SlideShare a Scribd company logo

Analyzing Kernel Security and Approaches for Improving it

M
Milan Rajpara

This presentation gives a basic detail on kernel security and different approaches to improving it.

EducationTechnology
1 of 27
Download to read offline
Analyzing Kernel Security and Approaches for Improving It Milan Rajpara IT Systems and Network Security Gujarat Technological University C DAC Ahmedabad Pune
Agenda • Kernel Introduction • Necessity for Kernel Security • Kernel breach • Analyzing Kernel Security • Improving Approaches • Future Work Milan Rajpara October 8, 2013 2
What is Kernel ? • A computer program that manages input/output requests from software and translates them into data processing instructions for the central processing unit and other electronic components of a computer. [Wikipedia] • The kernel is a fundamental part of a modern computer's operating system. • OS rests on a outer ring, and application above that. Fig: Privilege rings for the x86 available in protected mode [Source: Wikipedia] Milan Rajpara October 8, 2013 3
Necessity for Kernel Security • Kernel, a vary basic (core) part of the Operating Systems • Single vulnerability will be exposes large number of systems • Increasing of Cloud Usage with Virtual Systems • Smartphones now is in every hand Milan Rajpara October 8, 2013 4
We talk on .. • Kernels for General Purpose Operating System • Some Linux flavor gives Server Optimized Kernel • Ex. Ubuntu older then 12.04, were gave this option. Since 12.04, linux-image-server is merged into linuximage-generic, there is no difference between Generic and Server kernel. [4] • Windows do not disclose. • Kernels which Constructed in C language • Almost kernels are in C • Improvement for Monolithic kernels • All work performed in Virtual environment • The Xen, and VMware used Milan Rajpara October 8, 2013 5
How Kernel Affected ? • By Kernel level rootkits • Manipulating pointers • Manipulating data • Direct Kernel Object Manipulation (DKOM) • By Boot-kits • Via hooking techniques • Direct Hardware or Firmware injection Milan Rajpara October 8, 2013 6
Effect of this Attacks • Escalate a process’ privileges by overwriting the process’ credentials • Hide itself by illicitly removing data structures identifying their presence from loaded drivers • Eliding task structures for the processes from the kernel’s process accounting list • Alter the overall behavior of OS without injecting any malicious code into the kernel address space, by just pointer manipulating. Milan Rajpara October 8, 2013 7
How to analyze the Kernel Security • Find the most critical objects of the kernel, without prior knowledge of the OS kernel data layout in memory • Identifying OS Kernel Objects for Run-time Security Analysis • Sort-out objects which are vulnerable to hijack • Do Kernel Data Disambiguation • This will make the system easy to analyze Milan Rajpara October 8, 2013 8
Most critical objects in Kernel • Windows and Linux, the core kernel part are mostly written in C • 40% inter-data structure relations are Pointer based • 35% of these are Generic Pointers • Pointers which defines at run time, no initial value or data type is associated • 28% kernel data structure are well known objects Milan Rajpara October 8, 2013 9
Generic Pointer Problem • It is the weak link in kernel security • Use of void pointers *, assists hackers to point somewhere else • Use of NULL pointers (to implements linklist), helps hackers to hide / change runtime objects. • Use of Casting in C • Enables the hackers to exploit data structure layout in physical memory Milan Rajpara October 8, 2013 10
To Find Critical Objects 1. Memory Mapping techniques • Travers address space from global variables via pointer dereferencing until reaching running object. • according to a predefined kernel data definition for each kernel version. 2. Value Invariant Approaches • Use the value invariants of certain fields or of a whole data structure as a signature to scan the memory for matching running instances. Ex. DeepScanner, DIMSIM • Drawbacks of this approaches - Not very accurate - Require a predefined definition of the kernel data layout - Not effective when memory mapping and object reachability information is not available. - High performance overhead Milan Rajpara October 8, 2013 11
To Find Critical Objects 3. DIGGER [1] • Uncover all system runtime objects without any prior knowledge of the OS kernel data layout in memory. • First it performs offline and constructs type-graph (which is used to enable systematic memory traversal of the object details). • Then it uses the 4-byte pool memory tagging schema (to uncover kernel runtime objects from the kernel address space.) • (+) • Accurate result • Low performance overhead • Fast and nearly complete coverage Milan Rajpara October 8, 2013 12
DIGGER & KDD • DIGGER uses the KDD (Kernel Data Disambiguator) to precisely models the direct and indirect relations between data structures. • KDD is a static analysis tool that operates offline on an OS kernel’s source code • Generates a type-graph for the kernel data with direct and indirect relations between structures, models data structures [2] • KDD disambiguates pointer-based relations (including generic pointers) • by performing static points-to analysis on the kernel’s source code. • Points-to analysis is the problem of determining statically a set of locations to which a given variable may point to at runtime. Milan Rajpara October 8, 2013 13
KDD Operation Source: Ref [2] AST: Abstract Syntax Tree (high-level intermediate representation for the source code ) Milan Rajpara October 8, 2013 14
