Abstract
Kernel callback queues (KQs) are the established mechanism for event handling in modern kernels. Unfortunately, real-world malware has abused KQs to run malicious logic, through an attack called kernel queue injection (KQI). Current kernel-level defense mechanisms have difficulty with KQI attacks, since KQI works without necessarily changing legitimate kernel code or data. In this paper, we present the design, implementation, and evaluation of KQguard, an efficient and effective protection mechanism for KQs. KQguard employs static and dynamic analysis of the kernel and device drivers to learn specifications of legitimate event handlers. At runtime, KQguard rejects all unknown KQ requests that cannot be validated. We implement KQguard on the Windows Research Kernel (WRK), Windows XP, and Linux, using source code instrumentation or binary patching. Our extensive experimental evaluation shows that KQguard is effective (i.e., it can have zero false positives against representative benign workloads after enough training and very low false negatives against 125 real-world malware samples), and that it incurs a small overhead (up to ~5%). We also present the results of an automated analysis of 1,528 real-world kernel-level malware samples aiming to detect their KQ injection behaviors. KQguard protects KQs in both Windows and Linux kernels, can accommodate new device drivers, and can support closed-source device drivers through dynamic analysis of their binary code.
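As an added illustration (not the paper's code or data formats), the following user-space C model shows the learn-then-enforce idea from the abstract: a training phase records which (module, offset) pairs legitimately register event handlers, and enforcement then rejects any KQ request that matches no learned specification. The module names and offsets used in the tests are constructed placeholders.

```c
#include <stdint.h>
#include <string.h>

/* User-space model of a guarded kernel callback queue (KQ), following the
 * learn-then-enforce idea in the abstract: training records which
 * (module, offset) pairs legitimately register event handlers; enforcement
 * then rejects any registration that matches no learned specification.
 * This is an illustration, not KQguard's code or data formats. */

#define MAX_SPECS 16
#define MAX_QUEUE 16

typedef void (*handler_fn)(void);
typedef struct { char module[32]; uint32_t offset; } handler_spec;

static handler_spec learned[MAX_SPECS];
static int n_learned;
static int enforcing;   /* 0 = training, 1 = enforcing */
static handler_fn queue[MAX_QUEUE];
static int n_queue;

static int spec_known(const char *module, uint32_t offset) {
    for (int i = 0; i < n_learned; i++)
        if (learned[i].offset == offset && strcmp(learned[i].module, module) == 0)
            return 1;
    return 0;
}

/* KQ request: (module, offset) stands in for where the callback code lives.
 * Returns 1 if the handler was queued, 0 if the request was rejected. */
int kq_register(const char *module, uint32_t offset, handler_fn fn) {
    if (!enforcing) {
        if (!spec_known(module, offset) && n_learned < MAX_SPECS) {
            strncpy(learned[n_learned].module, module, sizeof learned[0].module - 1);
            learned[n_learned].offset = offset;
            n_learned++;
        }
    } else if (!spec_known(module, offset)) {
        return 0;   /* unknown KQ request in enforcement mode: reject */
    }
    if (n_queue >= MAX_QUEUE) return 0;
    queue[n_queue++] = fn;
    return 1;
}

int kq_set_enforcing(int on) { enforcing = on ? 1 : 0; return enforcing; }
int kq_queue_len(void) { return n_queue; }
int kq_spec_count(void) { return n_learned; }
void demo_handler(void) {}   /* stand-in event handler for tests */
```

Registrations seen during training define the whitelist, so the training workload must be trusted and representative, which is why the abstract qualifies its zero-false-positive result with "after enough training".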
Acknowledgements
This work was partially supported by the United States Army Research Office Grant W911NF-17-1-0437, the National Key R&D Program of China 2018YFB1003201, and NUPT Initial Scientific Research Grant No. NY216016. The views and conclusions contained in this paper are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the United States Army Research Office.
Wei, J., Zhu, F. Binary-centric defense of production operating systems against kernel queue injection attacks. J Comput Virol Hack Tech 15, 259–275 (2019). https://doi.org/10.1007/s11416-019-00337-8