automatic uncovering of tap points from kernel executions
play

Automatic Uncovering of Tap Points From Kernel Executions Junyuan - PowerPoint PPT Presentation

Feb 27, 2023 •108 likes •694 views

Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang Lin University of Texas at Dallas RAID 2016 Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary &

  1. Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang Lin University of Texas at Dallas RAID 2016

  2. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Kernel Tap Point An execution point , e.g., ◮ an instruction ◮ a function call ◮ a function called in a particular context where active kernel execution monitoring, e.g., creation, traversal, or deletion of ◮ processes ◮ sockets ◮ files ◮ other kernel objects can be performed 2 / 29

  3. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Why Uncoverying Them sys_fork(){ ... create_process(); ... } 3 / 29

  4. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Why Uncoverying Them sys_fork(){ ... create_process(); ... } Increasingly, kernel malware is using the internal functions (e.g., create_process ) to create kernel objects 3 / 29

  5. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Why Uncoverying Them sys_fork(){ ... create_process(); ... } Increasingly, kernel malware is using the internal functions (e.g., create_process ) to create kernel objects Identifying the internal functions or instructions will be useful in applications: ◮ Virtual machine introspection ◮ Kernel malware detection ◮ Kernel malware profiling 3 / 29

  6. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c14f33fd c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  7. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c14f33fd c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  8. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  9. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  10. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  11. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  12. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  13. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  14. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: ... c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c24e0fe4 c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  15. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: Switched- ... to task c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax ... c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c24e0fe4 c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  16. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Examples of Kernel Tap Points Content Tap Code Read Write c14f30a0 <schedule>: Switched- ... to task c14f33fd: mov -0x58(%ebp),%edx c035dc00 c14f33fd cfe91690 c14f3400 c14f3400: mov -0x5c(%ebp),%eax Switched- ... from task c20f0120 c14f3405 c14f3405: mov %esp,0x318(%eax) c24e0fe4 c14f340b c14f340b: mov 0x318(%edx),%esp c14f3411: movl $0xc14f3433,0x320(%eax) c14f341b: pushl 0x320(%edx) c14f3421: mov 0x204(%edx),%ebx c14f3427: mov %ebx,%fs:0xc17f8694 c14f342e: jmp c1001e80 <__switch_to> c14f3433: pop %ebp 4 / 29

  17. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Why Uncovering the Tap Points is Challenging Large code base of an OS kernel 1 ◮ Millions of instructions ◮ Hundrends of thousands of functions ◮ Tens of thousands of kernel objects Complicated control flow 2 ◮ Asynchronized events ⋆ Interrupts (e.g., timer, keystrokes) ◮ Non standard control flow ⋆ Exceptions (e.g., page fault) 5 / 29

  18. Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary & References Introducing A UTO T AP A UTO T AP : a system for A UTO matic uncovering of T AP points directly from kernel executions. 6 / 29

Recommend

Where the executions are Frank R. Baumgartner Introduction Data compiled on all US executions

Where the executions are Frank R. Baumgartner Introduction Data compiled on all US executions

Where the executions are Frank R. Baumgartner Introduction Data compiled on all US executions since 1976 as of April 11 2011, 1245 executions in total. Maps by county do not include 3 executions by the federal government not assigned to

371 views • 21 slides
Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Tao Xie

Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Tao Xie

Automatic Extraction of Object-Oriented Observer Abstractions from Unit-Test Executions Tao Xie David Notkin Dept. of Computer Science &amp; Engineering University of Washington, Seattle Nov. 2004 ICFEM 04, Seattle 1 of 24 Motivation

477 views • 25 slides
Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang

Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang

Introduction A RGOS Design Experimental Results Discussions &amp; Related Work Summary &amp; References Towards Automatic Inference of Kernel Object Semantics from Binary Code Junyuan Zeng, and Zhiqiang Lin Department of Computer Science

738 views • 53 slides
The Kernel Abstrac/on Main Points Process concept A

The Kernel Abstrac/on Main Points Process concept A

The Kernel Abstrac/on Main Points Process concept A process is the OS abstrac/on for execu/ng a program with limited privileges Dual-mode

785 views • 61 slides
Kernel matching with automatic bandwidth selection Ben Jann University of Bern,

Kernel matching with automatic bandwidth selection Ben Jann University of Bern,

Kernel matching with automatic bandwidth selection Ben Jann University of Bern, ben.jann@soz.unibe.ch 2017 London Stata Users Group meeting London, September 78, 2017 Ben Jann (University of Bern) Kernel matching London, 07.09.2017 1

943 views • 61 slides
Hierarchical Decompositions of Kernel Matrices Bill March On the job market! UT Austin Dec.

