Graph-based signatures for kernel data structures

Authors: Zhiqiang Lin, Junghwan Rhee, Xiangyu Zhang, Dongyan Xu, Xuxian Jiang

DOI:

Keywords:

Abstract: Brute force scanning of kernel memory images for finding data structure instances is an important function in many computer security and forensics applications. Brute force scanning requires effective, robust signatures of kernel data structures. Existing approaches often use the value invariants of certain fields as data structure signatures. However, they do not fully exploit the rich points-to relations between kernel data structures. In this work, we show that such points-to relations can be leveraged to generate graph-based structural invariant signatures. More specifically, we develop SigGraph, a framework that systematically generates non-isomorphic signatures for data structures in an OS kernel. Each signature is a graph rooted at a subject data structure, with its edges reflecting the points-to relations with other data structures. Our experiments with a range of Linux kernels show that SigGraph-based signatures achieve high accuracy in recognizing kernel data structure instances via brute force scanning. We further show that SigGraph achieves better robustness against pointer value anomalies and corruptions, without requiring global memory mapping and object reachability. We demonstrate that SigGraph can be applied to memory forensics, kernel rootkit detection, and kernel version inference.

References (24)
Thomas Reps, Gogul Balakrishnan. Improved memory-access analysis for x86 executables. Compiler Construction, pp. 16-35 (2008). doi:10.1007/978-3-540-78791-4_2
William A. Arbaugh, Timothy Fraser, Nick L. Petroni, AAron Walters. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. USENIX Security Symposium, pp. 20- (2006).
Ryan Riley, Xuxian Jiang, Dongyan Xu. Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing. Recent Advances in Intrusion Detection, pp. 1-20 (2008). doi:10.1007/978-3-540-87403-4_1
William A. Arbaugh, Timothy Fraser, Nick L. Petroni, Jesus Molina. Copilot - a coprocessor-based kernel runtime integrity monitor. USENIX Security Symposium, pp. 13-13 (2004).
Anthony Cozzie, Hui Xue, Frank Stratton, Samuel T. King. Digging for data structures. Operating Systems Design and Implementation, pp. 255-266 (2008). doi:10.5555/1855741.1855759
Gogul Balakrishnan, Thomas Reps. Analyzing Memory Accesses in x86 Executables. Compiler Construction, pp. 5-23 (2006). doi:10.1007/978-3-540-24723-4_2
Gogul Balakrishnan, Thomas Reps. DIVINE: DIscovering Variables IN Executables. Lecture Notes in Computer Science, pp. 1-28 (2007). doi:10.1007/978-3-540-69738-1_1
Paul Movall, Shaun Wetzstein, Ward Nelson. Linux physical memory analysis. USENIX Annual Technical Conference, pp. 39-39 (2005).
Tal Garfinkel, Mendel Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. Network and Distributed System Security Symposium (2003).
Iain Sutherland, Jon Evans, Theodore Tryfonas, Andrew Blyth. Acquiring volatile operating system data tools and techniques. ACM SIGOPS Operating Systems Review, vol. 42, pp. 65-73 (2008). doi:10.1145/1368506.1368516