Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms


Ralf Hund, Thorsten Holz, Felix C. Freiling
Laboratory for Dependable Distributed Systems, University of Mannheim, Germany

Abstract

Protecting the kernel of an operating system against attacks, especially injection of malicious code, is an important factor for implementing secure operating systems. Several kernel integrity protection mechanisms were proposed recently that all have a particular shortcoming: They cannot protect against attacks in which the attacker re-uses existing code within the kernel to perform malicious computations. In this paper, we present the design and implementation of a system that fully automates the process of constructing instruction sequences that can be used by an attacker for malicious computations. We evaluate the system on different commodity operating systems and show the portability and universality of our approach. Finally, we describe the implementation of a practical attack that can bypass existing kernel integrity protection mechanisms.

1 Introduction

Motivation. Since it is hard to prevent users from running arbitrary programs within their own account, all modern operating systems implement protection concepts that protect the realm of one user from another. Furthermore, it is necessary to protect the kernel itself from attacks. The basis for such mechanisms is usually called a reference monitor [2]. A reference monitor controls all accesses to system resources and only grants them if they are allowed. While reference monitors are an integral part of any of today's mainstream operating systems, they are of limited use: because of the sheer size of a mainstream kernel, the probability that some system call, kernel driver or kernel module contains a vulnerability rises. Such vulnerabilities can be exploited to subvert the operating system in arbitrary ways, giving rise to so-called rootkits, malicious software running without the user's notice.

In recent years, several mechanisms to protect the integrity of the kernel were introduced [6, 9, 15, 19, 22], as we now explain. The main idea behind all of these approaches is that the memory of the kernel should be protected against unauthorized injection of code, such as rootkits. Note that we focus in this work on kernel integrity protection mechanisms and not on control-flow integrity [1, 7, 14, 18] or data-flow integrity [5] mechanisms, which are orthogonal to the techniques we describe in the following.

1.1 Kernel Integrity Protection Mechanisms

Kernel Module Signing. Kernel module signing is a simple approach to achieve kernel code integrity. When kernel module signing is enabled, every kernel module should contain an embedded, valid digital signature that can be checked against a trusted root certification authority (CA). If this check fails, loading of the code fails, too. This technique has been implemented most notably for Windows operating systems since XP [15] and is used in every new Windows system.

Kernel module signing makes it possible to establish basic security guidelines that have to be followed by kernel code software developers. But the security of the approach rests on the assumption that the already loaded kernel code, i.e., the kernel and all of its modules, does not have a vulnerability which allows for execution of unsigned kernel code. It is thus insufficient to check for kernel code integrity only upon loading.

W⊕X. W⊕X is a general approach which aims at preventing the exploitation of software vulnerabilities at runtime. The idea is to prevent execution of injected code by enforcing the W⊕X property on all, or certain, page tables of the virtual address space: A memory page must never be writable and executable at the same time. Since injected code execution always implies previous instruction writes in memory, the integrity of the code can be guaranteed. The W⊕X technique first appeared in OpenBSD 3.3; similar implementations are available for other operating systems, including the PaX [28] and Exec Shield patches for Linux, and PaX for NetBSD. Data Execution Prevention (DEP) [16] is a technology from Microsoft that relies on W⊕X for preventing exploitation of software vulnerabilities and has been implemented since Windows XP Service Pack 2 and Windows Server 2003.

The effectiveness of W⊕X relies on the assumption that the attacker wishes to modify and execute code in kernel space. In practice, however, an attacker usually first gains userspace access which implies the possibility to alter page-wise permissions in the userspace portion of the virtual address space. Due to the fact that the no-execute bit in the page-table is not fine-grained enough, it is not possible to mark a memory page to be executable only in user mode. So an attacker may simply prepare her instructions in userspace and let the vulnerable code jump there.

NICKLE. NICKLE [19] is a system which allows for lifetime kernel code integrity, and thus rootkit prevention, by exploiting a technology called memory shadowing. NICKLE is implemented as a virtual machine monitor (VMM) which maintains a separate so-called shadow memory. The shadow memory is not accessible from within the VM guest and contains copies of certain portions of the VM guest's main memory. Newly executing code, i.e., code that is executed for the first time, is authenticated using a simple cryptographic hash value comparison and then copied to the shadow memory transparently by NICKLE. Since the VMM is trusted in this model, it is guaranteed that no unauthenticated modifications to the shadow memory can be applied as executing guest code can never access the privileged shadow memory. Therefore, any attempt to execute unauthenticated code can be foiled in the first place. Another positive aspect of this approach is that it can be implemented in a rather generic fashion, meaning that it is perfectly applicable to both open source and commodity operating systems. Of course, NICKLE itself has to make certain assumptions about the underlying file format of executable code, e.g., driver files, since it needs to understand the loading of these files. Currently, NICKLE supports Windows 2000, Windows XP, as well as Linux 2.4 and 2.6 based kernels. So far, NICKLE has been implemented for QEMU, VMware, and VirtualBox hypervisors. The QEMU source code is publicly available [20].

The isolation of the VMM from the VM Guest allows for a comparably unrestrictive threat model. In the given system, an attacker may have gained the highest level of privilege within the VM guest and may access the entire memory space of the VM. In other words, an adversary may compromise arbitrary system entities, e.g., files, processes, etc., as long as the compromise happens only inside the VM.

SecVisor. SecVisor [22] is a software solution that consists of a general, operating system independent approach to enforce W⊕X based on a hypervisor and memory virtualization. In the threat model for SecVisor an attacker can control everything but the CPU, the memory controller, and kernel memory. Furthermore, an attacker can have the knowledge of kernel exploits, i.e., she can exploit a vulnerability in kernel mode. In this setting, SecVisor "protects the kernel against code injection attacks such as kernel rootkits" [22]. This is achieved by implementing a hypervisor that restricts what code can be executed by a (modified) Linux kernel. The hypervisor virtualizes the physical memory and the MMU to set page-table-based memory protections. Furthermore, SecVisor verifies certain properties on kernel mode entry and exit, e.g., all kernel mode exits set the privilege level of the CPU to that of user mode or the instruction pointer points to approved code at kernel entry. Franklin et al. showed that these properties are prone to attacks and successfully injected code in a SecVisor-protected Linux kernel [8], but afterwards also corrected the errors found.

1.2 Bypassing Integrity Protection Mechanisms

Based on earlier programming techniques like return-to-libc [17, 21, 27], Shacham [23] introduced the technique of return-oriented programming. This technique makes it possible to execute arbitrary programs in privileged mode without adding code to the kernel. Roughly speaking, it misuses the system stack to "re-use" existing code fragments (called gadgets) of the kernel (we explain this technique in more detail in Section 2). Shacham analyzed the GNU Linux libc of Fedora Core 4 on an Intel x86 machine and showed that executing one malicious instruction in system mode is sufficient to construct arbitrary computations from existing code. No malicious code is needed, so most of the integrity protection mechanisms fail to stop this kind of attack.

Buchanan et al. [4] recently extended the approach to the Sparc architecture. They investigated the Solaris 10 C library, extracted code gadgets and wrote a compiler that can produce Sparc machine programs that are made up entirely of the code from the identified gadgets. They concluded that it is not sufficient to prevent introduction of malicious code; we must rather prevent introduction of malicious computations.

Attacker Model. Like the mentioned literature, we base our work on the following reasonable attacker model. We assume that the attacker has full access to the user's address space in normal mode (local attacker) and that there exists at least one vulnerability within a system call such that it is possible to point the control flow to an address of the attacker's choice at least once while being in privileged mode.

2 Background: Return-Oriented Programming

The idea behind a return-to-libc attack [17, 27] is that the attacker can use a buffer overflow to overwrite the return
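
The W⊕X rule and the limitation of the no-execute bit described in Section 1.1 can be checked mechanically. The following C audit is an added example, not code from the paper: it decodes the architectural x86-64 page-table permission bits over a constructed table of mappings and flags pages that are writable and executable at once, as well as user pages that kernel-mode code could execute. The function names, the sample addresses and the smep_enabled switch are assumptions introduced here; SMEP is a later CPU control that the paper does not discuss.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86-64 page-table-entry permission bits. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITABLE (1ULL << 1)
#define PTE_USER     (1ULL << 2)   /* set: reachable from user mode */
#define PTE_NX       (1ULL << 63)  /* set: instruction fetch forbidden */

/* Findings form a bit mask so one page can carry several. */
#define F_WX_VIOLATION   0x1  /* writable and executable at the same time */
#define F_KERNEL_CAN_RUN 0x2  /* user-owned page the kernel could execute */

struct mapping {
    uint64_t    vaddr;
    uint64_t    pte;   /* treated as the page's effective permissions */
    const char *label;
};

/*
 * Classify one leaf PTE. smep_enabled models a CPU control that blocks
 * supervisor-mode instruction fetches from user pages (assumption added
 * for this example, not part of the paper).
 */
int audit_pte(uint64_t pte, int smep_enabled)
{
    if (!(pte & PTE_PRESENT))
        return 0;                      /* unmapped: nothing to execute */

    int writable   = (pte & PTE_WRITABLE) != 0;
    int executable = (pte & PTE_NX) == 0;
    int user       = (pte & PTE_USER) != 0;
    int findings   = 0;

    if (writable && executable)
        findings |= F_WX_VIOLATION;

    /* NX has no per-privilege variant: a user page that is executable in
     * user mode is executable in kernel mode too, unless SMEP is on. */
    if (user && executable && !smep_enabled)
        findings |= F_KERNEL_CAN_RUN;

    return findings;
}

/* Count the pages in a table that carry a given finding. */
size_t count_findings(const struct mapping *m, size_t n, int finding,
                      int smep_enabled)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (audit_pte(m[i].pte, smep_enabled) & finding)
            hits++;
    return hits;
}

/* Constructed sample mappings: not taken from any real system. */
const struct mapping SAMPLE[] = {
    { 0xffffffff81000000ULL, PTE_PRESENT,                         "kernel text (R-X)" },
    { 0xffffffff82000000ULL, PTE_PRESENT | PTE_WRITABLE | PTE_NX, "kernel data (RW-)" },
    { 0xffffffffa0000000ULL, PTE_PRESENT | PTE_WRITABLE,          "module area (RWX)" },
    { 0x0000000000400000ULL, PTE_PRESENT | PTE_USER,              "user text (R-X)"   },
    { 0x00007ffd00000000ULL,
      PTE_PRESENT | PTE_WRITABLE | PTE_USER | PTE_NX,             "user stack (RW-)"  },
    { 0x00007f0000000000ULL, 0,                                   "not present"       },
};
const size_t SAMPLE_LEN = sizeof(SAMPLE) / sizeof(SAMPLE[0]);

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        int f = audit_pte(SAMPLE[i].pte, 0);
        printf("%#018llx %-20s%s%s\n",
               (unsigned long long)SAMPLE[i].vaddr, SAMPLE[i].label,
               (f & F_WX_VIOLATION)   ? " W^X-violation" : "",
               (f & F_KERNEL_CAN_RUN) ? " kernel-executable-user-page" : "");
    }
    return 0;
}
```

A page that passes the W⊕X check can still carry the second finding, which is the gap the paper describes: enforcing W⊕X on kernel pages alone does not stop kernel-mode control flow from reaching executable user pages.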