multi aspect profiling of kernel rootkit behavior
play

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, - PowerPoint PPT Presentation

Oct 06, 2022 •143 likes •674 views

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nrnberg, Germany Rootkits Stealthy malware Hide attacker Modifying the OS

  1. Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nürnberg, Germany

  2. Rootkits • Stealthy malware • Hide attacker • Modifying the OS kernel in memory • Injecting new code • Injecting new code • Threat model: – “Root” privileges – Full memory access 2

  3. In the news… 3

  4. Rootkit techniques 4

  5. Rootkit techniques adore-ng • • Linux 2.4/2.6 Linux 2.4/2.6 • Kernel module • Adds “custom” functions 5 5

  6. Rootkit techniques adore-ng hp • • Linux 2.4/2.6 Linux 2.4/2.6 • • Linux 2.4 Linux 2.4 • Kernel module • Kernel module • Adds “custom” • Modifies kernel functions objects 6 6

  7. Profiling a rootkit? • Quickly reveal behavior • Tool for malware investigators • Honeypot environment • This is hard, rootkits are highly privileged! • This is hard, rootkits are highly privileged! 7

  8. Profiling: Determining behavior 1. What code does it run? 2. What kernel objects does it modify? 3. How does it modify control flow? 4. What system calls are affected at user- level? 8 8

  9. PoKeR: Architecture Virtual Machine Kernel Symbols & Kernel Object Types User-level Applications User-level Applications Kernel Object Kernel Object Log Guest Kernel Interpretation Interpretation Logging and Logging and Right-Before Context Context Detection Tracking Tracking Profile Profile Virtual Machine Monitor 9

  10. PoKeR: Architecture Logging and Logging and Right-Before Context Context Detection Tracking Tracking 10

  11. “Right before” detection? VM Applications Guest OS VMM VMM NICKLE Module Standard Shadow 11 11

  12. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Standard Shadow 12 12

  13. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Guest Kernel Instruction Fetch Standard Shadow 13 13

  14. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Standard Shadow 14 14

  15. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Other Memory Access Standard Shadow 15 15

  16. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Standard Shadow 16 16

  17. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Other Memory Access Guest Kernel Instruction Fetch Standard Shadow 17 17

  18. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Memory Access Standard Shadow 18 18

  19. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Memory Access Compare Standard Shadow 19 19

  20. What code does it run? • Compare standard and shadow memories – Extract code as – Extract code as you go 20 20

  21. PoKeR: Architecture Virtual Machine Kernel Symbols & Kernel Object Types User-level Applications User-level Applications Kernel Object Kernel Object Log Guest Kernel Interpretation Interpretation Logging and Logging and Right-Before Context Context Detection Tracking Tracking Profile Profile Virtual Machine Monitor 21

  22. Kernel Symbols & Kernel Object Types Kernel Object Kernel Object Log Interpretation Interpretation Logging and Logging and Context Context Tracking Tracking 22

  23. Logging and context tracking • Logging rootkit code… – Execution – Reads – Writes – Writes 23 23

  24. What kernel objects does it modify? • We have memory writes from rootkit code • Use static analysis to build a map – Kernel with debug symbols 24

  25. What about dynamic allocation? • Some objects are allocated dynamically 25 25

  26. What about dynamic allocation? • Some objects are allocated dynamically Static Objects Dynamic Objects task_struct task_struct init_task init_task 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11a0000 0xc11b0000 0xc11c0000 … … … 26 26

  27. Simple observation #1 Static Objects Dynamic Objects 27 27

  28. Simple observation #1 Static Objects Dynamic Objects 28 28

  29. Simple observation #2 • The rootkit is just as ignorant as we are • It will find dynamic objects by starting at static ones 29 29

  30. “Combat tracking” • Track rootkit reads • Build a map of dynamic memory • Reverse VMI 30 30

  31. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 31 31

  32. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid � 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 32 32

  33. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 33 33

  34. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 � next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 34 34

  35. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 � next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 35 35

  36. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 36 36

  37. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid � pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 37 37

  38. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 38 38

  39. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 � next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 39 39

  40. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 � next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 0xc11b0000 – task_struct 40 40

  41. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 0xc11b0000 – task_struct 41 41

  42. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 � pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 0xc11b0000 – task_struct 42 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tensor Decompositions for ensor Decompositions for Big Multi-aspect Data Big Multi-aspect Data

Tensor Decompositions for ensor Decompositions for Big Multi-aspect Data Big Multi-aspect Data

