

LiveDM: Reliable Kernel Malware Defense using a Safe and Temporal View of Dynamic Kernel Memory

Dynamic kernel memory has been a favorite target of recent kernel malware due to the difficulty of determining the status of volatile dynamic kernel objects. Previous defense approaches used kernel memory mapping to identify dynamic kernel objects and check kernel integrity. The snapshot-based memory maps generated by these approaches are based on a view of kernel memory that may have been modified by kernel malware. In order to analyze sophisticated attacks such as data hiding via direct kernel object manipulation (DKOM), they make use of additional schemes such as data invariants in order to reveal anomalous memory states. Also, since the map generated from a memory snapshot reflects the memory status of only a single time instance, its usage is limited in dynamic analysis of kernel execution. We introduce a new mapping mechanism called allocation mapping which can systematically identify dynamic kernel objects, their types, and lifetimes by capturing kernel memory allocation and deallocation events. This system provides unique benefits in kernel malware detection and analysis: (1) a safe view wherein the identification of kernel data is resistant to the manipulation of memory contents and (2) a temporally accurate view that enables a map of all kernel objects to be used in temporal analysis of kernel execution. We demonstrate the effectiveness of this mapping in two application scenarios. First, we built a hidden kernel object detector that automatically detects challenging DKOM data hiding attacks of 10 kernel rootkits by using a safe view. Second, we present a temporal malware behavior monitor that systematically inspects and visualizes advanced malware behavior triggered by the manipulated dynamic kernel objects. Allocation mapping enables a reliable analysis of such behavior by guiding the inspection to the events only relevant to the attack.
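The following Python simulation is an added illustration of the two views the abstract contrasts, not code from the LiveDM project: an allocation map fed only by allocation/deallocation events (the safe, temporal view) against a pointer walk over a kernel linked list (the snapshot view a DKOM rootkit can rewrite). The event stream, object type names and addresses are constructed for the example; a real implementation would capture the events from a VMM.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class KernelObject:
    addr: int
    type_name: str
    alloc_time: int
    free_time: Optional[int] = None  # None while the object is live

class AllocationMap:
    """Built only from allocation/deallocation events (the 'safe view'): DKOM
    unlinking cannot hide an object; only a free ends its lifetime."""
    def __init__(self) -> None:
        self.live: Dict[int, KernelObject] = {}
        self.history: List[KernelObject] = []  # temporal view: all objects seen

    def on_alloc(self, addr: int, type_name: str, t: int) -> None:
        self.live[addr] = KernelObject(addr, type_name, t)
        self.history.append(self.live[addr])

    def on_free(self, addr: int, t: int) -> None:
        self.live.pop(addr).free_time = t

    def live_of_type(self, type_name: str) -> Set[int]:
        return {a for a, o in self.live.items() if o.type_name == type_name}

def walk_list(links: Dict[int, Optional[int]], head: int) -> Set[int]:
    """Snapshot view: follow 'next' pointers a rootkit can rewrite; cycle-safe."""
    seen, cur = set(), head
    while cur is not None and cur not in seen:
        seen.add(cur)
        cur = links.get(cur)
    return seen

def find_hidden(amap: AllocationMap, links, head: int, type_name: str) -> Set[int]:
    # Live in the allocation map but absent from the list walk => hidden.
    return amap.live_of_type(type_name) - walk_list(links, head)

def simulate_dkom_hiding() -> Set[int]:
    # Constructed event stream: tasks A,B,C allocated at t=1..3, linked A->B->C;
    # a scratch task allocated at t=4 is freed at t=5 and must not be reported.
    amap = AllocationMap()
    for t, addr in enumerate((0x1000, 0x2000, 0x3000), start=1):
        amap.on_alloc(addr, "task", t)
    amap.on_alloc(0x4000, "task", 4)
    amap.on_free(0x4000, 5)
    links = {0x1000: 0x2000, 0x2000: 0x3000, 0x3000: None}
    links[0x1000] = 0x3000  # DKOM: the rootkit unlinks B from the task list
    return find_hidden(amap, links, 0x1000, "task")  # -> {0x2000}
```

The freed scratch object shows why lifetimes matter: a snapshot scanner matching on memory contents could still see a task-shaped region at that address, while the event-driven map knows it is no longer live.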

Publications

  • “Reliable Kernel Malware Defense using a Safe and Temporal View of Kernel Memory”. Junghwan Rhee, Ryan Riley, Dongyan Xu, and Xuxian Jiang. To appear in the 13th International Symposium on Recent Advances in Intrusion Detection (RAID 2010), Ottawa, Canada, September 2010.
  • “LiveDM: Temporal Mapping of Dynamic Kernel Memory for Dynamic Kernel Malware Analysis and Debugging”. Junghwan Rhee and Dongyan Xu. CERIAS Technical Report 2010-02, February 2010.

People

livedm.1275073158.txt.gz · Last modified: 2010/05/28 14:59 by dxu