Abstract
As dynamic kernel runtime objects are a significant source of security and reliability problems in Operating Systems (OSes), having a complete and accurate understanding of kernel dynamic data layout in memory becomes crucial. In this paper, we address the problem of systemically uncovering all OS dynamic kernel runtime objects, without any prior knowledge of the OS kernel data layout in memory. We present a new hybrid approach to uncover kernel runtime objects with nearly complete coverage, high accuracy and robust results against generic pointer exploits. We have implemented a prototype of our approach and conducted an evaluation of its efficiency and effectiveness. To demonstrate our approach’s potential, we have also developed three different proof-of-concept OS security tools using it.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Ibrahim, A.S., Hamlyn-Harris, J., Grundy, J., Almorsy, M.: Supporting Virtualization-Aware Security Solutions using a Systematic Approach to Overcome the Semantic Gap. In: Proc. of 5th IEEE International Conference on Cloud Computing, Hawaii, USA (2012)
Baliga, A., Ganapathy, V., Iftode, L.: Automatic Inference and Enforcement of Kernel Data Structure Invariants. In: Proc. of 2008 Annual Computer Security Applications Conference, pp. 77–86 (2008)
Andreas, S.: Searching for processes and threads in Microsoft Windows memory dumps. Digital Investigation 3(1), 10–16 (2006)
Lin, Z., Rhee, J., Zhang, X.: SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures. In: Proc. of 18th Network and Distributed System Security Symposium, San Diego, CA (2011)
Ibrahim, A.S., Hamlyn-Harris, J., Grundy, J., Almorsy, M.: CloudSec: A Security Monitoring Appliance for Virtual Machines in the IaaS Cloud Model. In: Proc. of 2011 International Conference on Network and System Security (NSS 2011), Milan, Italy (2011)
Yin, H., Liang, Z., Song, D.: HookFinder: Identifying and understanding malware hooking behaviors. In: Network and Distributed Systems Security Symposium, NDSS (2008)
Carbone, M., Cui, W., Lu, L., Lee, W.: Mapping kernel objects to enable systematic integrity checking. In: Proc. of 16th ACM Conference on Computer and Communications Security, Chicago, USA, pp. 555–565 (2009)
Hofmann, O.S., Dunn, A.M., Kim, S.: Ensuring operating system kernel integrity with OSck. In: Proc. of 16th International Conference on Architectural Support for Programming Languages and Operating Systems, California, USA, pp. 279–290 (2011)
Liang, B., You, W., Shi, W., Liang, Z.: Detecting stealthy malware with inter-structure and imported signatures. In: Proc. of the 6th ACM Symposium on Information, Computer and Communications Security, Hong Kong, China, pp. 217–227 (2011)
Lin, Z., Rhee, J., Wu, C., Zhang, X., Xu, D.: Discovering Semantic Data of Interest from Un-mappable Memory with Confidence. In: Proc. of the 19th Network and Distributed System Security Symposium, San Diego, CA (2012)
Ibrahim, A.S., Hamlyn-Harris, J., Grundy, J.: Emerging Security Challenges of Cloud Virtual Infrastructure. In: Proc. of 2010 Asia Pacific Cloud Workshop Co-located with APSEC 2010, Sydney, Australia (2010)
Petroni, N.L., Fraser, T., Walters, A., Arbaugh, W.A.: An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: Proc. of 15th Conference on USENIX Security Symposium, Canada, vol. 15 (2006)
Rhee, J., Riley, R., Xu, D., Jiang, X.: Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 178–197. Springer, Heidelberg (2010)
Ibrahim, A.S., Grundy, J.C., Hamlyn-Harris, J., Almorsy, M.: Supporting Operating System Kernel Data Disambiguation using Points-to Analysis. In: Proc. of 27th IEEE/ACM International Conference on Automated Software Engineering, Essen, Germany (2012)
Ibrahim, A.S., Hamlyn-Harris, J., Grundy, J., Almorsy, M.: Operating System Kernel Data Disambiguation to Support Security Analysis”. In: Proc. of 6th International Conference on Network and System Security (NSS 2012), Fujian, China. Springer (2012)
Russinovich, M., Solomon, D., Ionescu, A.: Windows Internals, 5th edn. Microsoft Press (2009)
Nanavati, M., Kothari, B.: Hidden Processes Detection using the PspCidTable. In: MIEL Labs (2010) (accessed November 2010)
Riley, R., Jiang, X., Xu, D.: Multi-aspect profiling of kernel rootkit behavior. In: Proc. of the 4th ACM European Conference on Computer Systems, Germany, pp. 47–60 (2009)
Xuan, C., Copeland, J., Beyah, R.: Toward Revealing Kernel Malware Behavior in Virtual Execution Environments. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 304–325. Springer, Heidelberg (2009)
Jones, S., Arpaci-Dusseau, A., Arpaci, R.: Antfarm: tracking processes in a virtual machine environment. In: Proc. of USENIX 2006 Annual Technical Conference, Boston (2006)
Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: VMM-based hidden process detection and identification using Lycosid. In: Proc. of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, USA, pp. 91–100 (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ibrahim, A.S., Hamlyn-Harris, J., Grundy, J., Almorsy, M. (2012). Identifying OS Kernel Objects for Run-Time Security Analysis. In: Xu, L., Bertino, E., Mu, Y. (eds) Network and System Security. NSS 2012. Lecture Notes in Computer Science, vol 7645. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34601-9_6
Download citation
DOI: https://doi.org/10.1007/978-3-642-34601-9_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34600-2
Online ISBN: 978-3-642-34601-9
eBook Packages: Computer ScienceComputer Science (R0)