automatic uncovering of tap points from kernel executions
play

Automatic Uncovering of Tap Points From Kernel Executions Junyuan - PowerPoint PPT Presentation

Feb 27, 2023 •108 likes •694 views

Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang Lin University of Texas at Dallas RAID 2016 Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary &

  1. Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang Lin University of Texas at Dallas RAID 2016

  2. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Kernel Tap Point An execution point , e.g., ◮ an instruction ◮ a function call ◮ a function called in a particular context where active kernel execution monitoring, e.g., creation, traversal, or deletion of ◮ processes ◮ sockets ◮ files ◮ other kernel objects can be performed 2 / 29

  3. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Why Uncoverying Them sys_fork(){ ... create_process(); ... } 3 / 29

  4. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Why Uncoverying Them sys_fork(){ ... create_process(); ... } Increasingly, kernel malware is using the internal functions (e.g., create_process ) to create kernel objects 3 / 29

  5. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Why Uncoverying Them sys_fork(){ ... create_process(); ... } Increasingly, kernel malware is using the internal functions (e.g., create_process ) to create kernel objects Identifying the internal functions or instructions will be useful in applications: ◮ Virtual machine introspection ◮ Kernel malware detection ◮ Kernel malware profiling 3 / 29

  6. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c14f33fd c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  7. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c14f33fd c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  8. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  9. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  10. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  11. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  12. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  13. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  14. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c24e0fe4 c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  15. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: Switched- ... to task c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c24e0fe4 c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  16. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: Switched- ... to task c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax Switched- ... from task c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c24e0fe4 c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  17. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Why Uncovering the Tap Points is Challenging Large code base of an OS kernel 1 ◮ Millions of instructions ◮ Hundrends of thousands of functions ◮ Tens of thousands of kernel objects Complicated control flow 2 ◮ Asynchronized events ⋆ Interrupts (e.g., timer, keystrokes) ◮ Non standard control flow ⋆ Exceptions (e.g., page fault) 5 / 29

  18. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Introducing A UTO T AP A UTO T AP : a system for A UTO matic uncovering of T AP points directly from kernel executions. 6 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Where the executions are Frank R. Baumgartner Introduction Data compiled on all US executions

Where the executions are Frank R. Baumgartner Introduction Data compiled on all US executions

Where the executions are Frank R. Baumgartner Introduction Data compiled on all US executions since 1976 as of April 11 2011, 1245 executions in total. Maps by county do not include 3 executions by the federal government not assigned to

371 views • 21 slides
Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Tao Xie

Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Tao Xie

Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Tao Xie David Notkin Dept. of Computer Science &amp; Engineering University of Washington, Seattle Nov. 2004 ICFEM 04, Seattle 1 of 24 Motivation

477 views • 25 slides
Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang

Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang

Introduction A RGOS Design Experimental Results Discussions &amp; Related Work Summary &amp; References Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang Lin Department of Computer Science

738 views • 53 slides
The Kernel Abstrac/on Main Points Process concept A

The Kernel Abstrac/on Main Points Process concept A

The Kernel Abstrac/on Main Points Process concept A process is the OS abstrac/on for execu/ng a program with limited privileges Dual-mode

785 views • 61 slides
Kernel matching with automatic bandwidth selection Ben Jann University of Bern,

Kernel matching with automatic bandwidth selection Ben Jann University of Bern,

Kernel matching with automatic bandwidth selection Ben Jann University of Bern, ben.jann@soz.unibe.ch 2017 London Stata Users Group meeting London, September 78, 2017 Ben Jann (University of Bern) Kernel matching London, 07.09.2017 1

943 views • 61 slides
Hierarchical Decompositions of Kernel Matrices Bill March On the job market! UT Austin Dec.

Hierarchical Decompositions of Kernel Matrices Bill March On the job market! UT Austin Dec.

Hierarchical Decompositions of Kernel Matrices Bill March On the job market! UT Austin Dec. 12, 2015 Joint work with Bo Xiao, Chenhan Yu, Sameer Tharakan, and George Biros Kernel Matrix Approximation x i R d i = 1 , . . . , N points

617 views • 26 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

240 views • 5 slides
CSCI 6730 / 4730 Really, the part of the system that runs in kernel mode (or need

CSCI 6730 / 4730 Really, the part of the system that runs in kernel mode (or need

Review : What is An Operating System? Key Points Software ( kernel ) that runs at all times CSCI 6730 / 4730 Really, the part of the system that runs in kernel mode (or need to). Operating Systems But note - there

192 views • 15 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Overview Preliminaries Kernel ridge regression Kernel -means clustering

