Abstract
Kernel callback queues (KQs) are the mechanism of choice for handling events in modern kernels. KQs have been misused by real-world malware to run malicious logic. Current defense mechanisms for kernel code and data integrity have difficulties with kernel queue injection (KQI) attacks, since KQI attacks work without necessarily changing legitimate kernel code or data. In this paper, we describe the design, implementation, and evaluation of KQguard, an efficient and effective protection mechanism for KQs. KQguard uses static and dynamic analysis of the kernel and device drivers to learn the legitimate event handlers. At runtime, KQguard rejects all unknown KQ requests that cannot be validated. We implement KQguard on the Windows Research Kernel (WRK) and Linux, and an extensive experimental evaluation shows that KQguard is efficient (up to ~5% overhead) and effective (capable of achieving zero false positives against representative benign workloads after appropriate training, and very low false negatives against 125 real-world malware and nine synthetic attacks). KQguard protects 20 KQs in WRK, can accommodate new device drivers, and, through dynamic analysis of binary code, can support closed-source device drivers.
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wei, J., Zhu, F., Pu, C. (2013). KQguard: Binary-Centric Defense against Kernel Queue Injection Attacks. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_42
DOI: https://doi.org/10.1007/978-3-642-40203-6_42
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6
eBook Packages: Computer Science, Computer Science (R0)