towards automatic inference of kernel object semantics
play

Towards Automatic Inference of Kernel Object Semantics from Binary - PowerPoint PPT Presentation

Sep 03, 2022 •204 likes •738 views

Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang Lin Department of Computer Science

  1. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang Lin Department of Computer Science University of Texas at Dallas RAID 2015 1 / 29

  2. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Kernel Data Structure (or Object) Semantics Concerning the meaning and the behavior of kernel data structures task_struct : process descriptor mm_struct : memory address space descriptor 2 / 29

  3. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Kernel Data Structure (or Object) Semantics Concerning the meaning and the behavior of kernel data structures task_struct : process descriptor mm_struct : memory address space descriptor Useful for a number of security applications. Virtual machine introspection [GR03] Kernel function reverse engineering 2 / 29

  4. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Why This is Challenging Challenges Semantics concern the meaning, which is even vague for 1 human beings. Kernel tends to have a large number of kernel objects. 2 Up to tens of thousands of dynamically created kernel objects. Hundreds of different semantics types. 3 / 29

  5. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Why This is Challenging Challenges Semantics concern the meaning, which is even vague for 1 human beings. Kernel tends to have a large number of kernel objects. 2 Up to tens of thousands of dynamically created kernel objects. Hundreds of different semantics types. Current Practice Merely relying on human beings to manually inspect kernel source code, kernel symbols, or kernel APIs to derive and annotate the semantics of the kernel objects. 3 / 29

  6. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Introducing A RGOS A RGOS : A utomatic R everse en G ineering of kernel O bject S emantics 4 / 29

  7. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Introducing A RGOS A RGOS : A utomatic R everse en G ineering of kernel O bject S emantics Key Features Recognizing and uncovering important kernel data 1 structures with semantics, directly from binary code General, working with a variety of (Linux) operating system 2 kernels. 4 / 29

  8. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Introducing A RGOS A RGOS : A utomatic R everse en G ineering of kernel O bject S emantics Key Features Recognizing and uncovering important kernel data 1 structures with semantics, directly from binary code General, working with a variety of (Linux) operating system 2 kernels. Key Principle Data use tells data semantics 4 / 29

  9. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Key Insights Starting from well-known knowledge 1 User level system call (syscall for short) specification Kernel level exported API specification Using execution context differencing 2 e.g., task_struct vs. mm_struct Encoding the semantics using a bit-vector 3 Which syscall (e.g., fork , open , mmap ) accessed How the object was accessed: 5 / 29

  10. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Key Insights Starting from well-known knowledge 1 User level system call (syscall for short) specification Kernel level exported API specification Using execution context differencing 2 e.g., task_struct vs. mm_struct Encoding the semantics using a bit-vector 3 Which syscall (e.g., fork , open , mmap ) accessed How the object was accessed: read write create destroy 5 / 29

  11. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References How A RGOS Works User space Kernel space Guest OS VMM 6 / 29

  12. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References How A RGOS Works Test cases User space Kernel space Guest OS VMM 6 / 29

  13. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References How A RGOS Works Test cases User space Kernel space Guest OS Syscall y Kernel API Specification Specification VMM 6 / 29

  14. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References How A RGOS Works Test cases User space Kernel space Guest OS Syscall y Kernel API Specification Specification Syscall Execution Syscall Context Identification VMM 6 / 29

  15. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References How A RGOS Works Test cases User space Kernel space Guest OS Syscall y Kernel API Specification Specification Syscall Object Creation, Execution Deletion Syscall Context Object Identification Tracking VMM 6 / 29

  16. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References How A RGOS Works Test cases User space Kernel space Guest OS Syscall y Kernel API Specification Specification Syscall Object Creation, Execution Deletion Syscall Context Object Identification Tracking Bit Vector Bit ‐ Vector Generation VMM 6 / 29

  17. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References How A RGOS Works Test cases User space Kernel space Guest OS Syscall y Kernel API Specification Specification Syscall Object Creation, Execution Deletion Syscall Context Object Identification Tracking Bit ‐ Vector Bit Vector Generation VMM Bit V Bit ‐ Vector t Result Bit ‐ vectors Interpreter 6 / 29

