Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tracking Rootkit Footprints with Pratical Memory Analysis System Weidong Cui and Marcus Peinado, Microsoft Research; Zhilei Xu, Massachusetts Institute.

Published byAmy Green Modified over 9 years ago

Similar presentations

Presentation on theme: "Tracking Rootkit Footprints with Pratical Memory Analysis System Weidong Cui and Marcus Peinado, Microsoft Research; Zhilei Xu, Massachusetts Institute."— Presentation transcript:

1 Tracking Rootkit Footprints with Pratical Memory Analysis System Weidong Cui and Marcus Peinado, Microsoft Research; Zhilei Xu, Massachusetts Institute of Technology; Ellick Chan, University of Illinois at Urbana-Champaign

2 Kernel Rootkit Footprints Memory changes a kernel rootkit makes for Hijacking code execution Hiding its activities

3 Kernel Rootkit in Memory A needle in a haystack! – A typical Windows 7 kernel has – 100+ loaded modules – 100K to 1M+ data objects – 100K+ function pointers How to find all the data and function pointers?

4 Memory Analysis System MAS – a pratical memory analysis system Identify all memory changes – Static Analysis Identify candidate types for generic pointers – Memory Traversal Identify dynamic data objects – Integrity Checking Detect two kinds of violations

5 Demand-Driven Pointer Analysis Program Expression Graph – Assignment Edge (A): if e1=e2, then e1 ← e2 – Dereference Edge (D): *e ← e, e ← &e

6 Demand-Driven Pointer Analysis (Cont.) Two relations between expressions – Value Alias (V): aVb – Memory Alias (M): aMb Context-Free Grammar – aVbAcMd → aVbMd → aVd → V ::= VAM Path from b to c with label sequence – b = c, Given

7 Demand-Driven Pointer Analysis (Cont.) Field Sensitivity – p+f to denote &(p→f) – *(p+f) to denote p→f – *(&a+f) to denote a.f

8 Type Candidate Interface Generic pointer – FOO* q; void* p; p = q, we get p’s candidate type as FOO* – A pointer field fi of void* fi’s candidate types are the set of types of all the value aliases of the pointer field’s instances in the form of X → fi.

9 Memory Traversal MAS first locates static data objects in each loaded module. Then recursively follow the pointers in these objects and in all newly identified data objects, until no new data object can be added.

10 Pointer Uncertainty is Unavoidable Ambiguous pointers – Generic pointers with multiple candidate types – Pointers in unions – MAS ignores all ambiguous pointers Invalid pointers – Uninitialized pointers – Corrupted pointers

11 Constraints for Data Objects Size Constraint – a data object must lie completely within a memory block. Pointer Constraint – a data object’s pointer fields must either be null or point to the kernel address range.

12 Constraints for Data Objects (Cont.) Enum Constraint – a data object’s enum fields must take a valid enum value which is stored in the PDB files. Pool Tag Constraint – the type of a data object must be in the set of data types associated with the pool block in which the data object is located.

13 Integrity Checking Code Integrity – trusted code in memory should match with the image file on disk. Function Pointer Integrity – function pointers should point to the trusted code. Visibility Integrity – data objects found by MAS should be visible to system tools (e.g., those available in a debugger for listing processes and modules).

14 Implementation Static analysis – 12K lines of C++ code – Developed a PREfast plugin to extract information Memory traversal and integrity checking – 24K lines of C/C++ code – Worked as a debugger extension for WinDbg

15 Real-World Data Sets 11 Windows Vista SP1 crash dumps 837 Window 7 crash dumps 154,768 memory snapshots derived from our large scale kernel malware analysis

16 154,768 kernel malware samples MAS reported kernel behaviors for only 89,474 of the samples.

17 Function Pointer Hooking Windows Kernel and 5 drivers (ntfs, fastfat, ndis, fltmgr, null) – 191 unique function pointers – 31 different data structures

18 Windows Vista SP1 Crash Dump Results on eleven Windows Vista SP1

19 Accuracy For 10 Windows Vista SP1 crash dumps – All suspicious function pointers found by MAS are true function pointers – All true suspicious function pointers found by KOP are found by MAS For 837 Windows 7 crash dumps – We verified that all but 24 out of 400K suspicious function pointers are true function pointers

20 Performance

21 Detecting Rootkits in Crash Dumps Cannot fully automate it because of third- party drivers – Ignore suspicious function pointers to unknown modules

22 Summary MAS is a practical memory analysis system for detecting and analyzing kernel rootkits – Handles pointer uncertainty effectively Applied MAS to 848 real-world crash dumps – Found 95 of them have rootkits Large-scale study of 150K malware samples – Hooked 191 unique functions pointers in 31 data structures of 6 modules

Download ppt "Tracking Rootkit Footprints with Pratical Memory Analysis System Weidong Cui and Marcus Peinado, Microsoft Research; Zhilei Xu, Massachusetts Institute."

Similar presentations

Introduction to Linked Lists In your previous programming course, you saw how data is organized and processed sequentially using an array. You probably.

Introduction to Linked Lists In your previous programming course, you saw how data is organized and processed sequentially using an array. You probably.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.

Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.
CS 104 Introduction to Computer Science and Graphics Problems Operating Systems (4) File Management & Input/Out Systems 10/14/2008 Yang Song (Prepared.

CS 104 Introduction to Computer Science and Graphics Problems Operating Systems (4) File Management & Input/Out Systems 10/14/2008 Yang Song (Prepared.
A Type-Checked Restrict Qualifier Jeff Foster OSQ Retreat May 9-10, 2001.

A Type-Checked Restrict Qualifier Jeff Foster OSQ Retreat May 9-10, 2001.
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.
1 I/O Management in Representative Operating Systems.

1 I/O Management in Representative Operating Systems.
. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.

. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.
Peter Juszczyk CS 492/493 - ISGS. // Is this C# or Java? class TestApp { static void Main() { int counter = 0; counter++; } } The answer is C# - In C#

Peter Juszczyk CS 492/493 - ISGS. // Is this C# or Java? class TestApp { static void Main() { int counter = 0; counter++; } } The answer is C# - In C#
2 Debugging Performance Issues, Memory Issues and Crashes in.net Applications Tess Ferrandez - Norlander Support Escalation Engineer Microsoft Session.

2 Debugging Performance Issues, Memory Issues and Crashes in.net Applications Tess Ferrandez - Norlander Support Escalation Engineer Microsoft Session.
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.
Debugging Print And Imaging Drivers. Print driver team philosophy on driver quality There are tools to detect violations Wrongful development assumptions.

Debugging Print And Imaging Drivers. Print driver team philosophy on driver quality There are tools to detect violations Wrongful development assumptions.
1 Introduction to Parsing Lecture 5. 2 Outline Regular languages revisited Parser overview Context-free grammars (CFG’s) Derivations.

1 Introduction to Parsing Lecture 5. 2 Outline Regular languages revisited Parser overview Context-free grammars (CFG’s) Derivations.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda Presentation by Mridula Menon N.

Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda Presentation by Mridula Menon N.

Similar presentations

Ads by Google