
Defeating Kernel Driver Purifier

  • Conference paper

Abstract

Kernel driver purification is a technique for detecting and eliminating malicious code embedded in kernel drivers; ideally, only the benign functionality remains after purification. Because many kernel drivers are distributed only in binary form, a kernel driver purifier is effective against existing kernel rootkits. In this paper, however, we demonstrate that an attacker can defeat such purification mechanisms through two different approaches: (1) by exploiting self-checksumming code, or (2) by avoiding calls to kernel APIs. Either approach allows arbitrary code to be injected into a kernel driver. Based on these two offensive schemes, we implement prototypes of both types of rootkit and validate their efficacy through real experiments. Our evaluation shows that the proposed rootkits defeat current purification techniques, retain the same functionality as real-world rootkits, and incur only negligible performance overhead.
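The first of the two approaches named above rests on self-checksumming code: the driver hashes its own text and refuses to function if that text has been altered, so a purifier cannot cut the injected instructions out without also disabling the benign ones. The C program below is an added illustration of that guard and is not code from the paper. The "driver" text is a constructed byte array standing in for a module's .text section, the hash is a plain CRC-32, and the purifier is simulated by a function that overwrites the injected block with NOPs, as a binary-level purifier would. The names `region`, `guard_install`, `guard_check`, `driver_entry`, `purify` and `malicious_block_present` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a driver's .text section: 48 bytes of
 * x86-style opcodes. Bytes 16..31 play the role of the injected
 * (malicious) block; the rest is the "benign" driver body. The values
 * are illustrative, not a real disassembly. */
#define REGION_LEN 48
#define MAL_START  16
#define MAL_LEN    16

unsigned char region[REGION_LEN] = {
    0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20,   /* benign prologue   */
    0x48, 0x8b, 0x47, 0x08, 0x48, 0x85, 0xc0, 0x74,
    0xe8, 0x00, 0x10, 0x00, 0x00, 0x48, 0x89, 0xc7,   /* injected block    */
    0x48, 0xc7, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x0f,
    0x05, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45,   /* benign epilogue   */
    0xf8, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0xcc,
};

/* Standard reflected CRC-32 (polynomial 0xEDB88320), bitwise so that
 * the guard needs no lookup table that a purifier could spot. */
uint32_t crc32_bytes(const unsigned char *p, size_t n) {
    uint32_t crc = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xedb88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Expected value, kept outside the hashed range. In a real module it
 * would be computed at build time and baked into the guard's immediate
 * operand; here it is computed once over the untampered text. */
static uint32_t expected_crc;

void guard_install(void) {
    expected_crc = crc32_bytes(region, REGION_LEN);
}

/* Returns 1 if the text is intact, 0 if any byte has been modified. */
int guard_check(void) {
    return crc32_bytes(region, REGION_LEN) == expected_crc;
}

/* Benign entry point (think of the probe routine). It is gated on the
 * guard, so patching any byte of the region disables benign
 * functionality together with the injected block. */
int driver_entry(void) {
    if (!guard_check())
        return -1;          /* the driver refuses to operate */
    return 0;               /* normal benign behaviour */
}

/* Simulated purifier: excise the injected block by overwriting it
 * with NOPs (0x90). */
void purify(void) {
    memset(region + MAL_START, 0x90, MAL_LEN);
}

/* Returns 1 while the injected block is still present, 0 once purified. */
int malicious_block_present(void) {
    for (size_t i = 0; i < MAL_LEN; i++)
        if (region[MAL_START + i] != 0x90)
            return 1;
    return 0;
}

int main(void) {
    guard_install();
    printf("before purification: driver_entry=%d, malicious=%d\n",
           driver_entry(), malicious_block_present());
    purify();
    printf("after purification:  driver_entry=%d, malicious=%d\n",
           driver_entry(), malicious_block_present());
    return 0;
}
```

The purifier is left with a dilemma: leave the injected block in place, or remove it and ship a driver that no longer works. A purifier could try to locate the comparison and recompute the expected value, which is why practical guard schemes (Chang and Atallah, Horne et al.) use several guards that check one another and the guard code itself, so that patching one is caught by another.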




Corresponding author

Correspondence to Jidong Xiao.


Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Xiao, J., Huang, H., Wang, H. (2015). Defeating Kernel Driver Purifier. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_7


  • DOI: https://doi.org/10.1007/978-3-319-28865-9_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-28864-2

  • Online ISBN: 978-3-319-28865-9

