Countering Kernel Rootkits with Lightweight Hook Protection
Transcript of the slides for "Countering Kernel Rootkits with Lightweight Hook Protection"
Countering Kernel Rootkits with Lightweight Hook Protection
Zhi Wang @ NCSU, Xuxian Jiang @ NCSU
Weidong Cui @ Microsoft Research, Peng Ning @ NCSU
ACM CCS '09
Advanced Defense Lab @ National Central Univ.
Outline
- Introduction
- HookSafe Design
- Implementation
- Evaluation
- Related Work & Conclusion
Introduction: Prior research
- Behaviors
- Symptoms
- Kernel code integrity
- Return-oriented rootkits (Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms @ Usenix Security '09)
Introduction: A better solution
- Preserve kernel code integrity by preserving kernel control-flow integrity
- Kernel control data: return addresses, function pointers
- Function pointers == kernel hooks (in this paper)
Introduction: Hardware-based page-level protection
- Limited number of kernel hooks
- Hooks are not co-located with frequently modified memory data
Introduction: HookSafe
- Hypervisor-based
- Lightweight
- Protects all kernel hooks
- Byte-level granularity
Introduction
(Figure: Distribution of 5881 kernel hooks in a running Ubuntu system)
HookSafe Design
- Offline Hook Profiler: profile the guest kernel execution and output a hook access profile for each protected hook; the instructions that access a hook are its Hook Access Points (HAPs)
- Online Hook Protector: create a shadow copy of all protected hooks and implement HAP redirection
HookSafe Design
(Figure: The HookSafe architecture)
HookSafe Design: Offline Hook Profiling
- Static analysis: more complete, less precise
- Dynamic analysis: more precise
- QEMU: monitor every memory access instruction
HookSafe Design: Online Hook Protection
HookSafe Design: Online Hook Protection – Initialization
- At boot time: create the shadow copy
- Patch the HAPs (requires the support of the hypervisor)
HookSafe Design: Online Hook Protection – Runtime R/W Indirection
- Read: read from the shadow copy and return
- Write: make a hypercall; validate the request; update the shadow copy if valid
HookSafe Design: Online Hook Protection – Runtime Tracking of Dynamically Allocated Hooks
- A dynamically allocated hook is embedded in a dynamic kernel object
- Hypercall when a kernel object containing a hook is allocated
- Create the shadow copy of the hook
HookSafe Design: Hardware Register Protection
- GDTR, IDTR, DR0-DR7
- Hardware-based page-level protection
Implementation: Offline Hook Profiler
- QEMU binary translation: if an instruction accesses any kernel hook in the given list, mark it as a HAP and log the value
- Dynamically allocated kernel hooks: track the creation of the kernel object and locate the hook inside it
- Output: the hook access profile
Implementation
(Figure: An example access profile for the ext3_dir_operations->readdir kernel hook)
Implementation: Hook Indirection
- HAP patching: overwrite the HAP instruction with a 5-byte jmp to the trampoline code
  - HAP instruction > 5 bytes: fill the remaining space with NOP instructions
  - HAP instruction < 5 bytes: the jmp also overwrites the subsequent instruction
Implementation
(Figure: The implementation of hook indirection)
Implementation
Implementation: Hook Indirection – HAP Patching
Corner cases for patching:
- A HAP immediately after another HAP
- The second instruction is the target of a jump instruction
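The patching rules from these two slides (5-byte jmp, NOP fill when the HAP is longer, overlap with the next instruction when it is shorter, and refusal when a covered instruction boundary is itself a jump target), as an added example that is not code from the paper or the HookSafe prototype. Addresses, instruction lengths and the jump-target list are constructed; the function only builds the patch bytes and never writes guest memory.

```c
#include <stdint.h>
#include <stddef.h>
#define JMP_LEN 5          /* E9 rel32 */
#define X86_NOP 0x90
typedef enum { PATCH_PADDED, PATCH_OVERLAPS_NEXT,
               PATCH_REFUSED_JUMP_TARGET, PATCH_REFUSED_NO_LAYOUT } patch_status;

/* Build the bytes that replace a HAP at guest address hap (insn_len bytes) with a
 * jmp to the trampoline. next_lens are the lengths of the instructions following the
 * HAP; jump_targets are known branch targets near it. Only bytes are produced here. */
patch_status build_hap_patch(uint32_t hap, size_t insn_len, uint32_t trampoline,
                             const size_t *next_lens, size_t n_next,
                             const uint32_t *jump_targets, size_t n_targets,
                             uint8_t *out, size_t out_len, size_t *patch_len)
{
    size_t covered = insn_len, i = 0;
    while (covered < JMP_LEN) {                    /* HAP shorter than the jmp */
        uint32_t boundary = hap + (uint32_t)covered;
        for (size_t t = 0; t < n_targets; t++)
            if (jump_targets[t] == boundary)       /* a jump would land mid-patch */
                return PATCH_REFUSED_JUMP_TARGET;
        if (i >= n_next) return PATCH_REFUSED_NO_LAYOUT;
        covered += next_lens[i++];                 /* trampoline must re-execute it */
    }
    if (out_len < covered) return PATCH_REFUSED_NO_LAYOUT;
    uint32_t rel = trampoline - (hap + JMP_LEN);   /* displacement from end of jmp */
    out[0] = 0xE9;
    for (int k = 0; k < 4; k++) out[1 + k] = (uint8_t)(rel >> (8 * k));
    for (size_t k = JMP_LEN; k < covered; k++) out[k] = X86_NOP;   /* NOP fill */
    *patch_len = covered;
    return insn_len >= JMP_LEN ? PATCH_PADDED : PATCH_OVERLAPS_NEXT;
}

/* Decode a patched HAP's jump target, to verify the patch is still intact. */
uint32_t decode_jmp_target(const uint8_t *p, uint32_t hap)
{
    uint32_t rel = 0;
    for (int k = 0; k < 4; k++) rel |= (uint32_t)p[1 + k] << (8 * k);
    return p[0] == 0xE9 ? hap + JMP_LEN + rel : 0;
}

/* Constructed scenario: one HAP and trampoline, an optional following instruction
 * (next_len, 0 = layout unknown) and an optional known jump target (jt, 0 = none). */
#define HAP   0xc0100000u
#define TRAMP 0xc0200000u
uint8_t demo_patch[8]; size_t demo_len;
patch_status patch_demo(size_t insn_len, size_t next_len, uint32_t jt)
{
    return build_hap_patch(HAP, insn_len, TRAMP, &next_len, next_len ? 1 : 0,
                           &jt, jt ? 1 : 0, demo_patch, sizeof demo_patch, &demo_len);
}
```

A 6-byte HAP yields E9 plus the displacement and one NOP; a 2-byte HAP followed by a 3-byte instruction yields a 5-byte patch whose trampoline has to re-execute that second instruction.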
Implementation: Read/Write Indirection
- Detection on read: compare the original hook with the shadow copy
- Write: update both the original hook and the shadow copy
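The runtime read/write indirection from the design slide together with the detection rule on this one, as an added single-address-space simulation that is not the paper's code. The trusted code ranges, the hook value, and the policy that a new hook value must point into kernel text or the text of an introspected LKM are assumptions standing in for the hypervisor's validation.

```c
#include <stdint.h>
#include <stddef.h>
typedef uint32_t hook_t;                          /* a function-pointer value in the guest */
typedef struct { uint32_t start, end; } code_range;
/* Code regions a hook may legitimately point into (addresses constructed). */
static const code_range trusted_code[] = {
    { 0xc0100000u, 0xc0400000u },   /* guest kernel .text */
    { 0xf8800000u, 0xf8810000u },   /* text of a loaded LKM verified through introspection */
};

typedef struct {
    hook_t *original;   /* the hook's real location inside a kernel object */
    hook_t  shadow;     /* the copy kept in memory only the hypervisor may write */
} protected_hook;
static int target_is_trusted(hook_t v)
{
    for (size_t i = 0; i < sizeof trusted_code / sizeof *trusted_code; i++)
        if (v >= trusted_code[i].start && v < trusted_code[i].end) return 1;
    return 0;
}

/* Write path: the patched HAP hands the new value to the hypervisor, which
 * validates it and then updates both copies. Returns 0 if accepted, -1 if rejected. */
int hook_write(protected_hook *h, hook_t newval)
{
    if (!target_is_trusted(newval)) return -1;
    h->shadow = newval;
    *h->original = newval;
    return 0;
}

/* Read path: control flow always follows the shadow copy; if the original location
 * no longer matches, the hook was written without going through a HAP. */
hook_t hook_read(const protected_hook *h, int *tampered)
{
    *tampered = (*h->original != h->shadow);
    return h->shadow;
}

/* Demo state: one protected hook, standing in for a pointer such as readdir. */
hook_t demo_original;
protected_hook demo_hook = { &demo_original, 0 };
int demo_tampered;
hook_t demo_reset(void) { demo_original = demo_hook.shadow = 0xc0123450u; return demo_hook.shadow; }
/* Model a write that bypasses the HAPs (an access the profiler missed, or DMA)
 * and report whether the next indirected read notices it. */
int demo_bypass_write_detected(hook_t v)
{ demo_original = v; hook_read(&demo_hook, &demo_tampered); return demo_tampered; }
```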
Implementation: Runtime LKM and Hook Tracking
- Hook tracking: SLAB interface
- LKM tracking: virtual machine introspection
- Memory protection: shadow page table (SPT) in Xen
Evaluation
- Tested with 9 real-world rootkits
- UnixBench and ApacheBench
Evaluation
Evaluation
Evaluation: Performance