countering kernel rootkits with lightweight hook
play

Countering Kernel Rootkits with Lightweight Hook Protection Michal - PowerPoint PPT Presentation

May 12, 2023 •37 likes •177 views

Countering Kernel Rootkits with Lightweight Hook Protection Michal Sekletar College of Engineering and Computer Science Orlando, FL April 2, 2012 Michal Sekletar (University of Central Florida) April 2, 2012 1 / 14 Acknowledgment

  1. Countering Kernel Rootkits with Lightweight Hook Protection Michal Sekletar College of Engineering and Computer Science Orlando, FL April 2, 2012 Michal Sekletar (University of Central Florida) April 2, 2012 1 / 14

  2. Acknowledgment ◮ Authors: ◮ Zhi Wang, NC State University ◮ Xuxian Jiang, NC State University ◮ Weidong Cui, Microsoft Research ◮ Peng Ning, NC State University ◮ 16th ACM Conference on Computer and Communications Security (CCS) ◮ November, 2009 Michal Sekletar (University of Central Florida) April 2, 2012 2 / 14

  3. Background – Rootkits ◮ Definition A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enables continued privileged access to a computer ◮ Ways of installation ◮ Automated ◮ Manual ◮ Infects target machine typically exploiting vulnerabilities in some other applications Michal Sekletar (University of Central Florida) April 2, 2012 3 / 14

  4. Background – Hooking ◮ Definition - Hook Function pointers, return addresses, e.g. ext3 dir operations->readdir ◮ Definition - Hooking Techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Michal Sekletar (University of Central Florida) April 2, 2012 4 / 14

  5. Contributions ◮ Design, implementation, and evaluation of HookSafe ◮ Hooksafe - Hypervisor-based lightweight system that can protect thousands of kernel hooks from being hijacked by kernel rootkits. ◮ Efficiency of defense against rootkits using HookSafe ◮ Low overhead introduced using the tool Michal Sekletar (University of Central Florida) April 2, 2012 5 / 14

  6. Problem Overview ◮ Classification of kernel rootkits 1. Kernel Object Hooking (KOH) - hijack kernel control flow 2. Dynamic Kernel Object Manipulation (DKOM) - modify dynamic data objects ◮ Majority of kernel rootkits are KOH rootkits (96%) ◮ Rootkit of type 1) can gain control over kernel execution 1. Code hooks 2. Data hooks - most common type ◮ Kernel hooks are scattered across kernel space ◮ Prior techniques are not suitable for protecting significant amount of hooks Michal Sekletar (University of Central Florida) April 2, 2012 6 / 14

  7. HookSafe Architecture Figure: The HookSafe Architecture ◮ Offline hook profiler ◮ Online hook protector Michal Sekletar (University of Central Florida) April 2, 2012 7 / 14

  8. Offline hook profiler ◮ Component profiles the guest kernel execution and outputs a hook access profile for each protected hook ◮ Dynamic analysis runs the target system on top of an emulator (e.g., QEMU) and monitors every memory access to derive the hook access instructions. ◮ Output of this analysis is hook access profile Figure: Hook access profile Michal Sekletar (University of Central Florida) April 2, 2012 8 / 14

  9. Online hook protector ◮ Multiple tasks ◮ Initialization ◮ Creates shadow copy of kernel hooks and loads indirection code layer ◮ Online patching of guest OS kernel ◮ Run-Time Read/Write Indirection ◮ Reads are indirected to shadow copy and returned ◮ On write hypervisor will validate record and update shadow hook if request is valid ◮ Run-Time tracking of dynamically allocated objects ◮ Hardware register protection ◮ Developed on Xen hypervisor Michal Sekletar (University of Central Florida) April 2, 2012 9 / 14

  10. Online hook protector - overview Figure: The architecture of online hook protection Michal Sekletar (University of Central Florida) April 2, 2012 10 / 14

  11. Online hook protector - overview Figure: The implementation of hook indirection Michal Sekletar (University of Central Florida) April 2, 2012 11 / 14

  12. Evaluation ◮ HookSafe tested against nine real-world rootkits ◮ HookSafe successfully prevented these rootkits from modifying the protected kernel hooks ◮ Very little overhead, around 6% Figure: Results of benchmarks Michal Sekletar (University of Central Florida) April 2, 2012 12 / 14

