Mapping kernel objects to enable systematic integrity checking

Carbone, Martim; Cui, Weidong; Lu, Long; Lee, Wenke; Peinado, Marcus; Jiang, Xuxian

doi:10.1145/1653662.1653729

Cited by 100 publications

(96 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Searching overheads: In practice, searching for data structures in a kernel memory snapshot can take from tens of milliseconds [51] up to to several minutes [31]. Thus, most systems reduce overheads by searching periodically and asynchronously ( §IV-A).…”

Section: A Learning and Reconstructionmentioning

confidence: 99%

“…Kernel Object Pinpointer (KOP) [31] extended a fast aliasing analysis developed for non-security purposes [49], with several additional features, including: field-sensitivity, allowing KOP to differentiate accesses made to different fields within the same struct; context-sensitivity, differentiating different uses of union types and void pointers based on type information in code at the call sites; as well as inter-procedural and flow-insensitive analysis, rendering the analysis robust to conditional control flow, e.g., if statements. In applying the static analysis to a memory snapshot, KOP begins with global symbols and traverses all pointers in the identified data structures to generate a graph of kernel data structures.…”

Section: A Learning and Reconstructionmentioning

confidence: 99%

See 1 more Smart Citation

SoK: Introspections on Trust and the Semantic Gap

Jain

Baig

Zhang

et al. 2014

2014 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-An essential goal of Virtual Machine Introspection (VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardwarelevel view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools.Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space.This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS.Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.

show abstract

Section: A Learning and Reconstructionmentioning

confidence: 99%

Section: A Learning and Reconstructionmentioning

confidence: 99%

SoK: Introspections on Trust and the Semantic Gap

Jain

Baig

Zhang

et al. 2014

2014 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Prior work identifies data structures in memory by traversing pointers starting from program (kernel) global variables and following the points-to relationships to reach instances of the data structure. KOP [5], MAS [16], FATKIT [1] and VOLATILITY [3] all use such technique. While SIGPATH also leverages this approach the substantial difference is that these works require access to the target's source code or its data structure definitions in symbol files.…”

Section: Related Workmentioning

confidence: 99%

“…These data structures store private, often sensitive, data of interest such as running processes in an OS, unit and resource information in online games, and credentials and contact information in Instant Messengers (IM). Such capability is crucial for memory forensics [1][2][3][4], rootkit detection [5][6][7], game hacking [8], reverse engineering [9][10][11], and virtual machine introspection (VMI) [12].…”

Section: Introductionmentioning

confidence: 99%

“…Prior memory analysis works reuse the target's binary code or APIs to dump the data of interest (e.g., the UNIX ps command to list processes) [13,14], or leverage the target's source code and debugging symbols [5,15,16]. However, most application-level programs do not expose external APIs to examine the data of interest and commercial off-the-self (COTS) programs rarely have source code or debugging symbols available.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

SigPath: A Memory Graph Based Approach for Program Data Introspection and Modification

Urbina

Caballero

et al. 2014

Computer Security - ESORICS 2014

View full text Add to dashboard Cite

Abstract. Examining and modifying data of interest in the memory of a target program is an important capability for security applications such as memory forensics, rootkit detection, game hacking, and virtual machine introspection. In this paper we present a novel memory graph based approach for program data introspection and modification, which does not require source code, debugging symbols, or any API in the target program. It takes as input a sequence of memory snapshots taken while the program executes, and produces a path signature, which can be used in different executions of the program to efficiently locate and traverse the in-memory data structures where the data of interest is stored. We have implemented our approach in a tool called SIGPATH. We have applied SIG-PATH to game hacking, building cheats for 10 popular real-time and turn-based games, and for memory forensics, recovering from snapshots the contacts a user has stored in four IM applications including Skype and Yahoo Messenger.

show abstract