Code Validation for Modern OS Kernels
The proliferation of kernel mode malware and rootkits over the last decade is one of the most critical challenges the security industry is facing. While mechanisms such as UEFI secure boot in conjunction with signed driver loading effectively verify the integrity of the kernel at load time, run-time verification is still an open problem. Various security systems have been proposed as solutions to protect the integrity of the kernel by performing hash verification of code pages. This approach requires one to keep track of a potentially large set of hashes. Other approaches that attempt to protect code pages usually do so by heavily restricting the OS from performing otherwise benign optimizations at run-time. In this paper we present an approach for syntactically verifying the integrity of kernel code with the use of semantic (binding) information. By leveraging virtual machine introspection, we examine all kernel code pages at runtime to verify their contents and to reconstruct the active system state. By emulating the OS's patching mechanisms, our system successfully differentiates between malicious and benign code changes. We demonstrate the ability to detect malicious kernel code with a set of rootkit samples. Our method does not restrict modern OS kernels from using otherwise benign patching routines. To further highlight the importance of practical kernel code validation, we also present a critical security issue in the Linux kernel that we discovered in our research and which had thus far remained unnoticed.
Workshop on Malware Memory Forensics (MMF)
| Field | Value |
|---|---|
| Authors | Thomas Kittel, Sebastian Vogl, Tamas Lengyel, Jonas Pfoh, and Claudia Eckert |
| Year/month | 2014/12 |
| Booktitle | Workshop on Malware Memory Forensics (MMF) |
| Fulltext | acsacmmfkittel-2014.pdf |
Bibtex:
@inproceedings{kittel2014,
  author    = {Thomas Kittel and Sebastian Vogl and Tamas Lengyel and Jonas Pfoh and Claudia Eckert},
  title     = {Code Validation for Modern OS Kernels},
  year      = {2014},
  month     = {December},
  booktitle = {Workshop on Malware Memory Forensics (MMF)},
  url       = {https://www.insec.cit.tum.de/i20/publications/code-validation-for-modern-os-kernels/@@download/file/acsacmmfkittel-2014.pdf}
}