  18. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Object Tracking Test cases User space Kernel space Guest OS Syscall y Kernel API Specification Specification Syscall Object Creation, Execution Deletion Syscall Context Object Identification Tracking Bit ‐ Vector Bit Vector Generation VMM Bit V Bit ‐ Vector t Result Bit ‐ vectors Interpreter 7 / 29

  19. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Object Tracking Test cases User space Kernel space Guest OS Tracking the object life 1 Syscall y Kernel API Specification Specification Syscall Object Creation, time. Execution Deletion Assigning a static type to 2 Syscall Context Object Identification Tracking the dynamic object. Tracking the object size. Bit ‐ Vector Bit Vector 3 Generation VMM Tracking object relations. 4 Bit ‐ Vector Bit V t Result Bit ‐ vectors Interpreter 7 / 29

  20. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Object Tracking: Object Life Time An easy problem by hooking the corresponding kernel APIs Creation 1 kmem_cache_alloc kmalloc vmalloc Deletion 2 kmem_cache_free kfree vfree 8 / 29

  21. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Object Tracking: Object Life Time An easy problem by hooking the corresponding kernel APIs Creation 1 kmem_cache_alloc kmalloc vmalloc Deletion 2 kmem_cache_free kfree vfree We will use kmalloc/kfree to denote these functions. 8 / 29

  22. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Object Tracking: Assigning a Static Type The problem What we observe: each dynamic data structure (object) instance and their virtual addresses What we want: a static type associated to each instance 9 / 29

  23. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Object Tracking: Assigning a Static Type The problem What we observe: each dynamic data structure (object) instance and their virtual addresses What we want: a static type associated to each instance Typical approaches Using the call-site-chain from the top callers to kmalloc 1 (e.g., f → g → h → kmalloc ) May over-classify an object type Using the program counter (PC) that invokes kmalloc 2 (i.e., PC kmalloc ) May under-classify an object type (because of wrapper) 9 / 29

  24. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Object Tracking: Assigning a Static Type PC kmalloc approach A single kernel object (e.g., task_struct ) can often be 1 allocated in different calling contexts (e.g., vfork , clone ) → over-classify Experimental data 2 80.3% of the kernel objects have a direct mapping with PC kmalloc approach 97.5% of the objects over-classified with call-chain approach 10 / 29

  25. Introduction A RGOS Design Experimental Results Discussions & Related Work Summary & References Object Tracking: the Object Size The problem No size argument to many other kernel object allocation functions (e.g., kmem_cache_alloc ) 11 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Location Object Semantics James M. Polk draft-polk-geopriv-loc-object-semantics-00 18 Nov 02

Location Object Semantics James M. Polk draft-polk-geopriv-loc-object-semantics-00 18 Nov 02

Location Object Semantics James M. Polk draft-polk-geopriv-loc-object-semantics-00 18 Nov 02 Purpose of ID Give semantic intent of the Location Object described in: draft-polk-dhcp-geo-loc-option-00.txt Immediate Practical Use Emergency

219 views • 11 slides
Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

CSE340 Principles of Programming Languages Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x from this definition? f(x) = x Automatic Type Inference f(x) = x f is a function that takes a single

1.31k views • 73 slides
Aperitif: Relational semantics of loops Automatic program verification x by

Aperitif: Relational semantics of loops Automatic program verification x by

1 Aperitif: Relational semantics of loops Automatic program verification x by Lagrangian relaxation and x semidefinite programming Patrick Cousot 3 cole normale suprieure Relational semantics of

176 views • 13 slides
Defining the Semantics of Object-Oriented Languages Using Graph Transformations Daniele Sgandurra

Defining the Semantics of Object-Oriented Languages Using Graph Transformations Daniele Sgandurra

Introduction Semantics of a Object-Oriented Language Summary Defining the Semantics of Object-Oriented Languages Using Graph Transformations Daniele Sgandurra Department of Computer Science University of Pisa A Seminar for the Ph.D. Course

1.08k views • 79 slides
System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

CSCE Intro to Computer Systems System Programming in Windows System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles Processes, Jobs, Threads Synchronization Kernel Objects Whenever you want to

416 views • 13 slides
Outline First-order logic Syntax and semantics Inference First-order Logic

