Code Validation for Modern OS Kernels

Workshop on Malware Memory Forensics (MMF)

Authors: Thomas Kittel, Sebastian Vogl, Tamas Lengyel, Jonas Pfoh, and Claudia Eckert
Year/month: 2014/12
Booktitle: Workshop on Malware Memory Forensics (MMF)
Fulltext: acsacmmfkittel-2014.pdf

Abstract

The proliferation of kernel mode malware and rootkits over the last decade is one of the most critical challenges the security industry is facing. While mechanisms such as UEFI secure boot in conjunction with signed driver loading effectively verify the integrity of the kernel at load time, runtime verification is still an open problem. Various security systems have been proposed as solutions to protect the integrity of the kernel by performing hash-verification of code pages. This approach requires one to keep track of a potentially large set of hashes. Other approaches that attempt to protect code pages usually do so by heavily restricting the OS from performing otherwise benign optimizations at run-time. In this paper we present an approach for syntactically verifying the integrity of kernel code with the use of semantic (binding) information. By leveraging virtual machine introspection, we examine all kernel code pages at runtime to verify their contents and to reconstruct the active system state. By emulating the OS's patching mechanisms, our system successfully differentiates between malicious and benign code changes. We demonstrate the ability to detect malicious kernel code with a set of rootkit samples. Our method does not restrict modern OS kernels from using otherwise benign patching routines. To further highlight the importance of practical kernel code validation, we also present a critical security issue in the Linux kernel that we discovered in our research and which had thus far remained unnoticed.

Bibtex:

@inproceedings{kittel2014,
  author    = {Thomas Kittel and Sebastian Vogl and Tamas Lengyel and Jonas Pfoh and Claudia Eckert},
  title     = {Code Validation for Modern OS Kernels},
  year      = {2014},
  month     = {December},
  booktitle = {Workshop on Malware Memory Forensics (MMF)},
  url       = {https://www.sec.in.tum.de/i20/publications/code-validation-for-modern-os-kernels/@@download/file/acsacmmfkittel-2014.pdf}
}