Junghwan Rhee - Purdue University
Dec 08, 2010
"Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory"
Dynamic kernel memory has been a popular target of recent kernel malware due to the difficulty of determining the status of volatile dynamic kernel objects. Some existing approaches use kernel memory mapping to identify dynamic kernel objects and check kernel integrity. The snapshot-based memory maps generated by these approaches are based on the kernel memory which may have been manipulated by kernel malware. In addition, because the snapshot only reflects the memory status at a single time instance, its usage is limited in temporal kernel execution analysis. We introduce a new runtime kernel memory mapping scheme called allocation-driven mapping, which systematically identifies dynamic kernel objects, including their types and lifetimes. The scheme works by capturing kernel object allocation and deallocation events. Our system provides a number of unique benefits to kernel malware analysis: (1) an un-tampered view wherein the mapping of kernel data is unaffected by the manipulation of kernel memory and (2) a temporal view of kernel objects to be used in temporal analysis of kernel execution. We demonstrate the effectiveness of allocation-driven mapping in two usage scenarios. First, we build a hidden kernel object detector that uses an un-tampered view to detect the data hiding attacks of 10 kernel rootkits that directly manipulate kernel objects (DKOM). Second, we develop a temporal malware behavior monitor that tracks and visualizes malware behavior triggered by the manipulation of dynamic kernel objects. Allocation-driven mapping enables a reliable analysis of such behavior by guiding the inspection only to the events relevant to the attack.
About the Speaker
Junghwan Rhee is a Ph.D. candidate in the Department of Computer Science at Purdue University. His research interests span the areas of systems security, malware analysis, memory forensics, virtualization, and cloud computing. His recent research focus is kernel malware defense based on kernel data-centric properties. He received a M.S. in Computer Sciences from the University of Texas at Austin in 2005 and a B.E. from Korea University in 2003. He is preparing to graduate with his Ph.D. in 2011.
Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M.
STEW G52 (Suite 050B), West Lafayette Campus. More information...