KDD Operation • Interprocedural Analysis 1: Takes AST and differentiate it • Gets: Variables, Procedure definition, Procedure call, etc.. . • Interprocedural Analysis 2: Do points-to analysis across different files to perform whole-program analysis. • Context Sensitive Analysis: • It uses Procedure Dependency Graph (PDG) consists of nodes representing the statements of the data dependency in the program. • context-sensitive analysis solves two problems: the calling context and the indirect (implicit) relations between nodes. Milan Rajpara October 8, 2013 15
Soundness and Precision of KDD • The points-to analysis algorithm is sound if the points-to set for each variable contains all its actual runtime targets, and is imprecise if the inferred set is larger than necessary. • Check on C programs from the SPEC2000 and SPEC2006 benchmark suites. • Achieved a high level of precision and 100% of soundness. • And 96% precision on Windows (WRK*, Vista) and Linux kernel (v3.0.22). [2] *WRK – Windows Research Kernel, the only available code from windows [6] Milan Rajpara October 8, 2013 16
DIGGER Approach Source: Ref [1] Milan Rajpara October 8, 2013 17
DIGGER Approach • Static Analysis Component: from KDD • Signature Extraction Component: • When the object manager allocates a memory pool block, it associates with a pool tag (pool tag is a unique four-byte tag for each object type.) Uses this tag to uncover the kernel objects running instances, and they are static and cannot be changed during object runtime. • Dynamic Memory Analysis Component: Extract the object details, • From Pool Tag, it gets the pool block start memory address and the object’s start address. Milan Rajpara October 8, 2013 18
Analyzing Kernel through DIGGER Gives … • Disambiguate the points-to relations between data structures, all without any prior knowledge of the OS kernel data layout. • Robust and quite small signature size to uncover runtime objects, enhancing performance • Able to keep track of all critical objects of kernel Milan Rajpara October 8, 2013 19
Protection of Kernel • Protect the generic pointers. • Microsoft added a feature PatchGuard, which blocks kernel mode drivers from altering sensitive parts of the Windows kernel. • But TDL (rootkit) manages to circumvent this protection as well, by altering a machine's MBR so that it can intercept Windows startup routines. [7] • One approach is use of “Object Partitioning” to protect kernel data structure. [3] • Uses Sentry, that creates access control protections for security-critical kernel data. Milan Rajpara October 8, 2013 20
Sentry Architecture • Sentry protects critical data and enforces data access restrictions based upon the origin of the access within the code of the kernel and its modules or drivers. [3] • The data integrity model is straightforward and matches that of the Biba ring policy [9] • The malicious code that modifies privileges by directly writing to memory is in a loaded module and not in the core kernel code, so Sentry will prevent the write Milan Rajpara October 8, 2013 21
Kernel Memory Access Control • Protect data structure from DCOM • Sentry’s design uses a hypervisor to remain isolated from an untrusted kernel • To keep the overhead low, Sentry uses memory partitioning to lay out sensitive data on separate memory pages and protects those pages using the hypervisor • The policy enforcer mediates attempted writes to protected data and uses the policy to determine when writes should be permitted. Milan Rajpara October 8, 2013 22
Working of Sentry • Identifying Security-Critical Members • Activation of mediated access • Instruction emulation • Secure execution history extraction Milan Rajpara October 8, 2013 23
Evaluation of Sentry • Performance • Low performance overhead • more performance van be achieved by memory layout optimization • False Positive Analysis • There were no instances when security-critical kernel data protected by Sentry was directly modified by a benign driver. • Sentry provided a 100% detection rate for DKOM rootkits Milan Rajpara October 8, 2013 24
Future Work • Detect all kernel data structures automatically, beyond the kernel version • The DIGGER can only be used to analyze Windows Kernels. • The current prototype of Sentry only protects two key structures. • Other kernel data structures may also require similar protection. • This may gives versatile performance of Sentry, (if more data structure included) Milan Rajpara October 8, 2013 25
References [1] Amani S. Ibrahim, James Hamlyn-Harris, John Grundy, Mohamed Almorsy, "Identifying OS Kernel Objects for Run-Time Security Analysis", DOI: 10.1007/978-3-642-34601-9_6 [2] Amani S. Ibrahim, John Grundy, James Hamlyn-Harris, Mohamed Almorsy, "Operating System Kernel Data Disambiguation to Support Security Analysis", DOI: 10.1007/978-3-642-34601-9_20 [3] Abhinav Srivastava, Jonathon Giffin, "Efficient Protection of Kernel Data Structures via Object Partitioning", DOI: 10.1145/2420950.2421012 [4] RFC: Linux kernel merging. https://lists.ubuntu.com/archives/kernel-team/2011-October/017471.html [5] Rootkits detail by Symantec http://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf [6] Windows Research Kernel https://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=7366&c1=enus&c2=0 [7] TDL Rootkit: http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows [8] Windows hooks: http://msdn.microsoft.com/en-us/library/ms644959(v=vs.85).aspx [9] K. J. Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, Mitre, Apr. 1977 Milan Rajpara October 8, 2013 26
Thank you  Questions __________________________ - Milan Rajpara 27

