DIGGER: identifying operating system dynamic kernel objects for run-time security analysis

In operating systems, a running instance of a data structure (data type) is usually called an object. Locating runtime dynamic kernel objects in physical memory is the most difficult step toward implementing robust operating system security solutions. In this paper, we address the problem of systematically uncovering all operating system runtime dynamic kernel objects without any prior knowledge of the kernel's data layout in memory. We present a new hybrid approach, called DIGGER, that uncovers kernel runtime objects with nearly complete coverage, high accuracy and robust results. Unlike previous approaches, DIGGER is designed to handle indirect points-to relations between kernel data structures. To obtain accurate results, it combines a new value-invariant approach with a systematic memory mapping technique. We have implemented a prototype of DIGGER and evaluated its efficiency and effectiveness. To demonstrate the approach's potential, we have also developed three different proof-of-concept operating system security tools based on the DIGGER approach.
