countering kernel rootkits with lightweight hook protection

Countering Kernel Rootkits with Lightweight Hook Protection

Zhi Wang @ NCSUXuxian Jiang @ NCSU

Weidong Cui @ Microsoft ResearchPeng Ning @ NCSU

ACM CCS’09

Advanced Defense Lab @ National Central Univ.

2

OutlineIntroductionHookSafe DesignImplementationEvaluationRelated Work & Conclusion


3

IntroductionPrior research:

BehaviorsSymptomsKernel code integrity

Return-oriented rootkitsReturn-Oriented Rootkits

: Bypassing Kernel Code Integrity Protection Mechanisms @ Usenix Security ‘09

http://www.usenix.org/events/sec09/tech/full_papers/hund.pdf





4

IntroductionBetter solution…

Preserve kernel code integrity by preserving the kernel control flow integrity

Kernel control data: Return addresses Function pointers

Function pointers == kernel hooks (in this paper)


5

IntroductionHardware-based page-level protection

Limited number of kernel hooksHooks are not co-located together with

frequently modified memory data


6

IntroductionHookSafe

Hypervisor-basedLightweightProtect all kernel hooksByte-level granularity


7

Introduction

Distribution of 5881 kernel hooks in a running Ubuntu system


8

HookSafe DesignOffline Hook Profiler

Profile the guest kernel execution and output a hook access profile for each protected hook

Hook Access Points(HAPs)Online Hook Protector

Create a shadow copy of all protected hooksImplement HAPsRedirection


9

HookSafe Design

The HookSafe architecture


10

HookSafe DesignOffline Hook Profiling

Static analysis More complete; less precise

Dynamic analysis More precise

QEMU – monitoring every memory access instruction


11

HookSafe DesignOnline Hook Protection


12

HookSafe DesignOnline Hook Protection – Initialization

At Boot timeCreate shadow copyPatch the HAPs(requires the support of the

hypervisor)


13

HookSafe DesignOnline Hook Protection – Runtime R/W

IndirectionRead : read from the shadow copy and returnWrite :

Make a hypercall Validate the request Update the shadow copy if valid


14

HookSafe DesignOnline Hook Protection – Runtime Tracking

of Dynamic Allocated HooksA dynamic allocated hook is embedded in a

dynamic kernel objectHypercall while a kernel object containing a

hook is allocatedCreate the shadow copy of the hook


15

HookSafe DesignHardware Register Protection

GDTR, IDTR, DR0-DR7 Hardware-based page-level protection


16

ImplementationOffline Hook Profiler

QEMU – binary translationIf an instruction accesses any kernel hook in

the given list, mark it as an HAP and log the value

Dynamic allocated kernel hook: Track the creation of the kernel object and locate

the locationHook access profile


17

Implementation

An example access profile related to ext3_dir_operations->readdirkernel hook


18

ImplementationHook Indirection

HAP Patching Overwrite the instruction of HAP with a 5-byte jmp

instruction Jump to trampoline code > 5 bytes : Fill the space with NOP instructions < 5 bytes : overwrite the subsequent instruction


19

Implementation

The implementation of hook indirection


20

Implementation


21

ImplementationHook Indirection - HAP Patching

HAP after HAPThe second instruction is a target of jump

instruction


22

ImplementationRead/Write Indirection

Detection: Read – compare the original hook with shadow copy

Write – update both


23

ImplementationRuntime LKM and Hook Tracking

SLAB interfaceLKM

Virtual machine introspectionMemory Protection

Shadow page table (SPT) in Xen


24

EvaluationTest with 9 real-world rootkitsUnixBench and ApacheBench


25

Evaluation


26

Evaluation


27

EvaluationPerformance


28

countering kernel rootkits with lightweight hook protection

Documents

hook advanced defense

national central univ

validadvanced defense

paperadvanced defense

dynamic kernel objecthypercall

countering kernel rootkits

guest kernel execution

example access profile