KQguard: Binary-Centric Defense against Kernel Queue Injection Attacks

Kernel callback queues (KQs) are the mechanism of choice for handling events in modern kernels. KQs have been misused by real-world malware to run malicious logic. Current defense mechanisms for kernel code and data integrity have difficulties with kernel queue injection (KQI) attacks, since they work without necessarily changing legitimate kernel code or data. In this paper, we describe the design, implementation, and evaluation of KQguard, an efficient and effective protection mechanism of KQs. KQguard uses static and dynamic analysis of kernel and device drivers to learn the legitimate event handlers. At runtime, KQguard rejects all the unknown KQ requests that cannot be validated. We implement KQguard on the Windows Research Kernel (WRK) and Linux and extensive experimental evaluation shows that KQguard is efficient (up to ~5% overhead) and effective (capable of achieving zero false positives against representative benign workloads after appropriate training and very low false negatives against 125 real-world malware and nine synthetic attacks). KQguard protects 20 KQs in WRK, can accommodate new device drivers, and through dynamic analysis of binary code can support closed source device drivers.

[1]  Wayne Salamon,et al.  Implementing SELinux as a Linux Security Module , 2003 .

[2]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[3]  William A. Arbaugh,et al.  Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor , 2004, USENIX Security Symposium.

[4]  Xuxian Jiang,et al.  Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing , 2008, RAID.

[5]  Xuxian Jiang,et al.  Mapping kernel objects to enable systematic integrity checking , 2009, CCS.

[6]  Ken Chiang,et al.  A Case Study of the Rustock Rootkit and Spam Bot , 2007, HotBots.

[7]  Zhi Wang,et al.  Comprehensive and Efficient Protection of Kernel Control Data , 2011, IEEE Transactions on Information Forensics and Security.

[8]  Xuxian Jiang,et al.  On the Expressiveness of Return-into-libc Attacks , 2011, RAID.

[9]  William A. Arbaugh,et al.  An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data , 2006, USENIX Security Symposium.

[10]  Peng Ning,et al.  Remote attestation to dynamic system properties: Towards providing complete system integrity evidence , 2009, 2009 IEEE/IFIP International Conference on Dependable Systems & Networks.

[11]  Michael W. Hicks,et al.  Automated detection of persistent kernel control-flow attacks , 2007, CCS '07.

[12]  Calton Pu,et al.  Toward a general defense against kernel queue hooking attacks , 2012, Comput. Secur..

[13]  Calton Pu,et al.  KQguard: Protecting Kernel Callback Queues , 2012 .

[14]  Arati Baliga,et al.  Automatic Inference and Enforcement of Kernel Data Structure Invariants , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[15]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[16]  David Brumley Invisible Intruders: Rootkits in Practice , 2015, login Usenix Mag..

[17]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[18]  Eric Chien,et al.  W32.Duqu: The Precursor to the Next Stuxnet , 2012, LEET.

[19]  Wenke Lee,et al.  Secure in-VM monitoring using hardware virtualization , 2009, CCS.

[20]  Rachit Mathur,et al.  PREDICTING THE FUTURE OF STEALTH ATTACKS , 2011 .

[21]  George C. Necula,et al.  CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs , 2002, CC.

[22]  Xuxian Jiang,et al.  Countering kernel rootkits with lightweight hook protection , 2009, CCS.