Tensor Decompositions for ensor Decompositions for Big Multi-aspect Data Big Multi-aspect Data Analytics Analytics Evangelos Evangelos (V (Vagelis) agelis) Papalexakis Papalexakis UC Riverside Second W Second Workshop of Mission-Critical

535 views • 42 slides
Profiling the Memory Usage of OCaml Applications without Changing their Behavior OCaml 2013

Profiling the Memory Usage of OCaml Applications without Changing their Behavior OCaml 2013

Profiling the Memory Usage of OCaml Applications without Changing their Behavior OCaml 2013 agdas Bozman 1 , 2 , 3 C Thomas Gazagnaire 1 Fabrice Le Fessant 2 Michel Mauny 3 OCamlPro 1 | INRIA 2 | ENSTA-ParisTech 3 Sept. 24 2013 - Boston (MA)

713 views • 18 slides
Profiling I nternet Backbone Traffic: Behavior Models and Applications Kuai Xu, Zhi-Li Zhang,

Profiling I nternet Backbone Traffic: Behavior Models and Applications Kuai Xu, Zhi-Li Zhang,

ACM SIGCOMM 2005 Profiling I nternet Backbone Traffic: Behavior Models and Applications Kuai Xu, Zhi-Li Zhang, and Supratik Bhattacharyya University of Minnesota Sprint ATL August 24, 2005 Why profile traffic? Changes in

709 views • 25 slides
Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry anthony.lineberry@gmail.com Black Hat Europe 2009 Overview What is a rootkit? Why is protec:on difficult? Current protec:on mechanisms/bypasses

638 views • 52 slides
Aspect-Oriented Programming and Aspect-J TDDD05 Ola Leifer Most slides courtesy of Jens

Aspect-Oriented Programming and Aspect-J TDDD05 Ola Leifer Most slides courtesy of Jens

Aspect-Oriented Programming and Aspect-J TDDD05 Ola Leifer Most slides courtesy of Jens Gustafsson and Mikhail Chalabine Outline: Aspect-Oriented Programming New concepts introduced Crosscutting concern Aspect Dynamic aspect

1.12k views • 50 slides
Spiking row-by-row FPGA Multi-kernel and Multi-layer Convolution Processor. Ricardo Tapiador

Spiking row-by-row FPGA Multi-kernel and Multi-layer Convolution Processor. Ricardo Tapiador

Spiking row-by-row FPGA Multi-kernel and Multi-layer Convolution Processor. Ricardo Tapiador Morales Robotic & Tech of Computers Lab, University of Seville ricardo@atc.us.es Convolutional neural networks ricardo@atc.us.es 2

370 views • 12 slides
ProfileDroid: Multi-layer Profiling of Android Applications Xuetao Wei Lorenzo Gomez Iulian

ProfileDroid: Multi-layer Profiling of Android Applications Xuetao Wei Lorenzo Gomez Iulian

ProfileDroid: Multi-layer Profiling of Android Applications Xuetao Wei Lorenzo Gomez Iulian Neamtiu Michalis Faloutsos How do we know what is occuring in an app? Description, connections, services? >550 000 apps on Goal - Complete app

723 views • 24 slides
Profiling Go Code FLAME GRAPHS Ram Nadella Online Marketplace CPU Flame Graph of Linux Kernel

Profiling Go Code FLAME GRAPHS Ram Nadella Online Marketplace CPU Flame Graph of Linux Kernel

Profiling Go Code FLAME GRAPHS Ram Nadella Online Marketplace CPU Flame Graph of Linux Kernel Flame Graphs Function call stacks Each cell => Function Width => cost of the function Colors have no meaning Flame Graphs

775 views • 28 slides
Ark: A Kernel For Multi-Paradigm Modeling MSDL Summer Presentation 2009 Xiaoxi Dong, MSDL,

Ark: A Kernel For Multi-Paradigm Modeling MSDL Summer Presentation 2009 Xiaoxi Dong, MSDL,

Ark: A Kernel For Multi-Paradigm Modeling MSDL Summer Presentation 2009 Xiaoxi Dong, MSDL, McGill University Content Intention of A kernel for multi-paradigm modeling Ark Overview: hierarchical modeling environment Ark breakdown:

540 views • 27 slides
Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in recovering and development processes Natalia Krynsky Baal , Coordinator, Joint IDP Profiling Service WHAT IS PROFILING? Defining profiling A

439 views • 12 slides
Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do Virtualization 101 Vitriol/Hyperjacking (and other HVM Rootkits) Why detecting HVMs arent as difficult as you think Pro Forma Punditry

