LiveDM: Temporal Mapping of Dynamic Kernel Memory for Dynamic Kernel Malware Analysis and Debugging

Dynamic kernel memory is difficult to analyze because of its volatile nature: numerous kernel objects are frequently allocated and freed in the kernel's heap, and their data types are not recorded in the memory systems of current commodity operating systems. Since the majority of kernel data is stored dynamically, this memory has been a favorite target of much malicious software and of kernel bugs. To analyze dynamic kernel memory, a global technique that systematically translates a given memory address into a data type is essential. Previous approaches were limited in focus to analyzing either a malware's execution or a snapshot of kernel memory. We present a new memory interpretation system called LiveDM that automatically translates dynamic kernel memory addresses into data types. This system enables accurate memory analysis of the entire kernel execution, ranging from malware activity to legitimate kernel code execution, over a period of time rather than at the instant of a snapshot, using two novel techniques. (1) The system identifies each individual dynamic kernel object by a systematically determined runtime identifier that points to the code where the object is allocated. (2) The data type can then be automatically extracted from that code using static code analysis offline. We have implemented a prototype of LiveDM that supports three Linux kernels; LiveDM dynamically tracks tens of thousands of dynamic kernel memory objects, which are accurately translated into data types in the offline process. We have evaluated and validated its general applicability and effectiveness in extensive case studies of kernel malware analysis and kernel debugging.
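As an added illustration of the two techniques above (this is example code written for this page, not the LiveDM prototype), the following Python sketch replays a constructed kmalloc/kfree trace, tags each object with its allocation call site as the runtime identifier, and resolves an address at a chosen time through an assumed call-site-to-type table of the kind static analysis would produce offline. The call-site addresses, type names and heap addresses are all constructed assumptions; the point of the trace is that one heap chunk is reused by a different type, which a single snapshot cannot distinguish but a temporal map can.

```python
from collections import namedtuple

# Constructed call-site -> data-type table. LiveDM derives this offline by
# static analysis of each allocation site; these addresses and names are assumptions.
CALLSITE_TYPES = {0xC01A1234: "struct task_struct",
                  0xC01B5678: "struct file",
                  0xC01C9ABC: "struct sock"}

# One dynamic kernel object: where it lives, who allocated it, and its lifetime.
Obj = namedtuple("Obj", "start size callsite t_alloc t_free")

class LiveDMMap:
    """Temporal map from a dynamic kernel address to a data type."""
    def __init__(self):
        self.objs = []  # every allocation seen, freed ones included
        self.live = {}  # start address -> index into self.objs, live objects only

    def on_alloc(self, t, addr, size, callsite):
        # Runtime identifier = return address of the allocation call (callsite).
        self.live[addr] = len(self.objs)
        self.objs.append(Obj(addr, size, callsite, t, None))

    def on_free(self, t, addr):
        # Close the lifetime so later reuse of addr is not confused with this object.
        i = self.live.pop(addr)
        self.objs[i] = self.objs[i]._replace(t_free=t)

    def type_at(self, addr, t):
        """Return (type name, offset within object) for addr at time t, else None."""
        for o in self.objs:
            in_range = o.start <= addr < o.start + o.size
            alive = o.t_alloc <= t and (o.t_free is None or t < o.t_free)
            if in_range and alive:
                return CALLSITE_TYPES.get(o.callsite, "unknown"), addr - o.start
        return None

def build_map(events):
    """Replay a trace of ("alloc", t, addr, size, callsite) and ("free", t, addr)."""
    m = LiveDMMap()
    for ev in events:
        (m.on_alloc if ev[0] == "alloc" else m.on_free)(*ev[1:])
    return m

# Constructed trace: the chunk at 0xD0001000 first holds a task_struct, is freed,
# and is then reused for a sock allocated from a different call site.
TRACE = [("alloc", 10, 0xD0001000, 0x50, 0xC01A1234),
         ("alloc", 12, 0xD0002000, 0x80, 0xC01B5678),
         ("free", 20, 0xD0001000),
         ("alloc", 25, 0xD0001000, 0x50, 0xC01C9ABC)]
```

Querying `build_map(TRACE).type_at(0xD0001010, t)` yields a task_struct field at t=15, nothing at t=22 (freed), and a sock field at t=30, which is the address-to-type ambiguity that a snapshot-only tool cannot resolve.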