  13. Discussion ◮ Two major drawbacks 1. Coverage of dynamic analysis done by offline hook profiler 2. HookSafe assumes the prior knowledge of the set of kernel hooks that should be protected ◮ Solutions 1. Combine dynamic analysis with complementary approach - static analysis 2. Combine HookSafe with some other hook discovering tool, e.g. HookFinder, HookMap Michal Sekletar (University of Central Florida) April 2, 2012 13 / 14

  14. Questions? Michal Sekletar (University of Central Florida) April 2, 2012 14 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too

-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too

-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too seriously, I fuzz the Human brain! The capitalist "pig" degrees: Economics & MBA. Worked for the evil banking system! Security

833 views • 80 slides
-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who Am I Hold two degrees nobody likes these days: Economics & MBA. Ex-hacker for .pt banking system (www.sibs.pt). Security

1.16k views • 91 slides
Kernel Rootkits Don Porter Motivation (bad guys) Why take over a computer system? To

Kernel Rootkits Don Porter Motivation (bad guys) Why take over a computer system? To

Kernel Rootkits Don Porter Motivation (bad guys) Why take over a computer system? To get it to do (potentially illicit) work for you for free! E.g., send spam Stages of an attack Get on the system Get administrator

449 views • 16 slides
Enabling System Transactions via Lightweight Kernel Extensions R.P. Spillane, S. Gaikwad. M.

Enabling System Transactions via Lightweight Kernel Extensions R.P. Spillane, S. Gaikwad. M.

Enabling System Transactions via Lightweight Kernel Extensions R.P. Spillane, S. Gaikwad. M. Chinni, C.P. Wright, E. Zadok Stony Brook University http://www.fsl.cs.sunysb.edu/ Summary What is the design complexity of system transactions

288 views • 26 slides
SKEE: A Lightweight Secure Kernel level Execution Environment for ARM Ahmed M Azab, Kirk

SKEE: A Lightweight Secure Kernel level Execution Environment for ARM Ahmed M Azab, Kirk

SKEE: A Lightweight Secure Kernel level Execution Environment for ARM Ahmed M Azab, Kirk Swidowski, Rohan Bhutkar, Jia Ma, Wenbo Shen, Ruowen Wang, Peng Ning Samsung KNOX R&D, Samsung Research America Motivation Operating system kernels

543 views • 25 slides
Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN

Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN

Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN Computer Security Team EGI Technical Forum 2011, Lyon, France Outline Rootkits: Introduction Linux rootkits History Detection and monitoring

423 views • 26 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views • 43 slides
Creating Safer Schools & Communities WHO is Sandy Hook Promise Sandy Hook Promise (SHP) is a

Creating Safer Schools & Communities WHO is Sandy Hook Promise Sandy Hook Promise (SHP) is a

Creating Safer Schools & Communities WHO is Sandy Hook Promise Sandy Hook Promise (SHP) is a nonprofit Timothy Makris Executive Director organization led by several family members who lost loved ones at the Sandy Hook Elementary

340 views • 22 slides
Ana Barjasic CEO of Connectology How to hook an investor #StartupLighthouse @eu_lighthouse

Ana Barjasic CEO of Connectology How to hook an investor #StartupLighthouse @eu_lighthouse

Ana Barjasic CEO of Connectology How to hook an investor #StartupLighthouse @eu_lighthouse @startuplighthouse How to hook an investor Why investors dont invest? How to hook an investor RISK! How to hook an investor Source: European

109 views • 9 slides
Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Dealing with Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com Utrecht, 19 March 2016 Agenda Today 1. How do they get in 2. Why? 3. Malware types 4. In-depth: rootkits 5. Defenses 2

546 views • 35 slides
Strongly Coupled Physics and the Strong CP problem Anson Hook Stanford Anson Hook -

Strongly Coupled Physics and the Strong CP problem Anson Hook Stanford Anson Hook -

Strongly Coupled Physics and the Strong CP problem Anson Hook Stanford Anson Hook - hep-ph/1411.3325 + work in progress w/ S. Dimopoulos, G. Marques-Tavares, J. Huang Classical Strong CP problem Neutron contains an up quark and two down

801 views • 42 slides
Catcher Hook Up & Commissioning 23 rd October 2017 Executive Summary Vessel arrived in

Catcher Hook Up & Commissioning 23 rd October 2017 Executive Summary Vessel arrived in

