Manufacturing cheap, resilient, and stealthy opaque constructs
POPL '98 Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Protection of Software-Based Survivability Mechanisms
DSN '01 Proceedings of the 2001 International Conference on Dependable Systems and Networks (formerly: FTCS)
Detecting Kernel-Level Rootkits Through Binary Analysis
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
QEMU, a fast and portable dynamic translator
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Static analysis of executables to detect malicious patterns
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Copilot - a coprocessor-based kernel runtime integrity monitor
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Mining specifications of malicious behavior
Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Automated detection of persistent kernel control-flow attacks
Proceedings of the 14th ACM conference on Computer and communications security
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Automatic Inference and Enforcement of Kernel Data Structure Invariants
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Multi-aspect profiling of kernel rootkit behavior
Proceedings of the 4th ACM European conference on Computer systems
Mapping kernel objects to enable systematic integrity checking
Proceedings of the 16th ACM conference on Computer and communications security
Robust signatures for kernel data structures
Proceedings of the 16th ACM conference on Computer and communications security
Toward Revealing Kernel Malware Behavior in Virtual Execution Environments
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Effective and efficient malware detection at the end host
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
SegSlice: towards a new class of secure programming primitives for trustworthy platforms
TRUST'10 Proceedings of the 3rd international conference on Trust and trustworthy computing
Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Hi-index | 0.00 |
Characterizing malware behavior using its control flow faces several challenges, such as obfuscations in static analysis and the behavior variations in dynamic analysis. This paper introduces a new approach to characterizing kernel malware's behavior by using kernel data access patterns unique to the malware. The approach neither uses malware's control flow consisting of temporal ordering of malware code execution, nor the code-specific information about the malware. Thus, the malware signature based on such data access patterns is resilient in matching malware variants. To evaluate the effectiveness of this approach, we first generated the signatures of three classic rootkits using their data access patterns, and then matched them with a group of kernel execution instances which are benign or compromised by 16 kernel rootkits. The malware signatures did not trigger any false positives in benign kernel runs; however, kernel runs compromised by 16 rootkits were detected due to the data access patterns shared with the compared signature(s). We further observed similar data access patterns in the signatures of the tested rootkits and exposed popular rootkit attack operations by ranking common data behavior across rootkits. Our experiments show that our approach is effective not only to detect the malware whose signature is available, but also to determine its variants which share kernel data access patterns.