Journal articles
3 articles found
1. Detecting Compromised Kernel Hooks with Support of Hardware Debugging Features (cited by: 3)
Authors: Shi Wenchang, Zhou HongWei, Yuan JinHui, Liang Bin. China Communications (SCIE, CSCD), 2012, No. 10, pp. 78-90 (13 pages)
Although there exist a few good schemes to protect the kernel hooks of operating systems, attackers are still able to circumvent existing defense mechanisms with spurious context information. To address this challenge, this paper proposes a framework, called HookIMA, to detect compromised kernel hooks by using hardware debugging features. The key contribution of the work is that context information is captured from hardware instead of from relatively vulnerable kernel data. Using commodity hardware, a proof-of-concept prototype system of HookIMA has been developed. This prototype handles 3 082 dynamic control-flow transfers with related hooks in the kernel space. Experiments show that HookIMA is capable of detecting compromised kernel hooks caused by kernel rootkits. Performance evaluations with UnixBench indicate that runtime overhead introduced by HookIMA is about 21.5%.
Keywords: operating system; kernel hook; integrity; hardware; control flow
2. OPKH: A Lightweight Online Approach to Protecting Kernel Hooks in Kernel Modules
Authors: 田东海 (Tian Donghai), 李轩涯 (Li Xuanya), 胡昌振 (Hu Changzhen), 闫怀志 (Yan Huaizhi). China Communications (SCIE, CSCD), 2013, No. 11, pp. 15-23 (9 pages)
Kernel hooks are very important control data in the OS kernel. Once these data are compromised by attackers, they can change the control flow of the OS kernel's execution. Previous solutions suffer from limitations in that: 1) some methods require modifying the source code of the OS kernel and kernel modules, which is less practical for wide deployment; 2) other methods cannot well protect the kernel hooks and function return addresses inside kernel modules whose memory locations cannot be predetermined. To address these problems, we propose OPKH, an on-the-fly hook protection system based on virtualization technology. Compared with previous solutions, OPKH offers the protected OS a fully transparent environment and an easy deployment. In general, the working procedure of OPKH can be divided into two steps. First, we utilise memory virtualization for offline profiling so that the dynamic hooks can be identified. Second, we exploit the online patching technique to instrument the hooks for run-time protection. The experiments show that our system can protect the dynamic hooks effectively with minimal performance overhead.
Keywords: kernel hook; virtualization technology; online patching
3. A Brief Discussion on Detecting and Bypassing Kernel EAT Hooks (浅谈Kernel EAT HOOK的检测与绕过)
Author: 胡文亮 (Hu Wenliang). 黑客防线 (Hacker Defense), 2010, No. 3, pp. 96-99 (4 pages)
There is very little material online about Kernel EAT HOOK; the only piece I found is "Restoring IAT and EAT HOOK under Ring 0" (《恢复Ring 0下的IAT和EAT HOOK》) in the Hacker Defense 2009 Hacker Programming VC Special Issue (《黑客防线2009黑客编程VC专辑》). However, that article places all of its source code in the driver, which is not very safe (personally, I believe that code which can run in Ring 3 should be placed in Ring 3 to ensure stability).
Keywords: programming; Hook; kernel; EAT HOOK