Towards Fundamental and Binary Centric Techniques for Kernel Malware Defense
Abstract
This project seeks to develop a set of fundamental and binary-centric techniques for kernel malware defense. Defeating kernel malware is challenging because kernel malware runs at the same privilege level as the OS kernel, so it can easily disable and fight against security software that operates at this layer. The unique difference compared to all existing work is that we focus on the semantic and syntactic analysis of OS kernel binary code to discover the invariants between kernel code and data, and use them to detect kernel intrusions, investigate damage, repair attacks, and enforce preventions from the hypervisor layer. During the five-year support period, a number of fundamental techniques have been developed in this project, including address-agnostic cross-kernel pointer integrity checks (FPCK), robust kernel object semantic inference (Argos), kernel tap point discovery (AutoTap), and superset disassembly (MultiVerse), among others. These binary-centric techniques have enabled kernel invariant understanding, extraction, and enforcement (e.g., rewriting at the tap points) from the virtual machine layer, a layer that cannot be disabled by kernel malware running inside the virtual machines. In total, 25 peer-reviewed academic papers supported or partially supported by this project have been published, many of which appeared in top venues such as IEEE S&P, CCS, USENIX Security, NDSS, FSE, ICSE, ACSAC, and RAID.
Document Details
- Document Type: Technical Report
- Publication Date: Dec 05, 2019
- Accession Number: AD1105897
Entities
People
- Bhavani Thuraisingham
- Zhiqiang Lin
Organizations
- University of Texas at Dallas