nach oben

Journal of Computer Virology and Hacking Techniques

Erschienen in:

02.01.2020 | Original Paper

Leveraging branch traces to understand kernel internals from within

verfasst von: Marcus Botacin, Paulo Lício de Geus, André Grégio

Erschienen in: Journal of Computer Virology and Hacking Techniques | Ausgabe 2/2020

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successfully performed. These requirements make analysis procedures more complicated because multiple machines, although virtualized ones, are required. This requirements also make analysis procedures more expensive. In this paper, we present the Lightweight Kernel Tracer (LKT), an alternative solution for tracing kernel from within by leveraging branch monitors for data collection and an address-based introspection procedure for context reconstruction. We evaluated LKT by tracing distinct machines powered by x64 Windows kernels and show that LKT may be used for understanding kernel’s internals (e.g., graphics and USB subsystems) and for system profiling. We also show how to use LKT to trace other tracing and monitoring mechanisms running in kernel, such as Antiviruses and Sandboxes.

Vorheriger Artikel Lightweight versus obfuscation-resilient malware detection in android applications

Nächster Artikel Deep learning for image-based mobile malware detection

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

Akao, Y., Yamauchi, T.: Krguard: kernel rootkits detection method by monitoring branches using hardware features. In: 2016 International Conference on Information Science and Security (ICISS), pp. 1–5 (2016). https://doi.org/10.1109/ICISSEC.2016.7885860

Bissyandé, T.F., Réveillère, L., Lawall, J.L., Muller, G.: Diagnosys: automatic generation of a debugging interface to the linux kernel. In: 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, pp. 60–69 (2012). https://doi.org/10.1145/2351676.2351686

Botacin, M.: Hardware-assisted malware analysis. https://secret.inf.ufpr.br/papers/marcus-msc.pdf (2017)

Botacin, M., de Geus, P., Grégio, A.: Enhancing branch monitoring for security purposes: from control flow integrity to malware analysis and debugging. Transactions on Privacy and Security (TOPS) (2018)

Botacin, M., Geus, P.L.D., grégio, A.: Who watches the watchmen: a security-focused review on current state-of-the-art techniques, tools, and methods for systems and binary analysis on modern platforms. ACM Comput. Surv. 51(4), 69:1–69:34 (2018). https://doi.org/10.1145/3199673 CrossRef

Botacin, M.F., de Geus, P.L., Grégio, A.R.A.: The other guys: automated analysis of marginalized malware. J. Comput. Virol. Hacking Tech. 14(1), 87–98 (2018). https://doi.org/10.1007/s11416-017-0292-8 CrossRef

Cheng, Y., Zhou, Z., Miao, Y., Ding, X., Deng, R.H., Yu, M.: Ropecker: a generic and practical approach for defending against ROP attack. In: Proceedings of the NDSS Symposium (2015)

Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44(2), 6:1–6:42 (2008). https://doi.org/10.1145/2089125.2089126 CrossRef

Fattori, A., Paleari, R., Martignoni, L., Monga, M.: Dynamic and transparent analysis of commodity production systems. In: Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, ASE ’10, pp. 417–426. ACM, New York, NY, USA (2010). https://doi.org/10.1145/1858996.1859085

10.

Gebai, M., Dagenais, M.R.: Survey and analysis of kernel and userspace tracers on linux: design, implementation, and overhead. ACM Comput. Surv. 51(2), 26:1–26:33 (2018). https://doi.org/10.1145/3158644 CrossRef

11.

Haiku: Virtualbox serial debugging on windows. https://www.haiku-os.org/guides/virtualizing/virtualbox-windows-debugging/

12.

Horsch, J., Wessel, S.: Transparent page-based kernel and user space execution tracing from a custom minimal arm hypervisor. In: 2015 IEEE Trustcom/BigDataSE/ISPA, vol. 1, pp. 408–417 (2015). https://doi.org/10.1109/Trustcom.2015.401

13.

Intel: Intel®64 and IA-32 Architectures Software Developer’s Manual. Intel (2013)

14.

Khen, E., Zaidenberg, N.J., Averbuch, A.: Using virtualization for online kernel profiling, code coverage and instrumentation. In: 2011 International Symposium on Performance Evaluation of Computer Telecommunication Systems, pp. 104–110 (2011)

15.

Khen, E., Zaidenberg, N.J., Averbuch, A., Fraimovitch, E.: Lgdb 2.0: Using lguest for kernel profiling, code coverage and simulation. In: 2013 International Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS), pp. 78–85 (2013)

16.

Kirat, D., Vigna, G., Kruegel, C.: Barebox: Efficient malware analysis on bare-metal. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC ’11, pp. 403–412. ACM, New York, NY, USA (2011). https://doi.org/10.1145/2076732.2076790

17.

Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the drakvuf dynamic malware analysis system. In: Proceedings of the 30th Annual Computer Security Applications Conference (2014)

18.

Li, H.: A system architecture of double kernels for trusted windows terminal. In: Proceedings 2013 International Conference on Mechatronic Sciences, Electric Engineering and Computer (MEC), pp. 2562–2566 (2013). https://doi.org/10.1109/MEC.2013.6885467

19.

Li, X., Zhang, Y., Tang, Y.: Kernel malware core implementation: a survey. In: 2015 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, pp. 9–15 (2015). https://doi.org/10.1109/CyberC.2015.26

20.

MalwareList: Intel SMEP—a new hardware-based security on windows 8. https://malwarelist.net/2012/10/20/intel-smep-on-windows-8/ (2012)

21.

