Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Rootkit Detection with RAI

Published byAlejandro Peña Lucero Modified over 6 years ago

Similar presentations

Presentation on theme: "Practical Rootkit Detection with RAI"— Presentation transcript:

1 Practical Rootkit Detection with RAI
Christoph Csallner, University of Texas at Arlington Joint work with: Shabnam Aboughadareh This material is based upon work supported by the National Science Foundation under Grants No , , and Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

2 Practical Detection Challenges
C1: Malware detection app = Attack surface Current AV very large C2: Signature-based is slow Deployment typically needs app restart New attack signature not yet in black list What if legacy app infected before white-listed? C3: Can’t trust legacy platforms No TPM, intel VT-x, etc.

3 Threat Model: Many machines like:
App#1 App#N …. User Kernel Operating System Kernel Module#1 …. Kernel Module#M

4 Threat Model Monitored app / OS may be kernel- or user-mode
OS may be on hardware, container, VM System may already be under attack Adversary has full ongoing access to OS & apps Inject code Manipulate binaries on disk & in memory Obtain higher privilege level: Root, .. Hook sys call table, overwrite code & read-only data

5 RAI Setup App 1 .... App N App 1 .... App N Operating system
Kernel module 1 Kernel module 1 .... .... RAI kernel module Hashes RAI kernel module Machine 1 Machine 3 RAI Back-end App 1 .... App N App 1 .... App N Operating system Operating system Kernel module 1 Kernel module 1 .... .... RAI kernel module RAI kernel module Machine 2 Machine 4

6 RAI Design RAI component is tiny kernel module
Easier to install / test / port / hide Small attack surface No need for special hardware / virtualization Offload almost everything to RAI server On-demand (“real-time”) detection No restart of monitored system / app needed No need to disable current AV No need to black / white list

7 RAI Design Deploy on running applications
Get dynamic white / black list via voting scheme Client: Periodically monitor (hash) physical memory Server: Request & compare hashes in random intervals If only minority of apps infected Server voting scheme: Hash outliers are suspicious Attack usually spreads relatively slowly across sites

8 Implementation: Physical Memory (RAM) Hashing
Hash of pages’ hashes Different machines may swap out different pages If comparison fails: Compare page-level hashes

9 Monitoring Dynamically Loaded Code
Problem: Two instances of application can be in two different execution states Example: A benign dynamic library is loaded into one instance but not into the other instance Solution: Hashing each executable segment separately .text libc.so benign_lib1.so ld.so Hash_T1 Application A in state S1 Hash_T2 Application A in state S2 benign_lib2.so

10 De-relocate Addresses
Virtual addresses of kernel module / app library may differ across executions: Load order, etc. Position Dependent Code: In kernel module / legacy libraries OS loader “relocates” relative with absolute virtual address Different absolute address  Code hashes will differ Don’t want to rely on disk contents to resolve problem Heuristic Approach: Disassemble memory contents, find addresses and de-relocate them Use Distorm disassembler: Provides convenient access to opcodes and operands

11 Evaluation: Two Setups
“Local” setup All clients on same physical machine 40 VMware Ubuntu Linux instances Two groups with the same kernel versions (2.6 and 3), 512 MB RAM, 32 and 64 bits processors 100 user-mode applications and 41 kernel modules One VM dedicated server: Ubuntu LTS, 64 bits AWS setup Sets of 6—60 clients equally distributed over 10 AWS regions Similar setups to local experiment 90 user-mode applications Ubuntu LTS, 30 GB RAM server running in Oregon

12 RAI evaluation: Slowdown
Test-bed: 20 Ubuntu Linux VMWare virtual machines, kernel version 2.6, 3, 32-bit or 64-bit Intel processor, 512 MB RAM Server: Debian Linux, 2.33 GHz Xeon, 64-bit, 32 GB RAM 100 user-mode applications and 41 kernel modules RAI Activity Target Loc Slowdown (%) Hash User-mode app Client 8 Kernel (OS) 3 Hash + de-relocate Kernel module 20 Compare hashes 20 VMS Server 15

13 RAI evaluation: False positives
- False positive rate for user-mode applications and OS: 0% - False positive rate for kernel-mode modules: below %10 Reason: Disassembly errors for de-relocation of dynamic addresses. Kernel Module Number of Pages False Hash False Positive(%) e1000 22 3 13.6 vmwgfx 18 2 11.1 ttm 11 1 9.0 drm 33 3.0 bluetooth 55 5.4 rfcomm 9 psmouse 16 12.5 All 41 modules 314 13 4.1

14 RAI Evaluation Example detected rootkits Rootkit Exec Mode
Kernel Version CPU Loc Attack LD_PRELOAD User 3, 2.6 32-bit, 64-bit Memory Exchange Libraries Jynxkit 2.6 32-bit Patch dynamic loader Disk Inject code Attach to process Divert Execution System call hooking Kernel 3 64-bit Change kernel data Suterusu Change kernel code

Download ppt "Practical Rootkit Detection with RAI"

Similar presentations

Content Overview Virtual Disk Port to Intel platform

Content Overview Virtual Disk Port to Intel platform
Part IV: Memory Management

Part IV: Memory Management
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Difference Engine: Harnessing Memory Redundancy in Virtual Machines by Diwaker Gupta et al. presented by Jonathan Berkhahn.

Difference Engine: Harnessing Memory Redundancy in Virtual Machines by Diwaker Gupta et al. presented by Jonathan Berkhahn.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
V IRTUALIZATION A TTACKS Undetectable Bluepill. V IRTUALIZATION AND ITS A TTACKS What is Virtualization? What makes it possible? How does it affect security?

V IRTUALIZATION A TTACKS Undetectable Bluepill. V IRTUALIZATION AND ITS A TTACKS What is Virtualization? What makes it possible? How does it affect security?
Memory Management (II)

Memory Management (II)
Operating System Support Focus on Architecture

Operating System Support Focus on Architecture
2 Copyright © 2009, Oracle. All rights reserved. Installing your Oracle Software.

2 Copyright © 2009, Oracle. All rights reserved. Installing your Oracle Software.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
ATIF MEHMOOD MALIK KASHIF SIDDIQUE Improving dependability of Cloud Computing with Fault Tolerance and High Availability.

ATIF MEHMOOD MALIK KASHIF SIDDIQUE Improving dependability of Cloud Computing with Fault Tolerance and High Availability.
SECURITY IN CLOUD COMPUTING By Bina Bhaskar Anand Mukundan.

SECURITY IN CLOUD COMPUTING By Bina Bhaskar Anand Mukundan.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Appendix B Planning a Virtualization Strategy for Exchange Server 2010.

Appendix B Planning a Virtualization Strategy for Exchange Server 2010.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.

Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
Code Injection From the Hypervisor: Removing the need for in-guest agents Matt Conover Principal Software Engineer Core Research Group, Symantec Research.

Code Injection From the Hypervisor: Removing the need for in-guest agents Matt Conover Principal Software Engineer Core Research Group, Symantec Research.
A Crawler-based Study of Spyware on the Web Authors: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, and Henry M. Levy University of Washington 13.

A Crawler-based Study of Spyware on the Web Authors: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, and Henry M. Levy University of Washington 13.
Virtualization Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation is licensed.

Virtualization Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation is licensed.

Similar presentations

Ads by Google