TY - GEN
T1 - Robust signatures for kernel data structures
AU - Dolan-Gavitt, Brendan
AU - Srivastava, Abhinav
AU - Traynor, Patrick
AU - Giffin, Jonathon
PY - 2009
Y1 - 2009
N2 - Kernel-mode rootkits hide objects such as processes and threads using a technique known as Direct Kernel Object Manipulation (DKOM). Many forensic analysis tools attempt to detect these hidden objects by scanning kernel memory with handmade signatures; however, such signatures are brittle and rely on non-essential features of these data structures, making them easy to evade. In this paper, we present an automated mechanism for generating signatures for kernel data structures and show that these signatures are robust: attempts to evade the signature by modifying the structure contents will cause the OS to consider the object invalid. Using dynamic analysis, we profile the target data structure to determine commonly used fields, and we then fuzz those fields to determine which are essential to the correct operation of the OS. These fields form the basis of a signature for the data structure. In our experiments, our new signature matched the accuracy of existing scanners for traditional malware and found processes hidden with our prototype rootkit that all current signatures missed. Our techniques significantly increase the difficulty of hiding objects from signature scanning.
KW - Data structures
KW - Memory analysis
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=74049118754&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=74049118754&partnerID=8YFLogxK
U2 - 10.1145/1653662.1653730
DO - 10.1145/1653662.1653730
M3 - Conference contribution
AN - SCOPUS:74049118754
SN - 9781605583525
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 566
EP - 577
BT - CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security
T2 - 16th ACM Conference on Computer and Communications Security, CCS'09
Y2 - 9 November 2009 through 13 November 2009
ER -
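Added worked example, not part of this record or of the paper's own code: a toy Python model of the pipeline the abstract describes, namely profile which fields the OS reads, fuzz those fields to find the ones the OS will not tolerate being changed, build a signature from only those fields, and scan a memory image with it next to a handmade pool-tag style signature. The 32-byte object layout, the field names, the ToyOS validity rules and the memory image are all constructed for illustration and are assumptions, not the paper's data and not a real kernel structure.

```python
"""Toy profile -> fuzz -> signature -> scan model (constructed example)."""
import random
import struct

# Hypothetical object layout: name -> (offset, struct format). Not a real kernel structure.
LAYOUT = {
    "type":     (0,  "B"),   # object type tag
    "size":     (1,  "B"),   # structure size in 8-byte units
    "flags":    (2,  "H"),
    "flink":    (4,  "I"),   # list links: what DKOM unlinks
    "blink":    (8,  "I"),
    "pid":      (12, "I"),
    "pool_tag": (16, "4s"),  # allocator tag: what handmade scanners tend to key on
    "page_dir": (20, "I"),   # page-directory base: nonzero and page aligned
    "name":     (24, "8s"),
}
OBJ_SIZE, TYPE_PROCESS, PAGE = 32, 3, 0x1000

def get(mem, base, field):
    off, fmt = LAYOUT[field]
    return struct.unpack_from("<" + fmt, mem, base + off)[0]

def put(mem, base, field, value):
    off, fmt = LAYOUT[field]
    struct.pack_into("<" + fmt, mem, base + off, value)

class ToyOS:
    """Stand-in for the running kernel (assumed rules): 'uses' an object, records
    which fields it reads, and reports whether the object is still valid."""
    def __init__(self):
        self.accessed = set()
    def use(self, mem, base):
        def rd(field):
            self.accessed.add(field)
            return get(mem, base, field)
        if rd("type") != TYPE_PROCESS or rd("size") != OBJ_SIZE // 8:
            return False
        pd = rd("page_dir")
        if pd == 0 or pd % PAGE:
            return False
        rd("flink"); rd("pid"); rd("name")   # read, but any value is tolerated
        return True

def profile(os_model, mem, bases):
    """Step 1: exercise known-good objects and collect the fields the OS touches."""
    for b in bases:
        if not os_model.use(mem, b):
            raise ValueError("known-good object rejected at 0x%x" % b)
    return sorted(os_model.accessed)

def fuzz_essential(os_model, mem, base, fields, trials=64, seed=1):
    """Step 2: a profiled field is essential if corrupting it almost always
    makes the OS reject the object."""
    rng = random.Random(seed)
    essential = []
    for f in fields:
        off, fmt = LAYOUT[f]
        n = struct.calcsize(fmt)
        broken = 0
        for _ in range(trials):
            m = bytearray(mem)
            m[base + off:base + off + n] = bytes(rng.getrandbits(8) for _ in range(n))
            broken += not os_model.use(m, base)
        if broken >= 0.9 * trials:
            essential.append(f)
    return essential

def build_signature(mem, bases, essential):
    """Step 3: one constraint per essential field, learned from the good samples:
    a constant where all agree, else 'nonzero and at least as aligned as observed'."""
    sig = []
    for f in essential:
        vals = [get(mem, b, f) for b in bases]
        if len(set(vals)) == 1:
            sig.append((f, ("eq", vals[0])))
        elif all(isinstance(v, int) for v in vals):
            sig.append((f, ("aligned_nonzero", min(v & -v for v in vals))))
        else:
            sig.append((f, ("in", set(vals))))
    return sig

def matches(mem, base, sig):
    for f, (kind, arg) in sig:
        v = get(mem, base, f)
        if (kind == "eq" and v != arg) or (kind == "in" and v not in arg):
            return False
        if kind == "aligned_nonzero" and (v == 0 or v % arg):
            return False
    return True

def scan(mem, sig, step=8):
    """Step 4: carve every aligned offset of the image against a signature."""
    return [b for b in range(0, len(mem) - OBJ_SIZE + 1, step) if matches(mem, b, sig)]

# Handmade signature of the brittle kind: keys on the allocator tag (constructed).
BRITTLE_SIG = [("type", ("eq", TYPE_PROCESS)), ("pool_tag", ("eq", b"Proc"))]

def build_image():
    """Constructed image: three processes, the third unlinked by DKOM and its
    non-essential pool tag scrubbed, so tag-based scanners miss it."""
    mem = bytearray(b"\xCC" * 0x100)   # filler standing in for unrelated kernel data
    procs = {0x20: (4, b"init    ", 0x00185000), 0x60: (812, b"sshd    ", 0x0A7C3000),
             0xA0: (1337, b"rootkit ", 0x03F19000)}
    bases = sorted(procs)
    for i, b in enumerate(bases):
        pid, name, pd = procs[b]
        for f, v in (("type", TYPE_PROCESS), ("size", OBJ_SIZE // 8), ("flags", 0),
                     ("flink", bases[(i + 1) % 3]), ("blink", bases[i - 1]), ("pid", pid),
                     ("pool_tag", b"Proc"), ("page_dir", pd), ("name", name)):
            put(mem, b, f, v)
    put(mem, 0x60, "flink", 0x20); put(mem, 0x20, "blink", 0x60)   # DKOM unlink
    put(mem, 0xA0, "flink", 0); put(mem, 0xA0, "blink", 0)
    put(mem, 0xA0, "pool_tag", b"\0\0\0\0")                       # evade tag scanner
    return mem

def run():
    mem, good = build_image(), [0x20, 0x60]          # only the listed objects are known
    used = profile(ToyOS(), mem, good)
    essential = fuzz_essential(ToyOS(), mem, good[0], used)
    robust = build_signature(mem, good, essential)
    return {"profiled": used, "essential": essential, "robust_sig": robust,
            "brittle_hits": scan(mem, BRITTLE_SIG), "robust_hits": scan(mem, robust)}

if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

The run shows the distinction the abstract draws: `flink`, `pid` and `name` are read by the OS (they survive profiling) but tolerate any value, so they drop out of the fuzzing step and a rootkit can rewrite them freely; only `type`, `size` and `page_dir` survive, and the signature built from them still finds the unlinked object at 0xA0 that the pool-tag signature misses.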