1 HookSafe (ACM CCS'09)
Zhi Wang @ NCSU, Xuxian Jiang @ NCSU, Weidong Cui @ Microsoft Research, Peng Ning @ NCSU

2 Outline
- Introduction
- HookSafe Design
- Implementation
- Evaluation
- Related Work & Conclusion
Advanced Defense Lab @ National Central Univ.

3 Introduction
- Prior research: behaviors, symptoms, kernel code integrity
- Return-oriented rootkits: "Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms" (USENIX Security '09)

4 Introduction
- Better solution: preserve kernel code integrity by preserving kernel control-flow integrity
- Kernel control data: return addresses, function pointers
- Function pointers == kernel hooks (in this paper)

5 Introduction
- Hardware-based page-level protection:
  - limited number of kernel hooks
  - hooks are not co-located with frequently modified memory data

6 Introduction
- HookSafe: hypervisor-based, lightweight, protects all kernel hooks, byte-level granularity

7 Introduction
[Figure: Distribution of 5881 kernel hooks in a running Ubuntu system]

8 HookSafe Design
- Offline Hook Profiler: profile the guest kernel execution and output a hook access profile for each protected hook
  - Hook Access Points (HAPs)
- Online Hook Protector: create a shadow copy of all protected hooks; implement HAP redirection

9 HookSafe Design
[Figure: The HookSafe architecture]

10 HookSafe Design: Offline Hook Profiling
- Static analysis: more complete, less precise
- Dynamic analysis: more precise; QEMU, monitoring every memory access instruction

11 HookSafe Design: Online Hook Protection

12 HookSafe Design: Online Hook Protection - Initialization
- At boot time: create the shadow copy; patch the HAPs (requires the support of the hypervisor)

13 HookSafe Design: Online Hook Protection - Runtime R/W Indirection
- Read: read from the shadow copy and return
- Write: make a hypercall; validate the request; update the shadow copy if valid

14 HookSafe Design: Online Hook Protection - Runtime Tracking of Dynamically Allocated Hooks
- A dynamically allocated hook is embedded in a dynamic kernel object
- Hypercall when a kernel object containing a hook is allocated; create the shadow copy of the hook

15 HookSafe Design: Hardware Register Protection
- GDTR, IDTR, DR0-DR7
- Hardware-based page-level protection

16 Implementation: Offline Hook Profiler
- QEMU binary translation: if an instruction accesses any kernel hook in the given list, mark it as a HAP and log the value
- Dynamically allocated kernel hook: track the creation of the kernel object and locate the hook
- Output: hook access profile

17 Implementation
[Figure: An example access profile related to the ext3_dir_operations->readdir kernel hook]

18 Implementation: Hook Indirection - HAP Patching
- Overwrite the instruction at the HAP with a 5-byte jmp instruction to the trampoline code
- HAP instruction > 5 bytes: fill the remaining space with NOP instructions
- HAP instruction < 5 bytes: also overwrite the subsequent instruction

19 Implementation
[Figure: The implementation of hook indirection]

20 Implementation

21 Implementation: Hook Indirection - HAP Patching, special cases
- A HAP immediately after another HAP
- The second (overwritten) instruction is the target of a jump instruction
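Added example, not code from the paper or from HookSafe: a small C model of the HAP patching rule on slide 18 (5-byte jmp, NOP padding, spilling into the following instruction) that also refuses the slide 21 case where an overwritten follower instruction is a branch target. The instruction lengths, branch-target flags, code bytes and trampoline offset are all constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define JMP_REL32 0xE9   /* opcode of jmp rel32 */
#define NOP       0x90
#define JMP_LEN   5

enum patch_status { PATCH_ERR_NO_ROOM = -1, PATCH_ERR_JUMP_TARGET = -2 };

/* Patch the HAP at code[hap] with a 5-byte jmp to `trampoline` (addresses
 * are offsets into `code`). insn_len[i] is the length of the instruction
 * starting at offset i (0 if none starts there); is_target[i] is nonzero
 * if some branch lands at offset i. Returns the number of bytes
 * overwritten, or a negative patch_status. */
int patch_hap(uint8_t *code, size_t code_len, const uint8_t *insn_len,
              const uint8_t *is_target, size_t hap, uint32_t trampoline)
{
    size_t span = 0;
    while (span < JMP_LEN) {             /* consume whole instructions */
        size_t off = hap + span;
        if (off >= code_len || insn_len[off] == 0)
            return PATCH_ERR_NO_ROOM;
        if (span > 0 && is_target[off])  /* slide 21: a branch would land mid-jmp */
            return PATCH_ERR_JUMP_TARGET;
        span += insn_len[off];
    }
    uint32_t rel = trampoline - (uint32_t)(hap + JMP_LEN); /* rel32 from end of jmp */
    code[hap] = JMP_REL32;
    for (int i = 0; i < 4; i++)          /* little-endian immediate */
        code[hap + 1 + i] = (uint8_t)(rel >> (8 * i));
    memset(code + hap + JMP_LEN, NOP, span - JMP_LEN); /* slide 18: NOP pad */
    return (int)span;
}

uint8_t g_code[16];   /* constructed code buffer, patched in place */

/* Constructed scenarios: 0 = 7-byte HAP (jmp + 2 NOPs); 1 = 3-byte HAP
 * followed by a 2-byte instruction; 2 = as 1, but the follower is a
 * branch target. Trampoline is at offset 0x1000, HAP at offset 0. */
int run_scenario(int which)
{
    uint8_t insn_len[16] = {0}, is_target[16] = {0};
    memset(g_code, 0xCC, sizeof g_code);   /* int3 filler */
    if (which == 0) { insn_len[0] = 7; insn_len[7] = 2; }
    else { insn_len[0] = 3; insn_len[3] = 2; insn_len[5] = 2; is_target[3] = (which == 2); }
    return patch_hap(g_code, sizeof g_code, insn_len, is_target, 0, 0x1000);
}
```

Scenario 0 leaves `E9 FB 0F 00 00 90 90` in `g_code`; scenario 1 needs no padding because the 3-byte HAP plus its 2-byte follower exactly fill the jmp.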

22 Implementation: Read/Write Indirection
- Detection: Read - compare the original hook with the shadow copy; Write - update both

23 Implementation: Runtime LKM and Hook Tracking
- SLAB interface
- LKM: virtual machine introspection
- Memory protection: shadow page table (SPT) in Xen

24 Evaluation
- Test with 9 real-world rootkits
- UnixBench and ApacheBench

25 Evaluation

26 Evaluation

27 Evaluation: Performance
