Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions.

Slides:

Advertisements

Similar presentations

Advertisements

Intermediate Code Generation

1 Write Barrier Elision for Concurrent Garbage Collectors Martin T. Vechev Cambridge University David F. Bacon IBM T.J.Watson Research Center.

R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Dynamic Memory Allocation I Topics Basic representation and alignment (mainly for static memory allocation, main concepts carry over to dynamic memory.

Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Comprehensive Kernel Instrumentation via Dynamic Binary Translation Peter Feiner, Angela Demke Brown, Ashvin Goel University of Toronto Presenter: Chuong.

Analyzing and Improving Linux Kernel Memory Protection A Model Checking Approach ACSAC 2010 Siarhei Liakh, North Carolina State University Michael Grace,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

Chapter 7: User-Defined Functions II Instructor: Mohammad Mojaddam.

Kernighan/Ritchie: Kelley/Pohl:

Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.

Chapter 9 Subprogram Control Consider program as a tree- –Each parent calls (transfers control to) child –Parent resumes when child completes –Copy rule.

11/13/01CS-550 Presentation - Overview of Microsoft disk operating system. 1 An Overview of Microsoft Disk Operating System.

Java Programming, 3e Concepts and Techniques Chapter 5 Arrays, Loops, and Layout Managers Using External Classes.

Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.

Run time vs. Compile time

The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:

1 An Efficient On-the-Fly Cycle Collection Harel Paz, Erez Petrank - Technion, Israel David F. Bacon, V. T. Rajan - IBM T.J. Watson Research Center Elliot.

1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.

Guide To UNIX Using Linux Third Edition

Programming Logic and Design, Introductory, Fourth Edition1 Understanding Computer Components and Operations (continued) A program must be free of syntax.

Modeling & Designing the Database

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

INTRODUCTION TO TRANSACTION PROCESSING CHAPTER 21 (6/E) CHAPTER 17 (5/E)

MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 11 Case Study 2: Windows Vista Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

1 Chapter 5: Names, Bindings and Scopes Lionel Williams Jr. and Victoria Yan CSci 210, Advanced Software Paradigms September 26, 2010.

Bob Gilber, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna University of California, Santa Barbara RAID 2011,9 報告者：張逸文 1.

Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.

Compiler course 1. Introduction. Outline Scope of the course Disciplines involved in it Abstract view for a compiler Front-end and back-end tasks Modules.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan.

Comp 245 Data Structures Linked Lists. An Array Based List Usually is statically allocated; may not use memory efficiently Direct access to data; faster.

Introduction A variable can be characterized by a collection of properties, or attributes, the most important of which is type, a fundamental concept in.

Tracking Rootkit Footprints with Pratical Memory Analysis System Weidong Cui and Marcus Peinado, Microsoft Research; Zhilei Xu, Massachusetts Institute.

Auther: Kevian A. Roudy and Barton P. Miller Speaker: Chun-Chih Wu Adviser: Pao, Hsing-Kuo.

Unit-1 Introduction Prepared by: Prof. Harish I Rathod

Lecture 8 February 29, Topics Questions about Exercise 4, due Thursday? Object Based Programming (Chapter 8) –Basic Principles –Methods –Fields.

MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.

© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.

1 OmniUmpack: Fast, Generic, and Safe Unpacking of Malware Authors: Lerenzo Martignoni, Mihai Christodorescu and Somesh Jha Computer Security Applications.

Runtime Organization (Chapter 6) 1 Course Overview PART I: overview material 1Introduction 2Language processors (tombstone diagrams, bootstrapping) 3Architecture.

Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.

12/22/ Thread Model for Realizing Concurrency B. Ramamurthy.

GARBAGE COLLECTION IN AN UNCOOPERATIVE ENVIRONMENT Hans-Juergen Boehm Computer Science Dept. Rice University, Houston Mark Wieser Xerox Corporation, Palo.

Concepts of programming languages Chapter 5 Names, Bindings, and Scopes Lec. 12 Lecturer: Dr. Emad Nabil 1-1.

ISBN Object-Oriented Programming Chapter Chapter

Session 1 Module 1: Introduction to Data Integrity

Chapter 1 C++ Basics Review (Section 1.4). Classes Defines the organization of a data user-defined type. Members can be  Data  Functions/Methods Information.

1 C# - Inheritance and Polymorphism. 2 1.Inheritance 2.Implementing Inheritance in C# 3.Constructor calls in Inheritance 4.Protected Access Modifier 5.The.

Week 4 - Friday.  What did we talk about last time?  Some extra systems programming stuff  Scope.

