Presentation is loading. Please wait.

Presentation is loading. Please wait.

Countering Kernel Rootkits with Lightweight Hook Protection Presented by: Hector M Lugo-Cordero, MS CAP 6135 March 24, 2011.

Published byLesley Golden Modified over 9 years ago

Similar presentations

Presentation on theme: "Countering Kernel Rootkits with Lightweight Hook Protection Presented by: Hector M Lugo-Cordero, MS CAP 6135 March 24, 2011."— Presentation transcript:

1 Countering Kernel Rootkits with Lightweight Hook Protection Presented by: Hector M Lugo-Cordero, MS CAP 6135 March 24, 2011

2 2 Acknowledgements Title: Countering Kernel Rootkits with Lightweight Hook Protection Authors: –North Carolina State University Zhi Wang Xuxian Jiang Peng Ning –Microsoft Research Weidong Cui Published at: CCS '09 Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009 Sponsored by: –NSF 0852131, 0855297, 0855036, and 0910767

3 3 Rootkits HookSafe Design and Implementation Performance Closing Remarks

4 4 Rootkits HookSafe Design and Implementation Performance Closing Remarks

5 5 Kernel Space Where the core of the OS resides May be accessed through system calls Has full access to the system Like running in real mode assembly language, but at a higher level (i.e. easier programming)

6 6 Kernel Rootkits Hide presence and activities –Hijack control by modifying kernel space Types: –Kernel Object Hooking (most of the rootkits) –Dynamic Kernel Object Manipulation Tamper OS to launch attacks –System backdoor –Stealing private information –Escalating privileges of malicious process –Disabling defense mechanisms

7 7 Example of Rootkit (TDL4) From the Rootkit.Win32.TDSS family Installs in Master Boot Record Runs before the Operating System Blocks programs from running Delivers advertisements Google redirects Keeps a copy of payload in MBR so it can be reinstalled Best way to get rid of it is by replacing the MBR Previous versions (infecting drivers) could be removed with TDSSKiller from Kasperry group

8 8 Rootkits HookSafe Design and Implementation Performance Closing Remarks

9 9 Traditional Defense Approaches Analyzing rootkits behaviors –Examples: Panorama, HookFinder, K-Tracer Search common symptoms on infected computers –Examples: Copilot, SBCFI, VMwatcher Preserve kernel code integrity –Examples: SecVisor, Patagonix, NICKLE –Can be bypassed by return-oriented rootkits Hijack function pointers or return addresses Utilize kernel code snippets

10 10 HookSafe Challenge: Protection granularity gap –Hook protection requires byte granularity –Hardware only provides page level protection Kernel hooks (function pointers), after initialized have frequent read access, less write access (less than 1%) Move hooks to page-aligned memory and protect with traditional page protection –Any write access can be monitored Small overhead effect

11 11 Hooks per Page Histogram [1]

12 12 What are Pages? Fundamental to use non-continuous memory blocks Creates a mapping between a physical address and a virtual ones Provides virtual RAM

13 13 Paging Process [2]

14 14 Paging Mapping [2]

15 15 Rootkits HookSafe Design and Implementation Performance Closing Remarks

16 16 Assumptions A hypervisor will be used to monitor virtual machines –From Wikipedia: “In computing, a hypervisor, also called virtual machine monitor (VMM), is one of many virtualization techniques which allow multiple operating systems, termed guests, to run concurrently on a host computer, a feature called hardware virtualization.” A bootstrap like tboot exists to establish a static root of trust of the system –A hypervisor can be securely loaded –Protect the kernel at boot time Runtime integrity of hypervisor is maintained

17 17 HookSafe Architecture [1]

18 18 Offline Hook Profiler Set of functions that read/write the hook –Hook Access Points (HAPs) Set of values assign to a hook Enables transparent hook indirection

19 19 Offline Hook Profiler Design Static Analysis –Performed on kernel’s source code –Automatically collect hook profiles using 3 rd party program techniques (e.g. points-to analysis) Dynamic Analysis –Does not need the source code (good for Windows) –Run target system on an emulator and monitor memory access to derive hook profiles Tradeoff –Coverage (static) vs Precision (dynamic) HookSafe choses precision over coverage

