Leveraging branch traces to understand kernel internals from within

  • Original Paper
Journal of Computer Virology and Hacking Techniques


Abstract

Kernel monitoring is often a hard task, requiring external debuggers and/or kernel modules to be performed successfully. These requirements make analysis procedures more complicated, because multiple machines (even if virtualized) are required, and also more expensive. In this paper, we present the Lightweight Kernel Tracer (LKT), an alternative solution for tracing the kernel from within by leveraging branch monitors for data collection and an address-based introspection procedure for context reconstruction. We evaluated LKT by tracing distinct machines powered by x64 Windows kernels and show that LKT may be used for understanding the kernel’s internals (e.g., the graphics and USB subsystems) and for system profiling. We also show how to use LKT to trace other tracing and monitoring mechanisms running in the kernel, such as antiviruses and sandboxes.
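As an added example (not the paper's code) of the address-based introspection step the abstract describes: a hardware branch monitor yields only raw (source, destination) address pairs, and context is reconstructed by resolving each address against the kernel's loaded-module map into a module name and offset, turning the trace into module-to-module transitions. The module map, module names and trace addresses below are constructed for illustration; branches landing outside every known module are reported separately, since they are the cases an analyst would want to look at first.

```python
from bisect import bisect_right
from collections import Counter

# Constructed loaded-module map: (base, size, name). Addresses are illustrative only.
MODULES = [
    (0xFFFFF80000000000, 0x800000, "ntoskrnl.exe"),
    (0xFFFFF80000C00000, 0x100000, "dxgkrnl.sys"),   # graphics subsystem
    (0xFFFFF80001000000, 0x080000, "USBXHCI.SYS"),   # USB subsystem
]

# Constructed branch trace as a branch monitor would record it: (from, to) pairs.
TRACE = [
    (0xFFFFF80000010000, 0xFFFFF80000C00100),  # kernel -> graphics driver
    (0xFFFFF80000C00200, 0xFFFFF80000C00300),  # branch inside the graphics driver
    (0xFFFFF80000C00300, 0xFFFFF80000012000),  # graphics driver -> kernel
    (0xFFFFF80000020000, 0xFFFFF80001000040),  # kernel -> USB driver
    (0xFFFFF80001000040, 0xFFFFF80002000000),  # USB driver -> address in no known module
]

def build_index(modules):
    """Sort modules by base so an address can be resolved with one binary search."""
    mods = sorted(modules)
    return [m[0] for m in mods], mods

def resolve(addr, index):
    """Map an address to (module name, offset), or None if no module covers it."""
    bases, mods = index
    i = bisect_right(bases, addr) - 1
    if i < 0:
        return None
    base, size, name = mods[i]
    return (name, addr - base) if addr < base + size else None  # end is exclusive

def reconstruct(trace, index):
    """Turn raw branch pairs into counted module-to-module edges plus unresolved hits."""
    edges, unknown = Counter(), []
    for src, dst in trace:
        s, d = resolve(src, index), resolve(dst, index)
        if d is None:
            unknown.append((src, dst))
        edges[(s[0] if s else "<unknown>", d[0] if d else "<unknown>")] += 1
    return edges, unknown

if __name__ == "__main__":
    edges, unknown = reconstruct(TRACE, build_index(MODULES))
    for (src_mod, dst_mod), n in edges.most_common():
        print(f"{src_mod:>14} -> {dst_mod:<14} {n}")
    for src, dst in unknown:
        print(f"unresolved destination {dst:#x} reached from {src:#x}")
```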



Acknowledgements

This work was supported by the Brazilian National Counsel of Technological and Scientific Development (CNPq, Ph.D. Scholarship, process 164745/2017-3) and the Coordination for the Improvement of Higher Education Personnel (CAPES, Project FORTE, Forensics Sciences Program 24/2014, process 23038.007604/2014-69).

Author information

Corresponding author

Correspondence to Marcus Botacin.

Appendix

In this appendix, we present more detailed information about the identified modules and callback routines for Avast (Table 7) and Avira (Table 8) solutions.

Table 8 Avira

Cite this article

Botacin, M., de Geus, P.L. & Grégio, A. Leveraging branch traces to understand kernel internals from within. J Comput Virol Hack Tech 16, 141–155 (2020). https://doi.org/10.1007/s11416-019-00343-w
