Garbage collection in an uncooperative environment
Software—Practice & Experience
Dynamic heap type inference for program understanding and debugging
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
QEMU, a fast and portable dynamic translator
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Copilot - a coprocessor-based kernel runtime integrity monitor
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Automated detection of persistent kernel control-flow attacks
Proceedings of the 14th ACM conference on Computer and communications security
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Proceedings of the 14th ACM conference on Computer and communications security
Decoupling dynamic program analysis from execution in virtual environments
ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Automatic Inference and Enforcement of Kernel Data Structure Invariants
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Multi-aspect profiling of kernel rootkit behavior
Proceedings of the 4th ACM European conference on Computer systems
Polymorphing Software by Randomizing Data Structure Layout
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Mapping kernel objects to enable systematic integrity checking
Proceedings of the 16th ACM conference on Computer and communications security
Toward Revealing Kernel Malware Behavior in Virtual Execution Environments
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Characterizing kernel malware behavior with kernel data access patterns
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Identifying OS kernel objects for run-time security analysis
NSS'12 Proceedings of the 6th international conference on Network and System Security
KI-Mon: a hardware-assisted event-triggered monitoring platform for mutable kernel object
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
Dynamic kernel memory has been a popular target of recent kernel malware due to the difficulty of determining the status of volatile dynamic kernel objects. Some existing approaches use kernel memory mapping to identify dynamic kernel objects and check kernel integrity. The snapshot-based memory maps generated by these approaches are based on the kernel memory which may have been manipulated by kernel malware. In addition, because the snapshot only reflects the memory status at a single time instance, its usage is limited in temporal kernel execution analysis. We introduce a new runtime kernel memory mapping scheme called allocation-driven mapping, which systematically identifies dynamic kernel objects, including their types and lifetimes. The scheme works by capturing kernel object allocation and deallocation events. Our system provides a number of unique benefits to kernel malware analysis: (1) an un-tampered view wherein the mapping of kernel data is unaffected by the manipulation of kernel memory and (2) a temporal view of kernel objects to be used in temporal analysis of kernel execution. We demonstrate the effectiveness of allocation-driven mapping in two usage scenarios. First, we build a hidden kernel object detector that uses an un-tampered view to detect the data hiding attacks of 10 kernel rootkits that directly manipulate kernel objects (DKOM). Second, we develop a temporal malware behavior monitor that tracks and visualizes malware behavior triggered by the manipulation of dynamic kernel objects. Allocation-driven mapping enables a reliable analysis of such behavior by guiding the inspection only to the events relevant to the attack.