Recommended

Kernel security Concepts
Kernel security ConceptsKernel security Concepts
Kernel security ConceptsMohit Saxena
 
Kernel security of Systems
Kernel security of SystemsKernel security of Systems
Kernel security of SystemsJamal Jamali
 
EMBEDDED OS
EMBEDDED OSEMBEDDED OS
EMBEDDED OSAJAL A J
 
Chapter02
Chapter02Chapter02
Chapter02Downloadssu Fullmaza
 
Chapter02
Chapter02Chapter02
Chapter02kamran zamanifar
 
RTOS for Embedded System Design
RTOS for Embedded System DesignRTOS for Embedded System Design
RTOS for Embedded System Designanand hd
 
RTOS Basic Concepts
RTOS Basic ConceptsRTOS Basic Concepts
RTOS Basic ConceptsPantech ProLabs India Pvt Ltd
 
Operating system overview by narender singh sandhu
Operating system overview by narender singh sandhuOperating system overview by narender singh sandhu
Operating system overview by narender singh sandhuNarenderSinghSandhu2
 

Recommended

Kernel security Concepts
Kernel security ConceptsKernel security Concepts
Kernel security ConceptsMohit Saxena
 
Kernel security of Systems
Kernel security of SystemsKernel security of Systems
Kernel security of SystemsJamal Jamali
 
EMBEDDED OS
EMBEDDED OSEMBEDDED OS
EMBEDDED OSAJAL A J
 
Chapter02
Chapter02Chapter02
Chapter02Downloadssu Fullmaza
 
Chapter02
Chapter02Chapter02
Chapter02kamran zamanifar
 
RTOS for Embedded System Design
RTOS for Embedded System DesignRTOS for Embedded System Design
RTOS for Embedded System Designanand hd
 
RTOS Basic Concepts
RTOS Basic ConceptsRTOS Basic Concepts
RTOS Basic ConceptsPantech ProLabs India Pvt Ltd
 
Operating system overview by narender singh sandhu
Operating system overview by narender singh sandhuOperating system overview by narender singh sandhu
Operating system overview by narender singh sandhuNarenderSinghSandhu2
 
How to choose an RTOS?
How to choose an RTOS?How to choose an RTOS?
How to choose an RTOS?Rohit Choudhury
 
Embedded os
Embedded osEmbedded os
Embedded oschian417
 
How to Measure RTOS Performance
How to Measure RTOS Performance How to Measure RTOS Performance
How to Measure RTOS Performance mentoresd
 
Introduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary MargaratIntroduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary MargaratMary Margarat
 
Os4
Os4Os4
Os4gopal10scs185
 
Lec 2
Lec 2Lec 2
Lec 2mohamed ali
 
Unit 4 Real Time Operating System
Unit 4 Real Time Operating SystemUnit 4 Real Time Operating System
Unit 4 Real Time Operating SystemDr. Pankaj Zope
 
Ch1 introduction
Ch1 introductionCh1 introduction
Ch1 introductionWelly Dian Astika
 
Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Peter Tröger
 
Windows kernel
Windows kernelWindows kernel
Windows kernelSisimon Soman
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating SystemTech_MX
 
Operating system interview question
Operating system interview questionOperating system interview question
Operating system interview questionsriram saravanan
 
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)Arti Parab Academics
 
Microkernel
MicrokernelMicrokernel
MicrokernelSuraj Mehta
 
CS6401 Operating Systems
CS6401 Operating SystemsCS6401 Operating Systems
CS6401 Operating SystemsKathirvel Ayyaswamy
 
Real Time Operating System
Real Time Operating SystemReal Time Operating System
Real Time Operating SystemHimanshu Choudhary
 
Bca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systemsBca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systemsRai University
 
Real time operating system
Real time operating systemReal time operating system
Real time operating systemPratik Hiremath
 
Rtos ss
Rtos ssRtos ss
Rtos ssSudheesh S Madhav
 
Operating system concepts
Operating system conceptsOperating system concepts
Operating system conceptsArnav Chowdhury
 
chapter1
chapter1chapter1
chapter1Awud Auwal
 
Nonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problemNonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problemMichele Filannino
 

More Related Content

What's hot

Embedded os
Embedded osEmbedded os
Embedded oschian417
 
How to Measure RTOS Performance
How to Measure RTOS Performance How to Measure RTOS Performance
How to Measure RTOS Performance mentoresd
 
Introduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary MargaratIntroduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary MargaratMary Margarat
 
Unit 4 Real Time Operating System
Unit 4 Real Time Operating SystemUnit 4 Real Time Operating System
Unit 4 Real Time Operating SystemDr. Pankaj Zope
 
Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Peter Tröger
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating SystemTech_MX
 
Operating system interview question
Operating system interview questionOperating system interview question
Operating system interview questionsriram saravanan
 
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)Arti Parab Academics
 
Bca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systemsBca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systemsRai University
 
Real time operating system
Real time operating systemReal time operating system
Real time operating systemPratik Hiremath
 
Operating system concepts
Operating system conceptsOperating system concepts
Operating system conceptsArnav Chowdhury
 

What's hot (20)

How to choose an RTOS?
How to choose an RTOS?How to choose an RTOS?
How to choose an RTOS?
 
