Presentation is loading. Please wait.

Presentation is loading. Please wait.

SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures Zhiqiang Lin 1 Junghwan Rhee 1, Xiangyu Zhang 1, Dongyan.

Published byJeffry Heath Modified over 8 years ago

Similar presentations

Presentation on theme: "SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures Zhiqiang Lin 1 Junghwan Rhee 1, Xiangyu Zhang 1, Dongyan."— Presentation transcript:

1 SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures Zhiqiang Lin 1 Junghwan Rhee 1, Xiangyu Zhang 1, Dongyan Xu 1, Xuxian Jiang 2 1 Purdue University 2 North Carolina State University February 7 th, 2011 The 18 th Annual Network and Distributed System Security Symposium

2 Problem Statement  Given a kernel data structure definition  Identifying instances of this data structure in a kernel memory image at arbitrary location struct task { [0] struct thread *thread; [4] struct memory *mm; [8] struct signal *signal; [12] struct task *parent; [16] int magic_number; } task A simplified Linux Kernel task_struct

3 Security Applications: Memory Forensics Data structure signatures play a critical role in memory forensics IPaddr Password struct user_account { 00: short int u_type; 04: pid_t u_pid; 08: char u_line[32]; 40: char uid[4]; 44: char user[32]; 76: char password[128]; 204: char u_host[128]; 332: short int e_termination; 334: short int e_exit; 336: long int u_session; 340: struct timeval u_tv; 348: int32_t u_addr_v6[4]; }

4 Security Applications: Kernel Rootkit Defense mm task_struct prev thread next mm task_struct prev thread next mm task_struct prev thread next Process AProcess B Process C

5 State-of-the-art  Value-invariant signature schemes  Klist [Rutkowska,2003], GREPEXEC [bugcheck, 2006], Volatility [Walters, 2006], [Schuster, 2006], [Dolan-Gavitt et al., CCS’09] struct task { [0] struct thread *thread; [4] struct memory *mm; [8] struct signal *signal; [12] struct task *parent; [16] int magic_number; } task magic_number=0xabcdef0f Field w/o value invariant? Invariant value can be changed? [Dolan-Gavitt et al., CCS’09]

6 Key Idea struct task { [0] struct thread *thread; [4] struct memory *mm; [8] struct signal *signal; [12] struct task *parent; } struct thread { [0] struct task *task; } struct memory { [0] struct vma *mmap; [4] void (*map_area) (struct memory* mmap); } struct signal { [0] struct task_status *status; } task thread 0 12 04 4 8 mm signaltask 00 thread(*(x+0)) ∧ mm(*(x+4)) ∧ signal(*(x+8)) ∧ task(*(x+12)) task(x)   1 st layer 2 nd layer 3 rd layer A B x

7 How to Use SigGraph 0xc001c0a8: 0xc002c0a8 0xc002bee0 0xc002caa0 0xc00ddbb0... 0xc00ddbb0: 0xc12a0e7c 0xc727faa8 0xc001c114 0xc001c16c... 0xc002c0a8: 0xc12a0e7c 0xc727faa8 0xbfbb9195 0x00000009... task thread 0 12 0 4 4 8 mmsignaltask 0 0 0xc002bee0: 0xc001c114 0xc001c16c 0xffb29122 0x00201001... 0xc002caa0: 0xb002ca20 0xb021d00a 0xc05b9f5c 0x00000000... task( 0xc001c0a8 ) 0 12 4 8

8 SigGraph Overview Signature Generator Graph- Signatures OS Data Structure Definitions Profiler Memory Dump Brute-force Scanner Data structure Instances struct task { [0] struct thread *thread; [4] struct memory *mm; [8] struct signal *signal; [12] struct list_head *prev; [16] struct list_head *next; } (1) Compiler approach (2) Extracting from debug information (3) Reverse engineering kernel

9 Signature Generator  Challenge: Signatures must be unique, non- isomorphic among each other. task thread 0 12 04 4 8 mm signaltask 00 1 st layer 2 nd layer 3 rd layer

10 struct B { [0] E * b1; [4] B * b2; } struct BB { [0] EE * bb1; [4] BB * bb2; } struct E {... [12] G * e1;... [24] H * e3; } struct EE {... [12] GG * ee1;... [24] HH * ee3; } B E B G H 04 1224 EE BB GG HH 04 1224 BB struct G {... [10] int * g; } 10 struct GG {... [4] char * gg1; [8] char * gg2; } 4 8 Isomorphism

11 struct A { [0] struct B * a1;... [12] struct C * a2;... [18] struct D * a3; } struct X {... [8] struct Y * x1;... [36] struct BB * x2;... [48] struct CC * x3;... [54] struct DD * x4; } Y BB 8 54 DD 48 36 CC X B C 0 18 D 12 A Isomorphism

12 Our Solution  Immediate pointer pattern (IPP): one-layer pointer structure as a string  Pointer expansion ‘ ’ struct B { [0] E * b1; [4] B * b2; } IPP(B) =0·E·4·B T 0·E·4·(0·E·4·B) B IPP(B) E B 4 B 0 IPP(T )= f 1 · t 1 · (f 2 − f 1 ) · t 2 ·... · (f n − f n−1 ) · t n

13 Problem Formulation B C 0 18 D 12 Y BB 8 54 DD 48 36 CC X A IPP(A)=0·B·12·C·6·D IPP(X)=8·Y·28·BB·12·CC·6·DD Substring IPP(T )= f 1 ·t 1 ·(f 2 −f 1 )·t 2 ·...·(f n − f n−1 )·t n “If IPP(A) is a substring of IPP(X) ” Ignore the symbol type at specific layer

