Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers

Research Article

Defeating Kernel Driver Purifier

  • @INPROCEEDINGS{10.1007/978-3-319-28865-9_7,
        author={Jidong Xiao and Hai Huang and Haining Wang},
        title={Defeating Kernel Driver Purifier},
        proceedings={Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2016},
        month={2},
        keywords={},
        doi={10.1007/978-3-319-28865-9_7}
    }
    
  • Jidong Xiao
    Hai Huang
    Haining Wang
    Year: 2016
    Defeating Kernel Driver Purifier
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-28865-9_7
Jidong Xiao1,*, Hai Huang2, Haining Wang3
  • 1: College of William and Mary
  • 2: IBM T.J. Watson Research Center
  • 3: University of Delaware
*Contact email: jxiao@email.wm.edu

Abstract

Kernel driver purification is a technique used for detecting and eliminating malicious code embedded in kernel drivers. Ideally, only the benign functionalities remain after purification. As many kernel drivers are distributed in binary format, a kernel driver purifier is effective against existing kernel rootkits. However, in this paper, we demonstrate that an attacker is able to defeat such purification mechanisms through two different approaches: (1) by exploiting self-checksummed code or (2) by avoiding calling kernel APIs. Both approaches would allow arbitrary code to be injected into a kernel driver. Based on the two proposed offensive schemes, we implement prototypes of both types of rootkits and validate their efficacy through real experiments. Our evaluation results show that the proposed rootkits can defeat the current purification techniques. Moreover, these rootkits retain the same functionalities as those of real world rootkits, and only incur negligible performance overhead.