Mapping kernel objects to enable systematic integrity checking

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 555-565

  Carbone, Martim ^a   Cui, Weidong ^b   Lu, Long ^a   Lee, Wenke ^a   Peinado, Marcus ^b   Jiang, Xuxian ^c  

^a GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

^b MICROSOFT RESEARCH   (United States)

^c NORTH CAROLINA STATE UNIVERSITY   (United States)

Author keywords

Introspection; Kernel integrity; Malware; Memory analysis; Pointer analysis

Indexed keywords

DYNAMIC DATA; FALSE ALARMS; FUNCTION POINTERS; HIDDEN OBJECTS; INTEGRITY CHECKING; INTER-PROCEDURAL; KERNEL MEMORY; MALWARES; MEMORY ANALYSIS; PATTERN MATCHING ALGORITHMS; POINTER ANALYSIS; POINTS-TO ANALYSIS; REAL-WORLD; WINDOWS VISTA;

COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; KNOWLEDGE MANAGEMENT; NETWORK SECURITY; PATTERN MATCHING;

QUALITY ASSURANCE;

EID: 74049158180     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1653662.1653729     Document Type: Conference Paper

References (31)

1. L. O. Andersen. Program Analysis and Specialization for the C Programming Language. PhD thesis, University of Copenhagen, 1994.
2. D. Avots, M. Dalton, B. Livshits, and M. S. Lam. Improving Software Security with a C Pointer Analysis. In Proceedings of the 27th International Conference on Software Engineering (ICSE), May 2005.
3. A. Baliga, V. Ganapathy, and L. Iftode. Automatic Inference and Enforcement of Kernel Data Structure Invariants. In Proceedings of the 24th Annual Computer Security Applications Conference, 2008.
4. Microsoft Corporation. Windows Research Kernel. http://www.microsoft.com/ resources/sharedsource/windowsacademic/researchkernelkit.mspx.
5. A. Cozzie, F. Stratton, H. Xue, and S. T. King. Digging for Data Structures. In Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation, 2008.
6. M. Das. Unification-based pointer analysis with directional assignments. In Programming Language Design and Implementation (PLDI), 2000.
7. B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin. Robust Signatures for Kernel Data Structures. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), November 2009.
8. T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the Tenth ISOC Symposium on Network and Distributed Systems Security (NDSS), February 2003.
9. B. Hardekopf and C. Lin. The Ant and the Grasshopper: Fast and Accurate Pointer Analysis for Millions of Lines of Code. In Programming Language Design and Implementation (PLDI), 2007.
10. N. Heintze and O. Tardieu. Ultra-Fast Aliasing Analysis using CLA - A Million Lines of C Code in a Second. In Programming Language Design and Implementation (PLDI), 2001.
11. G. Hoglund and J. Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, 2005.
12. S. Hultquist. Rootkits: The Next Big Enterprise Threat? http://www.infoworld.com/article/07/04/30/18FErootkit-1.html.
13. L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor Support for Identifying Covertly Executing Binaries. In Proceedings of the 17th USENIX Security Symposium, 2008.
14. Microsoft Corporation. Debugger engine and extensions api. http://msdn.microsoft.com/en-us/library/cc267863.aspx.
15. Microsoft Corporation. Overview of Memory Dump File Options for Windows Server 2003, Windows XP, and Windows 2000. http://support.microsoft.com/kb/ 254649.
16. Microsoft Corporation. Phoenix compiler framework. http://connect. microsoft.com/Phoenix.
17. Offensive Computing. Public malware database. http://www. offensivecomputing.net.
18. B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. In Proceedings of the IEEE Symposium on Security and Privacy, 2008.
19. D. J. Pearce, P. H. J. Kelly, and C. Hankin. Efficient Field-Sensitive Pointer Analysis for C. In Proceedings of the 5th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE), 2004.
20. N. L. Petroni Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor. In Proceedings of the 13th USENIX Security Symposium, 2004.
21. N. L. Petroni Jr., T. Fraser, A. Walters, and W. A. Arbaugh. An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data. In Proceedings of the 15th USENIX Security Symposium, 2006.
22. N. L. Petroni Jr. and M. Hicks. Automated Detection of Persistent Kernel Control-Flow Attacks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), October 2007.
23. M. Polishchuk, B. Liblit, and C. W. Schulze. Dynamic Heap Inference for Program Understanding and Debugging. In Proceedings of the 34th Annual Symposium on Principles of Programming Languages, 2007.
24. R. Riley, X. Jiang, and D. Xu. Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing. In Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection (RAID), 2008.
25. Rootkit.com. http://www.rootkit.com.
26. M. Russinovich. WinObj v2.15. http://technet.microsoft.com/en-us/ sysinternals/bb896657.aspx.
27. M. E. Russinovich and D. A. Solomon. Microsoft Windows Internals (4th Edition). Microsoft Press, 2005.
28. J. Rutkowska. klister. http://www.rootkit.com/board-project-fused.php? did=proj14.
29. A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. In Proceedings of the 21st ACM Symposium on Operating Systems Principles, 2007.
30. B. Steensgaard. Points-to analysis in almost linear time. In Symposium on Principles of Programming Languages (POPL), 1996.
31. R. P. Wilson and M. S. Lam. Efficient Context-Sensitive Pointer Analysis for C Programs. In Programming Language Design and Implementation (PLDI), 1995.