Whole Test Suite Generation. Abstract Not all bugs lead to program crashes, and not always is there a formal specification to check the correctness of.

LECTURE 19 Subroutines and Parameter Passing. ABSTRACTION Recall: Abstraction is the process by which we can hide larger or more complex code fragments.

INFORMATION-FLOW ANALYSIS OF ANDROID APPLICATIONS IN DROIDSAFE JARED YOUNG.

Virtualization.

Global Register Allocation Based on

Compilers Principles, Techniques, & Tools Taught by Jing Zhang

Real-time Software Design

Verification and Validation Unit Testing

Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.

CS510 Operating System Foundations

Course Overview PART I: overview material PART II: inside a compiler

RUN-TIME STORAGE Chuen-Liang Chen Department of Computer Science

Structure of Processes

Rohan Yadav and Charles Yuan (rohany) (chenhuiy)

Presentation transcript:

Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions

Basic : KOP (Kernel Object Pinpointer) Application: SFPD (Subverted Function Pointer Detector) GHOST (General Hidden Object Scanning Tool)

KOP has two main components: A static analysis component Points-to graph Extended type graph (final) A memory analysis component Object graph

Compute three set of information: Object type definitions Declared type and relative addresses of global variables Candidate target type for generic pointers Based on the medium- level intermediate representation (MIR) 4 canonical forms of pointer assignments: x = y x = &y *x = y x = *y

Modify the algorithm to create points-to graph an eage (src, dst) => (src, dst, n, ops) n is a pointer offset (for field-sensitive) op that specifies the call or return operation involved in the assignment (for context- sensitive) For example: _Entry = t286 due to the function call at line 25 => (_Entry, t286, 0, : 25)

Type ambiguities com from two sources: unions generic pointers Consider two constraints when determining the correct candidate type: Size constraint Based on the observation that the data stored by certain data types must have specific properties Recursively for their child object up to a certain depth level.

The key idea is to leverage the kernel memory pool boundaries. A dynamic array is usually allocated in to possible ways: It may take up a whole pool block. It may extend an object whose last field is defined as an array of size 0 or 1. Check each allocated pool block to recognize dynamic arrays after the object traversal (without dynamic arrays) is completed.

May incorrectly identify an object for three main reasons: Choosing the wrong candidate when resolving type ambiguities Mistaking a dynamic array. Program bugs. To reduce identification errors, we employ the following two techniques: Traverses the kernel memory in multiple rounds. Use a safe-guard mechanism.

Function pointer checking (SFPD) A white list of trusted modules Check every function pointer in the kernel objects found by KOP based on the following policy: An explicit function pointer must point to trusted code; an implicit function pointer must point to either trusted code or a data object found by KOP; otherwise, the function pointer is marked as malicious.

Hidden object discovery (GHOST) Compare the list of all the objects of that type found b KOP in a memory snapshot with the list of objects returned by a program such as Task Manager.

KOP were implemented in C# with a total of lines of code. Windows Vista SP1 with 63 kernel drivers. Run in a Vmware virtual machine with 1GB RAM. SFPD prototype has 1000 lines of C# code GHOST prototype has 200 lines of C# code

Static analysis Source code of the Vista SP1 kernel and the 63 drivers with a total of 5 million lines of code. Codebase contains data types and 9629 global variable definitions. KOP needs less than 48 hours to complete its static analysis on a 2.2 GHz QuadCore AMD Opteron machine with 32 GB RAM.

Coverage VC (Verified Coverage) = GC (Gross Coverage) =

Performance Use a 4GHz Intel Xeon Duo Core machine with 3GB RAM Running time was 8 minutes, including the overhead of reading the memory snapshot stored on the disk.

Test SFPD with eight real-world kernel malware samples collected from a public database. Running on a machine the same as previous page. SFPD finishes a scan of a memory snapshot in less than two minutes. Identified all the malicious function pointers for all eight malware samples with zero false alarms.

Test GHOST with two real-world kernel-mode malware samples: FURootkit (ported the XP-based to Vista SP1) Syzor.A GHOST correctly identified all hidden objects in both tests with zero false alarms.

Static analysis could be improved to automatically handle the kernel implementation corner cases in a more general way. Increase the scope of our static analysis to determine domain constraints for other basic types in addition to pointers. It’s will have error if a very large number of pointers inside an object is manipulated.

Dynamic kernel data have become a common target for malware looking to evade traditional code and static data-based integrity monitors KOP, a system that can map dynamic kernel objects with very high coverage and accuracy by leveraging a set of novel techniques in static source code analysis and memory analysis