
Binary-centric defense of production operating systems against kernel queue injection attacks

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Kernel callback queues (KQs) are the established mechanism for event handling in modern kernels. Unfortunately, real-world malware has abused KQs to run malicious logic, through an attack called kernel queue injection (KQI). Current kernel-level defense mechanisms have difficulties with KQI attacks, since they work without necessarily changing legitimate kernel code or data. In this paper, we present the design, implementation, and evaluation of KQguard, an efficient and effective protection mechanism of KQs. KQguard employs static and dynamic analysis of kernel and device drivers to learn specifications of legitimate event handlers. At runtime, KQguard rejects all the unknown KQ requests that cannot be validated. We implement KQguard on the Windows Research Kernel (WRK), Windows XP, and Linux, using source code instrumentation or binary patching. Our extensive experimental evaluation shows that KQguard is effective (i.e., it can have zero false positives against representative benign workloads after enough training and very low false negatives against 125 real-world malware), and it incurs a small overhead (up to ~5%). We also present the result of an automated analysis of 1,528 real-world kernel-level malware samples aiming to detect their KQ Injection behaviors. KQguard protects KQs in both Windows and Linux kernels, can accommodate new device drivers, and can support closed source device drivers through dynamic analysis of their binary code.
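The runtime check the abstract describes, as an added illustration that is not the paper's or KQguard's code: a user-space C model of a kernel callback queue whose insert path validates every handler against a learned allow-list of (module, entry-point offset) pairs and rejects the rest. The module map, the learned specifications and all addresses are constructed for the example, and KQguard's real specification format, analysis passes and kernel hooks are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not KQguard's code: a user-space model of a kernel
 * callback queue (KQ) guarded by a learned allow-list of event handlers.
 * The paper learns which entry points legitimately register callbacks;
 * here that knowledge is a constructed table. */

#define MAX_KQ 16

/* A loaded kernel module as seen by the guard (constructed values). */
typedef struct {
    const char *name;
    uintptr_t base;
    size_t size;
} module_t;

/* A learned handler specification: module name plus the offset from its
 * base at which a legitimate callback entry point lies. */
typedef struct {
    const char *module;
    uintptr_t offset;
} handler_spec_t;

/* A pending callback request: the kernel would later call handler(ctx). */
typedef struct {
    uintptr_t handler;
    void *ctx;
} kq_request_t;

typedef struct {
    kq_request_t items[MAX_KQ];
    int count;     /* requests accepted into the queue */
    int rejected;  /* requests refused by the guard, kept for review */
} kq_t;

/* Constructed module map: two "drivers" at made-up addresses. */
static const module_t modules[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x00200000u },
    { "good.sys",     0xF8A00000u, 0x00010000u },
};

/* Constructed learned specs: the guard trusts only these entry points. */
static const handler_spec_t learned[] = {
    { "ntoskrnl.exe", 0x00012340u },
    { "good.sys",     0x00001000u },
};

static const module_t *find_module(uintptr_t addr) {
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++) {
        if (addr >= modules[i].base && addr < modules[i].base + modules[i].size)
            return &modules[i];
    }
    return NULL;
}

/* Returns 1 if handler matches a learned (module, offset) pair, else 0.
 * A handler in an unmapped region, or inside a known module at an
 * unlearned offset, is rejected. */
int kq_validate(uintptr_t handler) {
    const module_t *m = find_module(handler);
    if (!m) return 0;
    uintptr_t off = handler - m->base;
    for (size_t i = 0; i < sizeof learned / sizeof learned[0]; i++) {
        if (strcmp(learned[i].module, m->name) == 0 && learned[i].offset == off)
            return 1;
    }
    return 0;
}

/* Guarded insert: only validated requests reach the queue.
 * Returns 1 on insert, 0 on rejection. */
int kq_insert(kq_t *q, uintptr_t handler, void *ctx) {
    if (q->count >= MAX_KQ || !kq_validate(handler)) {
        q->rejected++;
        return 0;
    }
    q->items[q->count].handler = handler;
    q->items[q->count].ctx = ctx;
    q->count++;
    return 1;
}

/* Feeds four constructed requests through the guard; returns the number
 * accepted (2) so the result can be checked without reading stdout. */
int kq_demo(void) {
    kq_t q = {0};
    kq_insert(&q, 0x80412340u, NULL);  /* learned ntoskrnl handler: accepted */
    kq_insert(&q, 0xF8A01000u, NULL);  /* learned good.sys handler: accepted */
    kq_insert(&q, 0x00401000u, NULL);  /* unmapped address: rejected */
    kq_insert(&q, 0xF8A05000u, NULL);  /* known module, unlearned offset: rejected */
    printf("queued=%d rejected=%d\n", q.count, q.rejected);
    return q.count;
}

int main(void) {
    kq_demo();
    return 0;
}
```

The fourth request is the case worth noticing: the handler address lies inside a trusted module, so a coarse "is it in a known driver image" check would pass it, while the learned entry-point specification does not.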



Acknowledgements

This work was partially supported by the United States Army Research Office Grant W911NF-17-1-0437, the National Key R&D Program of China 2018YFB1003201, and NUPT Initial Scientific Research Grant No. NY216016. The views and conclusions contained in this paper are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the United States Army Research Office.


Correspondence to Jinpeng Wei.


Cite this article

Wei, J., Zhu, F. Binary-centric defense of production operating systems against kernel queue injection attacks. J Comput Virol Hack Tech 15, 259–275 (2019). https://doi.org/10.1007/s11416-019-00337-8
