A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

  • Conference paper
  • Security and Privacy in Communication Networks (SecureComm 2017)

Abstract

Provenance of system subjects (e.g., processes) and objects (e.g., files) is very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most of them place the Linux kernel in their trust base, which makes them vulnerable to kernel-level malware. To address this problem, we present HProve, a hypervisor-level provenance tracing system that reconstructs the attack story of kernel malware. It monitors the execution of kernel functions and accesses to sensitive objects, and correlates system subjects and objects to form the causality dependencies of the attack. We evaluated our prototype on 12 real-world kernel malware samples, and the results show that it correctly identifies the provenance behaviors of the kernel malware.
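As an added illustration (not HProve's code or data) of the subject/object correlation the abstract describes: constructed hypervisor-observed kernel-function events are turned into a causality graph and traced backward from a sensitive kernel object, so that only the events on its provenance remain as the attack story. The process names, ids, the `rk` module and its `rk_init` function are constructed; the same backward trace works for any sensitive object in the event list.

```python
from collections import defaultdict, deque

# Constructed hypervisor-observed events (not HProve output). Each tuple is
# (timestamp, kernel function observed, subject, object, effect).
# A 'write' makes the subject a cause of the object; a 'read' makes the
# object a cause of the subject (the usual provenance convention).
EVENTS = [
    (1, "do_execve",   "proc:bash(100)",   "proc:insmod(200)",     "write"),
    (2, "vfs_read",    "proc:insmod(200)", "file:/tmp/rk.ko",      "read"),
    (3, "load_module", "proc:insmod(200)", "kmod:rk",              "write"),
    (4, "rk_init",     "kmod:rk",          "kobj:sys_call_table",  "write"),
    (5, "rk_init",     "kmod:rk",          "kobj:init_task.tasks", "write"),
    (6, "vfs_write",   "proc:cron(300)",   "file:/var/log/cron",   "write"),
]

def build_graph(events):
    """Return the causality graph as {node: set of nodes that caused it}."""
    causes = defaultdict(set)
    for _, _, subj, obj, effect in events:
        if effect == "write":
            causes[obj].add(subj)
        elif effect == "read":
            causes[subj].add(obj)
    return causes

def backward_trace(causes, sensitive):
    """Breadth-first walk from `sensitive` to every transitive cause."""
    seen, queue = set(), deque([sensitive])
    while queue:
        node = queue.popleft()
        for cause in causes.get(node, ()):
            if cause not in seen:
                seen.add(cause)
                queue.append(cause)
    return seen

def attack_story(events, sensitive):
    """Events, in time order, whose subject and object both lie on the
    provenance of `sensitive`; unrelated activity (e.g. cron) is dropped."""
    ancestors = backward_trace(build_graph(events), sensitive) | {sensitive}
    return [e for e in events if e[2] in ancestors and e[3] in ancestors]

if __name__ == "__main__":
    for ts, fn, subj, obj, eff in attack_story(EVENTS, "kobj:sys_call_table"):
        print(f"t={ts} {fn}: {subj} --{eff}--> {obj}")
```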



Acknowledgement

We would like to thank the anonymous reviewers for their insightful comments that greatly helped improve this paper. This work is a part of the project supported by Beijing Municipal Science Technology Commission (Z161100002616032), Beijing Natural Science Foundation (4172069) and a joint Ph.D program funded by Chinese Academy of Sciences.

Correspondence to Zhiyu Hao.

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Wang, C., Ma, S., Zhang, X., Rhee, J., Yun, X., Hao, Z. (2018). A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_42

  • DOI: https://doi.org/10.1007/978-3-319-78813-5_42

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78812-8

  • Online ISBN: 978-3-319-78813-5

  • eBook Packages: Computer Science, Computer Science (R0)
