multi aspect profiling of kernel rootkit behavior
play

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, - PowerPoint PPT Presentation

Oct 06, 2022 •143 likes •674 views

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nrnberg, Germany Rootkits Stealthy malware Hide attacker Modifying the OS

  1. Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nürnberg, Germany

  2. Rootkits • Stealthy malware • Hide attacker • Modifying the OS kernel in memory • Injecting new code • Injecting new code • Threat model: – “Root” privileges – Full memory access 2

  3. In the news… 3

  4. Rootkit techniques 4

  5. Rootkit techniques adore-ng • • Linux 2.4/2.6 Linux 2.4/2.6 • Kernel module • Adds “custom” functions 5 5

  6. Rootkit techniques adore-ng hp • • Linux 2.4/2.6 Linux 2.4/2.6 • • Linux 2.4 Linux 2.4 • Kernel module • Kernel module • Adds “custom” • Modifies kernel functions objects 6 6

  7. Profiling a rootkit? • Quickly reveal behavior • Tool for malware investigators • Honeypot environment • This is hard, rootkits are highly privileged! • This is hard, rootkits are highly privileged! 7

  8. Profiling: Determining behavior 1. What code does it run? 2. What kernel objects does it modify? 3. How does it modify control flow? 4. What system calls are affected at user- level? 8 8

  9. PoKeR: Architecture Virtual Machine Kernel Symbols & Kernel Object Types User-level Applications User-level Applications Kernel Object Kernel Object Log Guest Kernel Interpretation Interpretation Logging and Logging and Right-Before Context Context Detection Tracking Tracking Profile Profile Virtual Machine Monitor 9

  10. PoKeR: Architecture Logging and Logging and Right-Before Context Context Detection Tracking Tracking 10

  11. “Right before” detection? VM Applications Guest OS VMM VMM NICKLE Module Standard Shadow 11 11

  12. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Standard Shadow 12 12

  13. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Guest Kernel Instruction Fetch Standard Shadow 13 13

  14. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Standard Shadow 14 14

  15. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Other Memory Access Standard Shadow 15 15

  16. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Standard Shadow 16 16

  17. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Other Memory Access Guest Kernel Instruction Fetch Standard Shadow 17 17

  18. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Memory Access Standard Shadow 18 18

  19. “Right before” detection? VM Applications Guest OS Memory Access Memory Access VMM VMM NICKLE Module Memory Access Compare Standard Shadow 19 19

  20. What code does it run? • Compare standard and shadow memories – Extract code as – Extract code as you go 20 20

  21. PoKeR: Architecture Virtual Machine Kernel Symbols & Kernel Object Types User-level Applications User-level Applications Kernel Object Kernel Object Log Guest Kernel Interpretation Interpretation Logging and Logging and Right-Before Context Context Detection Tracking Tracking Profile Profile Virtual Machine Monitor 21

  22. Kernel Symbols & Kernel Object Types Kernel Object Kernel Object Log Interpretation Interpretation Logging and Logging and Context Context Tracking Tracking 22

  23. Logging and context tracking • Logging rootkit code… – Execution – Reads – Writes – Writes 23 23

  24. What kernel objects does it modify? • We have memory writes from rootkit code • Use static analysis to build a map – Kernel with debug symbols 24

  25. What about dynamic allocation? • Some objects are allocated dynamically 25 25

  26. What about dynamic allocation? • Some objects are allocated dynamically Static Objects Dynamic Objects task_struct task_struct init_task init_task 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11a0000 0xc11b0000 0xc11c0000 … … … 26 26

  27. Simple observation #1 Static Objects Dynamic Objects 27 27

  28. Simple observation #1 Static Objects Dynamic Objects 28 28

  29. Simple observation #2 • The rootkit is just as ignorant as we are • It will find dynamic objects by starting at static ones 29 29

  30. “Combat tracking” • Track rootkit reads • Build a map of dynamic memory • Reverse VMI 30 30

  31. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 31 31

  32. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid � 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 32 32

  33. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 33 33

  34. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 � next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 34 34

  35. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 � next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 35 35

  36. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 36 36

  37. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid � pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 37 37

  38. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 38 38

  39. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 � next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 39 39

  40. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 � next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 0xc11b0000 – task_struct 40 40

  41. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 0xc11b0000 – task_struct 41 41

  42. Combat tracking example Static Objects Dynamic Objects task_struct task_struct init_task 0xc11a0000 0xc11b0000 0xc0300000 � pid pid pid 0 1 2 next_task next_task next_task 0xc11c0000 0xc11c0000 0xc11a0000 0xc11a0000 0xc11b0000 0xc11b0000 … … … Memory Map Output 0xc0300000 – task_struct 0xc11a0000 – task_struct 0xc11b0000 – task_struct 42 42

Recommend

Tensor Decompositions for ensor Decompositions for Big Multi-aspect Data Big Multi-aspect Data

Tensor Decompositions for ensor Decompositions for Big Multi-aspect Data Big Multi-aspect Data