476 views • 25 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Uncovering Interactions Between Moving Objects Gennady Andrienko &amp; Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko &amp; Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko &amp; Natalia Andrienko http://geoanalytics.net Monica Wachowicz &amp; Daniel Orellana Uncovering Interactions between Moving Objects Research Topic Research focus: interactions (

376 views • 26 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg Kroah-Hartman, David Herrmann, Daniel Mack, Lennart Poettering, Kay Sievers with help from Tejun Heo D-Bus in the Kernel Most newer OS designs started

1.35k views • 111 slides
Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda mulix@mulix.org IBM Haifa Research Lab Kernel Debugging, Haifux 2003 p.1/19 Kernel Debugging - Why? Why would we want to debug the kernel? after

308 views • 19 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
WARWICKSHIRE POLICE BUDGET 2020/21 and MTFP Police and Crime Panel Meeting 3 rd February 2020

WARWICKSHIRE POLICE BUDGET 2020/21 and MTFP Police and Crime Panel Meeting 3 rd February 2020

WARWICKSHIRE POLICE BUDGET 2020/21 and MTFP Police and Crime Panel Meeting 3 rd February 2020 A safer, more secure Warwickshire Budget 2020/21 2020/21 Home Office police finance settlement released 22 nd January 2020. Headline

188 views • 8 slides
Community Information and Consultation Session Environment Effect Statement draft Technical

Community Information and Consultation Session Environment Effect Statement draft Technical

Community Information and Consultation Session Environment Effect Statement draft Technical Studies Tuesday 17 July 2018 Welcome and Overview Time Item Presenter / Lead 7.00 pm - 7.15 pm Welcome and Overview of Proceedings Stephanie

1.31k views • 90 slides
COVID-19 Mitigation Overview NSCF VIRTUAL BOD MEETING 9 MAY 2020 COVID-19 Mitigation Overview

COVID-19 Mitigation Overview NSCF VIRTUAL BOD MEETING 9 MAY 2020 COVID-19 Mitigation Overview

COVID-19 Mitigation Overview NSCF VIRTUAL BOD MEETING 9 MAY 2020 COVID-19 Mitigation Overview As of April 30 COVID-19 Mitigation Portfolio Current financial status (Corpus); $5.5M; -$.8M (12%) YTD Foundation Financial Solvency Froze all

210 views • 4 slides
My Care, My Way Home First Newcastle under Lyme Health and Wellbeing Scrutiny Committee

My Care, My Way Home First Newcastle under Lyme Health and Wellbeing Scrutiny Committee

My Care, My Way Home First Newcastle under Lyme Health and Wellbeing Scrutiny Committee Scrutiny Committee Wednesday 30 th September 2015 Marcus Warnes, Interim Accountable Officer, North Staffordshire CCG Background My Care, My Way

480 views • 16 slides
Using 2 nd generation annual, hardseeded pasture legumes to meat lamb production targets in

Using 2 nd generation annual, hardseeded pasture legumes to meat lamb production targets in

Using 2 nd generation annual, hardseeded pasture legumes to meat lamb production targets in southern Australian mixed farming zone Lucy Watt 1,2 1 School of Animal and Veterinary Sciences, Charles Sturt University, Wagga Wagga 2 Graham

421 views • 18 slides
Intercropping in Scotland Why do it? Alison Karley Intercropping research in Scotland Funded

Intercropping in Scotland Why do it? Alison Karley Intercropping research in Scotland Funded

Intercropping in Scotland Why do it? Alison Karley Intercropping research in Scotland Funded by: The Scottish Governments Rural and Environment Science and Analytical Services Division The EU via the Horizon2020 Research and

317 views • 16 slides
THE DEVELOPMENT OF PLANT PROTEINS IN THE EUROPEAN UNION OPPORTUNITIES AND CHALLENGES 22 &amp; 23

THE DEVELOPMENT OF PLANT PROTEINS IN THE EUROPEAN UNION OPPORTUNITIES AND CHALLENGES 22 &amp; 23

THE DEVELOPMENT OF PLANT PROTEINS IN THE EUROPEAN UNION OPPORTUNITIES AND CHALLENGES 22 &amp; 23 NOVEMBER 2018 - VIENNA Commission Report on The Development of Plant Proteins in the European Union Rudolf Mgele, Deputy Director-

494 views • 13 slides
Umatilla County Adaptive Farms: An Economic Analysis Profile current agricultural production

Umatilla County Adaptive Farms: An Economic Analysis Profile current agricultural production

Umatilla County Adaptive Farms: An Economic Analysis Profile current agricultural production by region Describe likely adaptive farming operations Estimate the financial feasibility and economic effects of each type of adaptive

240 views • 10 slides

More recommend