Robust signatures for kernel data structures

Brendan Dolan-Gavitt, Abhinav Srivastava, Patrick Traynor, Jonathon Giffin

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

    Abstract

    Kernel-mode rootkits hide objects such as processes and threads using a technique known as Direct Kernel Object Manipulation (DKOM). Many forensic analysis tools attempt to detect these hidden objects by scanning kernel memory with handmade signatures; however, such signatures are brittle and rely on non-essential features of these data structures, making them easy to evade. In this paper, we present an automated mechanism for generating signatures for kernel data structures and show that these signatures are robust: attempts to evade the signature by modifying the structure contents will cause the OS to consider the object invalid. Using dynamic analysis, we profile the target data structure to determine commonly used fields, and we then fuzz those fields to determine which are essential to the correct operation of the OS. These fields form the basis of a signature for the data structure. In our experiments, our new signature matched the accuracy of existing scanners for traditional malware and found processes hidden with our prototype rootkit that all current signatures missed. Our techniques significantly increase the difficulty of hiding objects from signature scanning.

    Original language: English (US)
    Title of host publication: CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security
    Pages: 566-577
    Number of pages: 12
    DOI: 10.1145/1653662.1653730
    State: Published - 2009
    Event: 16th ACM Conference on Computer and Communications Security, CCS'09 - Chicago, IL, United States
    Duration: Nov 9 2009 - Nov 13 2009



    Keywords

    • Data structures
    • Memory analysis
    • Security

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Software

    Cite this

    Dolan-Gavitt, B., Srivastava, A., Traynor, P., & Giffin, J. (2009). Robust signatures for kernel data structures. In CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security (pp. 566-577) https://doi.org/10.1145/1653662.1653730

    @inproceedings{e198866e68f6482ba0916139b25436c0,
    title = "Robust signatures for kernel data structures",
    keywords = "Data structures, Memory analysis, Security",
    author = "Brendan Dolan-Gavitt and Abhinav Srivastava and Patrick Traynor and Jonathon Giffin",
    year = "2009",
    doi = "10.1145/1653662.1653730",
    language = "English (US)",
    isbn = "9781605583525",
    pages = "566--577",
    booktitle = "CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security",
    }
