An empirical study of the reliability of UNIX utilities
Communications of the ACM
Cache-conscious structure definition
Proceedings of the ACM SIGPLAN 1999 conference on Programming language design and implementation
Xen and the art of virtualization
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Honeycomb: creating intrusion detection signatures using honeypots
ACM SIGCOMM Computer Communication Review
ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Evading network anomaly detection systems: formal reasoning and practical techniques
Proceedings of the 13th ACM conference on Computer and communications security
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An empirical study of the robustness of Windows NT applications using random testing
WSS'00 Proceedings of the 4th conference on USENIX Windows Systems Symposium - Volume 4
Antfarm: tracking processes in a virtual machine environment
ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction
Proceedings of the 14th ACM conference on Computer and communications security
The Daikon system for dynamic detection of likely invariants
Science of Computer Programming
VMM-based hidden process detection and identification using Lycosid
Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Automatic Inference and Enforcement of Kernel Data Structure Invariants
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Mapping kernel objects to enable systematic integrity checking
Proceedings of the 16th ACM conference on Computer and communications security
HyperSentry: enabling stealthy in-context measurement of hypervisor integrity
Proceedings of the 17th ACM conference on Computer and communications security
A control point for reducing root abuse of file-system privileges
Proceedings of the 17th ACM conference on Computer and communications security
Characterizing kernel malware behavior with kernel data access patterns
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Detecting stealthy malware with inter-structure and imported signatures
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Hello rootKitty: a lightweight invariance-enforcing framework
ISC'11 Proceedings of the 14th international conference on Information security
A survey of main memory acquisition and analysis techniques for the windows operating system
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Treasure and tragedy in kmem_cache mining for live forensics investigation
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Forensic carving of network packets and associated data structures
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Virtual machine introspection in a hybrid honeypot architecture
CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
OS-Sommelier: memory-only operating system fingerprinting in the cloud
Proceedings of the Third ACM Symposium on Cloud Computing
Assessing the trustworthiness of drivers
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Operating system kernel data disambiguation to support security analysis
NSS'12 Proceedings of the 6th international conference on Network and System Security
Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
CPU transparent protection of OS kernel and hypervisor integrity with programmable DRAM
Proceedings of the 40th Annual International Symposium on Computer Architecture
Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection
ACM Transactions on Information and System Security (TISSEC)
Real-time deep virtual machine introspection and its applications
Proceedings of the 10th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Hi-index | 0.00 |
Kernel-mode rootkits hide objects such as processes and threads using a technique known as Direct Kernel Object Manipulation (DKOM). Many forensic analysis tools attempt to detect these hidden objects by scanning kernel memory with handmade signatures; however, such signatures are brittle and rely on non-essential features of these data structures, making them easy to evade. In this paper, we present an automated mechanism for generating signatures for kernel data structures and show that these signatures are robust: attempts to evade the signature by modifying the structure contents will cause the OS to consider the object invalid. Using dynamic analysis, we profile the target data structure to determine commonly used fields, and we then fuzz those fields to determine which are essential to the correct operation of the OS. These fields form the basis of a signature for the data structure. In our experiments, our new signature matched the accuracy of existing scanners for traditional malware and found processes hidden with our prototype rootkit that all current signatures missed. Our techniques significantly increase the difficulty of hiding objects from signature scanning.