428 views • 41 slides
PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS X U ETAO WEI LOREN Z O GOM EZ

PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS X U ETAO WEI LOREN Z O GOM EZ

PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS X U ETAO WEI LOREN Z O GOM EZ PROFESSOR I U LI AN N EAM T I U PROFESSOR M I CH ALI S FALOU T SOS U N I V ERSI T Y OF CALI FORN I A, RI V ERSI DE WE DEPEND ON SMARTPHONES MORE AND

316 views • 29 slides
Advanced Computer Graphics CS 525M: ProfileDroid: Multi layer Profiling of Android Applications

Advanced Computer Graphics CS 525M: ProfileDroid: Multi layer Profiling of Android Applications

Advanced Computer Graphics CS 525M: ProfileDroid: Multi layer Profiling of Android Applications Cheng Cheng Computer Science Dept. Worcester Polytechnic Institute (WPI) Motivation More and more people Android is an very use smartphones

548 views • 23 slides
Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of algorithms. Profiling techniques fall into two main categories: Instruction counting the number of times which particular instruction(s)

672 views • 19 slides
Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit

Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit

Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking

297 views • 17 slides
COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling Issues with current profilers Causal profiling COZ Overview and Implementation COZ Evaluation Comparison with Pivot Tracing

660 views • 23 slides
Do voluntary codes work? Whale-watching on the west coast August 2018 Hebridean Whale &

Do voluntary codes work? Whale-watching on the west coast August 2018 Hebridean Whale &

Do voluntary codes work? Whale-watching on the west coast August 2018 Hebridean Whale & Dolphin Trust 16 continuous years of boat-based survey effort 120,000 km surveyed 30,000 animals recorded Contributed to the identification and

413 views • 12 slides
Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts & Sciences Ubani A Balogun & Justin Klein Keane Security Intelligence HECTOR was developed out of a desire to leverage security

751 views • 25 slides
Hayes Park School Welcome to our Nursery! 07/06/2017 2 The Nursery Team Mrs

Hayes Park School Welcome to our Nursery! 07/06/2017 2 The Nursery Team Mrs

Hayes Park School Welcome to our Nursery! 07/06/2017 2 The Nursery Team Mrs Lorraine Rafferty Mrs Carly Skippins Ms Sarah Blakey Mrs Penny Woodman Nursery Nurse Nursery Nurse

477 views • 24 slides
Annotation for Arabic Information Retrieval Ashraf I. Kaloub Rebhi S. Baraka Alaqsa-Community

Annotation for Arabic Information Retrieval Ashraf I. Kaloub Rebhi S. Baraka Alaqsa-Community

Automatic Ontology-Based Document Annotation for Arabic Information Retrieval Ashraf I. Kaloub Rebhi S. Baraka Alaqsa-Community College Faculty of Information Technology Khan Younis, Gaza Strip Islamic University of Gaza 1 The 3rd Palestinian

536 views • 31 slides
Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

IBWAS 2010 From Risk Awareness to Security Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December 2010 About me Senior Information Security Consultant / Auditor University Professor: Security,

447 views • 23 slides
CHOOSING WISELY WHOAMI @_yoav_ yoav at jfrog.com THE JFROG EXPERIENCE A fast running

CHOOSING WISELY WHOAMI @_yoav_ yoav at jfrog.com THE JFROG EXPERIENCE A fast running

CLOUD VENDORS CHOOSING WISELY WHOAMI @_yoav_ yoav at jfrog.com THE JFROG EXPERIENCE A fast running startup Doing cloud since 2009 2 cloud-based products JFrog Bintray JFrog Artifactory Cloud THE JFROG EXPERIENCE

406 views • 26 slides
WELCOME Thanks for taking the time to learn a little bit about RooLife Group. We hope this

WELCOME Thanks for taking the time to learn a little bit about RooLife Group. We hope this

WELCOME Thanks for taking the time to learn a little bit about RooLife Group. We hope this presentation provides you with some understanding of who we are and why were able to keep our clients so happy. While 2020 is off to a tumultuous

515 views • 20 slides
7 strategies for scaling product security QCon 2018 New York City Angelo Prado, Senior

7 strategies for scaling product security QCon 2018 New York City Angelo Prado, Senior

7 strategies for scaling product security QCon 2018 New York City Angelo Prado, Senior Director Jet.com | Walmart about me 12+ years of experience in software development and Leading Product Security teams at Jet.com, Salesforce and

895 views • 78 slides

More recommend