1 / 22

Mapping Kernel Objects to Enable Systematic Integrity Checking

Mapping Kernel Objects to Enable Systematic Integrity Checking. Outline. Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions . Introduction. Basic : KOP (Kernel Object Pinpointer )

xue
Download Presentation

Mapping Kernel Objects to Enable Systematic Integrity Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mapping Kernel Objects to Enable Systematic Integrity Checking

  2. Outline • Introduction • Overview • Static analysis • Memory analysis • Kernel integrity checking • Implementation and evaluation • Limitations and future work • Conclusions

  3. Introduction • Basic : • KOP (Kernel Object Pinpointer) • Application: • SFPD (Subverted Function Pointer Detector) • GHOST (General Hidden Object Scanning Tool)

  4. Overviews • KOP has two main components: • A static analysis component • Points-to graph • Extended type graph (final) • A memory analysis component • Object graph

  5. Static analysis • Compute three set of information: • Object type definitions • Declared type and relative addresses of global variables • Candidate target type for generic pointers • Based on the medium-level intermediate representation (MIR) • 4 canonical forms of pointer assignments: • x = y • x = &y • *x = y • x = *y

  6. Static analysis

  7. Point-to analysis • Modify the algorithm to create points-to graph • an eage (src, dst) => (src, dst, n, ops) • n is a pointer offset (for field-sensitive) • op that specifies the call or return operation involved in the assignment (for context-sensitive) • For example: • _Entry = t286 due to the function call at line 25 => (_Entry, t286, 0, call@file : 25)

  8. Inferring Types for Generic Pointers

  9. Resolving type ambiguities • Type ambiguities com from two sources: • unions • generic pointers • Consider two constraints when determining the correct candidate type: • Size constraint • Based on the observation that the data stored by certain data types must have specific properties • Recursively for their child object up to a certain depth level.

  10. Recognizing dynamic arrays • The key idea is to leverage the kernel memory pool boundaries. • A dynamic array is usually allocated in to possible ways: • It may take up a whole pool block. • It may extend an object whose last field is defined as an array of size 0 or 1. • Check each allocated pool block to recognize dynamic arrays after the object traversal (without dynamic arrays) is completed.

  11. Controlling Object Identification Errors • May incorrectly identify an object for three main reasons: • Choosing the wrong candidate when resolving type ambiguities • Mistaking a dynamic array. • Program bugs. • To reduce identification errors, we employ the following two techniques: • Traverses the kernel memory in multiple rounds. • Use a safe-guard mechanism.

  12. Kernel Integrity Checking • Function pointer checking (SFPD) • A white list of trusted modules • Check every function pointer in the kernel objects found by KOP based on the following policy: • An explicit function pointer must point to trusted code; an implicit function pointer must point to either trusted code or a data object found by KOP; otherwise, the function pointer is marked as malicious.

  13. Kernel Integrity Checking • Hidden object discovery (GHOST) • Compare the list of all the objects of that type found b KOP in a memory snapshot with the list of objects returned by a program such as Task Manager.

  14. Implementation and Evaluation • KOP were implemented in C# with a total of 16000 lines of code. • Windows Vista SP1 with 63 kernel drivers. • Run in a Vmware virtual machine with 1GB RAM. • SFPD prototype has 1000 lines of C# code • GHOST prototype has 200 lines of C# code

  15. KOP • Static analysis • Source code of the Vista SP1 kernel and the 63 drivers with a total of 5 million lines of code. • Codebase contains 24423 data types and 9629 global variable definitions. • KOP needs less than 48 hours to complete its static analysis on a 2.2 GHz QuadCore AMD Opteron machine with 32 GB RAM.

  16. KOP • Coverage • VC (Verified Coverage) = • GC (Gross Coverage) =

  17. KOP • Performance • Use a 4GHz Intel Xeon Duo Core machine with 3GB RAM • Running time was 8 minutes, including the overhead of reading the memory snapshot stored on the disk.

  18. SFPD • Test SFPD with eight real-world kernel malware samples collected from a public database. • Running on a machine the same as previous page. • SFPD finishes a scan of a memory snapshot in less than two minutes. • Identified all the malicious function pointers for all eight malware samples with zero false alarms.

  19. SFPD

  20. GHOST • Test GHOST with two real-world kernel-mode malware samples: • FURootkit (ported the XP-based to Vista SP1) • Syzor.A • GHOST correctly identified all hidden objects in both tests with zero false alarms.

  21. Limitations and Future Work • Static analysis could be improved to automatically handle the kernel implementation corner cases in a more general way. • Increase the scope of our static analysis to determine domain constraints for other basic types in addition to pointers. • It’s will have error if a very large number of pointers inside an object is manipulated.

  22. Conclusions • Dynamic kernel data have become a common target for malware looking to evade traditional code and static data-based integrity monitors • KOP, a system that can map dynamic kernel objects with very high coverage and accuracy by leveraging a set of novel techniques in static source code analysis and memory analysis

More Related