Tensor Decompositions for ensor Decompositions for Big Multi-aspect Data Big Multi-aspect Data Analytics Analytics Evangelos Evangelos (V (Vagelis) agelis) Papalexakis Papalexakis UC Riverside Second W Second Workshop of Mission-Critical

535 views • 42 slides
Profiling the Memory Usage of OCaml Applications without Changing their Behavior OCaml 2013

Profiling the Memory Usage of OCaml Applications without Changing their Behavior OCaml 2013

Profiling the Memory Usage of OCaml Applications without Changing their Behavior OCaml 2013 agdas Bozman 1 , 2 , 3 C Thomas Gazagnaire 1 Fabrice Le Fessant 2 Michel Mauny 3 OCamlPro 1 | INRIA 2 | ENSTA-ParisTech 3 Sept. 24 2013 - Boston (MA)

713 views • 18 slides
Profiling I nternet Backbone Traffic: Behavior Models and Applications Kuai Xu, Zhi-Li Zhang,

Profiling I nternet Backbone Traffic: Behavior Models and Applications Kuai Xu, Zhi-Li Zhang,

ACM SIGCOMM 2005 Profiling I nternet Backbone Traffic: Behavior Models and Applications Kuai Xu, Zhi-Li Zhang, and Supratik Bhattacharyya University of Minnesota Sprint ATL August 24, 2005 Why profile traffic? Changes in

709 views • 25 slides
Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry anthony.lineberry@gmail.com Black Hat Europe 2009 Overview What is a rootkit? Why is protec:on difficult? Current protec:on mechanisms/bypasses

638 views • 52 slides
Aspect-Oriented Programming and Aspect-J TDDD05 Ola Leifer Most slides courtesy of Jens

Aspect-Oriented Programming and Aspect-J TDDD05 Ola Leifer Most slides courtesy of Jens

Aspect-Oriented Programming and Aspect-J TDDD05 Ola Leifer Most slides courtesy of Jens Gustafsson and Mikhail Chalabine Outline: Aspect-Oriented Programming New concepts introduced Crosscutting concern Aspect Dynamic aspect

1.12k views • 50 slides
Spiking row-by-row FPGA Multi-kernel and Multi-layer Convolution Processor. Ricardo Tapiador

Spiking row-by-row FPGA Multi-kernel and Multi-layer Convolution Processor. Ricardo Tapiador

Spiking row-by-row FPGA Multi-kernel and Multi-layer Convolution Processor. Ricardo Tapiador Morales Robotic & Tech of Computers Lab, University of Seville ricardo@atc.us.es Convolutional neural networks ricardo@atc.us.es 2

370 views • 12 slides
ProfileDroid: Multi-layer Profiling of Android Applications Xuetao Wei Lorenzo Gomez Iulian

ProfileDroid: Multi-layer Profiling of Android Applications Xuetao Wei Lorenzo Gomez Iulian

ProfileDroid: Multi-layer Profiling of Android Applications Xuetao Wei Lorenzo Gomez Iulian Neamtiu Michalis Faloutsos How do we know what is occuring in an app? Description, connections, services? >550 000 apps on Goal - Complete app

723 views • 24 slides
Profiling Go Code FLAME GRAPHS Ram Nadella Online Marketplace CPU Flame Graph of Linux Kernel

Profiling Go Code FLAME GRAPHS Ram Nadella Online Marketplace CPU Flame Graph of Linux Kernel

Profiling Go Code FLAME GRAPHS Ram Nadella Online Marketplace CPU Flame Graph of Linux Kernel Flame Graphs Function call stacks Each cell => Function Width => cost of the function Colors have no meaning Flame Graphs

775 views • 28 slides
Ark: A Kernel For Multi-Paradigm Modeling MSDL Summer Presentation 2009 Xiaoxi Dong, MSDL,

Ark: A Kernel For Multi-Paradigm Modeling MSDL Summer Presentation 2009 Xiaoxi Dong, MSDL,

Ark: A Kernel For Multi-Paradigm Modeling MSDL Summer Presentation 2009 Xiaoxi Dong, MSDL, McGill University Content Intention of A kernel for multi-paradigm modeling Ark Overview: hierarchical modeling environment Ark breakdown:

540 views • 27 slides
Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in recovering and development processes Natalia Krynsky Baal , Coordinator, Joint IDP Profiling Service WHAT IS PROFILING? Defining profiling A

439 views • 12 slides
Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do Virtualization 101 Vitriol/Hyperjacking (and other HVM Rootkits) Why detecting HVMs arent as difficult as you think Pro Forma Punditry

428 views • 41 slides
PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS X U ETAO WEI LOREN Z O GOM EZ

PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS X U ETAO WEI LOREN Z O GOM EZ

PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS X U ETAO WEI LOREN Z O GOM EZ PROFESSOR I U LI AN N EAM T I U PROFESSOR M I CH ALI S FALOU T SOS U N I V ERSI T Y OF CALI FORN I A, RI V ERSI DE WE DEPEND ON SMARTPHONES MORE AND

