Multi-Aspect Profiling of Kernel Rootkit Behavior, Ryan Riley (PowerPoint PPT Presentation)



SLIDE 1

Multi-Aspect Profiling of Kernel Rootkit Behavior

Ryan Riley, Xuxian Jiang, Dongyan Xu

Purdue University, North Carolina State University

EuroSys 2009 Nürnberg, Germany

SLIDE 2

Rootkits

  • Stealthy malware
  • Hide the attacker
  • Modify the OS kernel in memory
  • Inject new code
  • Threat model:
    – “Root” privileges
    – Full memory access

SLIDE 3

In the news…

SLIDE 4

Rootkit techniques

SLIDE 5

Rootkit techniques

adore-ng
  • Linux 2.4/2.6
  • Kernel module
  • Adds “custom” functions

SLIDE 6

Rootkit techniques

adore-ng
  • Linux 2.4/2.6
  • Kernel module
  • Adds “custom” functions

hp
  • Linux 2.4
  • Kernel module
  • Modifies kernel objects

SLIDE 7

Profiling a rootkit?

  • Quickly reveal behavior
  • Tool for malware investigators
  • Honeypot environment
  • This is hard, rootkits are highly privileged!

SLIDE 8

Profiling: Determining behavior

  1. What code does it run?
  2. What kernel objects does it modify?
  3. How does it modify control flow?
  4. What system calls are affected at user-level?

SLIDE 9

PoKeR: Architecture

[Diagram. Inside the Virtual Machine: User-level Applications running on the Guest Kernel. Inside the Virtual Machine Monitor: Right-Before Detection and Logging and Context Tracking, which produce a Log. Kernel Object Interpretation consumes the Log together with the Kernel Symbols & Kernel Object Types and produces the Profile.]

SLIDE 10

PoKeR: Architecture

[Same diagram as slide 9, with the Logging and Context Tracking and Right-Before Detection components inside the VMM highlighted.]

SLIDES 11–19

“Right before” detection?

[Animation over slides 11–19. Layers, top to bottom: Applications, Guest OS, VM, VMM. Inside the VMM sits the NICKLE module, which keeps two copies of guest memory, a standard memory and a shadow memory. Every guest memory access passes through the NICKLE module: a guest kernel instruction fetch is served from the shadow memory, any other access from the standard memory. On a kernel instruction fetch the two copies are compared, so kernel code that is present in the standard memory but not in the shadow memory is detected right before it executes.]

SLIDE 20

What code does it run?

  • Compare standard and shadow memories
    – Extract code as you go

SLIDE 21

PoKeR: Architecture

[Architecture diagram again, as on slide 9.]

SLIDE 22

PoKeR: Architecture

[Same diagram, with the Kernel Symbols & Kernel Object Types, Logging and Context Tracking, Log and Kernel Object Interpretation components highlighted.]

SLIDE 23

Logging and context tracking

  • Logging rootkit code…
    – Execution
    – Reads
    – Writes
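The following Python model is added here as an example and is not code from the PoKeR or NICKLE projects. It puts the mechanism of slides 11–20 and the logging of slide 23 in one place: a standard and a shadow copy of guest memory, a kernel instruction fetch that compares the two and extracts every differing byte as rootkit code, and read/write logging that is switched on only while execution is in rootkit context. All memory contents, addresses and opcode bytes are constructed, and the context rule (the most recent kernel fetch decides the context) is a simplification assumed for the example.

```python
"""Added example, not code from PoKeR or NICKLE: a toy model of the standard /
shadow memory split with 'right before' detection and context tracking.
Memory contents, addresses and opcode bytes are constructed."""
from typing import Dict, List, Tuple


class Monitor:
    """Toy VMM-side monitor over a small guest physical memory."""

    def __init__(self, standard: bytearray, shadow: bytearray) -> None:
        assert len(standard) == len(shadow)
        self.standard = standard      # memory the guest (and a rootkit) can write
        self.shadow = shadow          # assumed to hold only kernel code trusted at boot
        self.injected: Dict[int, int] = {}         # addr -> byte of rootkit code
        self.in_rootkit = False                     # current execution context
        self.log: List[Tuple[str, int, int]] = []   # (op, addr, value) while in rootkit

    def fetch(self, addr: int, size: int) -> bytes:
        """Guest kernel instruction fetch: compare the two copies first."""
        std = bytes(self.standard[addr:addr + size])
        shd = bytes(self.shadow[addr:addr + size])
        if std != shd:
            # Code that is not in the shadow copy is rootkit code: record it
            # byte by byte ("extract code as you go") and switch context.
            for i, b in enumerate(std):
                self.injected[addr + i] = b
            self.in_rootkit = True
        else:
            self.in_rootkit = False
        # Profiling mode (assumption for this example): let the injected code run
        return std

    def read(self, addr: int, size: int = 4) -> int:
        value = int.from_bytes(self.standard[addr:addr + size], "little")
        if self.in_rootkit:
            self.log.append(("R", addr, value))
        return value

    def write(self, addr: int, value: int, size: int = 4) -> None:
        self.standard[addr:addr + size] = value.to_bytes(size, "little")
        if self.in_rootkit:
            self.log.append(("W", addr, value))

    def extracted_code(self) -> List[Tuple[int, bytes]]:
        """Coalesce extracted bytes into contiguous (start, bytes) regions."""
        regions: List[Tuple[int, bytes]] = []
        for addr in sorted(self.injected):
            byte = bytes([self.injected[addr]])
            if regions and regions[-1][0] + len(regions[-1][1]) == addr:
                regions[-1] = (regions[-1][0], regions[-1][1] + byte)
            else:
                regions.append((addr, byte))
        return regions


def demo() -> Tuple[List[Tuple[int, bytes]], List[Tuple[str, int, int]]]:
    shadow = bytearray(0x100)
    shadow[0x00:0x04] = b"\x90\x90\x90\xc3"          # trusted kernel code (constructed)
    standard = bytearray(shadow)
    standard[0x80:0x85] = b"\xb8\x01\x00\x00\x00"    # rootkit module loaded at 0x80
    m = Monitor(standard, shadow)
    m.fetch(0x00, 4)        # kernel code: matches shadow, kernel context
    m.read(0x40)            # not logged
    m.fetch(0x80, 5)        # differs from shadow: detected right before it runs
    v = m.read(0x40)        # logged as a rootkit read
    m.write(0x44, v + 1)    # logged as a rootkit write
    m.fetch(0x00, 4)        # back in kernel context
    m.write(0x48, 7)        # not logged
    return m.extracted_code(), m.log


if __name__ == "__main__":
    code, log = demo()
    for start, blob in code:
        print(f"rootkit code at {start:#x}: {blob.hex()}")
    for op, addr, value in log:
        print(f"{op} {addr:#x} = {value:#x}")
```

The routing on the slides serves kernel fetches from the shadow copy; the model returns the standard bytes instead so that the injected code actually executes and its reads and writes can be logged, which is the profiling use the deck describes. Only accesses made while the last fetched code was rootkit code end up in the log, which is what keeps the kernel's own work out of the profile.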

SLIDE 24

What kernel objects does it modify?

  • We have memory writes from rootkit code
  • Use static analysis to build a map
    – Kernel with debug symbols

SLIDES 25–26

What about dynamic allocation?

  • Some objects are allocated dynamically

[Diagram: Static Objects | Dynamic Objects. The static init_task at 0xc0300000 has next_task = 0xc11a0000. The dynamic task_struct at 0xc11a0000 (pid 1) has next_task = 0xc11b0000; the task_struct at 0xc11b0000 (pid 2) has next_task = 0xc11c0000.]

SLIDES 27–28

Simple observation #1

[Diagram: Static Objects | Dynamic Objects]

SLIDE 29

Simple observation #2

  • The rootkit is just as ignorant as we are
  • It will find dynamic objects by starting at static ones

SLIDE 30

“Combat tracking”

  • Track rootkit reads
  • Build a map of dynamic memory
  • Reverse VMI

SLIDES 31–46

Combat tracking example

[Animation over the task list of slide 26 (Static Objects: init_task at 0xc0300000; Dynamic Objects: task_struct at 0xc11a0000 with pid 1, task_struct at 0xc11b0000 with pid 2, whose next_task points on to 0xc11c0000). The Memory Map output grows as the rootkit reads pointers:
  1. Initially only the static object is known: 0xc0300000 – task_struct
  2. The rootkit reads init_task->next_task (0xc11a0000), so the map gains: 0xc11a0000 – task_struct
  3. It reads that object's next_task (0xc11b0000), so the map gains: 0xc11b0000 – task_struct
  4. The rootkit then writes to 0xc11b0056. Because 0xc11b0000 is now known to be a task_struct, the write is interpreted as task_struct->euid.]
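As an added example (not PoKeR's own code), here is combat tracking over a rootkit access log in Python, covering slides 24 and 29–46 and the hook case of slide 47: a static map seeded from the kernel's symbols, dynamic objects discovered from the pointer values the rootkit reads, and writes interpreted as object->field, including a write to a function-pointer field. The addresses follow slides 26 and 46; the task_struct and file_operations field offsets and sizes, the proc_root_operations object and the hook value 0xc8840120 are constructed for the example and are not the real kernel's.

```python
"""Added example, not code from PoKeR: combat tracking over a rootkit's
read/write log. The static map would come from the kernel's debug symbols;
the field layouts, sizes and most addresses below are constructed."""
from typing import Dict, List, Optional, Tuple

# type -> [(field, offset, size, pointee type or None)]; offsets are made up
LAYOUTS: Dict[str, List[Tuple[str, int, int, Optional[str]]]] = {
    "task_struct": [
        ("next_task", 0x40, 4, "task_struct"),
        ("prev_task", 0x44, 4, "task_struct"),
        ("pid",       0x50, 4, None),
        ("uid",       0x54, 2, None),
        ("euid",      0x56, 2, None),
    ],
    "file_operations": [
        ("readdir",   0x1c, 4, None),   # function pointer: a kernel hook target
    ],
}
SIZEOF = {"task_struct": 0x80, "file_operations": 0x40}   # constructed


class CombatTracker:
    """Map of known kernel objects: base address -> (type, path name)."""

    def __init__(self, static_objects: Dict[int, Tuple[str, str]]) -> None:
        self.objects: Dict[int, Tuple[str, str]] = dict(static_objects)

    def resolve(self, addr: int) -> Optional[Tuple[str, str, str]]:
        """Return (object name, type, field) for addr, or None if unknown."""
        for base, (typ, name) in self.objects.items():
            if not base <= addr < base + SIZEOF[typ]:
                continue
            for field, off, size, _ in LAYOUTS[typ]:
                if base + off <= addr < base + off + size:
                    return name, typ, field
            return name, typ, f"+0x{addr - base:x}"   # inside object, unnamed bytes
        return None

    def on_read(self, addr: int, value: int) -> Optional[str]:
        """A read of a pointer field reveals a dynamic object: add it to the map."""
        hit = self.resolve(addr)
        if hit is None:
            return None
        name, typ, field = hit
        for fname, _, _, pointee in LAYOUTS[typ]:
            if fname == field and pointee and value and value not in self.objects:
                self.objects[value] = (pointee, f"{name}->{field}")
                return f"{value:#010x} – {pointee}"
        return None

    def on_write(self, addr: int, value: int) -> str:
        """Interpret a rootkit write as object->field (or flag it as unknown)."""
        hit = self.resolve(addr)
        if hit is None:
            return f"W {value:#x} to unknown address {addr:#010x}"
        name, _, field = hit
        return f"W {value:#x} {name}->{field}"


def demo() -> Tuple[List[str], List[str]]:
    tracker = CombatTracker({
        0xc0300000: ("task_struct", "init_task"),                 # from slide 26
        0xc0301000: ("file_operations", "proc_root_operations"),  # constructed
    })
    # Constructed rootkit log (op, address, value): walk init_task's task list
    # twice, clear euid of the second task (slide 46), then plant a hook.
    rootkit_log = [
        ("R", 0xc0300040, 0xc11a0000),
        ("R", 0xc11a0040, 0xc11b0000),
        ("W", 0xc11b0056, 0x0),
        ("W", 0xc030101c, 0xc8840120),
    ]
    writes: List[str] = []
    for op, addr, value in rootkit_log:
        if op == "R":
            tracker.on_read(addr, value)
        else:
            writes.append(tracker.on_write(addr, value))
    memory_map = [f"{base:#010x} – {typ}" for base, (typ, _) in tracker.objects.items()]
    return memory_map, writes


if __name__ == "__main__":
    mm, ws = demo()
    print("\n".join(mm + ws))
```

The naming convention (init_task->next_task->next_task->euid) is the same path style the hp results on slide 49 use, and the hook write comes out as proc_root_operations->readdir without any special handling, which is why slide 47 calls control-flow hooks a subset of the kernel-object question. A write that lands outside every known object is reported as unknown rather than guessed, which is where combat tracking evasion (slide 51) would show up in practice.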

SLIDE 47

How does it modify control flow?

  • Kernel hooks
    – Function pointers
    – Part of existing data objects
    – Could be statically or dynamically allocated
    – This is a subset of the previous point…

SLIDE 48

Results – adore

  Name           Code        Kernel Objects Modified
  adore 0.42     770 instr   [illegible in this copy]
  adore 0.53     733 instr   [illegible in this copy]
  adore-ng 0.56  785 instr   [illegible in this copy]

SLIDE 49

Results – hp rootkit

  Action  Value       Kernel Object
  R       0xc677c000  pidhash[600]
  R       0x0000025a  pidhash[600]->pid
  R       0xc76d8000  pidhash[600]->next_task
  R       0xc6780000  pidhash[600]->prev_task
  W       0xc6780000  pidhash[600]->next_task->prev_task
  W       0xc76d8000  pidhash[600]->prev_task->next_task

(The two writes splice the task with pid 0x25a out of the doubly linked task list: its successor's prev_task is set to its predecessor, and its predecessor's next_task to its successor.)

SLIDE 50

Performance

[Bar chart: Normalized Slowdown (y axis, 1 to 7) for UnixBench and Kernel Compile, three series in chart order: QEMU (baseline, 1 and 1), PoKeR not profiling (1.28 and 1.17), PoKeR profiling (2.96 and 5.88).]

SLIDE 51

Limitations

  • Lack of formal completeness
  • Cannot reveal the reason for modifications
  • Combat tracking evasion
  • Assume VMM isolation
  • Kernel rootkits only

SLIDE 52

Related work

  • Panorama, CCS ’07
  • HookFinder, NDSS ’08
  • HookMap, RAID ’08
  • K-Tracer, NDSS ’09

SLIDE 53

Your three take aways…

  • PoKeR: virtualization-based rootkit profiler
  • Combat tracking allows us to track dynamic data objects
  • Tells what a rootkit does in order to help an expert determine why it does it