SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures.

Authors: Xuxian Jiang, Dongyan Xu, Zhiqiang Lin, Junghwan Rhee, Xiangyu Zhang

DOI:

Keywords: Data structure, Rootkit, Inference, Invariant (mathematics), Exploit, Theoretical computer science, Robustness (computer science), Memory forensics, Reachability, Computer science

Abstract: Brute force scanning of kernel memory images for finding kernel data structure instances is an important function in many computer security and forensics applications. Brute force scanning requires effective, robust signatures of kernel data structures. Existing approaches often use the value invariants of certain fields as data structure signatures. However, they do not fully exploit the rich points-to relations between kernel data structures. In this paper, we show that such points-to relations can be leveraged to generate graph-based structural invariant signatures. More specifically, we develop SigGraph, a framework that systematically generates non-isomorphic signatures for data structures in an OS kernel. Each signature is a graph rooted at a subject data structure, with its edges reflecting the points-to relations with other data structures. Our experiments with a range of Linux kernels show that SigGraph-based signatures achieve high accuracy in recognizing kernel data structure instances via brute force scanning. We further show that SigGraph achieves better robustness against pointer value anomalies and corruptions, without requiring global memory mapping and object reachability. We demonstrate that SigGraph can be applied to memory forensics, rootkit detection, and kernel version inference.
