@ NCSU Zhi Wang @ NCSU @ NCSU Xuxian Jiang @ NCSU @ Microsoft Research Weidong Cui @ Microsoft Research @ NCSU Peng Ning @ NCSU ACM CCS’09

Countering Kernel Rootkits with Lightweight Hook Protection

Zhi Wang @ NCSUXuxian Jiang @ NCSU

Weidong Cui @ Microsoft ResearchPeng Ning @ NCSU

ACM CCS’09

Advanced Defense Lab @ National Central Univ.

2

OutlineIntroductionHookSafe DesignImplementationEvaluationRelated Work & Conclusion


3

IntroductionPrior research:

BehaviorsSymptomsKernel code integrity

Return-oriented rootkitsReturn-Oriented Rootkits

: Bypassing Kernel Code Integrity Protection Mechanisms @ Usenix Security ‘09

http://www.usenix.org/events/sec09/tech/full_papers/hund.pdf





4

IntroductionBetter solution…

Preserve kernel code integrity by preserving the kernel control flow integrity

Kernel control data: Return addresses Function pointers

Function pointers == kernel hooks (in this paper)


5

IntroductionHardware-based page-level protection

Limited number of kernel hooksHooks are not co-located together with

frequently modified memory data


6

IntroductionHookSafe

Hypervisor-basedLightweightProtect all kernel hooksByte-level granularity


7

Introduction

Distribution of 5881 kernel hooks in a running Ubuntu system


8

HookSafe DesignOffline Hook Profiler

Profile the guest kernel execution and output a hook access profile for each protected hook

Hook Access Points(HAPs)Online Hook Protector

Create a shadow copy of all protected hooksImplement HAPsRedirection


9

HookSafe Design

The HookSafe architecture


10

HookSafe DesignOffline Hook Profiling

Static analysis More complete; less precise

Dynamic analysis More precise

QEMU – monitoring every memory access instruction


11

HookSafe DesignOnline Hook Protection


12

HookSafe DesignOnline Hook Protection – Initialization

At Boot timeCreate shadow copyPatch the HAPs(requires the support of the

hypervisor)


13

HookSafe DesignOnline Hook Protection – Runtime R/W

IndirectionRead : read from the shadow copy and returnWrite :

Make a hypercall Validate the request Update the shadow copy if valid


14

HookSafe DesignOnline Hook Protection – Runtime Tracking

of Dynamic Allocated HooksA dynamic allocated hook is embedded in a

dynamic kernel objectHypercall while a kernel object containing a

hook is allocatedCreate the shadow copy of the hook


15

HookSafe DesignHardware Register Protection

GDTR, IDTR, DR0-DR7 Hardware-based page-level protection


16

ImplementationOffline Hook Profiler

QEMU – binary translationIf an instruction accesses any kernel hook in

the given list, mark it as an HAP and log the value

Dynamic allocated kernel hook: Track the creation of the kernel object and locate

the locationHook access profile


17

Implementation

An example access profile related to ext3_dir_operations->readdirkernel hook


18

ImplementationHook Indirection

HAP Patching Overwrite the instruction of HAP with a 5-byte jmp

instruction Jump to trampoline code > 5 bytes : Fill the space with NOP instructions < 5 bytes : overwrite the subsequent instruction


19

Implementation

The implementation of hook indirection


20

Implementation


21

ImplementationHook Indirection - HAP Patching

HAP after HAPThe second instruction is a target of jump

instruction


22

ImplementationRead/Write Indirection

Detection: Read – compare the original hook with shadow copy

Write – update both


23

ImplementationRuntime LKM and Hook Tracking

SLAB interfaceLKM

Virtual machine introspection

Memory ProtectionShadow page table (SPT) in Xen


24

EvaluationTest with 9 real-world rootkitsUnixBench and ApacheBench


25

Evaluation


26

Evaluation


27

EvaluationPerformance


28

Documents

@ NCSU Zhi Wang @ NCSU @ NCSU Xuxian Jiang @ NCSU @ Microsoft Research Weidong Cui @ Microsoft Research @ NCSU Peng Ning @ NCSU ACM CCS’09