Embedded os
Embedded osEmbedded os
Embedded os
 
How to Measure RTOS Performance
How to Measure RTOS Performance How to Measure RTOS Performance
How to Measure RTOS Performance
 
Introduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary MargaratIntroduction to Operating Systems - Mary Margarat
Introduction to Operating Systems - Mary Margarat
 
Os4
Os4Os4
Os4
 
Lec 2
Lec 2Lec 2
Lec 2
 
Unit 4 Real Time Operating System
Unit 4 Real Time Operating SystemUnit 4 Real Time Operating System
Unit 4 Real Time Operating System
 
Ch1 introduction
Ch1 introductionCh1 introduction
Ch1 introduction
 
Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)Operating Systems 1 (5/12) - Architectures (Unix)
Operating Systems 1 (5/12) - Architectures (Unix)
 
Windows kernel
Windows kernelWindows kernel
Windows kernel
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating System
 
Operating system interview question
Operating system interview questionOperating system interview question
Operating system interview question
 
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT V Real Time Operating System (RTOS)
 
Microkernel
MicrokernelMicrokernel
Microkernel
 
CS6401 Operating Systems
CS6401 Operating SystemsCS6401 Operating Systems
CS6401 Operating Systems
 
Real Time Operating System
Real Time Operating SystemReal Time Operating System
Real Time Operating System
 
Bca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systemsBca i-fundamental of computer-u-3-functions operating systems
Bca i-fundamental of computer-u-3-functions operating systems
 
Real time operating system
Real time operating systemReal time operating system
Real time operating system
 
Rtos ss
Rtos ssRtos ss
Rtos ss
 
Operating system concepts
Operating system conceptsOperating system concepts
Operating system concepts
 

Viewers also liked

Nonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problemNonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problemMichele Filannino
 
Principal component analysis and matrix factorizations for learning (part 2) ...
Principal component analysis and matrix factorizations for learning (part 2) ...Principal component analysis and matrix factorizations for learning (part 2) ...
Principal component analysis and matrix factorizations for learning (part 2) ...zukun
 
fauvel_igarss.pdf
fauvel_igarss.pdffauvel_igarss.pdf
fauvel_igarss.pdfgrssieee
 
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdfKernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdfgrssieee
 
Different kind of distance and Statistical Distance
Different kind of distance and Statistical DistanceDifferent kind of distance and Statistical Distance
Different kind of distance and Statistical DistanceKhulna University
 
Principal Component Analysis For Novelty Detection
Principal Component Analysis For Novelty DetectionPrincipal Component Analysis For Novelty Detection
Principal Component Analysis For Novelty DetectionJordan McBain
 
KPCA_Survey_Report
KPCA_Survey_ReportKPCA_Survey_Report
KPCA_Survey_ReportRandy Salm
 
Adaptive anomaly detection with kernel eigenspace splitting and merging
Adaptive anomaly detection with kernel eigenspace splitting and mergingAdaptive anomaly detection with kernel eigenspace splitting and merging
Adaptive anomaly detection with kernel eigenspace splitting and mergingieeepondy
 
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...hanshang
 
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdfExplicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdfgrssieee
 
A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...
A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...
A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...Sahidul Islam
 
Regularized Principal Component Analysis for Spatial Data
Regularized Principal Component Analysis for Spatial DataRegularized Principal Component Analysis for Spatial Data
Regularized Principal Component Analysis for Spatial DataWen-Ting Wang
 
Pca and kpca of ecg signal
Pca and kpca of ecg signalPca and kpca of ecg signal
Pca and kpca of ecg signales712
 
DataEngConf: Feature Extraction: Modern Questions and Challenges at Google
DataEngConf: Feature Extraction: Modern Questions and Challenges at GoogleDataEngConf: Feature Extraction: Modern Questions and Challenges at Google
DataEngConf: Feature Extraction: Modern Questions and Challenges at GoogleHakka Labs
 
Probabilistic PCA, EM, and more
Probabilistic PCA, EM, and moreProbabilistic PCA, EM, and more
Probabilistic PCA, EM, and morehsharmasshare
 
Principal component analysis and matrix factorizations for learning (part 1) ...
Principal component analysis and matrix factorizations for learning (part 1) ...Principal component analysis and matrix factorizations for learning (part 1) ...
Principal component analysis and matrix factorizations for learning (part 1) ...zukun
 
Principal Component Analysis and Clustering
Principal Component Analysis and ClusteringPrincipal Component Analysis and Clustering
Principal Component Analysis and ClusteringUsha Vijay
 
ECG: Indication and Interpretation
ECG: Indication and InterpretationECG: Indication and Interpretation
ECG: Indication and InterpretationRakesh Verma
 

Viewers also liked (20)

chapter1
chapter1chapter1
chapter1
 
Nonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problemNonlinear component analysis as a kernel eigenvalue problem
Nonlinear component analysis as a kernel eigenvalue problem
 
Principal component analysis and matrix factorizations for learning (part 2) ...
Principal component analysis and matrix factorizations for learning (part 2) ...Principal component analysis and matrix factorizations for learning (part 2) ...
Principal component analysis and matrix factorizations for learning (part 2) ...
 
fauvel_igarss.pdf
fauvel_igarss.pdffauvel_igarss.pdf
fauvel_igarss.pdf
 
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdfKernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
Kernel Entropy Component Analysis in Remote Sensing Data Clustering.pdf
 
