DRIP: A framework for purifying trojaned kernel drivers

2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) Pub Date : 2013-06-01 DOI:10.1109/DSN.2013.6575342

Zhongshu Gu, Nick Sumner, Zhui Deng, X. Zhang, Dongyan Xu

{"title":"DRIP: A framework for purifying trojaned kernel drivers","authors":"Zhongshu Gu, Nick Sumner, Zhui Deng, X. Zhang, Dongyan Xu","doi":"10.1109/DSN.2013.6575342","DOIUrl":null,"url":null,"abstract":"Kernel drivers are usually provided in the form of loadable kernel extensions, which can be loaded/unloaded dynamically at runtime and execute with the same privilege as the core operating system kernel. The unrestricted security access from the drivers to the kernel is nevertheless a double-edged sword that makes them susceptible targets of trojan attacks. Given a benign driver, it is now easy to implant malicious logic with existing hacking tools. Once implanted, such malicious logic is difficult to detect. In this paper we propose DRIP, a framework for detecting and eliminating malicious logic embedded in a kernel driver through iteratively eliminating unnecessary kernel API invocations from the driver. When provided with the binary of a trojaned driver, DRIP generates a purified driver with benign functionalities preserved and malicious ones eliminated. Our evaluation shows that DRIP successfully eliminates malicious effects of trojaned drivers in the system, with the purified drivers maintaining or even improving their performance over the trojaned drivers.","PeriodicalId":163407,"journal":{"name":"2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","volume":"44 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN.2013.6575342","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

Abstract

Kernel drivers are usually provided in the form of loadable kernel extensions, which can be loaded/unloaded dynamically at runtime and execute with the same privilege as the core operating system kernel. The unrestricted security access from the drivers to the kernel is nevertheless a double-edged sword that makes them susceptible targets of trojan attacks. Given a benign driver, it is now easy to implant malicious logic with existing hacking tools. Once implanted, such malicious logic is difficult to detect. In this paper we propose DRIP, a framework for detecting and eliminating malicious logic embedded in a kernel driver through iteratively eliminating unnecessary kernel API invocations from the driver. When provided with the binary of a trojaned driver, DRIP generates a purified driver with benign functionalities preserved and malicious ones eliminated. Our evaluation shows that DRIP successfully eliminates malicious effects of trojaned drivers in the system, with the purified drivers maintaining or even improving their performance over the trojaned drivers.

查看原文本刊更多论文

一个净化木马内核驱动程序的框架

内核驱动程序通常以可加载内核扩展的形式提供，它可以在运行时动态加载/卸载，并以与核心操作系统内核相同的特权执行。然而，从驱动程序到内核的无限制安全访问是一把双刃剑，使它们容易成为木马攻击的目标。给定一个良性驱动程序，现在很容易在现有的黑客工具中植入恶意逻辑。这种恶意逻辑一旦被植入，就很难被发现。在本文中，我们提出了DRIP，这是一个通过迭代地消除驱动程序中不必要的内核API调用来检测和消除嵌入在内核驱动程序中的恶意逻辑的框架。当提供木马驱动程序的二进制文件时，DRIP生成一个纯化的驱动程序，保留良性功能，消除恶意功能。我们的评估表明，DRIP成功地消除了系统中木马驱动程序的恶意影响，纯化的驱动程序保持甚至提高了木马驱动程序的性能。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

自引率

0.00%

发文量