Outline First-order logic Syntax and semantics Inference First-order Logic

Outline First-order logic Syntax and semantics Inference First-order Logic Propositionalization with ground inference Lifted resolution CS 486/686 Sept 25, 2008 University of Waterloo 1 2 CS486/686 Lecture Slides (c)

81 views • 6 slides
Semantics S E T O N T F A R D Gabriele Keller Where we are So far - Judgements and

Semantics S E T O N T F A R D Gabriele Keller Where we are So far - Judgements and

Concepts of Program Design Semantics S E T O N T F A R D Gabriele Keller Where we are So far - Judgements and inference rules - Rule induction - Inference rules - Grammars specified using inference rules - Judgements and relations -

465 views • 18 slides
Knowledge Representation and Inference Recall semantics: Work with possible worlds and an

Knowledge Representation and Inference Recall semantics: Work with possible worlds and an

1 2 Knowledge Representation and Inference Recall semantics: Work with possible worlds and an accessibility relation between them. Thus: Soundness for modal inference a set S of possible worlds (states); Decision precedure for

337 views • 5 slides
First Order Logic B: Semantics, Inference, Proof CS171, Winter Quarter, 2019 Introduction to

First Order Logic B: Semantics, Inference, Proof CS171, Winter Quarter, 2019 Introduction to

First Order Logic B: Semantics, Inference, Proof CS171, Winter Quarter, 2019 Introduction to Artificial Intelligence Prof. Richard Lathrop Read Beforehand: R&N 8, 9.1-9.2, 9.5.1-9.5.5 Semantics: Worlds The world consists of objects

444 views • 43 slides
First Order Logic B: Semantics, Inference, Proof CS271P, Fall Quarter, 2018 Introduction to

First Order Logic B: Semantics, Inference, Proof CS271P, Fall Quarter, 2018 Introduction to

First Order Logic B: Semantics, Inference, Proof CS271P, Fall Quarter, 2018 Introduction to Artificial Intelligence Prof. Richard Lathrop Read Beforehand: R&N 8, 9.1-9.2, 9.5.1-9.5.5 Semantics: Worlds The world consists of objects that

1.12k views • 42 slides
Towards a Computer Algebra System with Automatic Differentiation for use with object-oriented

Towards a Computer Algebra System with Automatic Differentiation for use with object-oriented

3rd International Workshop on Equation-Based Object-Oriented Modeling Languages and Tools Oslo, 3 October 2010 Towards a Computer Algebra System with Automatic Differentiation for use with object-oriented modelling languages Joel Andersson

583 views • 44 slides
Monte Carlo Semantics McPIET at RTE-4: Robust Inference and Logical Pattern Processing Based on

Monte Carlo Semantics McPIET at RTE-4: Robust Inference and Logical Pattern Processing Based on

Monte Carlo Semantics McPIET at RTE-4: Robust Inference and Logical Pattern Processing Based on Integrated Deep and Shallow Semantics Richard Bergmair University of Cambridge Computer Laboratory Natural Language Information Processing Text

640 views • 39 slides
Monte Carlo Semantics Robust Inference and Logical Pattern Processing Based on Integrated Deep

Monte Carlo Semantics Robust Inference and Logical Pattern Processing Based on Integrated Deep

Monte Carlo Semantics Robust Inference and Logical Pattern Processing Based on Integrated Deep and Shallow Semantics Richard Bergmair University of Cambridge Computer Laboratory Natural Language Information Processing Flatlands Meeting, Jun-06

465 views • 20 slides
Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang

Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang

Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang Lin University of Texas at Dallas RAID 2016 Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary &

694 views • 58 slides
Automatic Realizations of Statically Safe Intra-Object Synchronization Schemes in MP-Eiffel

Automatic Realizations of Statically Safe Intra-Object Synchronization Schemes in MP-Eiffel

Motivation Basic Definitions MP-Eiffel Brief Presentation Intra-Object Synchronization Inter-Object Synchronization Other Issues Automatic Realizations of Statically Safe Intra-Object Synchronization Schemes in MP-Eiffel Miguel Oliveira e

379 views • 19 slides
Outline Introduction Object-Relationship-Attribute (ORA) Semantics in ER Model