Hierarchical Decompositions of Kernel Matrices Bill March On the job market! UT Austin Dec.

Hierarchical Decompositions of Kernel Matrices Bill March On the job market! UT Austin Dec. 12, 2015 Joint work with Bo Xiao, Chenhan Yu, Sameer Tharakan, and George Biros Kernel Matrix Approximation x i R d i = 1 , . . . , N points

617 views • 26 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

241 views • 5 slides
CSCI 6730 / 4730 Really, the part of the system that runs in kernel mode (or need

CSCI 6730 / 4730 Really, the part of the system that runs in kernel mode (or need

Review : What is An Operating System? Key Points Software ( kernel ) that runs at all times CSCI 6730 / 4730 Really, the part of the system that runs in kernel mode (or need to). Operating Systems But note - there

192 views • 15 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Overview Preliminaries Kernel ridge regression Kernel -means clustering

476 views • 25 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Uncovering Interactions Between Moving Objects Gennady Andrienko &amp; Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko &amp; Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko &amp; Natalia Andrienko http://geoanalytics.net Monica Wachowicz &amp; Daniel Orellana Uncovering Interactions between Moving Objects Research Topic Research focus: interactions (

376 views • 26 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg Kroah-Hartman, David Herrmann, Daniel Mack, Lennart Poettering, Kay Sievers with help from Tejun Heo D-Bus in the Kernel Most newer OS designs started

1.35k views • 111 slides
Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda mulix@mulix.org IBM Haifa Research Lab Kernel Debugging, Haifux 2003 p.1/19 Kernel Debugging - Why? Why would we want to debug the kernel? after

308 views • 19 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner

Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner

Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner with IRIS Date : 23 rd September, 2017 Indian Rural Panel Uncovering Farmers Mindset_777_520 1 Content Overview of Indian agriculture and

268 views • 24 slides
Outline 0024 Spring 2010 21 :: 2 Source [1] Talking About Executions

Outline 0024 Spring 2010 21 :: 2 Source [1] Talking About Executions

Outline 0024 Spring 2010 21 :: 2 Source [1] Talking About Executions Why? Can t we specify the linearization point of each operation without describing an execution? Not Always In some

1.15k views • 62 slides
Kernel PCA for SNe Kernel PCA for SNe photometric classification photometric classification

Kernel PCA for SNe Kernel PCA for SNe photometric classification photometric classification

Kernel PCA for SNe Kernel PCA for SNe photometric classification photometric classification Emille E. O. Ishida IAG University of Sao Paulo, Brazil In collaboration with Rafael S. De Souza (KASI) astro-ph/1201.6676 IAU General Assembly,

155 views • 14 slides
The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel Asynchrony Processes Protection Kernel The software component that controls the hardware directly and implements the core privileged OS

934 views • 62 slides
MVC and MPC K. J. strm Department of Automatic Control, Lund University K. J. strm MVC

MVC and MPC K. J. strm Department of Automatic Control, Lund University K. J. strm MVC

MVC and MPC K. J. strm Department of Automatic Control, Lund University K. J. strm MVC and MPC Congratulations to a Stellar Career! Points of tangency , IFAC Teddington 1964 IFAC Prague 1967 First Identi fi cation Symposium

882 views • 46 slides
of In Individuals Liv iving wit ith Mental Ill Illness Betsy Johnson , Legislative and Policy

of In Individuals Liv iving wit ith Mental Ill Illness Betsy Johnson , Legislative and Policy

Working to End Executions of In Individuals Liv iving wit ith Mental Ill Illness Betsy Johnson , Legislative and Policy Advisor, Treatment Advocacy Center, Columbus, Ohio Kevin R. Werner, Jr., Executive Director, Ohioans to Stop Executions

389 views • 25 slides
D-Bus in the Kernel FOSDEM 2014, Brussels, Belgium January 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel FOSDEM 2014, Brussels, Belgium January 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel FOSDEM 2014, Brussels, Belgium January 2014 D-Bus in the Kernel Who? Greg Kroah-Hartman, Daniel Mack, Lennart Poettering, Kay Sievers with help from Tejun Heo D-Bus in the Kernel Most newer OS designs started around

1.27k views • 111 slides
Automatic Enrollment and Automatic IRAs David C. John The Heritage Foundation The Retirement

Automatic Enrollment and Automatic IRAs David C. John The Heritage Foundation The Retirement

Automatic Enrollment and Automatic IRAs David C. John The Heritage Foundation The Retirement Security Project Automatic Enrollment Works Legal since 1999. All legal questions resolved 2006. Most larger 401(k)s incorporate automatic

137 views • 13 slides

More recommend