
Assessing the Trustworthiness of Drivers

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7462)

Abstract

Drivers, especially third-party drivers, can contain malicious code (e.g., logic bombs) or carefully designed-in vulnerabilities. In general, static analysis finds it extremely difficult to identify such code and vulnerabilities. Without knowing the exact triggers that cause the code to execute or the vulnerability to be exploited, dynamic taint analysis cannot help either. In this paper, we propose a novel cross-brand comparison approach to assess drivers in a honeypot or testing environment. Using hardware virtualization, we design and deploy replicas that run functionally equivalent drivers developed by different vendors and compare the drivers' runtime behaviour. Whenever the malicious code is executed or the vulnerability is exploited, the analysis captures evidence of malicious driver behaviour by comparing the replicas and identifying the differences between them. Evaluation shows that the approach faithfully reveals various kernel integrity/confidentiality manipulation and resource starvation attacks launched by compromised drivers, and so supports assessing the trustworthiness of the evaluated drivers.
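The comparison step of the cross-brand approach, as an added illustration that is not the paper's code: three replicas of the same guest run functionally equivalent drivers from different vendors under the same workload, and a monitor outside the guest snapshots each replica's kernel state. The observation fields (hashes of the system-call table and IDT, kernel regions the driver read outside its own allocations, CPU time, interrupt-off time, memory held), the 4x resource threshold and the sample data are all constructed assumptions about what a hypervisor-based monitor could record; the replica names and the `h()` hash stand-in are placeholders.

```python
"""Cross-replica behavioural comparison for driver assessment (constructed example)."""
import hashlib
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


def h(label: str) -> bytes:
    """Stand-in for a hash of a kernel data structure captured by the VMM (assumption)."""
    return hashlib.sha256(label.encode()).digest()


@dataclass(frozen=True)
class Observation:
    """One replica's view of the guest kernel after the same workload step.

    The fields are assumptions about what an out-of-guest monitor can snapshot;
    they are not the paper's data format.
    """
    replica: str              # replica identifier (one driver vendor per replica)
    syscall_table: bytes      # hash of the system-call table
    idt: bytes                # hash of the interrupt descriptor table
    kernel_reads: frozenset   # kernel regions the driver read outside its own buffers
    cpu_ms: int               # CPU time the driver consumed in the window
    irq_off_ms: int           # time spent with interrupts disabled
    mem_kb: int               # kernel memory held by the driver


INTEGRITY_WITNESSES = ("syscall_table", "idt")
RESOURCE_COUNTERS = ("cpu_ms", "irq_off_ms", "mem_kb")


def _majority(values):
    """Value shared by the most replicas; a tie is resolved arbitrarily."""
    return Counter(values).most_common(1)[0][0]


def integrity_findings(obs):
    """Replicas whose kernel data structures differ from the majority view.

    Every replica ran the same workload, so a differing system-call table or
    IDT points at the driver that rewrote it (kernel integrity manipulation).
    """
    findings = []
    for witness in INTEGRITY_WITNESSES:
        expected = _majority(getattr(o, witness) for o in obs)
        for o in obs:
            if getattr(o, witness) != expected:
                findings.append((o.replica, "integrity", witness))
    return findings


def confidentiality_findings(obs):
    """Kernel regions that exactly one replica's driver read (confidentiality)."""
    readers = defaultdict(list)
    for o in obs:
        for region in o.kernel_reads:
            readers[region].append(o.replica)
    return [(reps[0], "confidentiality", region)
            for region, reps in readers.items() if len(reps) == 1]


def resource_findings(obs, ratio=4.0):
    """Replicas whose resource use is `ratio` times the median of the others.

    A ratio rather than exact equality absorbs benign cross-vendor differences.
    """
    findings = []
    for counter in RESOURCE_COUNTERS:
        for o in obs:
            others = [getattr(p, counter) for p in obs if p is not o]
            if not others:          # a single replica has nothing to compare against
                continue
            baseline = statistics.median(others)
            if getattr(o, counter) > ratio * max(baseline, 1):
                findings.append((o.replica, "starvation", counter))
    return findings


def assess(obs):
    """Group all divergence findings by replica; replicas without findings are omitted."""
    report = defaultdict(list)
    for replica, kind, detail in (integrity_findings(obs)
                                  + confidentiality_findings(obs)
                                  + resource_findings(obs)):
        report[replica].append((kind, detail))
    return dict(report)


# Constructed observations: three replicas, each with a different vendor's driver
# for the same device, after the same workload step.  "vendorC" is scripted to
# hook the system-call table, read credentials and burn CPU.
SAMPLE = [
    Observation("vendorA", h("sys_call_table v1"), h("idt v1"),
                frozenset({"own_dma_buffer"}), 40, 2, 512),
    Observation("vendorB", h("sys_call_table v1"), h("idt v1"),
                frozenset({"own_dma_buffer"}), 45, 3, 530),
    Observation("vendorC", h("sys_call_table hooked"), h("idt v1"),
                frozenset({"own_dma_buffer", "task_struct.cred"}), 900, 2, 540),
]

if __name__ == "__main__":
    for replica, findings in sorted(assess(SAMPLE).items()):
        print(replica, findings)
```

Two caveats the abstract's approach carries over into any such comparison: majority voting only identifies the replica that differs, so it assumes the other vendors' drivers do not share the same backdoor, and the integrity witnesses must be chosen so that legitimately different drivers still agree on them (data the drivers own, such as their private buffers, will differ harmlessly and has to be excluded).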




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zhang, S., Liu, P. (2012). Assessing the Trustworthiness of Drivers. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_3


  • DOI: https://doi.org/10.1007/978-3-642-33338-5_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33337-8

  • Online ISBN: 978-3-642-33338-5