Different kind of distance and Statistical Distance
Different kind of distance and Statistical DistanceDifferent kind of distance and Statistical Distance
Different kind of distance and Statistical Distance
 
Principal Component Analysis For Novelty Detection
Principal Component Analysis For Novelty DetectionPrincipal Component Analysis For Novelty Detection
Principal Component Analysis For Novelty Detection
 
KPCA_Survey_Report
KPCA_Survey_ReportKPCA_Survey_Report
KPCA_Survey_Report
 
Adaptive anomaly detection with kernel eigenspace splitting and merging
Adaptive anomaly detection with kernel eigenspace splitting and mergingAdaptive anomaly detection with kernel eigenspace splitting and merging
Adaptive anomaly detection with kernel eigenspace splitting and merging
 
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
Modeling and forecasting age-specific mortality: Lee-Carter method vs. Functi...
 
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdfExplicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
Explicit Signal to Noise Ratio in Reproducing Kernel Hilbert Spaces.pdf
 
A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...
A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...
A Comparative Study between ICA (Independent Component Analysis) and PCA (Pri...
 
Regularized Principal Component Analysis for Spatial Data
Regularized Principal Component Analysis for Spatial DataRegularized Principal Component Analysis for Spatial Data
Regularized Principal Component Analysis for Spatial Data
 
Pca and kpca of ecg signal
Pca and kpca of ecg signalPca and kpca of ecg signal
Pca and kpca of ecg signal
 
DataEngConf: Feature Extraction: Modern Questions and Challenges at Google
DataEngConf: Feature Extraction: Modern Questions and Challenges at GoogleDataEngConf: Feature Extraction: Modern Questions and Challenges at Google
DataEngConf: Feature Extraction: Modern Questions and Challenges at Google
 
Probabilistic PCA, EM, and more
Probabilistic PCA, EM, and moreProbabilistic PCA, EM, and more
Probabilistic PCA, EM, and more
 
Principal component analysis and matrix factorizations for learning (part 1) ...
Principal component analysis and matrix factorizations for learning (part 1) ...Principal component analysis and matrix factorizations for learning (part 1) ...
Principal component analysis and matrix factorizations for learning (part 1) ...
 
Principal Component Analysis and Clustering
Principal Component Analysis and ClusteringPrincipal Component Analysis and Clustering
Principal Component Analysis and Clustering
 
Ipl process
Ipl processIpl process
Ipl process
 
ECG: Indication and Interpretation
ECG: Indication and InterpretationECG: Indication and Interpretation
ECG: Indication and Interpretation
 

Similar to Analyzing Kernel Security and Approaches for Improving it

DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapFelipe Prado
 
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Guglielmo Iozzia
 
Data Lake and the rise of the microservices
Data Lake and the rise of the microservicesData Lake and the rise of the microservices
Data Lake and the rise of the microservicesBigstep
 
Closed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma CollinsClosed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma CollinsLiz Warner
 
Closed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma CollinsClosed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma CollinsLiz Warner
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running ModulesYourHelper1
 
Production grade edge computing on Kubernetes OSS EU 2018
Production grade edge computing on Kubernetes OSS EU 2018Production grade edge computing on Kubernetes OSS EU 2018
Production grade edge computing on Kubernetes OSS EU 2018Steve Wong
 
Network Processor - 2021.pptx
Network Processor - 2021.pptxNetwork Processor - 2021.pptx
Network Processor - 2021.pptxssuserdfb2da
 
The Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance TuningThe Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance TuningjClarity
 
Distributed semantic search system (dsss)
Distributed semantic search system (dsss) Distributed semantic search system (dsss)
Distributed semantic search system (dsss) Isuru Vincent
 
Exadata SMART Monitoring - OEM 13c
Exadata SMART Monitoring - OEM 13cExadata SMART Monitoring - OEM 13c
Exadata SMART Monitoring - OEM 13cAlfredo Krieg
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Andrejs Prokopjevs
 
Ch 6 IoT Processing Topologies and Types.pdf
Ch 6 IoT Processing Topologies and Types.pdfCh 6 IoT Processing Topologies and Types.pdf
Ch 6 IoT Processing Topologies and Types.pdfDr. Loganathan R
 
Cloud Security Strategy Socialization v1.0 Clean.pptx.pdf
Cloud Security Strategy Socialization v1.0 Clean.pptx.pdfCloud Security Strategy Socialization v1.0 Clean.pptx.pdf
Cloud Security Strategy Socialization v1.0 Clean.pptx.pdfJames Cupps
 
Taking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionTaking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionSplunk
 
Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022
Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022
Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022InfluxData
 
Approximation techniques used for general purpose algorithms
Approximation techniques used for general purpose algorithmsApproximation techniques used for general purpose algorithms
Approximation techniques used for general purpose algorithmsSabidur Rahman
 

Similar to Analyzing Kernel Security and Approaches for Improving it (20)

DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
 
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
 
Data Lake and the rise of the microservices
Data Lake and the rise of the microservicesData Lake and the rise of the microservices
Data Lake and the rise of the microservices
 
