Countering Kernel Rootkits with Lightweight Hook Protection
Zhi Wang @ NCSU, Xuxian Jiang @ NCSU
Weidong Cui @ Microsoft Research, Peng Ning @ NCSU
ACM CCS’09
Advanced Defense Lab @ National Central Univ.
Introduction: Prior research
- Behaviors
- Symptoms
- Kernel code integrity
- Return-oriented rootkits ("Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms", USENIX Security '09)
Introduction: Better solution
- Preserve kernel code integrity by preserving kernel control-flow integrity
- Kernel control data: return addresses, function pointers
- Function pointers == kernel hooks (in this paper)
Introduction: Hardware-based page-level protection
- Limited number of kernel hooks
- Hooks are not co-located with frequently modified memory data
Introduction: HookSafe
- Hypervisor-based
- Lightweight
- Protects all kernel hooks
- Byte-level granularity
Introduction
[Figure] Distribution of 5881 kernel hooks in a running Ubuntu system
HookSafe Design
Offline Hook Profiler
- Profile the guest kernel execution and output a hook access profile for each protected hook
- Hook Access Points (HAPs)
Online Hook Protector
- Create a shadow copy of all protected hooks
- Implement HAP redirection
HookSafe Design
[Figure] The HookSafe architecture
HookSafe Design: Offline Hook Profiling
- Static analysis: more complete, less precise
- Dynamic analysis: more precise
- QEMU: monitors every memory access instruction
HookSafe Design: Online Hook Protection
HookSafe Design: Online Hook Protection - Initialization
- At boot time: create the shadow copy
- Patch the HAPs (requires hypervisor support)
HookSafe Design: Online Hook Protection - Runtime R/W Indirection
- Read: read from the shadow copy and return
- Write: make a hypercall; validate the request; update the shadow copy if valid
HookSafe Design: Online Hook Protection - Runtime Tracking of Dynamically Allocated Hooks
- A dynamically allocated hook is embedded in a dynamic kernel object
- Hypercall when a kernel object containing a hook is allocated
- Create the shadow copy of the hook
HookSafe Design: Hardware Register Protection
- GDTR, IDTR, DR0-DR7
- Hardware-based page-level protection
Implementation: Offline Hook Profiler
- QEMU binary translation: if an instruction accesses any kernel hook in the given list, mark it as an HAP and log the value
- Dynamically allocated kernel hook: track the creation of the kernel object and locate the hook
- Output: hook access profile
Implementation
[Figure] An example access profile related to the ext3_dir_operations->readdir kernel hook
Implementation: Hook Indirection - HAP Patching
- Overwrite the HAP instruction with a 5-byte jmp instruction that jumps to trampoline code
- Instruction > 5 bytes: fill the remaining space with NOP instructions
- Instruction < 5 bytes: overwrite the subsequent instruction as well
Implementation
[Figure] The implementation of hook indirection
Implementation
Implementation: Hook Indirection - HAP Patching (special cases)
- HAP after HAP
- The second instruction is a target of a jump instruction
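The HAP patching rules on the two slides above (a 5-byte jmp, NOP padding when the HAP instruction is longer, swallowing the following instruction when it is shorter, and refusing the simple patch when a swallowed instruction is a jump target or itself a HAP) can be written down as a small planner. The code below is an added example, not HookSafe's code; it assumes a 32-bit x86 guest as in the paper, and it assumes the offline profiler or a disassembler supplies the instruction lengths, the jump-target list and the HAP list. All addresses and lengths in the check functions are constructed sample values.

```c
/* Added example (not HookSafe's code): plan the 5-byte jmp patch written at a
 * hook access point (HAP). 32-bit addresses as in the paper's x86 Linux guest.
 * Instruction lengths, jump targets and HAP addresses are assumed to come
 * from the offline profiler/disassembler; sample values here are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define JMP_REL32_LEN 5      /* opcode E9 + rel32 */
#define NOP           0x90
#define MAX_PATCH     16

struct hap_patch {
    uint8_t bytes[MAX_PATCH];  /* bytes to write at the HAP */
    size_t  len;               /* how many original bytes they replace */
    size_t  moved_insns;       /* following instructions also overwritten */
};

static int addr_in(uint32_t a, const uint32_t *set, size_t n) {
    for (size_t i = 0; i < n; i++) if (set[i] == a) return 1;
    return 0;
}

/* rel32 is measured from the end of the jmp instruction itself; unsigned
 * wrap-around yields the right two's-complement value for backward jumps. */
static void encode_jmp_rel32(uint8_t out[JMP_REL32_LEN], uint32_t from, uint32_t to) {
    uint32_t rel = to - (from + JMP_REL32_LEN);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Returns 0 and fills *out on success. Returns -1 when covering 5 bytes would
 * overwrite a following instruction that is a jump target or itself a HAP
 * (the "HAP after HAP" case), or when too few instruction lengths are known. */
int plan_hap_patch(uint32_t hap_addr, const uint8_t *insn_len, size_t n_insn,
                   const uint32_t *jump_targets, size_t n_targets,
                   const uint32_t *hap_addrs, size_t n_haps,
                   uint32_t trampoline, struct hap_patch *out)
{
    size_t covered = 0, i = 0;
    uint32_t addr = hap_addr;
    while (covered < JMP_REL32_LEN) {
        if (i >= n_insn) return -1;
        if (i > 0 && (addr_in(addr, jump_targets, n_targets) ||
                      addr_in(addr, hap_addrs, n_haps)))
            return -1;              /* control could enter mid-patch: unsafe */
        covered += insn_len[i];
        addr    += insn_len[i];
        i++;
    }
    if (covered > MAX_PATCH) return -1;
    encode_jmp_rel32(out->bytes, hap_addr, trampoline);
    /* HAP longer than 5 bytes: pad the leftover space with NOPs */
    memset(out->bytes + JMP_REL32_LEN, NOP, covered - JMP_REL32_LEN);
    out->len = covered;
    out->moved_insns = i - 1;
    return 0;
}

/* Constructed scenarios; each returns 1 when the planner behaves as expected. */
int check_long_hap(void) {             /* 6-byte HAP: jmp + one NOP */
    const uint8_t lens[] = { 6 };
    const uint8_t want[] = { 0xE9, 0xFB, 0xFF, 0x0F, 0x00, 0x90 };
    struct hap_patch p;
    if (plan_hap_patch(0xC0100000u, lens, 1, NULL, 0, NULL, 0, 0xC0200000u, &p)) return 0;
    return p.len == 6 && p.moved_insns == 0 && memcmp(p.bytes, want, 6) == 0;
}
int check_short_hap(void) {            /* 3-byte HAP swallows the next 2-byte instruction */
    const uint8_t lens[] = { 3, 2 };
    const uint8_t want[] = { 0xE9, 0xFB, 0x00, 0x00, 0x00 };
    struct hap_patch p;
    if (plan_hap_patch(0xC0100000u, lens, 2, NULL, 0, NULL, 0, 0xC0100100u, &p)) return 0;
    return p.len == 5 && p.moved_insns == 1 && memcmp(p.bytes, want, 5) == 0;
}
int check_jump_target_refused(void) {  /* second instruction is a jump target */
    const uint8_t lens[] = { 3, 2 };
    const uint32_t targets[] = { 0xC0100003u };
    struct hap_patch p;
    return plan_hap_patch(0xC0100000u, lens, 2, targets, 1, NULL, 0, 0xC0100100u, &p) == -1;
}
int check_hap_after_hap_refused(void) { /* second instruction is itself a HAP */
    const uint8_t lens[] = { 3, 2 };
    const uint32_t haps[] = { 0xC0100000u, 0xC0100003u };
    struct hap_patch p;
    return plan_hap_patch(0xC0100000u, lens, 2, NULL, 0, haps, 2, 0xC0100100u, &p) == -1;
}
```

The planner only decides what bytes to write; in HookSafe the write itself goes through the hypervisor, which is why the design slide says HAP patching requires hypervisor support. Refusing the two special cases, rather than silently moving a jump target, is the conservative choice a defender wants: a patch that leaves a stale entry point inside the jmp would break the guest.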
Implementation: Read/Write Indirection
- Detection: Read - compare the original hook with the shadow copy
- Write - update both
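The runtime R/W indirection from the design slides (read from the shadow copy; write via a validated hypercall) and the detection rule on this slide (a read compares the original hook with the shadow copy, a write updates both) can be modelled together in user space. The following is an added example, not HookSafe's code: the "hypercall" is an ordinary function, the shadow copy is a plain variable instead of hypervisor-protected memory, and the validation policy (the new value must be one of a fixed set of trusted targets) is an assumption standing in for whatever policy the real validator applies. The hook targets and scenarios are constructed.

```c
/* Added example (not HookSafe's code): user-space model of HookSafe's
 * read/write indirection for one protected kernel hook. The hypercall,
 * validation policy and hook targets are assumptions of this example. */
#include <stddef.h>
#include <stdio.h>

typedef void (*hook_fn)(void);

/* Hypothetical kernel functions that are legitimate hook targets. */
static void legit_readdir_v1(void) {}
static void legit_readdir_v2(void) {}
/* A function outside the trusted set, standing in for an unauthorized target. */
static void untrusted_target(void) {}

/* A protected hook: the original slot inside the kernel object, and the
 * shadow copy (hypervisor-protected memory in HookSafe; a variable here). */
struct protected_hook {
    hook_fn *original;
    hook_fn  shadow;
};

/* Assumed validation policy used by the simulated hypercall. */
static const hook_fn trusted_targets[] = { legit_readdir_v1, legit_readdir_v2 };

static int hypercall_validate(hook_fn value) {
    for (size_t i = 0; i < sizeof trusted_targets / sizeof trusted_targets[0]; i++)
        if (trusted_targets[i] == value) return 1;
    return 0;
}

/* Read indirection: the patched HAP returns the shadow copy, never the slot. */
hook_fn hook_read(const struct protected_hook *h) { return h->shadow; }

/* Write indirection: hypercall, validate, then update shadow and original
 * ("update both"). Returns 1 if the write was applied, 0 if rejected. */
int hook_write(struct protected_hook *h, hook_fn value) {
    if (!hypercall_validate(value)) return 0;
    h->shadow = value;
    *h->original = value;
    return 1;
}

/* Detection on read: a mismatch between the original slot and the shadow
 * copy means the slot was changed without going through the write path. */
int hook_tampered(const struct protected_hook *h) {
    return *h->original != h->shadow;
}

/* Constructed scenarios; each returns 1 when the model behaves as expected. */
int scenario_valid_write(void) {
    hook_fn slot = legit_readdir_v1;
    struct protected_hook h = { &slot, slot };
    return hook_write(&h, legit_readdir_v2) == 1
        && hook_read(&h) == legit_readdir_v2
        && slot == legit_readdir_v2
        && !hook_tampered(&h);
}
int scenario_rejected_write(void) {
    hook_fn slot = legit_readdir_v1;
    struct protected_hook h = { &slot, slot };
    return hook_write(&h, untrusted_target) == 0
        && hook_read(&h) == legit_readdir_v1
        && slot == legit_readdir_v1
        && !hook_tampered(&h);
}
int scenario_direct_overwrite(void) {
    hook_fn slot = legit_readdir_v1;
    struct protected_hook h = { &slot, slot };
    slot = untrusted_target;   /* the slot is changed behind the HAP's back */
    /* The read path still returns the shadow value; detection fires. */
    return hook_tampered(&h) && hook_read(&h) == legit_readdir_v1;
}

int main(void) {
    printf("valid write: %d\nrejected write: %d\ndirect overwrite detected: %d\n",
           scenario_valid_write(), scenario_rejected_write(), scenario_direct_overwrite());
    return 0;
}
```

The third scenario is the point of the shadow copy: because every patched HAP reads the shadow rather than the slot, a change to the slot that bypassed the write path neither redirects control flow nor goes unnoticed, and the mismatch check is where HookSafe's detection comes from.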
Implementation: Runtime LKM and Hook Tracking
- SLAB interface
- LKM: virtual machine introspection
- Memory protection: shadow page table (SPT) in Xen
Evaluation
- Tested with 9 real-world rootkits
- UnixBench and ApacheBench
Evaluation
Evaluation
Evaluation: Performance
Top Related