14 Profiler  Practical pointer issues  null Pointer  void Pointer  Special Pointer  LIST_POISON1 (0x00100100)  LIST_POISON2 (0x00200200)  SPINLOCK_MAGIC (0xdead4ead) Pruning a few noisy pointer fields does not degenerate the uniqueness of the graph-based signatures LiveDM [Rhee et al., RAID’10]

15 Evaluation  Memory snapshot collection  QEMU  Ground truth acquisition  RedHat crash utility  Symbolic information  system.map  Profiling run  Long runs with typical workload crash-utility.redhat.com

16 Evaluation on Memory Forensics Data Structures of Interest “True” Instance SigGraphValue-invariant FP%FN%FP%FN% task_struct 880.00 thread_info 880.00 6.451.08 mm_struct 520.00 vm_area_struct 21740.400.007.520.00 files_struct 530.00 fs_struct 520.00 dentry 318160.010.000.010.00 sysfs_dirent 21060.520.0097.630.00 socket 550.00 12.24 sock 550.00 27.90 user_struct 100.00 99.910.00 crash-utility.redhat.com

17 Application: Rootkit Detection Rootkit Name Target Object Inside ViewCrash ToolSigGraph #obj.s detected#obj.sdetected adore-ng-2.6module23 adore-ng-2.6’task_struct62 cleaner-2.6module22 enyelkm 1.0module23 hp-2.6task_struct56 linuxfu-2.6task_struct59 modhide-2.6module22 overridetask_struct58 rmrootstask_struct56 rmroots’module23 ps lsmod 23 63 22 23 57 60 22 59 N/A 24 63 23 24 57 60 23 59 55 24

18 Related Work  Kernel memory mapping and analysis  Copilot [Petroni et al., Security’04], [Petroni et al., CCS’07]  Gibraltar [Baliga et al., ACSAC’08]  KOP [Carbone et al.,CCS’09]  Memory forensics  Memory graph-based: Redhat crash utility, KOP  Value-invariant Signature: Klist [Rutkowska,2003], GREPEXEC [bugcheck, 2006], Volatility [Walters, 2006], [Schuster, 2006], [Dolan-Gavitt et al., CCS’09]  Dynamic heap type inference [Polishchuk et al., 2007]

19 Conclusion  Points-to relations can be leveraged to generate graph-based signatures for brute force scanning  SigGraph, a framework that generates non- isomorphic structural-invariant signatures  Complements value-invariant signatures  Applications:  Kernel memory forensics  Kernel rootkit detection

20 Q&A Thank you For more information {zlin,rhee,xyzhang,dxu}@cs.purdue.edu

Download ppt "SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures Zhiqiang Lin 1 Junghwan Rhee 1, Xiangyu Zhang 1, Dongyan."

Similar presentations

Effective Static Deadlock Detection

Effective Static Deadlock Detection
DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Kwong Yan, and Heng Yin Syracuse University.

DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis Lok Kwong Yan, and Heng Yin Syracuse University.
INTROPERF: TRANSPARENT CONTEXT- SENSITIVE MULTI-LAYER PERFORMANCE INFERENCE USING SYSTEM STACK TRACES Chung Hwan Kim*, Junghwan Rhee, Hui Zhang, Nipun.

INTROPERF: TRANSPARENT CONTEXT- SENSITIVE MULTI-LAYER PERFORMANCE INFERENCE USING SYSTEM STACK TRACES Chung Hwan Kim*, Junghwan Rhee, Hui Zhang, Nipun.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Android architecture overview

Android architecture overview
Code Compaction of an Operating System Kernel Haifeng He, John Trimble, Somu Perianayagam, Saumya Debray, Gregory Andrews Computer Science Department.

Code Compaction of an Operating System Kernel Haifeng He, John Trimble, Somu Perianayagam, Saumya Debray, Gregory Andrews Computer Science Department.
The ‘process’ abstraction

The ‘process’ abstraction
Linux Memory Management High-Level versus Low-Level.

Linux Memory Management High-Level versus Low-Level.
Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.

Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.
Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.

Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.

Process Coloring: an Information Flow-Preserving Approach to Malware Investigation Eugene Spafford, Dongyan Xu Department of Computer Science and Center.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Peter Juszczyk CS 492/493 - ISGS. // Is this C# or Java? class TestApp { static void Main() { int counter = 0; counter++; } } The answer is C# - In C#

Peter Juszczyk CS 492/493 - ISGS. // Is this C# or Java? class TestApp { static void Main() { int counter = 0; counter++; } } The answer is C# - In C#
Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.

Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.
KinWrite: Handwriting-Based Authentication Using Kinect Proceedings of the 20th Annual Network & Distributed System Security Symposium, NDSS 2013 Jing.

KinWrite: Handwriting-Based Authentication Using Kinect Proceedings of the 20th Annual Network & Distributed System Security Symposium, NDSS 2013 Jing.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
CS 6560 Operating System Design Lecture 13 Finish File Systems Block I/O Layer.

CS 6560 Operating System Design Lecture 13 Finish File Systems Block I/O Layer.
Microsoft Research Asia Ming Wu, Haoxiang Lin, Xuezheng Liu, Zhenyu Guo, Huayang Guo, Lidong Zhou, Zheng Zhang MIT Fan Long, Xi Wang, Zhilei Xu.

Microsoft Research Asia Ming Wu, Haoxiang Lin, Xuezheng Liu, Zhenyu Guo, Huayang Guo, Lidong Zhou, Zheng Zhang MIT Fan Long, Xi Wang, Zhilei Xu.
Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions.

Introduction Overview Static analysis Memory analysis Kernel integrity checking Implementation and evaluation Limitations and future work Conclusions.
Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS.

Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS.

Similar presentations

Ads by Google