TY - JOUR
T1 - ProbeBuilder
T2 - Uncovering Opaque Kernel Data Structures for Automatic Probe Construction
AU - Wang, Chi Wei
AU - Wang, Chia Wei
AU - Shieh, Shiuhpyng
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/9/1
Y1 - 2016/9/1
N2 - VM-based inspection tools generally implement probes in the hypervisor to monitor events and the state of the guest system's kernel. The most important function of a probe is to carve information of interest out of the guest's memory when it is triggered. Implementing probes for a closed-source OS demands manually reverse-engineering the undocumented code/data structures in the kernel binary image. Furthermore, the reverse-engineering result is often not reusable across OS versions or even kernel updates, because these structures change rapidly. In this paper, we propose ProbeBuilder, a system that automates the inference of kernel data structures. Based on dynamic execution, ProbeBuilder searches guest memory for data structures matching the 'pointer-offset-pointer' pattern. The sequences of these offsets, referred to as dereferences, are then verified by ProbeBuilder with instruction evidence that traverses them. The experiment on the Windows kernel shows that ProbeBuilder efficiently narrows thousands of candidate kernel-level probes down to dozens. This allows analysts to quickly implement probes, facilitating rapid development/update of inspection tools for different OSes. With these features, ProbeBuilder is the first system capable of automatically generating practical probes that extract information through dereferences to opaque kernel data structures.
AB - VM-based inspection tools generally implement probes in the hypervisor to monitor events and the state of the guest system's kernel. The most important function of a probe is to carve information of interest out of the guest's memory when it is triggered. Implementing probes for a closed-source OS demands manually reverse-engineering the undocumented code/data structures in the kernel binary image. Furthermore, the reverse-engineering result is often not reusable across OS versions or even kernel updates, because these structures change rapidly. In this paper, we propose ProbeBuilder, a system that automates the inference of kernel data structures. Based on dynamic execution, ProbeBuilder searches guest memory for data structures matching the 'pointer-offset-pointer' pattern. The sequences of these offsets, referred to as dereferences, are then verified by ProbeBuilder with instruction evidence that traverses them. The experiment on the Windows kernel shows that ProbeBuilder efficiently narrows thousands of candidate kernel-level probes down to dozens. This allows analysts to quickly implement probes, facilitating rapid development/update of inspection tools for different OSes. With these features, ProbeBuilder is the first system capable of automatically generating practical probes that extract information through dereferences to opaque kernel data structures.
KW - Operating system: security and privacy protection
KW - Software engineering: Testing and debugging-monitors
UR - http://www.scopus.com/inward/record.url?scp=84985990777&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2015.2416728
DO - 10.1109/TDSC.2015.2416728
M3 - Article
AN - SCOPUS:84985990777
SN - 1545-5971
VL - 13
SP - 568
EP - 581
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 5
M1 - 7069236
ER -