316 views • 29 slides
Advanced Computer Graphics CS 525M: ProfileDroid: Multi layer Profiling of Android Applications

Advanced Computer Graphics CS 525M: ProfileDroid: Multi layer Profiling of Android Applications

Advanced Computer Graphics CS 525M: ProfileDroid: Multi layer Profiling of Android Applications Cheng Cheng Computer Science Dept. Worcester Polytechnic Institute (WPI) Motivation More and more people Android is an very use smartphones

548 views • 23 slides
Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of algorithms. Profiling techniques fall into two main categories: Instruction counting the number of times which particular instruction(s)

672 views • 19 slides
Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit

Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit

Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking

297 views • 17 slides
COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling Issues with current profilers Causal profiling COZ Overview and Implementation COZ Evaluation Comparison with Pivot Tracing

660 views • 23 slides
Conclusions TRECVID 2008 Conclusions TRECVID 2008 Good settings for Bag Good settings

Conclusions TRECVID 2008 Conclusions TRECVID 2008 Good settings for Bag Good settings

MediaMill TRECVID 2009 17 11 2009 Multi Multi- -Frame, Multi Frame, Multi- -Modal, and Multi Modal, and Multi- -Kernel Kernel Concept Detection in Video Concept Detection in Video Cees Cees G.M. Snoek , G.M. Snoek , Koen

487 views • 15 slides
An introduction to Profiling Physics Coding Club: 09/06/2017 D. Dickinson

An introduction to Profiling Physics Coding Club: 09/06/2017 D. Dickinson

An introduction to Profiling Physics Coding Club: 09/06/2017 D. Dickinson (d.dickinson@york.ac.uk) Overview What is meant by profiling? Why do we care about profiling? How do we do profiling? Specific example using Scalasca

912 views • 22 slides
2020-1 UROP 2020.03.12 2016-12146 Seri Lee Goal Multi-Behavior Recommendation Given user

2020-1 UROP 2020.03.12 2016-12146 Seri Lee Goal Multi-Behavior Recommendation Given user

2020-1 UROP 2020.03.12 2016-12146 Seri Lee Goal Multi-Behavior Recommendation Given user behavior data of multiple types, predict users next behaviors of target type. Approach Implement an RNN-based recommendation algorithm for a

230 views • 18 slides
Profiling of Data-Parallel Processors Daniel Kruck 09/02/2014 09/02/2014 Profiling Daniel

Profiling of Data-Parallel Processors Daniel Kruck 09/02/2014 09/02/2014 Profiling Daniel

Profiling of Data-Parallel Processors Daniel Kruck 09/02/2014 09/02/2014 Profiling Daniel Kruck 1 / 41 Outline Motivation 1 Background - GPUs 2 Profiler 3 NVIDIA Tools Lynx Optimizations 4 Conclusion 5 09/02/2014 Profiling

441 views • 41 slides
Web User Profiling using Data Redundancy http://aminer.org/profiling Xiaotao Gu, Hong Yang, Jie

Web User Profiling using Data Redundancy http://aminer.org/profiling Xiaotao Gu, Hong Yang, Jie

Web User Profiling using Data Redundancy http://aminer.org/profiling Xiaotao Gu, Hong Yang, Jie Tang, Jing Zhang Tsinghua University 1 Web User Profiling using Data Redundancy Introduction Traditional Way Basic Idea

717 views • 34 slides
GreenSONAR A multi-domain energy profiling system based on perfSONAR Lutz Engels Todor Yakimov

GreenSONAR A multi-domain energy profiling system based on perfSONAR Lutz Engels Todor Yakimov

GreenIT Research Results GreenSONAR A multi-domain energy profiling system based on perfSONAR Lutz Engels Todor Yakimov University of Amsterdam System and Network Engineering February 8, 2013 Lutz Engels, Todor Yakimov GreenSONAR 1 / 23

308 views • 28 slides
Exploiting Domain Knowledge in Aspect Extraction Meichun Hsu Zhiyuan (Brett) Chen Malu

Exploiting Domain Knowledge in Aspect Extraction Meichun Hsu Zhiyuan (Brett) Chen Malu

Exploiting Domain Knowledge in Aspect Extraction Meichun Hsu Zhiyuan (Brett) Chen Malu Castellanos Arjun Mukherjee Riddhiman Ghosh Bing Liu Aspect Extraction Extracting aspect terms Aspect Terms This camera takes beautiful pictures but

985 views • 70 slides
GenerOS: An Asymmetric Operating System Kernel for Multi-core Systems Authors: Qingbo Yuan,

GenerOS: An Asymmetric Operating System Kernel for Multi-core Systems Authors: Qingbo Yuan,

IPDPS 2010 @ Atlanta GenerOS: An Asymmetric Operating System Kernel for Multi-core Systems Authors: Qingbo Yuan, Jianbo Zhao, Mingyu Chen, Ninghui Sun Institute of Computing Technology Chinese Academy of Sciences yuanbor@ncic.ac.cn Speaker:

760 views • 28 slides

More recommend