DOI: 10.1145/2857705.2857707
ACM Conferences, CODASPY Conference Proceedings
Research article, Public Access

Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics

Published: 09 March 2016

Abstract

Modern OS kernels including Windows, Linux, and Mac OS have all adopted kernel Address Space Layout Randomization (ASLR), which shifts the base address of kernel code and data to a different location in each run. Consequently, when performing introspection or forensic analysis of kernel memory, we cannot use any pre-determined addresses to interpret kernel events. Instead, we must derandomize the address space layout and use the new addresses. However, few efforts have been made to derandomize the kernel address space, and many questions remain, such as which approach is more efficient and robust. Therefore, we present the first systematic study of how to derandomize a kernel when given a memory snapshot of a running kernel instance. Unlike the derandomization approaches used in traditional memory exploits, in which only remote access is available, in introspection and forensics applications we can use all the information available in kernel memory to generate signatures and derandomize the ASLR. In other words, there is a large volume of possible solutions to this problem. As such, in this paper we examine a number of typical approaches to generating strong signatures from both kernel code and data, based on the insight of how kernel code and data are updated, and compare them from the perspectives of efficiency (in terms of simplicity, speed, etc.) and robustness (e.g., whether the approach is hard to evade or forge). In particular, we have designed four approaches, brute-force code scanning, patched code signature generation, unpatched code signature generation, and a read-only pointer based approach, according to the intrinsic behavior of kernel code and data with respect to kernel ASLR. We have obtained encouraging results for each of these approaches, and the corresponding experimental results are reported in this paper.



Published In

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016, 340 pages
ISBN: 9781450339353
DOI: 10.1145/2857705

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. kernel address space layout randomization
  2. memory forensics
  3. virtual machine introspection


Funding Sources

  • NSF
  • NSA
  • AFOSR

Conference

CODASPY '16

Acceptance Rates

CODASPY '16 paper acceptance rate: 22 of 115 submissions, 19%
Overall acceptance rate: 149 of 789 submissions, 19%

Article Metrics

  • Downloads (last 12 months): 96
  • Downloads (last 6 weeks): 18

Reflects downloads up to 10 Oct 2024

Cited By

  • (2024) Active and passive virtual machine introspection on AMD and ARM processors. Journal of Systems Architecture, 149:C. DOI: 10.1016/j.sysarc.2024.103101. Online publication date: 1-Apr-2024
  • (2023) Runtime software patching: Taxonomy, survey and future directions. Journal of Systems and Software, 200 (111652). DOI: 10.1016/j.jss.2023.111652. Online publication date: Jun-2023
  • (2021) Cyber Crime Investigation: Landscape, Challenges, and Future Research Directions. Journal of Cybersecurity and Privacy, 1:4 (580-596). DOI: 10.3390/jcp1040029. Online publication date: 30-Sep-2021
  • (2019) A Novel and Fine-grained Heap Randomization Allocation Strategy for Effectively Alleviating Heap Buffer Overflow Vulnerabilities. Proceedings of the 2019 4th International Conference on Mathematics and Artificial Intelligence, 115-122. DOI: 10.1145/3325730.3325738. Online publication date: 12-Apr-2019
  • (2019) Introducing the Temporal Dimension to Memory Forensics. ACM Transactions on Privacy and Security, 22:2 (1-21). DOI: 10.1145/3310355. Online publication date: 18-Mar-2019
  • (2017) HyBIS: Advanced Introspection for Effective Windows Guest Protection. ICT Systems Security and Privacy Protection, 189-204. DOI: 10.1007/978-3-319-58469-0_13. Online publication date: 4-May-2017
  • (2016) Jump over ASLR. The 49th Annual IEEE/ACM International Symposium on Microarchitecture, 1-13. DOI: 10.5555/3195638.3195686. Online publication date: 15-Oct-2016
  • (2016) Jump over ASLR: Attacking branch predictors to bypass ASLR. 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), 1-13. DOI: 10.1109/MICRO.2016.7783743. Online publication date: Oct-2016
  • (2016) Automatic Uncovering of Tap Points from Kernel Executions. Research in Attacks, Intrusions, and Defenses, 49-70. DOI: 10.1007/978-3-319-45719-2_3. Online publication date: 7-Sep-2016
  • (no date) Runtime Software Patching: Taxonomy, Survey and Future Directions. SSRN Electronic Journal. DOI: 10.2139/ssrn.4062747