20 20 Offline Hook Profiler Implementation Run in emulation and hooks are recorded with set of read/write (HAPs) and values [1]

21 21 Online Hook Protector Its input is the Hook Access Profiles Creates a shadow copy of all protected hooks Instruments HAP instructions so that the access is redirected to the shadow copy Shadow copies are moved into a centralized location to be protected from unauthorized modifications (i.e. page level protection)

22 22 Online Hook Protector Design Initialization –Temporary kernel module to create shadow copy of hooks and load the code for indirection layer –Patch the HAPs for redirection to copy Run-Time Read/Write Indirection –Read: reads from copy and returns to HAPs –Write: control is passed to hypervisor for validation check. New value seen in the offline profiling phase. Run-Time Tracking of Dynamically Allocated Hooks –Embedded in Dynamic Kernel Object (i.e. heap) –Size is fixed because it can only be know at runtime Hardware abstraction intercept register access

23 23 Online Hook Protector Implementation 5 bytes jmp instruction 1 byte opcode (0xE9) 32-bit integer offset operand Variable length instructions in x86 jmps are padded with NOP (0x90) old instructions are re-written and moved [1]

24 24 Rootkits HookSafe Design and Implementation Performance Closing Remarks

25 25 Detecting Rootkits At read periodically the hook indirection checks for consistency between the original hook, and the shadow copy Any discrepancy is caused by a compromised original hook At write if action is legitimate both original and copy of the hook is written

26 26 Evaluation [1]

27 27 Evaluation Example [1]

28 28 Rootkits HookSafe Design and Implementation Performance Closing Remarks

29 29 Strengths (Remarks) Rootkit protection without the need of going to the source code Low overhead of 6% of runtime Works with variable instruction length architecture (e.g. x86) Byte equivalent protection using page protection of the hypervisor

30 30 Weakness Doesn’t record what caused the rootkit infection. It can detect, but not defend against future attempts When discrepancy is found it automatically assumes the original hook was compromised. This was not the case with mood-nt Legitimate values need to be inside of hook profile Memory usage for creating shadow copies

31 31 Suggestions Test HookSafe on Windows Add mechanisms to restore MBR or VBR in case of multiple OS present Instead of checking discrepancy between hooks and their copy, check against a hash value to find out which is compromised Incorporate static analysis or broader dynamic analysis (e.g. adaptive analysis)

32 32 References 1.Z. Wang, X. Jiang, W. Cui, and P. Ning, “Countering kernel rootkits with lightweight hook protection”, Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009, pp. 545 – 554 2.http://www.wikipedia.orghttp://www.wikipedia.org 3.http://www.bleepingcomputer.comhttp://www.bleepingcomputer.com 4.http://support.kaspersky.com/viruses/solutions ?qid=208280684http://support.kaspersky.com/viruses/solutions ?qid=208280684

33 33 QUESTIONS

Download ppt "Countering Kernel Rootkits with Lightweight Hook Protection Presented by: Hector M Lugo-Cordero, MS CAP 6135 March 24, 2011."

Similar presentations

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Information Security and Cloud Computing Naresh K. Sehgal, Sohum Sohoni, Ying Xiong, David Fritz, Wira Mulia, and John M. Acken 1 NKS.

Information Security and Cloud Computing Naresh K. Sehgal, Sohum Sohoni, Ying Xiong, David Fritz, Wira Mulia, and John M. Acken 1 NKS.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.

Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
Memory Management 2010.

Memory Management 2010.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.

SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.
Computer Organization

Computer Organization
By, Anish Shanmugasundaram Yashwanth Sainath Jammi.

By, Anish Shanmugasundaram Yashwanth Sainath Jammi.
Operating System Chapter 7. Memory Management Lynn Choi School of Electrical Engineering.

Operating System Chapter 7. Memory Management Lynn Choi School of Electrical Engineering.

Similar presentations

Ads by Google