Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Kernel-level Rootkits using Data Structure Invariants

Published byRashad Leete Modified over 10 years ago

Similar presentations

Presentation on theme: "Detecting Kernel-level Rootkits using Data Structure Invariants"— Presentation transcript:

1 Detecting Kernel-level Rootkits using Data Structure Invariants
Vinod Ganapathy Rutgers University

2 Rootkits = Stealthy malware
What are rootkits? Rootkits = Stealthy malware Tools used by attackers to conceal their presence on a compromised system Typically installed after attacker has obtained root privileges Stealth is achieved by hiding accompanying user level malicious programs December 4, 2009 Vinod Ganapathy - Rutgers University

3 Rootkit-based attack scenario
Rootkits hide malware from anti-malware tools Anti virus Key Logger Backdoor Applications Kernel Rootkit-infected kernel Kernel code Kernel data Internet Maintain long term control Use the system’s resources Spy on the system Involve system in malicious activities Make money Sensitive information Credit card: SSN: December 4, 2009 Vinod Ganapathy - Rutgers University

4 Significance of the problem
Alarming increase in number of rootkits 600% increase in three-year period from [MacAfee Avert Labs Report] 200 new rootkits in the first quarter of 2008 alone [antirootkit.com] Rootkits are the vehicle of choice for botnet-based attacks Stealth allows bot-masters to retain long-term control - What is malware ? You have all heard about worms/viruses – all referred to as malware - Shift in attackers motives – from mischief to profiteering December 4, 2009 Vinod Ganapathy - Rutgers University

5 Evolution of rootkits System binaries /usr/bin/ls /usr/bin/ps
Shared Libraries USER SPACE /usr/bin/login System call table IDT Process Lists Kernel Code KERNEL SPACE Hypervisor-based rootkits Subvirt, Bluepill BELOW THE KERNEL December 4, 2009 Vinod Ganapathy - Rutgers University

6 Evolution of rootkits System binaries /usr/bin/ls /usr/bin/ps
Shared Libraries USER SPACE /usr/bin/login System call table IDT Process Lists Kernel Code KERNEL SPACE Hypervisor-based rootkits Subvirt, Bluepill BELOW THE KERNEL December 4, 2009 Vinod Ganapathy - Rutgers University

7 Evolution of rootkits System binaries /usr/bin/ls /usr/bin/ps
Shared Libraries USER SPACE /usr/bin/login System call table IDT Process Lists Kernel Code KERNEL SPACE Hypervisor-based rootkits Subvirt, Bluepill BELOW THE KERNEL December 4, 2009 Vinod Ganapathy - Rutgers University

8 Evolution of rootkits Focus of this talk: Kernel-level rootkits
System binaries /usr/bin/ls /usr/bin/ps Shared Libraries USER SPACE /usr/bin/login System call table IDT Process Lists Kernel Code KERNEL SPACE Hypervisor-based rootkits Subvirt, Bluepill BELOW THE KERNEL December 4, 2009 Vinod Ganapathy - Rutgers University

9 Manipulating control data
Change function pointers: Linux Adore rootkit sys_open(...) { ... } int main() { open(…) ... return(0) } evil_open sys_open Mention that attacks are not only for control data, even for non-control data. evil_open(...) { ... } System call table USER SPACE KERNEL November 30, 2009 Vinod Ganapathy - Rutgers University 9

10 Manipulating non-control data (1)
Change non-control data: Windows Fu rootkit run-list Process A Hidden process Process B Process C run_list run_list run_list run_list next_task next_task next_task next_task all-tasks December 4, 2009 Vinod Ganapathy - Rutgers University

11 Manipulating non-control data (2)
Goal: Attack the kernel’s pseudorandom number generator (PRNG) [Baliga et al., 2007] Secondary Entropy Pool (128 bytes) /dev/random External Entropy Sources Primary Entropy Pool (512 bytes) Look up tcp syn attack – how generating poor sequence numbers can put the system at risk. Urandom Entropy Pool (128 bytes) /dev/urandom December 4, 2009 Vinod Ganapathy - Rutgers University

12 Many more attacks are possible
The operating system kernel presents a vast attack surface for rootkits Function pointer and system call hooking Modifying process management linked lists Entropy pool contamination Disabling firewalls Resource wastage Disable pseudo-random number generation Intrinsic denial of service Defeating in memory signature scans Altering real time clock behavior Routing cache pollution December 4, 2009 Vinod Ganapathy - Rutgers University

13 Detecting rootkits: Main idea
Observation: Rootkits operate by maliciously modifying kernel data structures Modify function pointers to hijack control flow Modify process lists to hide malicious processes Modify polynomials to corrupt output of PRNG Continuously monitor the integrity of kernel data structures Needs to change! December 4, 2009 Vinod Ganapathy - Rutgers University

14 Continuously monitor the integrity
of kernel data structures Process lists Kernel Code Kernel Data PRNG pools System call table Data structure integrity monitor Challenge: Data structure integrity monitor must be independent of the monitored system Solution: Use external hardware, such as a coprocessor, or a hypervisor to build the monitor Needs to change! December 4, 2009 Vinod Ganapathy - Rutgers University

