S igGraph : Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures

1. The 18th Annual Network and Distributed System Security Symposium SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures ZhiqiangLin1 Junghwan Rhee1, Xiangyu Zhang1, Dongyan Xu1, Xuxian Jiang2 1Purdue University 2North Carolina State University February 7th, 2011

2. Problem Statement • Given a kernel data structure definition • Identifying instances of this data structure in a kernel memory image at arbitrary location structtask{ [0] structthread*thread; [4] structmemory*mm; [8] structsignal*signal; [12] structtask*parent; [16] intmagic_number; } task A simplified Linux Kernel task_struct

3. Security Applications: Memory Forensics structuser_account { 00: short intu_type; 04: pid_tu_pid; 08: char u_line[32]; 40: char uid[4]; 44: char user[32]; 76: char password[128]; 204: char u_host[128]; 332: short inte_termination; 334: short inte_exit; 336: long intu_session; 340: structtimevalu_tv; 348: int32_t u_addr_v6[4]; } Password Password IPaddr Data structure signatures play a critical role in memory forensics

4. Security Applications: Kernel Rootkit Defense Process A Process B Process C task_struct task_struct task_struct thread thread thread mm mm mm prev prev prev next next next

5. State-of-the-art • Value-invariant signature schemes • Klist[Rutkowska,2003],GREPEXEC[bugcheck, 2006], Volatility [Walters, 2006], [Schuster, 2006], [Dolan-Gavitt et al., CCS’09] Invariant value can be changed? structtask{ [0] structthread*thread; [4] structmemory*mm; [8] structsignal*signal; [12] structtask*parent; [16] intmagic_number; } Field w/o value invariant? task [Dolan-Gavitt et al., CCS’09] magic_number=0xabcdef0f magic_number=0xabcdef0f

6. Key Idea thread(*(x+0)) ∧mm(*(x+4)) ∧signal(*(x+8))∧task(*(x+12)) structtask{ [0] structthread*thread; [4] structmemory*mm; [8] structsignal*signal; [12] structtask*parent; }   task(x) task A x 12 0 1st layer 4 structthread{ [0] structtask*task; } 8 signal task thread mm B structmemory{ [0]structvma *mmap; [4] void (*map_area) (struct memory* mmap); } 0 0 0 4 2nd layer task structsignal { [0] structtask_status *status; } 3rd layer

7. How to Use SigGraph 0xc001c0a8: 0xc002c0a8 0xc002bee0 0xc002caa0 0xc00ddbb0 ... 0xc002c0a8: 0xc12a0e7c 0xc727faa8 0xbfbb9195 0x00000009 ... 0xc002bee0: 0xc001c1140xc001c16c 0xffb29122 0x00201001 ... 0xc002caa0: 0xb002ca200xb021d00a0xc05b9f5c 0x00000000 ... 0xc00ddbb0: 0xc12a0e7c 0xc727faa8 0xc001c1140xc001c16c ... task task(0xc001c0a8) 12 0 4 8 thread signal task mm 0 0 4 0 12 0 4 8

8. SigGraph Overview Signature Generator OS Data Structure Definitions Memory Dump Data structure Instances Graph- Signatures • structtask{ • [0] structthread*thread; • [4] structmemory*mm; • [8] structsignal*signal; • [12] structlist_head *prev; • [16] structlist_head *next; • } Brute-force Scanner Profiler (1) Compiler approach (2) Extracting from debug information (3) Reverse engineering kernel

9. Signature Generator task • Challenge: Signatures must be unique, non-isomorphic among each other. 12 0 1st layer 4 8 signal task thread mm 0 0 0 4 2nd layer task 3rd layer

10. Isomorphism structG{ ... [10] int* g; } structB { [0] E * b1; [4] B * b2; } structBB { [0] EE * bb1; [4] BB * bb2; } structEE { ... [12] GG * ee1; ... [24] HH * ee3; } structE { ... [12] G * e1; ... [24] H * e3; } structGG{ ... [4] char * gg1; [8] char * gg2; } BB B 0 4 BB 0 4 EE B E 12 24 12 24 GG HH G H 8 4 10

11. Isomorphism A X 54 18 8 0 12 36 48 DD CC B Y C D BB structA { [0] structB * a1; ... [12] structC * a2; ... [18] structD * a3; } structX { ... [8] structY * x1; ... [36] structBB * x2; ... [48] structCC * x3; ... [54] structDD * x4; }

12. Our Solution • Immediate pointer pattern (IPP): one-layer pointer structure as a string • Pointer expansion ‘ ’ IPP(T)= f1 · t1 · (f2 − f1) · t2 · ... · (fn − fn−1) · tn B structB { [0] E * b1; [4] B * b2; } 4 0 B E T B IPP(B)=0·E·4·B IPP(B) 0·E·4·(0·E·4·B)

13. Problem Formulation IPP(T)=f1·t1·(f2−f1)·t2·...·(fn − fn−1)·tn Ignore the symbol type at specific layer A X 54 18 8 0 IPP(A)=0·B·12·C·6·D IPP(X)=8·Y·28·BB·12·CC·6·DD 12 36 48 DD CC B Y C D BB • Substring “If IPP(A) is a substring of IPP(X) ”

14. Profiler • Practical pointer issues • null Pointer • void Pointer • Special Pointer • LIST_POISON1 (0x00100100) • LIST_POISON2 (0x00200200) • SPINLOCK_MAGIC (0xdead4ead) • Pruning a few noisy pointer fields does not degenerate the uniqueness of the graph-based signatures LiveDM[Rhee et al., RAID’10]

15. Evaluation • Memory snapshot collection • QEMU • Ground truth acquisition • RedHat crash utility • Symbolic information • system.map • Profiling run • Long runs with typical workload crash-utility.redhat.com

16. Evaluation on Memory Forensics crash-utility.redhat.com

17. Application: Rootkit Detection ps lsmod

18. Related Work • Kernel memory mapping and analysis • Copilot [Petroni et al., Security’04], [Petroni et al., CCS’07] • Gibraltar [Baliga et al., ACSAC’08] • KOP [Carbone et al.,CCS’09] • Memory forensics • Memory graph-based: Redhat crash utility, KOP • Value-invariant Signature: Klist[Rutkowska,2003],GREPEXEC [bugcheck, 2006], Volatility [Walters, 2006], [Schuster, 2006], [Dolan-Gavitt et al., CCS’09] • Dynamic heap type inference [Polishchuk et al., 2007]

19. Conclusion • Points-to relations can be leveraged to generate graph-based signatures for brute force scanning • SigGraph, a framework that generates non-isomorphic structural-invariant signatures • Complements value-invariant signatures • Applications: • Kernel memory forensics • Kernel rootkit detection

20. Q&A Thank you For more information {zlin,rhee,xyzhang,dxu}@cs.purdue.edu