1 / 20

S igGraph : Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures

The 18 th Annual Network and Distributed System Security Symposium. S igGraph : Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures Zhiqiang Lin 1 Junghwan Rhee 1 , Xiangyu Zhang 1 , Dongyan Xu 1 , Xuxian Jiang 2. 1 Purdue University

neylan
Download Presentation

S igGraph : Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The 18th Annual Network and Distributed System Security Symposium SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures ZhiqiangLin1 Junghwan Rhee1, Xiangyu Zhang1, Dongyan Xu1, Xuxian Jiang2 1Purdue University 2North Carolina State University February 7th, 2011

  2. Problem Statement • Given a kernel data structure definition • Identifying instances of this data structure in a kernel memory image at arbitrary location structtask{ [0] structthread*thread; [4] structmemory*mm; [8] structsignal*signal; [12] structtask*parent; [16] intmagic_number; } task A simplified Linux Kernel task_struct

  3. Security Applications: Memory Forensics structuser_account { 00: short intu_type; 04: pid_tu_pid; 08: char u_line[32]; 40: char uid[4]; 44: char user[32]; 76: char password[128]; 204: char u_host[128]; 332: short inte_termination; 334: short inte_exit; 336: long intu_session; 340: structtimevalu_tv; 348: int32_t u_addr_v6[4]; } Password Password IPaddr Data structure signatures play a critical role in memory forensics

  4. Security Applications: Kernel Rootkit Defense Process A Process B Process C task_struct task_struct task_struct thread thread thread mm mm mm prev prev prev next next next

  5. State-of-the-art • Value-invariant signature schemes • Klist[Rutkowska,2003],GREPEXEC[bugcheck, 2006], Volatility [Walters, 2006], [Schuster, 2006], [Dolan-Gavitt et al., CCS’09] Invariant value can be changed? structtask{ [0] structthread*thread; [4] structmemory*mm; [8] structsignal*signal; [12] structtask*parent; [16] intmagic_number; } Field w/o value invariant? task [Dolan-Gavitt et al., CCS’09] magic_number=0xabcdef0f magic_number=0xabcdef0f

  6. Key Idea thread(*(x+0)) ∧mm(*(x+4)) ∧signal(*(x+8))∧task(*(x+12)) structtask{ [0] structthread*thread; [4] structmemory*mm; [8] structsignal*signal; [12] structtask*parent; }   task(x) task A x 12 0 1st layer 4 structthread{ [0] structtask*task; } 8 signal task thread mm B structmemory{ [0]structvma *mmap; [4] void (*map_area) (struct memory* mmap); } 0 0 0 4 2nd layer task structsignal { [0] structtask_status *status; } 3rd layer

  7. How to Use SigGraph 0xc001c0a8: 0xc002c0a8 0xc002bee0 0xc002caa0 0xc00ddbb0 ... 0xc002c0a8: 0xc12a0e7c 0xc727faa8 0xbfbb9195 0x00000009 ... 0xc002bee0: 0xc001c1140xc001c16c 0xffb29122 0x00201001 ... 0xc002caa0: 0xb002ca200xb021d00a0xc05b9f5c 0x00000000 ... 0xc00ddbb0: 0xc12a0e7c 0xc727faa8 0xc001c1140xc001c16c ... task task(0xc001c0a8) 12 0 4 8 thread signal task mm 0 0 4 0 12 0 4 8

  8. SigGraph Overview Signature Generator OS Data Structure Definitions Memory Dump Data structure Instances Graph- Signatures • structtask{ • [0] structthread*thread; • [4] structmemory*mm; • [8] structsignal*signal; • [12] structlist_head *prev; • [16] structlist_head *next; • } Brute-force Scanner Profiler (1) Compiler approach (2) Extracting from debug information (3) Reverse engineering kernel

  9. Signature Generator task • Challenge: Signatures must be unique, non-isomorphic among each other. 12 0 1st layer 4 8 signal task thread mm 0 0 0 4 2nd layer task 3rd layer

  10. Isomorphism structG{ ... [10] int* g; } structB { [0] E * b1; [4] B * b2; } structBB { [0] EE * bb1; [4] BB * bb2; } structEE { ... [12] GG * ee1; ... [24] HH * ee3; } structE { ... [12] G * e1; ... [24] H * e3; } structGG{ ... [4] char * gg1; [8] char * gg2; } BB B 0 4 BB 0 4 EE B E 12 24 12 24 GG HH G H 8 4 10

  11. Isomorphism A X 54 18 8 0 12 36 48 DD CC B Y C D BB structA { [0] structB * a1; ... [12] structC * a2; ... [18] structD * a3; } structX { ... [8] structY * x1; ... [36] structBB * x2; ... [48] structCC * x3; ... [54] structDD * x4; }

  12. Our Solution • Immediate pointer pattern (IPP): one-layer pointer structure as a string • Pointer expansion ‘ ’ IPP(T)= f1 · t1 · (f2 − f1) · t2 · ... · (fn − fn−1) · tn B structB { [0] E * b1; [4] B * b2; } 4 0 B E T B IPP(B)=0·E·4·B IPP(B) 0·E·4·(0·E·4·B)

  13. Problem Formulation IPP(T)=f1·t1·(f2−f1)·t2·...·(fn − fn−1)·tn Ignore the symbol type at specific layer A X 54 18 8 0 IPP(A)=0·B·12·C·6·D IPP(X)=8·Y·28·BB·12·CC·6·DD 12 36 48 DD CC B Y C D BB • Substring “If IPP(A) is a substring of IPP(X) ”

  14. Profiler • Practical pointer issues • null Pointer • void Pointer • Special Pointer • LIST_POISON1 (0x00100100) • LIST_POISON2 (0x00200200) • SPINLOCK_MAGIC (0xdead4ead) • Pruning a few noisy pointer fields does not degenerate the uniqueness of the graph-based signatures LiveDM[Rhee et al., RAID’10]

  15. Evaluation • Memory snapshot collection • QEMU • Ground truth acquisition • RedHat crash utility • Symbolic information • system.map • Profiling run • Long runs with typical workload crash-utility.redhat.com

  16. Evaluation on Memory Forensics crash-utility.redhat.com

  17. Application: Rootkit Detection ps lsmod

  18. Related Work • Kernel memory mapping and analysis • Copilot [Petroni et al., Security’04], [Petroni et al., CCS’07] • Gibraltar [Baliga et al., ACSAC’08] • KOP [Carbone et al.,CCS’09] • Memory forensics • Memory graph-based: Redhat crash utility, KOP • Value-invariant Signature: Klist[Rutkowska,2003],GREPEXEC [bugcheck, 2006], Volatility [Walters, 2006], [Schuster, 2006], [Dolan-Gavitt et al., CCS’09] • Dynamic heap type inference [Polishchuk et al., 2007]

  19. Conclusion • Points-to relations can be leveraged to generate graph-based signatures for brute force scanning • SigGraph, a framework that generates non-isomorphic structural-invariant signatures • Complements value-invariant signatures • Applications: • Kernel memory forensics • Kernel rootkit detection

  20. Q&A Thank you For more information {zlin,rhee,xyzhang,dxu}@cs.purdue.edu

More Related