Microsoft: Bluetooth profile drivers overview. https://msdn.microsoft.com/en-us/library/windows/hardware/ff536598

22.

Microsoft: Cmregistercallbackex function. https://msdn.microsoft.com/en-us/library/windows/hardware/ff541921

23.

Microsoft: Crash dump analysis. https://msdn.microsoft.com/pt-br/library/windows/desktop/ee416349(v=vs.85).aspx

24.

Microsoft: Cryptography API: Next generation. https://msdn.microsoft.com/pt-br/library/windows/desktop/aa376210

25.

Microsoft: Debugging windows setup and the os loader. https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-windows-setup-and-the-os-loader

26.

Microsoft: Fltiscallbackdatadirty function. https://msdn.microsoft.com/en-us/library/windows/hardware/ff543311

27.

Microsoft: Getcurrentprocessornumber function. https://msdn.microsoft.com/en-us/library/windows/desktop/ms683181

28.

Microsoft: Getthreadid function. https://msdn.microsoft.com/en-us/library/windows/desktop/ms683233(v=vs.85).aspx

29.

Microsoft: Introduction to spin locks. https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-spin-locks

30.

Microsoft: Local kernel-mode debugging. https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/performing-local-kernel-debugging

31.

Microsoft: Ndisregisterprotocol (windows ce 5.0). https://msdn.microsoft.com/en-us/library/ms904134.aspx

32.

Microsoft: Network driver interface specification. https://technet.microsoft.com/en-us/library/cc958797.aspx

33.

Microsoft: Pssetcreateprocessnotifyroutine function. https://msdn.microsoft.com/en-us/library/windows/hardware/ff559951

34.

Microsoft: Setting up kernel-mode debugging over a usb 3.0 cable manually. https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-usb-3-0-debug-cable-connection

35.

Microsoft: Setting up kdnet network kernel debugging manually. https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection (2018)

36.

NirSoft: “driverview”. http://www.nirsoft.net/utils/driverview.html (2015)

37.

NirSoft: “dll export viewer. http://www.nirsoft.net/utils/dll_export_viewer.html (2016)

38.

Paleari, R.: Fast coverage analysis for binary applications. http://roberto.greyhats.it/2015/02/fast-coverage-analysis-for-binary.html (2015)

39.

Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), pp. 447–462. USENIX, Washington, D.C. (2013). https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/pappas

40.

Petit, L., Nafaa, A., Jurdak, R.: Historical data storage for large scale sensor networks. In: Proceedings of the 5th French-Speaking Conference on Mobility and Ubiquity Computing, UbiMob ’09, pp. 45–52. ACM, New York, NY, USA (2009). https://doi.org/10.1145/1739268.1739278

41.

RedHat: Debugging a kernel in qemu/libvirt. https://access.redhat.com/blogs/766093/posts/2690881 (2017)

42.

Rhee, J., Zhang, H., Arora, N., Jiang, G., Yoshihira, K.: Software system performance debugging with kernel events feature guidance. In: 2014 IEEE Network Operations and Management Symposium (NOMS), pp. 1–5 (2014). https://doi.org/10.1109/NOMS.2014.6838353

43.

Rossow, C., Dietrich, C.J., Grier, C., Kreibich, C., Paxson, V., Pohlmann, N., Bos, H., Steen, M.V.: Prudent practices for designing malware experiments: Status quo and outlook. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP ’12, pp. 65–79. IEEE Computer Society, Washington, DC, USA (2012). https://doi.org/10.1109/SP.2012.14

44.

Saidi, S., Tendulkar, P., Lepley, T., Maler, O.: Optimizing explicit data transfers for data parallel applications on the cell architecture. ACM Trans. Archit. Code Optim. 8(4), 37:1–37:20 (2012). https://doi.org/10.1145/2086696.2086716 CrossRef

45.

Siddha, S., Pallipadi, V., Mallick, A.: Process scheduling challenges in the era of multi-core processors (2007)

46.

Softonic: Security and privacy for windows. https://en.softonic.com/windows/security-privacy

47.

Tate, A., Bewoor, L.: Survey on frequent pattern mining algorithm for kernel trace. In: 2017 IEEE 7th International Advance Computing Conference (IACC), pp. 793–798 (2017). https://doi.org/10.1109/IACC.2017.0163

48.

Willems, C., Hund, R., Holz, T.: Cxpinspector: Hypervisor-based, hardware-assisted system monitoring. VirusBulletin (2013)

49.

WinDbg: Windbg. http://www.windbg.org/

50.

Xie, P., Wu, B., Liu, M., Harris, J., Scheiman, C.: Profiling the performance of tcp/ip on windows nt. In: Proceedings IEEE International Computer Performance and Dependability Symposium. IPDS 2000, pp. 133–137 (2000). https://doi.org/10.1109/IPDS.2000.839471

51.

Xu, J., Mu, D., Xing, X., Liu, P., Chen, P., Mao, B.: Postmortem program analysis with hardware-enhanced post-crash artifacts. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 17–32. USENIX Association, Vancouver, BC (2017). https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/xu-jun

Titel: Leveraging branch traces to understand kernel internals from within
verfasst von: Marcus Botacin
Paulo Lício de Geus
André Grégio
Publikationsdatum: 02.01.2020
Verlag: Springer Paris
Erschienen in: Journal of Computer Virology and Hacking Techniques / Ausgabe 2/2020
Elektronische ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-019-00343-w

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2020

Exploiting flaws in Windbg: how to escape or fool debuggers from existing flaws

Hiding a fault enabled virus through code construction

Deep learning for image-based mobile malware detection

Lightweight versus obfuscation-resilient malware detection in android applications