Towards Fundamental and Binary-Centric Techniques for Kernel Malware Defense
Technical Report, 01 Sep 2014 - 31 Aug 2019
UNIVERSITY OF TEXAS AT DALLAS RICHARDSON United States
This project seeks to develop a set of fundamental, binary-centric techniques for kernel malware defense. Defeating kernel malware is challenging because it runs at the same privilege level as the OS kernel, so it can easily disable or fight back against security software at that layer. The unique difference from all existing work is our focus on semantic and syntactic analysis of OS kernel binary code to discover invariants between kernel code and data, from which we detect kernel intrusions, investigate damage, repair attacks, and enforce prevention from the hypervisor layer. During the five-year period of support, a number of fundamental techniques were developed under this project, including address-agnostic cross-kernel pointer integrity checks (FPCK), robust kernel object semantic inference (Argos), kernel tap point discovery (AutoTap), and superset disassembly (MultiVerse), among others. These binary-centric techniques enable kernel invariants to be understood, extracted, and enforced, e.g., by rewriting at the discovered tap points from the virtual machine layer, a layer that cannot be disabled by kernel malware running inside the virtual machine. In total, 25 peer-reviewed academic papers supported or partially supported by this project have been published, many of which appeared in top venues such as IEEE S&P, CCS, USENIX Security, NDSS, FSE, ICSE, ACSAC, and RAID.
- Computer Systems Management and Standards