Countering Kernel Rootkits with Lightweight Hook Protection Presented by: Hector M Lugo-Cordero, MS
advertisement
Countering Kernel Rootkits with Lightweight Hook Protection Presented by: Hector M Lugo-Cordero, MS CAP 6135 March 24, 2011 Acknowledgements • Title: Countering Kernel Rootkits with Lightweight Hook Protection • Authors: – North Carolina State University • Zhi Wang • Xuxian Jiang • Peng Ning – Microsoft Research • Weidong Cui • Published at: CCS '09 Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009 • Sponsored by: – NSF 0852131, 0855297, 0855036, and 0910767 2 Outline • • • • • Rootkits HookSafe Design and Implementation Performance Closing Remarks 3 Outline • • • • • Rootkits HookSafe Design and Implementation Performance Closing Remarks 4 Kernel Space • • • • Where the core of the OS resides May be accessed through system calls Has full access to the system Like running in real mode assembly language, but at a higher level (i.e. easier programming) 5 Kernel Rootkits • Hide presence and activities – Hijack control by modifying kernel space • Types: – Kernel Object Hooking (most of the rootkits) – Dynamic Kernel Object Manipulation • Tamper OS to launch attacks – – – – System backdoor Stealing private information Escalating privileges of malicious process Disabling defense mechanisms 6 Example of Rootkit (TDL4) • • • • • • • • • From the Rootkit.Win32.TDSS family Installs in Master Boot Record Runs before the Operating System Blocks programs from running Delivers advertisements Google redirects Keeps a copy of payload in MBR so it can be reinstalled Best way to get rid of it is by replacing the MBR Previous versions (infecting drivers) could be removed with TDSSKiller from Kasperry group 7 Outline • • • • • Rootkits HookSafe Design and Implementation Performance Closing Remarks 8 Traditional Defense Approaches • Analyzing rootkits behaviors – Examples: Panorama, HookFinder, K-Tracer • Search common symptoms on infected computers – Examples: Copilot, SBCFI, VMwatcher • Preserve kernel code integrity – Examples: SecVisor, Patagonix, NICKLE – Can be bypassed by return-oriented rootkits • Hijack function pointers or return addresses • Utilize kernel code snippets 9 HookSafe • Challenge: Protection granularity gap – Hook protection requires byte granularity – Hardware only provides page level protection • Kernel hooks (function pointers), after initialized have frequent read access, less write access (less than 1%) • Move hooks to page-aligned memory and protect with traditional page protection – Any write access can be monitored • Small overhead effect 10 Hooks per Page Histogram [1] 11 What are Pages? • Fundamental to use non-continuous memory blocks • Creates a mapping between a physical address and a virtual ones • Provides virtual RAM 12 Paging Process [2] 13 Paging Mapping [2] 14 Outline • • • • • Rootkits HookSafe Design and Implementation Performance Closing Remarks 15 Assumptions • A hypervisor will be used to monitor virtual machines – From Wikipedia: “In computing, a hypervisor, also called virtual machine monitor (VMM), is one of many virtualization techniques which allow multiple operating systems, termed guests, to run concurrently on a host computer, a feature called hardware virtualization.” • A bootstrap like tboot exists to establish a static root of trust of the system – A hypervisor can be securely loaded – Protect the kernel at boot time • Runtime integrity of hypervisor is maintained 16 HookSafe Architecture 17 [1] Offline Hook Profiler • Set of functions that read/write the hook – Hook Access Points (HAPs) • Set of values assign to a hook • Enables transparent hook indirection 18 Offline Hook Profiler Design • Static Analysis – Performed on kernel’s source code – Automatically collect hook profiles using 3rd party program techniques (e.g. points-to analysis) • Dynamic Analysis – Does not need the source code (good for Windows) – Run target system on an emulator and monitor memory access to derive hook profiles • Tradeoff – Coverage (static) vs Precision (dynamic) • HookSafe choses precision over coverage 19 Offline Hook Profiler Implementation • Run in emulation and hooks are recorded with set of read/write (HAPs) and values [1] 20 Online Hook Protector • Its input is the Hook Access Profiles • Creates a shadow copy of all protected hooks • Instruments HAP instructions so that the access is redirected to the shadow copy • Shadow copies are moved into a centralized location to be protected from unauthorized modifications (i.e. page level protection) 21 Online Hook Protector Design • Initialization – Temporary kernel module to create shadow copy of hooks and load the code for indirection layer – Patch the HAPs for redirection to copy • Run-Time Read/Write Indirection – Read: reads from copy and returns to HAPs – Write: control is passed to hypervisor for validation check. New value seen in the offline profiling phase. • Run-Time Tracking of Dynamically Allocated Hooks – Embedded in Dynamic Kernel Object (i.e. heap) – Size is fixed because it can only be know at runtime • Hardware abstraction intercept register access 22 Online Hook Protector Implementation • 5 bytes jmp instruction • 1 byte opcode (0xE9) • 32-bit integer offset operand [1] • Variable length instructions in x86 • jmps are padded with NOP (0x90) • old instructions are re-written and moved 23 Outline • • • • • Rootkits HookSafe Design and Implementation Performance Closing Remarks 24 Detecting Rootkits • At read periodically the hook indirection checks for consistency between the original hook, and the shadow copy • Any discrepancy is caused by a compromised original hook • At write if action is legitimate both original and copy of the hook is written 25 Evaluation [1] 26 Evaluation Example [1] 27 Outline • • • • • Rootkits HookSafe Design and Implementation Performance Closing Remarks 28 Strengths (Remarks) • Rootkit protection without the need of going to the source code • Low overhead of 6% of runtime • Works with variable instruction length architecture (e.g. x86) • Byte equivalent protection using page protection of the hypervisor 29 Weakness • Doesn’t record what caused the rootkit infection. It can detect, but not defend against future attempts • When discrepancy is found it automatically assumes the original hook was compromised. This was not the case with mood-nt • Legitimate values need to be inside of hook profile • Memory usage for creating shadow copies 30 Suggestions • Test HookSafe on Windows • Add mechanisms to restore MBR or VBR in case of multiple OS present • Instead of checking discrepancy between hooks and their copy, check against a hash value to find out which is compromised • Incorporate static analysis or broader dynamic analysis (e.g. adaptive analysis) 31 References 1. Z. Wang, X. Jiang, W. Cui, and P. Ning, “Countering kernel rootkits with lightweight hook protection”, Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009, pp. 545 – 554 2. http://www.wikipedia.org 3. http://www.bleepingcomputer.com 4. http://support.kaspersky.com/viruses/solutions ?qid=208280684 32 QUESTIONS 33
