This shows you the differences between two versions of the page.
livedm [2010/05/28 15:03] dxu |
livedm [2010/09/27 14:54] (current) dxu |
Line 1: | Line 1: | ||
- | ====== LiveDM: Reliable Kernel Malware Defense using a Safe and Temporal View of Dynamic Kernel Memory ====== | + | ====== Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory ====== |
- | Dynamic kernel memory has been a favorite target of recent kernel | + | Dynamic kernel memory has been a popular target of recent kernel |
malware due to the difficulty of determining the status of volatile dynamic kernel | malware due to the difficulty of determining the status of volatile dynamic kernel | ||
- | objects. Previous defense approaches used kernel memory mapping to identify | + | objects. Some existing approaches use kernel memory mapping to identify |
dynamic kernel objects and check kernel integrity. The snapshot-based memory | dynamic kernel objects and check kernel integrity. The snapshot-based memory | ||
- | maps generated by these approaches are based on a view of kernel memory that | + | maps generated by these approaches are based on the kernel memory which may |
- | may have been modified by kernel malware. In order to analyze sophisticated | + | have been manipulated by kernel malware. In addition, because the snapshot only |
- | attacks such as data hiding via direct kernel object manipulation (DKOM), they | + | reflects the memory status at a single time instance, its usage is limited in temporal |
- | make use of additional schemes such as data invariants in order to reveal anomalous | + | kernel execution analysis. We introduce a new runtime kernel memory mapping |
- | memory states. Also, since the map generated from a memory snapshot reflects | + | scheme called allocation-driven mapping, which systematically identifies |
- | the memory status of only a single time instance, its usage is limited in | + | dynamic kernel objects, including their types and lifetimes. The scheme works by |
- | dynamic analysis of kernel execution. We introduce a new mapping mechanism | + | capturing kernel object allocation and deallocation events. Our system provides a |
- | called allocation mapping which can systematically identify dynamic kernel objects, | + | number of unique benefits to kernel malware analysis: (1) an un-tampered view |
- | their types, and lifetimes by capturing kernel memory allocation and deallocation | + | wherein the mapping of kernel data is unaffected by the manipulation of kernel |
- | events. This system provides unique benefits in kernel malware detection | + | memory and (2) a temporal view of kernel objects to be used in temporal analysis |
- | and analysis: (1) a safe view wherein the identification of kernel data is resistant | + | of kernel execution. We demonstrate the effectiveness of allocation-driven mapping |
- | to the manipulation of memory contents and (2) a temporally accurate view | + | in two usage scenarios. First, we build a hidden kernel object detector that |
- | that enables a map of all kernel objects to be used in temporal analysis of kernel | + | uses an un-tampered view to detect the data hiding attacks of 10 kernel rootkits |
- | execution. We demonstrate the effectiveness of this mapping in two application | + | that directly manipulate kernel objects (DKOM). Second, we develop a temporal |
- | scenarios. First, we built a hidden kernel object detector that automatically detects | + | malware behavior monitor that tracks and visualizes malware behavior triggered |
- | challenging DKOMdata hiding attacks of 10 kernel rootkits by using a safe view. | + | by the manipulation of dynamic kernel objects. Allocation-driven mapping enables |
- | Second, we present a temporal malware behavior monitor that systematically inspects | + | a reliable analysis of such behavior by guiding the inspection only to the |
- | and visualizes advanced malware behavior triggered by the manipulated | + | events relevant to the attack. |
- | dynamic kernel objects. Allocation mapping enables a reliable analysis of such | + | |
- | behavior by guiding the inspection to the events only relevant to the attack. | + | |
===== Publications ===== | ===== Publications ===== | ||
- | * "Reliable Kernel Malware Defense using a Safe and Temporal View of Kernel Memory". Junghwan Rhee, Ryan Riley, Dongyan Xu, and Xuxian Jiang. To appear in the 13th International Symposium on Recent Advances in Intrusion Detection (RAID 2010), Ottawa, Canada, September 2010 | + | * "Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory". Junghwan Rhee, Ryan Riley, Dongyan Xu, and Xuxian Jiang. In proceedings of the 13th International Symposium on Recent Advances in Intrusion Detection (RAID 2010), Ottawa, Canada, September 2010 |
- | * "LiveDM: Temporal Mapping of Dynamic Kernel Memory for Dynamic Kernel Malware Analysis and Debugging". Junghwan Rhee and Dongyan Xu. CERIAS Technical Report 2010-02, February 2010. | + | * [[http://www.springerlink.com/content/a3w252328185412h/fulltext.pdf|Paper]] |
- | * [[https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2010-02.pdf|Paper]] in PDF format. | + | * [[http://www.cs.purdue.edu/homes/rhee/pubs/raid2010_slides.pdf|Slides]] |
+ | ===== Demo ===== | ||
+ | This video demonstrates dynamic changes of the kernel memory map and detection of kernel rootkits that hide dynamic kernel objects by manipulating pointers. | ||
+ | * Main technique: Live kernel object map | ||
+ | * Applications: Hidden PCB and kernel driver detector | ||
+ | * Note: some parts of a video clip are trimmed to reduce its play time. | ||
+ | * [[http://www.cs.purdue.edu/homes/rhee/pubs/raid2010_livedm.avi|Demo]] in AVI format | ||
+ | |||
===== People ===== | ===== People ===== |
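Review bot: the Publications list on the right side drops the CERIAS Technical Report 2010-02 entry and its PDF link (left side, "LiveDM: Temporal Mapping of Dynamic Kernel Memory for Dynamic Kernel Malware Analysis and Debugging") without carrying it over, so the earlier report version of this work is no longer cited anywhere on the page; consider keeping that bullet beside the RAID 2010 entry, since the new Paper link only points to the Springer version. The abstract rewrite also removes the left side's mention that snapshot-based approaches rely on data invariants to expose DKOM hiding, which was the concrete weakness motivating the un-tampered view; a short clause restoring that point would make the new text's "manipulated by kernel malware" claim easier to follow.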