Catcher Hook Up & Commissioning 23 rd October 2017 Executive Summary Vessel arrived in Nigg on 8 th October and was deployed in the field on 18 th October Removal of cone plate and hook-up with the buoy have been completed Hook-up

115 views • 7 slides
Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher

Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher

Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher Demystifying Modern Windows Rootkits Black Hat USA 2020 1 Who Am I? 18 years old Sophomore at the Rochester Institute of Technology Windows

847 views • 73 slides
Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nrnberg, Germany Rootkits Stealthy malware Hide attacker Modifying the OS

674 views • 53 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept will revolutionise the aviation industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight applications Patent Applied For

479 views • 12 slides
French Fuel Cycle Strategy and Transition Scenario Studies Frank Carr Jean-Michel Delbecq

French Fuel Cycle Strategy and Transition Scenario Studies Frank Carr Jean-Michel Delbecq

French Fuel Cycle Strategy and Transition Scenario Studies Frank Carr Jean-Michel Delbecq Outlook Outlook What are scenario studies? World scenario studies French scenario studies The French fuel cycle French strategy for

342 views • 33 slides
DESIGN OF LOW POWER VOLTAGE REGULATOR FOR RFID APPLICATIONS Josip Mikulic Niko Bako Adrijan

DESIGN OF LOW POWER VOLTAGE REGULATOR FOR RFID APPLICATIONS Josip Mikulic Niko Bako Adrijan

10.12.2015. UNIVERSITY OF ZAGREB FACULTY OF ELECTRICAL ENGINEERING AND COMPUTING DESIGN OF LOW POWER VOLTAGE REGULATOR FOR RFID APPLICATIONS Josip Mikulic Niko Bako Adrijan Baric MIDEM 2015, Bled Overview Introduction Voltage

409 views • 10 slides
Eddy Home Inc. www.eddyhome.com Take control of your water Eddy IQ meter Cellular technology

Eddy Home Inc. www.eddyhome.com Take control of your water Eddy IQ meter Cellular technology

Take control of your water Eddy Home Inc. www.eddyhome.com Take control of your water Eddy IQ meter Cellular technology that monitors your home's water usage to save you money, and protect your home from costly water damage. This

595 views • 12 slides
$ Circumventing Forensic Live-acquisition Tools > Rootkits for

$ Circumventing Forensic Live-acquisition Tools > Rootkits for

$ Circumventing Forensic Live-acquisition Tools > Rootkits for dubious defensive purposes > Yonne de Bruijn (yonne.debruijn@os3.nl) Digital Forensics $ retrieve

304 views • 27 slides
Detection of peer-to-peer botnets Matthew Steggink, Igor Idziejczak February 6, 2008 1 / 17

Detection of peer-to-peer botnets Matthew Steggink, Igor Idziejczak February 6, 2008 1 / 17

Outline Introduction & theory Research question Peacomm case study Detection Conclusion & future work Detection of peer-to-peer botnets Matthew Steggink, Igor Idziejczak February 6, 2008 1 / 17 Outline Introduction & theory

570 views • 17 slides
Vol., No., Article Title Authors Date Journal/Conference Name

Vol., No., Article Title Authors Date Journal/Conference Name

Vol., No., Article Title Authors Date Journal/Conference Name / Pages Vol. 2 , Password Memorability and Security A. Blackwell, R. Anderson, Sept.-Oct. 1 2020/06/01 Issue 5 , 25 - IEEE Security

342 views • 3 slides
What is all that crap? Analysis of DNS root server bogus queries Authors: Danil Snchez

What is all that crap? Analysis of DNS root server bogus queries Authors: Danil Snchez

RIPE Network Coordination Centre What is all that crap? Analysis of DNS root server bogus queries Authors: Danil Snchez & Joost Pijnaker Education: System & Network Engineering Supervisors: Cees de Laat (UvA) Daniel

959 views • 47 slides
Technology Neutrality, Technology Sovereignty and the Architect of Technology of 21st Century

Technology Neutrality, Technology Sovereignty and the Architect of Technology of 21st Century

Technology Neutrality, Technology Sovereignty and the Architect of Technology of 21st Century (High Level) Policy Dialogue Technology and Innovation Policy in the Age of Global Value Chain International Institute for Trade and Development

840 views • 22 slides

More recommend