15 Solution: Periodically fetch and monitor all of kernel memory
Continuously monitor the integrity of kernel data structures Process lists Kernel Code Kernel Data PRNG pools System call table Data structure integrity monitor Challenge: Must monitor kernel code, control and non-control data structures Solution: Periodically fetch and monitor all of kernel memory Needs to change! December 4, 2009 Vinod Ganapathy - Rutgers University

16 Challenge: Specifying properties to monitor
Continuously monitor the integrity of kernel data structures Process lists Kernel Code Kernel Data PRNG pools System call table Data structure integrity monitor Challenge: Specifying properties to monitor Solution: Use anomaly detection Inference phase: Infer data structure invariants Detection phase: Enforce data structure invariants Needs to change! December 4, 2009 Vinod Ganapathy - Rutgers University

17 Rootkit detection using invariants (1)
sys_open(...) { ... } int main() { open(…) ... return(0) } evil_open evil_open(...) { ... } Mention that attacks are not only for control data, even for non-control data. System call table Invariant: Function pointer values in system call table should not change November 30, 2009 Vinod Ganapathy - Rutgers University 17

18 Rootkit detection using invariants (2)
run-list Process A Hidden process Process B Process C run_list run_list run_list run_list next_task next_task next_task next_task all-tasks Invariant: run-list all-tasks December 4, 2009 Vinod Ganapathy - Rutgers University

19 Rootkit detection using invariants (3)
Urandom Entropy Pool (128 bytes) Secondary Primary (512 bytes) /dev/random /dev/urandom External Entropy Sources Look up tcp syn attack – how generating poor sequence numbers can put the system at risk. Invariants poolinfo.tap1 is one of {26, 103} poolinfo.tap2 is one of {20, 76} poolinfo.tap3 is one of {14, 51} poolinfo.tap4 is one of {7, 25} poolinfo.tap5 == 1 December 4, 2009 Vinod Ganapathy - Rutgers University

20 A new rootkit detection tool
Gibraltar Identifies rootkits that modify control and non-control data Automatically infers specifications of data structure integrity Is physically isolated from the target machine December 4, 2009 Vinod Ganapathy - Rutgers University Image courtesy of Wikipedia

21 Architecture of Gibraltar
December 4, 2009 Vinod Ganapathy - Rutgers University

22 Components of Gibraltar
Invariant Templates Root Symbols Kernel Data Definitions Invariant Generator run-list all-tasks Invariants Page Fetcher Data Structure Extractor Training Run-list All-tasks Enforcement Physical Memory Address Enforcer run-list all-tasks? lmbench December 4, 2009 Vinod Ganapathy - Rutgers University 22

23 Data structure extractor
Inputs: Memory pages from target machine Root symbols: Entry-points into target’s kernel Type definitions of target’s kernel Output: snapshot of target data structures Main idea: Traverse memory pages using root symbols and type definitions and extract data structures November 30, 2009 Vinod Ganapathy - Rutgers University 23

24 Operation of data structure extractor
BFS Queue Root symbols Root 1 Root 2 struct foo { struct bar * b1; struct list_head * CONTAINER(struct foo, p) p.next; struct list_head * CONTAINER(struct foo, p) p.prev; } struct foo { struct bar * b1; struct list_head * p.next; struct list_head * p.prev; } struct foo { struct bar * b1; struct list_head p; } Root 3 Root b1 Also mention dynamic arrays, void pointers and unions not handled in the current prototype b1 next_task prev_task Linked list of objects of type “struct foo” struct list_head { struct list_head * next; struct list_head * prev; } Root n December 4, 2009 Vinod Ganapathy - Rutgers University 24

25 Invariants serve as specifications of data structure integrity
Invariant generator Executes during a controlled, training phase Inputs: Memory snapshots from a benign (uninfected) kernel Output: Likely data structure invariants Invariants serve as specifications of data structure integrity November 30, 2009 Vinod Ganapathy - Rutgers University 25

26 Vinod Ganapathy - Rutgers University
Invariant generator Used an off-the-shelf tool: Daikon [Ernst et al., 2000] Daikon observes execution of user-space programs and hypothesizes likely invariants We adapted Daikon’s front-end to reason about snapshots Obtain snapshots at different times during training Hypothesize likely invariants across snapshots November 30, 2009 Vinod Ganapathy - Rutgers University 26 Image courtesy of the Daikon project

27 Experimental evaluation
Three main goals: How effective is Gibraltar at detecting rootkits? i.e., what is the false negative rate? What is the quality of automatically-generated invariants? i.e., what is the false positive rate? What is the runtime performance overhead of Gibraltar? November 30, 2009 Vinod Ganapathy - Rutgers University 27

28 Vinod Ganapathy - Rutgers University
Experimental setup Implemented on a Intel Xeon 2.80GHz, 1GB machine, running Linux Fetched memory pages using Myrinet PCI card Obtained invariants by training the system using several benign workloads November 30, 2009 Vinod Ganapathy - Rutgers University 28