Outline Introduction Object-Relationship-Attribute (ORA) Semantics in ER Model

Improving the Correctness of Some Database Research using ORA-Semantics Tok Wang Ling, Zhong Zeng, Mong Li Lee, Thuy Ngoc Le National University of Singapore ER 2016, Gifu, Japan Outline Introduction Object-Relationship-Attribute (ORA)

2k views • 132 slides
TCP/Generic Segmentation Offload and Its Application in Xen Herbert Xu Principal Software

TCP/Generic Segmentation Offload and Its Application in Xen Herbert Xu Principal Software

TCP/Generic Segmentation Offload and Its Application in Xen Herbert Xu Principal Software Engineer Red Hat Asia Pacific What is TSO? Faster Ethernet (Gigabit) => higher CPU load: 1500-byte Ethernet MTU set in 70's. Amount of data

279 views • 13 slides
Using TCP Through So c k ets Da vid Mazi eres dm@amsterdam.lcs.mit.edu 1 File

Using TCP Through So c k ets Da vid Mazi eres dm@amsterdam.lcs.mit.edu 1 File

Using TCP Through So c k ets Da vid Mazi eres dm@amsterdam.lcs.mit.edu 1 File descriptors 1 Most I/O on Unix systems tak es place through the and system calls . Before read write discussing net w ork I/O,

454 views • 24 slides
VK Multimedia Information Systems Mathias Lux, mlux@itec.uni-klu.ac.at Dienstags, 16.oo Uhr

VK Multimedia Information Systems Mathias Lux, mlux@itec.uni-klu.ac.at Dienstags, 16.oo Uhr

VK Multimedia Information Systems Mathias Lux, mlux@itec.uni-klu.ac.at Dienstags, 16.oo Uhr c.t., E.2.69 This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 2.0 License. See

1.08k views • 88 slides
Elites Tweet? Characterizing Verified Twitter Users Indraneil Paul (IIIT Hyderabad), Abhinav

Elites Tweet? Characterizing Verified Twitter Users Indraneil Paul (IIIT Hyderabad), Abhinav

Elites Tweet? Characterizing Verified Twitter Users Indraneil Paul (IIIT Hyderabad), Abhinav Khattar (IIIT Delhi), Shaan Chopra (IIIT Delhi), Ponnurangam Kumaraguru (IIIT Delhi), Manish Gupta (Microsoft India) Outline A: PROBLEM AND MOTIVATION

525 views • 33 slides
Formalisation in Constructive Type Theory of Barendregts Variable Convention for Generic

Formalisation in Constructive Type Theory of Barendregts Variable Convention for Generic

Formalisation in Constructive Type Theory of Barendregts Variable Convention for Generic Structures with Binders Ernesto Copello 1 Nora Szasz 2 lvaro Tasistro 2 1 Department of Computer Science The University of Iowa, USA 2 Facultad de

723 views • 55 slides
Learning Spatiotemporal Features with 3D Convolutional Networks Du Tran, Lubomir Bourdev, Rob

Learning Spatiotemporal Features with 3D Convolutional Networks Du Tran, Lubomir Bourdev, Rob

Learning Spatiotemporal Features with 3D Convolutional Networks Du Tran, Lubomir Bourdev, Rob Fergus, Lorenzo Torresani, Manohar Paluri ada BAK 29.03.16 Effective Video Descriptor Generic Can represent different types Compact

355 views • 20 slides
Change Tracking in Knowledge Organization Systems with skos-history Joachim Neubert & Osma

Change Tracking in Knowledge Organization Systems with skos-history Joachim Neubert & Osma

Change Tracking in Knowledge Organization Systems with skos-history Joachim Neubert & Osma Suominen ZBW Leibniz Information Centre for Economics, Kiel/Hamburg & The National Library of Finland, Helsinki DCMI/ASIST/AIMS Webinar

436 views • 40 slides
User-Defined Distributions and Layouts in Chapel Philosophy and Framework Brad Chamberlain,

User-Defined Distributions and Layouts in Chapel Philosophy and Framework Brad Chamberlain,

User-Defined Distributions and Layouts in Chapel Philosophy and Framework Brad Chamberlain, Steve Deitz, David Iten, Sung Choi Cray Inc. HotPAR 10 June 15, 2010 What is Chapel? A new parallel language being developed by Cray Inc.

670 views • 42 slides

More recommend