Towards Automatic Inference of Kernel Object Semantics from Binary Code

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9404)

Abstract

This paper presents Argos, the first system that can automatically uncover the semantics of kernel objects directly from a kernel binary. Based on the principle that data use reveals data semantics, it starts from the execution of system calls (i.e., the user-level application interface) and exported kernel APIs (i.e., the kernel module development interface), automatically tracks how each instruction accesses kernel objects, and assigns a bit-vector to each observed kernel object. This bit-vector encodes which system call accesses the object and how the object is accessed (e.g., read, write, create, destroy); from it we derive the meaning of the kernel object using a set of rules developed from the general understanding of OS kernels. Experimental results with Linux kernels show that Argos recognizes the semantics of the kernel objects of interest, and can even directly pinpoint important kernel data structures such as the process descriptor and memory descriptor across different kernels. We have applied Argos to recognize internal kernel functions using the inferred kernel objects, and we demonstrate that with Argos we can build a more precise kernel event tracking system by hooking these internal functions.
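As an added illustration (not code from the paper or from the Argos implementation), the following Python models the bit-vector encoding the abstract describes: each observed kernel object gets one bit per (system call, access kind) pair, and a rule set maps a vector to a label such as "process descriptor". The syscall list, access kinds, access trace and rules are constructed assumptions for this toy, not the paper's actual rule set.

```python
# Toy model of the Argos bit-vector idea (added example, not Argos's code).
# Each kernel object gets a vector recording which syscall touched it and how;
# a rule set then labels the object. Syscalls, rules and trace are assumptions.
from dataclasses import dataclass

# Assumed syscall universe and access kinds for this toy (not from the paper).
SYSCALLS = ["clone", "exit", "getpid", "mmap", "munmap", "brk", "read", "write"]
ACCESS = ["read", "write", "create", "destroy"]
BITS_PER_SYSCALL = len(ACCESS)

def bit_index(syscall: str, access: str) -> int:
    """Position of the (syscall, access) pair inside an object's bit-vector."""
    return SYSCALLS.index(syscall) * BITS_PER_SYSCALL + ACCESS.index(access)

@dataclass
class KernelObject:
    addr: int
    vector: int = 0  # one bit per (syscall, access) pair

    def record(self, syscall: str, access: str) -> None:
        self.vector |= 1 << bit_index(syscall, access)

    def has(self, syscall: str, access: str) -> bool:
        return bool((self.vector >> bit_index(syscall, access)) & 1)

def build_vectors(trace):
    """trace: (syscall, object_addr, access) tuples observed while tracking
    instruction-level memory accesses during each system call."""
    objs = {}
    for syscall, addr, access in trace:
        objs.setdefault(addr, KernelObject(addr)).record(syscall, access)
    return objs

# Hypothetical rules in the spirit of "data use reveals data semantics":
# a label applies when every required (syscall, access) bit is set.
RULES = [
    ("process descriptor", [("clone", "create"), ("exit", "destroy"), ("getpid", "read")]),
    ("memory descriptor", [("mmap", "write"), ("munmap", "write"), ("brk", "write")]),
]

def infer_semantics(obj: KernelObject) -> str:
    for label, required in RULES:
        if all(obj.has(s, a) for s, a in required):
            return label
    return "unknown"

# Constructed trace over three objects at fake addresses.
TRACE = [
    ("clone", 0xFFFF0001, "create"), ("getpid", 0xFFFF0001, "read"),
    ("exit", 0xFFFF0001, "destroy"),
    ("clone", 0xFFFF0002, "create"), ("mmap", 0xFFFF0002, "write"),
    ("brk", 0xFFFF0002, "write"), ("munmap", 0xFFFF0002, "write"),
    ("read", 0xFFFF0003, "read"),
]

def classify_trace(trace=TRACE) -> dict:
    return {hex(a): infer_semantics(o) for a, o in build_vectors(trace).items()}
```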

Notes

  1. Note that Argos is an automated offline system. Performance is not a big issue as long as we produce the result in a reasonable amount of time.

  2. Note that we show the symbol name instead of the address in Fig. 4 just for the readability of the type graph.

Acknowledgement

We thank our shepherd William Robertson and other anonymous reviewers for their insightful comments. This research was partially supported by an AFOSR grant FA9550-14-1-0119, and an NSF grant 1453011. Any opinions, findings, conclusions, or recommendations expressed are those of the authors and not necessarily of the AFOSR and NSF.

Corresponding author

Correspondence to Zhiqiang Lin.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Zeng, J., Lin, Z. (2015). Towards Automatic Inference of Kernel Object Semantics from Binary Code. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science(), vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_25

  • DOI: https://doi.org/10.1007/978-3-319-26362-5_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5

  • eBook Packages: Computer Science (R0)
