Mapping Kernel Objects to Enable Systematic Integrity Checking by pptfiles


									 Introduction
 Overview
 Static analysis
 Memory analysis
 Kernel integrity checking
 Implementation and evaluation
 Limitations and future work
 Conclusions
 Basic :
   KOP (Kernel Object Pinpointer)

 Application:
   SFPD (Subverted Function Pointer Detector)
   GHOST (General Hidden Object Scanning Tool)
 KOP has two main
   A static analysis
      Points-to graph
      Extended type graph
   A memory analysis
      Object graph
 Compute three set of         4 canonical forms of
 information:                  pointer assignments:
   Object type definitions      x=y
   Declared type and            x = &y
    relative addresses of        *x = y
    global variables             x = *y
   Candidate target type
    for generic pointers
 Based on the medium-
 level intermediate
 representation (MIR)
 Modify the algorithm to         For example:
 create points-to graph             _Entry = t286 due to the
   an eage (src, dst)               function call at line 25
    => (src, dst, n, ops)          => (_Entry, t286, 0,
   n is a pointer offset (for       call@file : 25)
   op that specifies the call
    or return operation
    involved in the
    assignment (for context-
 Type ambiguities com from two sources:
   unions
   generic pointers

 Consider two constraints when determining the
 correct candidate type:
   Size constraint
   Based on the observation that the data stored by certain
    data types must have specific properties
   Recursively for their child object up to a certain depth
 The key idea is to leverage the kernel memory pool
 A dynamic array is usually allocated in to possible ways:
   It may take up a whole pool block.
   It may extend an object whose last field is defined as an
    array of size 0 or 1.
 Check each allocated pool block to recognize dynamic
 arrays after the object traversal (without dynamic
 arrays) is completed.
 May incorrectly identify an object for three main
   Choosing the wrong candidate when resolving type
   Mistaking a dynamic array.
   Program bugs.
 To reduce identification errors, we employ the
 following two techniques:
   Traverses the kernel memory in multiple rounds.
   Use a safe-guard mechanism.
 Function pointer checking (SFPD)
   A white list of trusted modules
   Check every function pointer in the kernel objects found
    by KOP based on the following policy:
      An explicit function pointer must point to trusted code; an
       implicit function pointer must point to either trusted code or
       a data object found by KOP; otherwise, the function pointer
       is marked as malicious.
 Hidden object discovery (GHOST)
   Compare the list of all the objects of that type found b
    KOP in a memory snapshot with the list of objects
    returned by a program such as Task Manager.
 KOP were implemented in C# with a total of 16000
    lines of code.
   Windows Vista SP1 with 63 kernel drivers.
   Run in a Vmware virtual machine with 1GB RAM.
   SFPD prototype has 1000 lines of C# code
   GHOST prototype has 200 lines of C# code
 Static analysis
   Source code of the Vista SP1 kernel and the 63 drivers
    with a total of 5 million lines of code.
   Codebase contains 24423 data types and 9629 global
    variable definitions.
   KOP needs less than 48 hours to complete its static
    analysis on a 2.2 GHz QuadCore AMD Opteron machine
    with 32 GB RAM.
 Coverage

   VC (Verified Coverage) =

   GC (Gross Coverage) =
 Performance
   Use a 4GHz Intel Xeon Duo Core machine with 3GB
   Running time was 8 minutes, including the overhead of
    reading the memory snapshot stored on the disk.
 Test SFPD with eight real-world kernel malware
  samples collected from a public database.

 Running on a machine the same as previous page.

 SFPD finishes a scan of a memory snapshot in less
  than two minutes.

 Identified all the malicious function pointers for all
  eight malware samples with zero false alarms.
 Test GHOST with two real-world kernel-mode
 malware samples:
   FURootkit (ported the XP-based to Vista SP1)
   Syzor.A

 GHOST correctly identified all hidden objects in both
 tests with zero false alarms.
 Static analysis could be improved to automatically
  handle the kernel implementation corner cases in a
  more general way.
 Increase the scope of our static analysis to determine
  domain constraints for other basic types in addition to
 It’s will have error if a very large number of pointers
  inside an object is manipulated.
 Dynamic kernel data have become a common target
 for malware looking to evade traditional code and
 static data-based integrity monitors

 KOP, a system that can map dynamic kernel objects
 with very high coverage and accuracy by leveraging a
 set of novel techniques in static source code analysis
 and memory analysis

To top