Operating System Kernel Data Disambiguation to Support Security Analysis

Verifying the integrity of Operating System (OS) kernel data is very challenging because of the kernel's complex data layout. In this paper, we address the problem of systematically generating an accurate kernel data definition for an OS without any prior knowledge of its kernel data. This definition accurately reflects the kernel data layout by resolving the ambiguities in the pointer-based relations between kernel data, in order to support systematic kernel data integrity checking. We generate this definition by performing static points-to analysis on the kernel's source code. We have designed a new points-to analysis algorithm and have implemented a prototype of our system. We have performed several experiments with real-world applications and OSes to show the scalability and effectiveness of our approach for OS security applications.
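The ambiguity the abstract refers to is that a generic pointer field (for example a `void *` member) carries no static type, so an integrity checker that walks the kernel heap cannot know which structure layout to apply to its target. The example below is added here and is not the paper's algorithm or prototype: it is a minimal flow-insensitive, inclusion-based (Andersen-style) points-to analysis over a hand-written intermediate form, run on a constructed, kernel-like program in which two hypothetical drivers store different private structures behind the same `private_data` field. The type names `struct net_priv` and `struct tty_priv`, the object names, and the `PointsTo` API are all assumptions made for the illustration. Running it shows how the analysis resolves the field to its set of candidate target types, which is the kind of information a kernel data definition needs to record.

```python
# Added example (not the paper's implementation): a minimal flow-insensitive,
# inclusion-based (Andersen-style) points-to analysis over a hand-written
# intermediate form. It shows how such an analysis resolves the static type
# of a generic pointer field, which is the ambiguity a kernel data definition
# has to remove before an integrity checker can walk the heap.
from collections import defaultdict


class PointsTo:
    """Constraint set over variables, abstract objects and their fields."""

    def __init__(self):
        self.pts = defaultdict(set)      # location -> set of abstract object names
        self.obj_type = {}               # abstract object name -> declared C type
        self.copies = defaultdict(set)   # src -> {dst}: pts(dst) includes pts(src)
        self.stores = []                 # (ptr, field, src): ptr->field = src
        self.loads = []                  # (dst, ptr, field): dst = ptr->field

    def alloc(self, var, obj, ctype):
        """var = &obj (or an allocation site): var points to object obj of type ctype."""
        self.obj_type[obj] = ctype
        self.pts[var].add(obj)

    def copy(self, dst, src):
        """dst = src"""
        self.copies[src].add(dst)

    def store(self, ptr, field, src):
        """ptr->field = src"""
        self.stores.append((ptr, field, src))

    def load(self, dst, ptr, field):
        """dst = ptr->field"""
        self.loads.append((dst, ptr, field))

    def _flow(self, src, dst):
        """Propagate pts(src) into pts(dst); return True if pts(dst) grew."""
        if self.pts[src] <= self.pts[dst]:
            return False
        self.pts[dst] |= self.pts[src]
        return True

    def solve(self):
        """Iterate to a fixpoint. Points-to sets only grow and the set of abstract
        objects is finite, so the loop terminates (naive loop, cubic worst case)."""
        changed = True
        while changed:
            changed = False
            for src, dsts in list(self.copies.items()):
                for dst in dsts:
                    changed |= self._flow(src, dst)
            for ptr, field, src in self.stores:
                for obj in list(self.pts[ptr]):          # field-sensitive store
                    changed |= self._flow(src, (obj, field))
            for dst, ptr, field in self.loads:
                for obj in list(self.pts[ptr]):          # field-sensitive load
                    changed |= self._flow((obj, field), dst)
        return self

    def targets(self, location):
        """Set of C types a variable or (object, field) location may point to."""
        return {self.obj_type[o] for o in self.pts[location]}

    def field_targets(self, struct_type, field):
        """Candidate target types of a field across every instance of struct_type,
        e.g. what 'struct file.private_data' can point to in this program."""
        out = set()
        for obj, ctype in self.obj_type.items():
            if ctype == struct_type:
                out |= self.targets((obj, field))
        return out


def build_example():
    """Constructed kernel-like program (not real kernel code): two hypothetical
    drivers stash different private structs behind the same 'void *' field."""
    a = PointsTo()
    a.alloc("file1", "file_obj1", "struct file")        # file1 = allocation of struct file
    a.alloc("file2", "file_obj2", "struct file")
    a.alloc("net_priv", "net_obj", "struct net_priv")   # hypothetical driver private type
    a.alloc("tty_priv", "tty_obj", "struct tty_priv")   # hypothetical driver private type
    a.store("file1", "private_data", "net_priv")        # file1->private_data = net_priv
    a.store("file2", "private_data", "tty_priv")        # file2->private_data = tty_priv
    a.copy("f", "file1")                                # f may refer to either file
    a.copy("f", "file2")
    a.load("p", "f", "private_data")                    # p = f->private_data (a void *)
    a.alloc("inode", "inode_obj", "struct inode")
    a.store("file1", "f_inode", "inode")                # a normally typed field, for contrast
    return a.solve()


if __name__ == "__main__":
    a = build_example()
    print("p may point to:", sorted(a.targets("p")))
    print("struct file.private_data ->", sorted(a.field_targets("struct file", "private_data")))
    print("struct file.f_inode ->", sorted(a.field_targets("struct file", "f_inode")))
```

The result for `private_data` is a set of two types rather than one: a flow-insensitive analysis cannot tell which driver owns a given `struct file` at runtime, so a checker built from this definition has to validate the target against each candidate layout (or combine the analysis with a runtime discriminator such as the owning driver). The typed `f_inode` field resolves to a single type, which is the easy case the analysis also covers.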
