Identifying OS kernel objects for run-time security analysis

Authors:
Amani S. Ibrahim;James Hamlyn-Harris;John Grundy;Mohamed Almorsy
Affiliations:
Centre for Computing and Engineering Software Systems Faculty of ICT, Swinburne University of Technology, Melbourne, Australia;Centre for Computing and Engineering Software Systems Faculty of ICT, Swinburne University of Technology, Melbourne, Australia;Centre for Computing and Engineering Software Systems Faculty of ICT, Swinburne University of Technology, Melbourne, Australia;Centre for Computing and Engineering Software Systems Faculty of ICT, Swinburne University of Technology, Melbourne, Australia
Venue:
NSS'12 Proceedings of the 6th international conference on Network and System Security
Year:
2012

Citing 15
Cited 0

An architecture for specification-based detection of semantic integrity violations in kernel dynamic data

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Antfarm: tracking processes in a virtual machine environment

ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
VMM-based hidden process detection and identification using Lycosid

Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Automatic Inference and Enforcement of Kernel Data Structure Invariants

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Multi-aspect profiling of kernel rootkit behavior

Proceedings of the 4th ACM European conference on Computer systems
Mapping kernel objects to enable systematic integrity checking

Proceedings of the 16th ACM conference on Computer and communications security
Toward Revealing Kernel Malware Behavior in Virtual Execution Environments

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Ensuring operating system kernel integrity with OSck

Proceedings of the sixteenth international conference on Architectural support for programming languages and operating systems
Detecting stealthy malware with inter-structure and imported signatures

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Searching for processes and threads in Microsoft Windows memory dumps

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Supporting operating system kernel data disambiguation using points-to analysis

Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
Supporting Virtualization-Aware Security Solutions Using a Systematic Approach to Overcome the Semantic Gap

CLOUD '12 Proceedings of the 2012 IEEE Fifth International Conference on Cloud Computing
Windows Internals - Parts 1 and 2

Windows Internals - Parts 1 and 2
Operating system kernel data disambiguation to support security analysis

NSS'12 Proceedings of the 6th international conference on Network and System Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

As dynamic kernel runtime objects are a significant source of security and reliability problems in Operating Systems (OSes), having a complete and accurate understanding of kernel dynamic data layout in memory becomes crucial. In this paper, we address the problem of systemically uncovering all OS dynamic kernel runtime objects, without any prior knowledge of the OS kernel data layout in memory. We present a new hybrid approach to uncover kernel runtime objects with nearly complete coverage, high accuracy and robust results against generic pointer exploits. We have implemented a prototype of our approach and conducted an evaluation of its efficiency and effectiveness. To demonstrate our approach's potential, we have also developed three different proof-of-concept OS security tools using it.