ABSTRACT
Kernel rootkits, malicious software designed to compromise a running operating system kernel, are difficult to analyze and profile due to their elusive nature, the variety and complexity of their behavior, and the privilege level at which they run. However, a comprehensive kernel rootkit profile that reveals key aspects of the rootkit's behavior is helpful in aiding a detailed manual analysis by a human expert. In this paper we present PoKeR, a kernel rootkit profiler capable of producing multi-aspect rootkit profiles which include the revelation of rootkit hooking behavior, the exposure of targeted kernel objects (both static and dynamic), assessment of user-level impacts, as well as the extraction of kernel rootkit code. The system is designed to be deployed in scenarios which can tolerate high overheads, such as honeypots. Our evaluation results with a number of real-world kernel rootkits show that PoKeR is able to accurately profile a variety of rootkits ranging from traditional ones with system call hooking to more advanced ones with direct kernel object manipulation. The obtained profiles lead to unique insights into the rootkits' characteristics and demonstrate PoKeR's usefulness as a tool for rootkit investigators.