Closed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma CollinsClosed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma Collins
 
Closed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma CollinsClosed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma Collins
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running Modules
 
Production grade edge computing on Kubernetes OSS EU 2018
Production grade edge computing on Kubernetes OSS EU 2018Production grade edge computing on Kubernetes OSS EU 2018
Production grade edge computing on Kubernetes OSS EU 2018
 
Network Processor - 2021.pptx
Network Processor - 2021.pptxNetwork Processor - 2021.pptx
Network Processor - 2021.pptx
 
Comparison between Dynamo and riak
Comparison between Dynamo and riakComparison between Dynamo and riak
Comparison between Dynamo and riak
 
The Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance TuningThe Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance Tuning
 
Distributed semantic search system (dsss)
Distributed semantic search system (dsss) Distributed semantic search system (dsss)
Distributed semantic search system (dsss)
 
Spark 1.0
Spark 1.0Spark 1.0
Spark 1.0
 
Exadata SMART Monitoring - OEM 13c
Exadata SMART Monitoring - OEM 13cExadata SMART Monitoring - OEM 13c
Exadata SMART Monitoring - OEM 13c
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
 
Ch 6 IoT Processing Topologies and Types.pdf
Ch 6 IoT Processing Topologies and Types.pdfCh 6 IoT Processing Topologies and Types.pdf
Ch 6 IoT Processing Topologies and Types.pdf
 
Cloud Security Strategy Socialization v1.0 Clean.pptx.pdf
Cloud Security Strategy Socialization v1.0 Clean.pptx.pdfCloud Security Strategy Socialization v1.0 Clean.pptx.pdf
Cloud Security Strategy Socialization v1.0 Clean.pptx.pdf
 
Taking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionTaking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout Session
 
Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022
Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022
Charles Mahler [InfluxData] | Use Case: Networking Monitoring | InfluxDays 2022
 
Approximation techniques used for general purpose algorithms
Approximation techniques used for general purpose algorithmsApproximation techniques used for general purpose algorithms
Approximation techniques used for general purpose algorithms
 

Recently uploaded

ANTI PARKISON DRUGS.pptx
ANTI PARKISON DRUGS.pptxANTI PARKISON DRUGS.pptx
ANTI PARKISON DRUGS.pptxPoojaSen20
 
Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).Mohamed Rizk Khodair
 
SURVEY I created for uni project research
SURVEY I created for uni project researchSURVEY I created for uni project research
SURVEY I created for uni project researchCaitlinCummins3
 
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...Denish Jangid
 
How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17Celine George
 
MOOD STABLIZERS DRUGS.pptx
MOOD STABLIZERS DRUGS.pptxMOOD STABLIZERS DRUGS.pptx
MOOD STABLIZERS DRUGS.pptxPoojaSen20
 
An Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge AppAn Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge AppCeline George
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...Gary Wood
 
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjStl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjMohammed Sikander
 
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽中 央社
 
The basics of sentences session 4pptx.pptx
The basics of sentences session 4pptx.pptxThe basics of sentences session 4pptx.pptx
The basics of sentences session 4pptx.pptxheathfieldcps1
 
PSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxPSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxMarlene Maheu
 
The Liver & Gallbladder (Anatomy & Physiology).pptx
The Liver & Gallbladder (Anatomy & Physiology).pptxThe Liver & Gallbladder (Anatomy & Physiology).pptx
The Liver & Gallbladder (Anatomy & Physiology).pptxVishal Singh
 
The Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFThe Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFVivekanand Anglo Vedic Academy
 
SPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code ExamplesSPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code ExamplesPeter Brusilovsky
 
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatmentsaipooja36
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...EduSkills OECD
 
demyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptxdemyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptxMohamed Rizk Khodair
 

Recently uploaded (20)

ANTI PARKISON DRUGS.pptx
ANTI PARKISON DRUGS.pptxANTI PARKISON DRUGS.pptx
ANTI PARKISON DRUGS.pptx
 
Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).
 
SURVEY I created for uni project research
SURVEY I created for uni project researchSURVEY I created for uni project research
SURVEY I created for uni project research
 
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
 
How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17
 
Including Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdfIncluding Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdf
 
MOOD STABLIZERS DRUGS.pptx
MOOD STABLIZERS DRUGS.pptxMOOD STABLIZERS DRUGS.pptx
MOOD STABLIZERS DRUGS.pptx
 
Mattingly "AI and Prompt Design: LLMs with NER"
Mattingly "AI and Prompt Design: LLMs with NER"Mattingly "AI and Prompt Design: LLMs with NER"
Mattingly "AI and Prompt Design: LLMs with NER"
 
An Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge AppAn Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge App
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
 
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjStl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
 
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
 
The basics of sentences session 4pptx.pptx
The basics of sentences session 4pptx.pptxThe basics of sentences session 4pptx.pptx
The basics of sentences session 4pptx.pptx
 
PSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxPSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptx
 
The Liver & Gallbladder (Anatomy & Physiology).pptx
The Liver & Gallbladder (Anatomy & Physiology).pptxThe Liver & Gallbladder (Anatomy & Physiology).pptx
The Liver & Gallbladder (Anatomy & Physiology).pptx
 
The Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFThe Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDF
 
SPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code ExamplesSPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code Examples
 
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...
 
demyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptxdemyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptx
 

Analyzing Kernel Security and Approaches for Improving it

  • 1. Analyzing Kernel Security and Approaches for Improving It Milan Rajpara IT Systems and Network Security Gujarat Technological University C DAC Ahmedabad Pune
  • 2. Agenda • Kernel Introduction • Necessity for Kernel Security • Kernel breach • Analyzing Kernel Security • Improving Approaches • Future Work Milan Rajpara October 8, 2013 2
  • 3. What is Kernel ? • A computer program that manages input/output requests from software and translates them into data processing instructions for the central processing unit and other electronic components of a computer. [Wikipedia] • The kernel is a fundamental part of a modern computer's operating system. • OS rests on a outer ring, and application above that. Fig: Privilege rings for the x86 available in protected mode [Source: Wikipedia] Milan Rajpara October 8, 2013 3
  • 4. Necessity for Kernel Security • Kernel, a vary basic (core) part of the Operating Systems • Single vulnerability will be exposes large number of systems • Increasing of Cloud Usage with Virtual Systems • Smartphones now is in every hand Milan Rajpara October 8, 2013 4
  • 5. We talk on .. • Kernels for General Purpose Operating System • Some Linux flavor gives Server Optimized Kernel • Ex. Ubuntu older then 12.04, were gave this option. Since 12.04, linux-image-server is merged into linuximage-generic, there is no difference between Generic and Server kernel. [4] • Windows do not disclose. • Kernels which Constructed in C language • Almost kernels are in C • Improvement for Monolithic kernels • All work performed in Virtual environment • The Xen, and VMware used Milan Rajpara October 8, 2013 5
  • 6. How Kernel Affected ? • By Kernel level rootkits • Manipulating pointers • Manipulating data • Direct Kernel Object Manipulation (DKOM) • By Boot-kits • Via hooking techniques • Direct Hardware or Firmware injection Milan Rajpara October 8, 2013 6
  • 7. Effect of this Attacks • Escalate a process’ privileges by overwriting the process’ credentials • Hide itself by illicitly removing data structures identifying their presence from loaded drivers • Eliding task structures for the processes from the kernel’s process accounting list • Alter the overall behavior of OS without injecting any malicious code into the kernel address space, by just pointer manipulating. Milan Rajpara October 8, 2013 7
  • 8. How to analyze the Kernel Security • Find the most critical objects of the kernel, without prior knowledge of the OS kernel data layout in memory • Identifying OS Kernel Objects for Run-time Security Analysis • Sort-out objects which are vulnerable to hijack • Do Kernel Data Disambiguation • This will make the system easy to analyze Milan Rajpara October 8, 2013 8
  • 9. Most critical objects in Kernel • Windows and Linux, the core kernel part are mostly written in C • 40% inter-data structure relations are Pointer based • 35% of these are Generic Pointers • Pointers which defines at run time, no initial value or data type is associated • 28% kernel data structure are well known objects Milan Rajpara October 8, 2013 9
  • 10. Generic Pointer Problem • It is the weak link in kernel security • Use of void pointers *, assists hackers to point somewhere else • Use of NULL pointers (to implements linklist), helps hackers to hide / change runtime objects. • Use of Casting in C • Enables the hackers to exploit data structure layout in physical memory Milan Rajpara October 8, 2013 10
  • 11. To Find Critical Objects 1. Memory Mapping techniques • Travers address space from global variables via pointer dereferencing until reaching running object. • according to a predefined kernel data definition for each kernel version. 2. Value Invariant Approaches • Use the value invariants of certain fields or of a whole data structure as a signature to scan the memory for matching running instances. Ex. DeepScanner, DIMSIM • Drawbacks of this approaches - Not very accurate - Require a predefined definition of the kernel data layout - Not effective when memory mapping and object reachability information is not available. - High performance overhead Milan Rajpara October 8, 2013 11
  • 12. To Find Critical Objects 3. DIGGER [1] • Uncover all system runtime objects without any prior knowledge of the OS kernel data layout in memory. • First it performs offline and constructs type-graph (which is used to enable systematic memory traversal of the object details). • Then it uses the 4-byte pool memory tagging schema (to uncover kernel runtime objects from the kernel address space.) • (+) • Accurate result • Low performance overhead • Fast and nearly complete coverage Milan Rajpara October 8, 2013 12
  • 13. DIGGER & KDD • DIGGER uses the KDD (Kernel Data Disambiguator) to precisely models the direct and indirect relations between data structures. • KDD is a static analysis tool that operates offline on an OS kernel’s source code • Generates a type-graph for the kernel data with direct and indirect relations between structures, models data structures [2] • KDD disambiguates pointer-based relations (including generic pointers) • by performing static points-to analysis on the kernel’s source code. • Points-to analysis is the problem of determining statically a set of locations to which a given variable may point to at runtime. Milan Rajpara October 8, 2013 13