29 Vinod Ganapathy - Rutgers University
False negative rate Conducted experiments with 23 Linux rootkits 14 rootkits from PacketStorm 9 advanced rootkits, discussed in the literature All rootkits modify kernel control and non-control data Installed rootkits one at a time and tested effectiveness of Gibraltar at detecting the infection November 30, 2009 Vinod Ganapathy - Rutgers University 29

30 Data structures affected Detected?
Sl. # Rootkit name Data structures affected Detected? 1. Adore-0.42 System call table (from PacketStorm) 2. All-root 3. Kbd 4. Kis-0.9 5. Linspy2 6. Modhide 7. Phide 8. Rial 9. Rkit-1.01 10. Shtroj2 11. Synapsys-0.4 12. THC Backdoor 13. Adore-ng VFS hooks/UDP recvmsg (from PacketStorm) 14. Knark-2.4.3 System call table, proc hooks (from PacketStorm) 15. Disable Firewall Netfilter hooks (Baliga et al., 2007) 16. Disable PRNG VFS hooks (Baliga et al., 2007) 17. Altering RTC 18. Defeat signature scans 19. Entropy pool struct poolinfo (Baliga et al., 2007) 20. Hidden process Process lists (Petroni et al., 2006) 21. Linux Binfmt Shellcode.com 22. Resource waste struct zone_struct (Baliga et al., 2007) 23. Intrinsic DOS int max_threads (Baliga et al., 2007) November 30, 2009 30

31 False positive evaluation
Ran a benign workload for 42 minutes Copying Linux kernel source code Editing a text document Compiling the Linux kernel Downloading eight videos from Internet Perform file system operations using the IOZone benchmark Measured how many invariants were violated November 30, 2009 Vinod Ganapathy - Rutgers University 31

32 False positive evaluation
Invariant Type # Invariants False positives Persistent 236, 444 0.035% Transient 482, 496 0.65% Persistent invariants: Those that persist across machine reboots Transient invariants: Those that hold only until the next reboot run_list all_tasks init_fs->root->d_sb->s_dirty.next->i_dentry.next-> d_child.prev->d_inode->i_fop.read == 0xeff9bf60 November 30, 2009 Vinod Ganapathy - Rutgers University 32

33 Performance evaluation
Training time: total of 56 minutes 25 mins to collect snapshots (total 15 snapshots) 31 minutes to infer invariants Detection time Ranges from 15 seconds up to 132 seconds PCI Overhead 0.49%, measured using the stream benchmark December 4, 2009 Vinod Ganapathy - Rutgers University

34 Vinod Ganapathy - Rutgers University
Future work Reducing the number of false positives Automated filtering techniques Longer training time, better training workload Usefulness of invariants generated Other invariant templates Feasibility versus complexity Portability of invariants across different systems December 4, 2009 Vinod Ganapathy - Rutgers University

35 Detecting Kernel-level Rootkits using Data Structure Invariants
Thank you Detecting Kernel-level Rootkits using Data Structure Invariants “Automatic Inference and Enforcement of Kernel Data Structure Invariants” Arati Baliga, Vinod Ganapathy and Liviu Iftode Published in Proc. 24th ACSAC, December 2008.

Download ppt "Detecting Kernel-level Rootkits using Data Structure Invariants"

Similar presentations

Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.

Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.
Symantec 2010 Windows 7 Migration Global Results.

Symantec 2010 Windows 7 Migration Global Results.
3rd Annual Plex/2E Worldwide Users Conference 13A Batch Processing in 2E Jeffrey A. Welsh, STAR BASE Consulting, Inc. September 20, 2007.

3rd Annual Plex/2E Worldwide Users Conference 13A Batch Processing in 2E Jeffrey A. Welsh, STAR BASE Consulting, Inc. September 20, 2007.
Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 2 Introduction to XHTML Programming the World Wide Web Fourth edition.

Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 2 Introduction to XHTML Programming the World Wide Web Fourth edition.
1

1
Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection Min Xu George Mason University Xuxian Jiang George Mason University Ravi.

Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection Min Xu George Mason University Xuxian Jiang George Mason University Ravi.
Chapter 1: The Database Environment

Chapter 1: The Database Environment
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.

© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Processes and Operating Systems

Processes and Operating Systems
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
Towards Automating the Configuration of a Distributed Storage System Lauro B. Costa Matei Ripeanu {lauroc, NetSysLab University of British.

Towards Automating the Configuration of a Distributed Storage System Lauro B. Costa Matei Ripeanu {lauroc, NetSysLab University of British.
© 2010 Pearson Addison-Wesley. All rights reserved. Addison Wesley is an imprint of Chapter 11: Structure and Union Types Problem Solving & Program Design.

© 2010 Pearson Addison-Wesley. All rights reserved. Addison Wesley is an imprint of Chapter 11: Structure and Union Types Problem Solving & Program Design.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.

FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Year 6 mental test 10 second questions

Year 6 mental test 10 second questions

Similar presentations

Ads by Google