introduction overview static analysis memory analysis kernel integrity checking implementation and...
TRANSCRIPT
![Page 1: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/1.jpg)
Mapping Kernel Objects to Enable Systematic Integrity
Checking
![Page 2: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/2.jpg)
IntroductionOverviewStatic analysisMemory analysisKernel integrity checkingImplementation and evaluationLimitations and future workConclusions
Outline
![Page 3: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/3.jpg)
Basic :KOP (Kernel Object Pinpointer)
Application:SFPD (Subverted Function Pointer Detector)GHOST (General Hidden Object Scanning Tool)
Introduction
![Page 4: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/4.jpg)
OverviewsKOP has two main
components:A static analysis
componentPoints-to graphExtended type graph
(final)A memory analysis
componentObject graph
![Page 5: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/5.jpg)
Static analysisCompute three set of
information:Object type
definitionsDeclared type and
relative addresses of global variables
Candidate target type for generic pointers
Based on the medium-level intermediate representation (MIR)
4 canonical forms of pointer assignments:x = yx = &y*x = yx = *y
![Page 6: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/6.jpg)
Static analysis
![Page 7: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/7.jpg)
Point-to analysisModify the algorithm
to create points-to graphan eage (src, dst)
=> (src, dst, n, ops)n is a pointer offset
(for field-sensitive)op that specifies the
call or return operation involved in the assignment (for context-sensitive)
For example:_Entry = t286 due to
the function call at line 25
=> (_Entry, t286, 0, call@file : 25)
![Page 8: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/8.jpg)
Inferring Types for Generic Pointers
![Page 9: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/9.jpg)
Type ambiguities com from two sources:unionsgeneric pointers
Consider two constraints when determining the correct candidate type:Size constraintBased on the observation that the data stored
by certain data types must have specific properties
Recursively for their child object up to a certain depth level.
Resolving type ambiguities
![Page 10: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/10.jpg)
The key idea is to leverage the kernel memory pool boundaries.
A dynamic array is usually allocated in to possible ways:It may take up a whole pool block.It may extend an object whose last field is
defined as an array of size 0 or 1.Check each allocated pool block to recognize
dynamic arrays after the object traversal (without dynamic arrays) is completed.
Recognizing dynamic arrays
![Page 11: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/11.jpg)
May incorrectly identify an object for three main reasons:Choosing the wrong candidate when resolving
type ambiguitiesMistaking a dynamic array.Program bugs.
To reduce identification errors, we employ the following two techniques:Traverses the kernel memory in multiple
rounds.Use a safe-guard mechanism.
Controlling Object Identification Errors
![Page 12: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/12.jpg)
Function pointer checking (SFPD)A white list of trusted modulesCheck every function pointer in the kernel
objects found by KOP based on the following policy:An explicit function pointer must point to trusted
code; an implicit function pointer must point to either trusted code or a data object found by KOP; otherwise, the function pointer is marked as malicious.
Kernel Integrity Checking
![Page 13: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/13.jpg)
Hidden object discovery (GHOST)Compare the list of all the objects of that type
found b KOP in a memory snapshot with the list of objects returned by a program such as Task Manager.
Kernel Integrity Checking
![Page 14: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/14.jpg)
KOP were implemented in C# with a total of 16000 lines of code.
Windows Vista SP1 with 63 kernel drivers.Run in a Vmware virtual machine with 1GB
RAM.SFPD prototype has 1000 lines of C# codeGHOST prototype has 200 lines of C# code
Implementation and Evaluation
![Page 15: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/15.jpg)
Static analysisSource code of the Vista SP1 kernel and the 63
drivers with a total of 5 million lines of code.Codebase contains 24423 data types and 9629
global variable definitions.KOP needs less than 48 hours to complete its
static analysis on a 2.2 GHz QuadCore AMD Opteron machine with 32 GB RAM.
KOP
![Page 16: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/16.jpg)
Coverage
VC (Verified Coverage) =
GC (Gross Coverage) =
KOP
![Page 17: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/17.jpg)
PerformanceUse a 4GHz Intel Xeon Duo Core machine with
3GB RAMRunning time was 8 minutes, including the
overhead of reading the memory snapshot stored on the disk.
KOP
![Page 18: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/18.jpg)
Test SFPD with eight real-world kernel malware samples collected from a public database.
Running on a machine the same as previous page.
SFPD finishes a scan of a memory snapshot in less than two minutes.
Identified all the malicious function pointers for all eight malware samples with zero false alarms.
SFPD
![Page 19: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/19.jpg)
SFPD
![Page 20: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/20.jpg)
GHOSTTest GHOST with two real-world kernel-mode
malware samples:FURootkit (ported the XP-based to Vista SP1)Syzor.A
GHOST correctly identified all hidden objects in both tests with zero false alarms.
![Page 21: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/21.jpg)
Static analysis could be improved to automatically handle the kernel implementation corner cases in a more general way.
Increase the scope of our static analysis to determine domain constraints for other basic types in addition to pointers.
It’s will have error if a very large number of pointers inside an object is manipulated.
Limitations and Future Work
![Page 22: Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions](https://reader030.vdocuments.us/reader030/viewer/2022032708/56649e585503460f94b50d85/html5/thumbnails/22.jpg)
Dynamic kernel data have become a common target for malware looking to evade traditional code and static data-based integrity monitors
KOP, a system that can map dynamic kernel objects with very high coverage and accuracy by leveraging a set of novel techniques in static source code analysis and memory analysis
Conclusions