Dynamic kernel data have become an attractive target for kernel-mode malware. However, previous solutions for checking kernel integrity either limit themselves to code and static data or can only inspect a fraction of dynamic data, resulting in limited protection. Our study shows that previous solutions may reach only 28% of the dynamic kernel data and thus may fail to identify function pointers manipulated by many kernel-mode malware. To enable systematic kernel integrity checking, in this paper we present KOP, a system that can map dynamic kernel data with nearly complete coverage and nearly perfect accuracy. Unlike previous approaches, which ignore generic pointers, unions and dynamic arrays when locating dynamic kernel objects, KOP (1) applies inter-procedural points-to analysis to compute all possible types for generic pointers (e.g., void*), (2) uses a pattern matching algorithm to resolve type ambiguities (e.g., unions), and (3) recognizes dynamic arrays by leveraging knowledge of kernel memory pool boundaries. We implemented a prototype of KOP and evaluated it on a Windows Vista SP1 system loaded with 63 kernel drivers. KOP was able to accurately map 99% of all the dynamic kernel data. To demonstrate KOP's power, we developed two tools based on it to systematically identify malicious function pointers and uncover hidden kernel objects. Our tools correctly identified all malicious function pointers and all hidden objects from nine real-world kernel-mode malware samples as well as one created by ourselves, with no false alarms.
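The three steps the abstract describes (candidate types for generic pointers from points-to analysis, pattern matching to pick among candidates, and pool boundaries to recover dynamic arrays) are easier to see on a small, concrete memory image. The following Python is an added example written for this page, not KOP's code: the 32-bit little-endian image, the type layouts (`LIST_HEAD`, `DRIVER`, `DEVICE`, `TIMER`), the pool allocation table, the known-code range and the `POINTS_TO` table standing in for a points-to result are all constructed assumptions. The traversal starts from a global root, follows typed pointers, resolves each `void*` by testing which candidate type is consistent with the allocation size and with the pointer values found at that candidate's field offsets, and expands an allocation that holds several objects of the resolved type into its elements. A second function then does what the abstract's first tool does: it reports every function pointer in the mapped objects that does not point into known kernel code.

```python
import struct
from dataclasses import dataclass

# Added example, not KOP's implementation. Everything below (layouts, addresses,
# pool boundaries, points-to table, code range) is constructed for illustration.


@dataclass
class Field:
    name: str
    offset: int
    kind: str            # 'ptr' (typed pointer), 'void' (generic pointer), 'fnptr', 'u32'
    target: str = None   # pointee type name, only for kind == 'ptr'


@dataclass
class Type:
    name: str
    size: int
    fields: list


TYPES = {
    "LIST_HEAD": Type("LIST_HEAD", 8, [Field("first", 0, "ptr", "DRIVER"), Field("count", 4, "u32")]),
    "DRIVER": Type("DRIVER", 16, [Field("next", 0, "ptr", "DRIVER"), Field("ctx", 4, "void"),
                                  Field("dispatch", 8, "fnptr"), Field("flags", 12, "u32")]),
    "DEVICE": Type("DEVICE", 12, [Field("owner", 0, "ptr", "DRIVER"), Field("irq", 4, "u32"),
                                  Field("pad", 8, "u32")]),
    "TIMER": Type("TIMER", 12, [Field("due", 0, "u32"), Field("cb", 4, "fnptr"), Field("pad", 8, "u32")]),
}
# Stand-in for the inter-procedural points-to result: candidate pointee types of each void* field.
POINTS_TO = {("DRIVER", "ctx"): ["DEVICE", "TIMER"]}
KERNEL_SPACE = 0x80000000                 # assumed 2 GB user/kernel split
CODE_RANGE = (0x80000000, 0x80010000)     # assumed range of known kernel code modules
ROOTS = {0x1000: "LIST_HEAD"}             # assumed global (static) root object
POOL = [(0x1000, 8), (0x1100, 16), (0x1200, 16), (0x1300, 12), (0x1400, 24)]   # (start, size)

BASE = 0x1000
MEM = bytearray(0x1000)                   # toy image covering 0x1000..0x1FFF


def poke(addr, *words):
    MEM[addr - BASE: addr - BASE + 4 * len(words)] = struct.pack("<%dI" % len(words), *words)


def peek(addr):
    return struct.unpack_from("<I", MEM, addr - BASE)[0]


# Constructed contents: two drivers, one DEVICE and one pool block holding two TIMERs.
# The DRIVER at 0x1200 has a dispatch pointer outside the known code modules (a planted hook).
poke(0x1000, 0x1100, 2)
poke(0x1100, 0x1200, 0x1300, 0x80001000, 1)
poke(0x1200, 0, 0x1400, 0x90000000, 2)
poke(0x1300, 0x1100, 5, 0)
poke(0x1400, 1000, 0x80002000, 0, 2000, 0x80003000, 0)


def allocation_of(addr):
    """Pool boundary lookup: the (start, size) of the allocation containing addr, or None."""
    for start, size in POOL:
        if start <= addr < start + size:
            return start, size
    return None


def fits(addr, tname):
    """Pattern match: could an object of type tname start at addr?"""
    t = TYPES[tname]
    alloc = allocation_of(addr)
    if alloc is None or (addr - alloc[0]) % t.size or alloc[1] % t.size:
        return False
    for f in t.fields:
        v = peek(addr + f.offset)
        if f.kind == "ptr" and v and allocation_of(v) is None:
            return False                  # typed pointer must be NULL or hit a pool allocation
        if f.kind == "fnptr" and v < KERNEL_SPACE:
            return False                  # function pointer must at least be a kernel address
    return True


def map_objects():
    """Traverse from the roots. Returns ({addr: type}, [(holder, field, value)], ambiguities)."""
    typed, fnptrs, ambiguous = {}, [], []
    work = list(ROOTS.items())
    while work:
        addr, tname = work.pop()
        if addr in typed:
            continue
        t = TYPES[tname]
        alloc = allocation_of(addr)
        if alloc is None:
            continue
        # Dynamic array: an allocation holding k > 1 objects of this type yields k elements.
        if addr == alloc[0] and alloc[1] // t.size > 1:
            work.extend((addr + i * t.size, tname) for i in range(1, alloc[1] // t.size))
        typed[addr] = tname
        for f in t.fields:
            v = peek(addr + f.offset)
            if f.kind == "ptr" and v:
                work.append((v, f.target))
            elif f.kind == "fnptr":
                fnptrs.append((addr, f.name, v))
            elif f.kind == "void" and v:
                cands = [c for c in POINTS_TO[(tname, f.name)] if fits(v, c)]
                if len(cands) == 1:
                    work.append((v, cands[0]))
                else:
                    ambiguous.append((addr, f.name, v, cands))
    return typed, fnptrs, ambiguous


def find_hooked_function_pointers(fnptrs):
    """Integrity check: function pointers that do not land in known kernel code."""
    return [(h, n, v) for h, n, v in fnptrs if not (CODE_RANGE[0] <= v < CODE_RANGE[1])]


if __name__ == "__main__":
    objs, fns, amb = map_objects()
    for a in sorted(objs):
        print(hex(a), objs[a])
    print("ambiguous:", amb)
    print("suspicious function pointers:", [(hex(h), n, hex(v)) for h, n, v in find_hooked_function_pointers(fns)])
```

Two design points carry over to the real problem. The `fits` check deliberately uses only type-level sanity (allocation size, pointer validity, kernel-space addresses) so that a hooked object is still mapped rather than discarded; the security decision is made separately by `find_hooked_function_pointers` over the completed map. And the array expansion keys off the pool allocation size rather than any count field, which is what lets the traversal reach the second `TIMER` that no pointer references directly.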