the shadow copy and return
        • Write:
          • Make a hypercall
          • Validate the request
          • Update the shadow copy if valid

  14. HookSafe Design
      • Online Hook Protection – Runtime Tracking of Dynamically Allocated Hooks
        • A dynamically allocated hook is embedded in a dynamic kernel object
        • Hypercall when a kernel object containing a hook is allocated
          • Create the shadow copy of the hook

  15. HookSafe Design
      • Hardware Register Protection
        • GDTR, IDTR, DR0–DR7
        • Hardware-based page-level protection

  16. Implementation
      • Offline Hook Profiler
        • QEMU – binary translation
        • If an instruction accesses any kernel hook in the given list, mark it as an HAP and log the value
        • Dynamically allocated kernel hooks:
          • Track the creation of the kernel object and locate the hook within it
        • Hook access profile

  17. Implementation
      An example access profile related to the ext3_dir_operations->readdir kernel hook

  18. Implementation
      • Hook Indirection – HAP Patching
        • Overwrite the instruction at the HAP with a 5-byte jmp instruction
        • Jump to trampoline code
        • > 5 bytes: fill the remaining space with NOP instructions
        • < 5 bytes: overwrite the subsequent instruction

  19. Implementation
      The implementation of hook indirection

  20. Implementation

  21. Implementation
      • Hook Indirection – HAP Patching
        • HAP after HAP
          • The second instruction is the target of a jump instruction
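The patching rules of slides 18 and 21, worked through as an added example (code written for this page, not the HookSafe authors' implementation). The function lays a 5-byte jmp rel32 to the trampoline over the HAP instruction, NOP-fills the tail when the instruction is longer than 5 bytes, reports when the jmp spills into the following instruction, and refuses to patch when that following instruction is a branch target (the "HAP after HAP" case). Assumptions: 32-bit flat guest addresses, the instruction length comes from the offline access profile, all addresses and instruction bytes are constructed, and refusing the branch-target case is this example's policy (the slide names the difficulty, not how HookSafe resolves it). The trampoline body itself is not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 encodings used by the patch (real opcode values). */
#define X86_JMP_REL32 0xE9u   /* jmp rel32: opcode byte + 4-byte displacement */
#define X86_NOP       0x90u
#define JMP_LEN       5u

enum hap_patch_result {
    HAP_PATCH_EXACT,         /* HAP instruction is exactly 5 bytes: replaced in place */
    HAP_PATCH_NOP_FILLED,    /* longer than 5 bytes: the tail is filled with NOPs */
    HAP_PATCH_CLOBBERS_NEXT, /* shorter than 5 bytes: the jmp overwrites the next instruction */
    HAP_PATCH_UNSAFE,        /* would clobber an instruction that is a branch target: not patched */
    HAP_PATCH_ERROR          /* patch does not fit inside the buffer */
};

/* Displacement of a 5-byte jmp at 'from' landing on 'to'. rel32 is relative to the
 * end of the jmp (from + 5); in a 32-bit flat address space (assumed here) the
 * wrap-around of uint32_t arithmetic makes every target reachable. */
static uint32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return to - (from + JMP_LEN);
}

/* Patch one Hook Access Point.
 *   code/code_len : copy of the kernel text being patched
 *   hap_off       : offset of the HAP instruction in that buffer
 *   insn_len      : length of the HAP instruction, taken from the access profile
 *   hap_addr      : guest virtual address of the HAP
 *   tramp_addr    : guest virtual address of this HAP's trampoline
 *   next_is_branch_target : the instruction following the HAP is a jump target
 *                           (the "HAP after HAP" case; refusing is this example's policy) */
static enum hap_patch_result hap_patch(uint8_t *code, size_t code_len, size_t hap_off,
                                       size_t insn_len, uint32_t hap_addr,
                                       uint32_t tramp_addr, int next_is_branch_target)
{
    size_t span = insn_len > JMP_LEN ? insn_len : JMP_LEN;   /* bytes we will write */
    uint32_t rel;

    if (insn_len == 0 || hap_off > code_len || span > code_len - hap_off)
        return HAP_PATCH_ERROR;
    if (insn_len < JMP_LEN && next_is_branch_target)
        return HAP_PATCH_UNSAFE;   /* a branch into the middle of our jmp would decode garbage */

    rel = jmp_rel32(hap_addr, tramp_addr);
    code[hap_off] = X86_JMP_REL32;
    for (unsigned i = 0; i < 4; i++)   /* little-endian rel32, independent of host endianness */
        code[hap_off + 1 + i] = (uint8_t)((rel >> (8 * i)) & 0xFFu);

    if (insn_len > JMP_LEN) {
        memset(&code[hap_off + JMP_LEN], X86_NOP, insn_len - JMP_LEN);
        return HAP_PATCH_NOP_FILLED;
    }
    return insn_len == JMP_LEN ? HAP_PATCH_EXACT : HAP_PATCH_CLOBBERS_NEXT;
}

/* Decode where a patched HAP at 'addr' jumps to, so a checker can confirm it
 * reaches the intended trampoline. */
static uint32_t jmp_target(const uint8_t *p, uint32_t addr)
{
    uint32_t rel = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                   ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    return addr + JMP_LEN + rel;   /* uint32 wrap-around handles backward jumps */
}

int main(void)
{
    /* Constructed text: a 6-byte HAP "mov edx, [0xc0401234]" (8B 15 disp32) followed by "ret" (C3). */
    uint8_t text[] = { 0x8B, 0x15, 0x34, 0x12, 0x40, 0xC0, 0xC3 };
    const uint32_t hap_addr = 0xc0100000u, tramp_addr = 0xc0800000u;  /* constructed addresses */
    enum hap_patch_result r = hap_patch(text, sizeof text, 0, 6, hap_addr, tramp_addr, 0);

    printf("result=%d bytes:", (int)r);
    for (size_t i = 0; i < sizeof text; i++)
        printf(" %02X", text[i]);
    printf("\njmp lands on 0x%08X (trampoline 0x%08X)\n", jmp_target(text, hap_addr), tramp_addr);
    return 0;
}
```

Running the block patches the 6-byte HAP into `E9 rel32` plus one NOP and confirms, by decoding the jmp back, that it lands on the trampoline. Because the length of each HAP instruction drives the three cases on slide 18, the access profile must record that length; a short HAP whose successor is a branch target is the one layout this patch cannot handle without extra care.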

  22. Implementation
      • Read/Write Indirection
        • Detection: Read – compare the original hook with the shadow copy
        • Write – update both
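Read/write indirection as an added example covering slides 13, 14 and 22 (written for this page, not HookSafe's code): the shadow copy is created when a hook is placed under protection (boot time, or the hypercall issued when a kernel object containing a hook is allocated), reads at an HAP are served from the shadow copy and compared against the in-kernel copy to detect a write that bypassed the HAPs, and writes become a validated hypercall that updates both copies. The trusted code ranges, the `hs_*` names, the `sim_file_operations` struct and every address are constructed for the example; the rule "a new hook target must point into trusted code" is an assumed validation policy, not one the slides specify.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed code ranges standing in for the guest kernel's text and one loaded
 * module's text. A real policy would take these from the hypervisor's view of the
 * guest; the values here are made up for the example. */
struct code_range { uint32_t start, end; const char *name; };
static const struct code_range trusted_code[] = {
    { 0xc0100000u, 0xc0400000u, "kernel .text (constructed)" },
    { 0xf8a00000u, 0xf8a10000u, "ext3.ko .text (constructed)" },
};

/* One protected hook: its original location in guest kernel memory and the shadow
 * copy HookSafe keeps in memory the guest cannot write directly. */
struct protected_hook {
    const char *name;
    uint32_t   *orig;
    uint32_t    shadow;
};

enum hs_status { HS_OK = 0, HS_REJECTED = 1, HS_TAMPERED = 2 };

/* Assumed validation policy: a hook may only point into known code. */
static int target_is_trusted(uint32_t target)
{
    for (size_t i = 0; i < sizeof trusted_code / sizeof trusted_code[0]; i++)
        if (target >= trusted_code[i].start && target < trusted_code[i].end)
            return 1;
    return 0;
}

/* Boot-time initialization, or the hypercall made when a kernel object containing
 * a hook is allocated: the shadow copy starts as the hook's current value. */
static void hs_protect(struct protected_hook *h, const char *name, uint32_t *orig)
{
    h->name   = name;
    h->orig   = orig;
    h->shadow = *orig;
}

/* Read indirection: a read at an HAP is served from the shadow copy. Comparing it
 * with the in-kernel copy detects a write that did not go through an HAP. */
static uint32_t hs_read(const struct protected_hook *h, enum hs_status *st)
{
    *st = (*h->orig == h->shadow) ? HS_OK : HS_TAMPERED;
    return h->shadow;
}

/* Write indirection: a write at an HAP becomes a hypercall. The request is
 * validated and, if accepted, both the shadow copy and the original are updated. */
static enum hs_status hs_write(struct protected_hook *h, uint32_t new_target)
{
    if (!target_is_trusted(new_target))
        return HS_REJECTED;
    h->shadow = new_target;
    *h->orig  = new_target;
    return HS_OK;
}

/* Simulated guest kernel object: a file_operations-like table holding a readdir hook. */
struct sim_file_operations { uint32_t open, readdir, release; };

/* Scenario: readdir legitimately points into the module, then the hook location is
 * overwritten directly (an out-of-band write that bypasses the HAPs, as a rootkit's
 * memory write would). Returns the status seen by the next indirected read and the
 * value the kernel actually dispatches through. */
static enum hs_status demo_direct_overwrite(uint32_t *value_seen)
{
    struct sim_file_operations ops = { 0xc0123400u, 0xf8a01230u, 0xc0123500u };  /* constructed */
    struct protected_hook h;
    enum hs_status st;

    hs_protect(&h, "ext3_dir_operations->readdir", &ops.readdir);
    ops.readdir = 0xdeadbeefu;          /* direct write to the hook, not through an HAP (constructed) */
    *value_seen = hs_read(&h, &st);     /* the read still yields the shadow value */
    return st;
}

int main(void)
{
    uint32_t seen;
    enum hs_status st = demo_direct_overwrite(&seen);
    printf("read after direct overwrite: value=0x%08X status=%s\n", seen,
           st == HS_TAMPERED ? "TAMPERED" : st == HS_OK ? "OK" : "REJECTED");
    return 0;
}
```

The point the scenario makes is the one behind slide 22: once every read of the hook is redirected to the shadow copy, a write that lands only on the original location changes nothing about where the kernel dispatches, and the mismatch between the two copies is the detection signal. Writes that do go through an HAP reach `hs_write`, where the validation step decides whether both copies move.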

  23. Implementation
      • Runtime LKM and Hook Tracking
        • SLAB interface
        • LKM
        • Virtual machine introspection
      • Memory Protection
        • Shadow page table (SPT) in Xen

  24. Evaluation
      • Test with 9 real-world rootkits
      • UnixBench and ApacheBench

  25. Evaluation

  26. Evaluation

  27. Evaluation
      • Performance

  28.