  • 14. KDD Operation Source: Ref [2] AST: Abstract Syntax Tree (high-level intermediate representation for the source code ) Milan Rajpara October 8, 2013 14
  • 15. KDD Operation • Interprocedural Analysis 1: Takes AST and differentiate it • Gets: Variables, Procedure definition, Procedure call, etc.. . • Interprocedural Analysis 2: Do points-to analysis across different files to perform whole-program analysis. • Context Sensitive Analysis: • It uses Procedure Dependency Graph (PDG) consists of nodes representing the statements of the data dependency in the program. • context-sensitive analysis solves two problems: the calling context and the indirect (implicit) relations between nodes. Milan Rajpara October 8, 2013 15
  • 16. Soundness and Precision of KDD • The points-to analysis algorithm is sound if the points-to set for each variable contains all its actual runtime targets, and is imprecise if the inferred set is larger than necessary. • Check on C programs from the SPEC2000 and SPEC2006 benchmark suites. • Achieved a high level of precision and 100% of soundness. • And 96% precision on Windows (WRK*, Vista) and Linux kernel (v3.0.22). [2] *WRK – Windows Research Kernel, the only available code from windows [6] Milan Rajpara October 8, 2013 16
  • 17. DIGGER Approach Source: Ref [1] Milan Rajpara October 8, 2013 17
  • 18. DIGGER Approach • Static Analysis Component: from KDD • Signature Extraction Component: • When the object manager allocates a memory pool block, it associates with a pool tag (pool tag is a unique four-byte tag for each object type.) Uses this tag to uncover the kernel objects running instances, and they are static and cannot be changed during object runtime. • Dynamic Memory Analysis Component: Extract the object details, • From Pool Tag, it gets the pool block start memory address and the object’s start address. Milan Rajpara October 8, 2013 18
  • 19. Analyzing Kernel through DIGGER Gives … • Disambiguate the points-to relations between data structures, all without any prior knowledge of the OS kernel data layout. • Robust and quite small signature size to uncover runtime objects, enhancing performance • Able to keep track of all critical objects of kernel Milan Rajpara October 8, 2013 19
  • 20. Protection of Kernel • Protect the generic pointers. • Microsoft added a feature PatchGuard, which blocks kernel mode drivers from altering sensitive parts of the Windows kernel. • But TDL (rootkit) manages to circumvent this protection as well, by altering a machine's MBR so that it can intercept Windows startup routines. [7] • One approach is use of “Object Partitioning” to protect kernel data structure. [3] • Uses Sentry, that creates access control protections for security-critical kernel data. Milan Rajpara October 8, 2013 20
  • 21. Sentry Architecture • Sentry protects critical data and enforces data access restrictions based upon the origin of the access within the code of the kernel and its modules or drivers. [3] • The data integrity model is straightforward and matches that of the Biba ring policy [9] • The malicious code that modifies privileges by directly writing to memory is in a loaded module and not in the core kernel code, so Sentry will prevent the write Milan Rajpara October 8, 2013 21
  • 22. Kernel Memory Access Control • Protect data structure from DCOM • Sentry’s design uses a hypervisor to remain isolated from an untrusted kernel • To keep the overhead low, Sentry uses memory partitioning to lay out sensitive data on separate memory pages and protects those pages using the hypervisor • The policy enforcer mediates attempted writes to protected data and uses the policy to determine when writes should be permitted. Milan Rajpara October 8, 2013 22
  • 23. Working of Sentry • Identifying Security-Critical Members • Activation of mediated access • Instruction emulation • Secure execution history extraction Milan Rajpara October 8, 2013 23
  • 24. Evaluation of Sentry • Performance • Low performance overhead • more performance van be achieved by memory layout optimization • False Positive Analysis • There were no instances when security-critical kernel data protected by Sentry was directly modified by a benign driver. • Sentry provided a 100% detection rate for DKOM rootkits Milan Rajpara October 8, 2013 24
  • 25. Future Work • Detect all kernel data structures automatically, beyond the kernel version • The DIGGER can only be used to analyze Windows Kernels. • The current prototype of Sentry only protects two key structures. • Other kernel data structures may also require similar protection. • This may gives versatile performance of Sentry, (if more data structure included) Milan Rajpara October 8, 2013 25
  • 26. References [1] Amani S. Ibrahim, James Hamlyn-Harris, John Grundy, Mohamed Almorsy, "Identifying OS Kernel Objects for Run-Time Security Analysis", DOI: 10.1007/978-3-642-34601-9_6 [2] Amani S. Ibrahim, John Grundy, James Hamlyn-Harris, Mohamed Almorsy, "Operating System Kernel Data Disambiguation to Support Security Analysis", DOI: 10.1007/978-3-642-34601-9_20 [3] Abhinav Srivastava, Jonathon Giffin, "Efficient Protection of Kernel Data Structures via Object Partitioning", DOI: 10.1145/2420950.2421012 [4] RFC: Linux kernel merging. https://lists.ubuntu.com/archives/kernel-team/2011-October/017471.html [5] Rootkits detail by Symantec http://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf [6] Windows Research Kernel https://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=7366&c1=enus&c2=0 [7] TDL Rootkit: http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows [8] Windows hooks: http://msdn.microsoft.com/en-us/library/ms644959(v=vs.85).aspx [9] K. J. Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, Mitre, Apr. 1977 Milan Rajpara October 8, 2013 26