introduction overview static analysis memory analysis kernel integrity checking implementation and...
Post on 28-Dec-2015
220 Views
Preview:
TRANSCRIPT
Mapping Kernel Objects to Enable Systematic Integrity
Checking
IntroductionOverviewStatic analysisMemory analysisKernel integrity checkingImplementation and evaluationLimitations and future workConclusions
Outline
Basic :KOP (Kernel Object Pinpointer)
Application:SFPD (Subverted Function Pointer Detector)GHOST (General Hidden Object Scanning Tool)
Introduction
OverviewsKOP has two main
components:A static analysis
componentPoints-to graphExtended type graph
(final)A memory analysis
componentObject graph
Static analysisCompute three set of
information:Object type
definitionsDeclared type and
relative addresses of global variables
Candidate target type for generic pointers
Based on the medium-level intermediate representation (MIR)
4 canonical forms of pointer assignments:x = yx = &y*x = yx = *y
Static analysis
Point-to analysisModify the algorithm
to create points-to graphan eage (src, dst)
=> (src, dst, n, ops)n is a pointer offset
(for field-sensitive)op that specifies the
call or return operation involved in the assignment (for context-sensitive)
For example:_Entry = t286 due to
the function call at line 25
=> (_Entry, t286, 0, call@file : 25)
Inferring Types for Generic Pointers
Type ambiguities com from two sources:unionsgeneric pointers
Consider two constraints when determining the correct candidate type:Size constraintBased on the observation that the data stored
by certain data types must have specific properties
Recursively for their child object up to a certain depth level.
Resolving type ambiguities
The key idea is to leverage the kernel memory pool boundaries.
A dynamic array is usually allocated in to possible ways:It may take up a whole pool block.It may extend an object whose last field is
defined as an array of size 0 or 1.Check each allocated pool block to recognize
dynamic arrays after the object traversal (without dynamic arrays) is completed.
Recognizing dynamic arrays
May incorrectly identify an object for three main reasons:Choosing the wrong candidate when resolving
type ambiguitiesMistaking a dynamic array.Program bugs.
To reduce identification errors, we employ the following two techniques:Traverses the kernel memory in multiple
rounds.Use a safe-guard mechanism.
Controlling Object Identification Errors
Function pointer checking (SFPD)A white list of trusted modulesCheck every function pointer in the kernel
objects found by KOP based on the following policy:An explicit function pointer must point to trusted
code; an implicit function pointer must point to either trusted code or a data object found by KOP; otherwise, the function pointer is marked as malicious.
Kernel Integrity Checking
Hidden object discovery (GHOST)Compare the list of all the objects of that type
found b KOP in a memory snapshot with the list of objects returned by a program such as Task Manager.
Kernel Integrity Checking
KOP were implemented in C# with a total of 16000 lines of code.
Windows Vista SP1 with 63 kernel drivers.Run in a Vmware virtual machine with 1GB
RAM.SFPD prototype has 1000 lines of C# codeGHOST prototype has 200 lines of C# code
Implementation and Evaluation
Static analysisSource code of the Vista SP1 kernel and the 63
drivers with a total of 5 million lines of code.Codebase contains 24423 data types and 9629
global variable definitions.KOP needs less than 48 hours to complete its
static analysis on a 2.2 GHz QuadCore AMD Opteron machine with 32 GB RAM.
KOP
Coverage
VC (Verified Coverage) =
GC (Gross Coverage) =
KOP
PerformanceUse a 4GHz Intel Xeon Duo Core machine with
3GB RAMRunning time was 8 minutes, including the
overhead of reading the memory snapshot stored on the disk.
KOP
Test SFPD with eight real-world kernel malware samples collected from a public database.
Running on a machine the same as previous page.
SFPD finishes a scan of a memory snapshot in less than two minutes.
Identified all the malicious function pointers for all eight malware samples with zero false alarms.
SFPD
SFPD
GHOSTTest GHOST with two real-world kernel-mode
malware samples:FURootkit (ported the XP-based to Vista SP1)Syzor.A
GHOST correctly identified all hidden objects in both tests with zero false alarms.
Static analysis could be improved to automatically handle the kernel implementation corner cases in a more general way.
Increase the scope of our static analysis to determine domain constraints for other basic types in addition to pointers.
It’s will have error if a very large number of pointers inside an object is manipulated.
Limitations and Future Work
Dynamic kernel data have become a common target for malware looking to evade traditional code and static data-based integrity monitors
KOP, a system that can map dynamic kernel objects with very high coverage and accuracy by leveraging a set of novel techniques in static source code analysis and memory analysis
Conclusions
top related