HookScout: Proactive Binary-Centric Hook Detection


Ontology type: schema:Chapter
Open Access: True


Chapter Info

DATE

2010

AUTHORS

Heng Yin, Pongsin Poosankam, Steve Hanna, Dawn Song

ABSTRACT

In order to obtain and maintain control, kernel malware usually makes persistent control flow modifications (i.e., installing hooks). To avoid detection, malware developers have started to target function pointers in kernel data structures, especially those dynamically allocated from heaps and memory pools. Function pointer modification is stealthy and the attack surface is large; thus, this type of attack is appealing to malware developers. In this paper, we first conduct a systematic study of this problem, and show that the attack surface is vast, with over 18,000 function pointers (most of them long-lived) existing within the Windows kernel. Moreover, to demonstrate this threat is realistic for closed-source operating systems, we implement two new attacks for Windows by exploiting two function pointers individually. Then, we propose a new proactive hook detection technique, and develop a prototype, called HookScout. Our approach is binary-centric, and thus can generate hook detection policy without access to the OS kernel source code. Our approach is also context-sensitive, and thus can deal with polymorphic data structures. We evaluated HookScout with a set of rootkits which use advanced hooking techniques and show that it detects all of the stealth techniques utilized (including our new attacks). Additionally, we show that our approach is easily deployable, has wide coverage and minimal performance overhead.

PAGES

1-20

Book

TITLE

Detection of Intrusions and Malware, and Vulnerability Assessment

ISBN

978-3-642-14214-7
978-3-642-14215-4

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-3-642-14215-4_1

DOI

http://dx.doi.org/10.1007/978-3-642-14215-4_1

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1046108278



JSON-LD is the canonical representation for SciGraph data.


[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0801", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Artificial Intelligence and Image Processing", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "Syracuse University, 13104, Syracuse, NY", 
          "id": "http://www.grid.ac/institutes/grid.264484.8", 
          "name": [
            "Syracuse University, 13104, Syracuse, NY"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Yin", 
        "givenName": "Heng", 
        "id": "sg:person.010023156265.84", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010023156265.84"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Carnegie Mellon University, 15213, Pittsburgh, PA", 
          "id": "http://www.grid.ac/institutes/grid.147455.6", 
          "name": [
            "UC Berkeley, 94720, Berkeley, CA", 
            "Carnegie Mellon University, 15213, Pittsburgh, PA"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Poosankam", 
        "givenName": "Pongsin", 
        "id": "sg:person.016604336755.76", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016604336755.76"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "UC Berkeley, 94720, Berkeley, CA", 
          "id": "http://www.grid.ac/institutes/grid.47840.3f", 
          "name": [
            "UC Berkeley, 94720, Berkeley, CA"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Hanna", 
        "givenName": "Steve", 
        "id": "sg:person.07741311617.07", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.07741311617.07"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "UC Berkeley, 94720, Berkeley, CA", 
          "id": "http://www.grid.ac/institutes/grid.47840.3f", 
          "name": [
            "UC Berkeley, 94720, Berkeley, CA"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Song", 
        "givenName": "Dawn", 
        "id": "sg:person.01143152610.86", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.01143152610.86"
        ], 
        "type": "Person"
      }
    ], 
    "datePublished": "2010", 
    "datePublishedReg": "2010-01-01", 
    "description": "In order to obtain and maintain control, kernel malware usually makes persistent control flow modifications (i.e., installing hooks). To avoid detection, malware developers have started to target function pointers in kernel data structures, especially those dynamically allocated from heaps and memory pools. Function pointer modification is stealthy and the attack surface is large; thus, this type of attacks is appealing to malware developers. In this paper, we first conduct a systematic study of this problem, and show that the attack surface is vast, with over 18,000 function pointers (most of them long-lived) existing within the Windows kernel. Moreover, to demonstrate this threat is realistic for closed-source operating systems, we implement two new attacks for Windows by exploiting two function pointers individually. Then, we propose a new proactive hook detection technique, and develop a prototype, called HookScout. Our approach is binary-centric, and thus can generate hook detection policy without access to the OS kernel source code. Our approach is also context-sensitive, and thus can deal with polymorphic data structures. We evaluated HookScout with a set of rootkits which use advanced hooking techniques and show that it detects all of the stealth techniques utilized (including our new attacks). Additionally, we show that our approach is easily deployable, has wide coverage and minimal performance overhead.", 
    "editor": [
      {
        "familyName": "Kreibich", 
        "givenName": "Christian", 
        "type": "Person"
      }, 
      {
        "familyName": "Jahnke", 
        "givenName": "Marko", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-3-642-14215-4_1", 
    "inLanguage": "en", 
    "isAccessibleForFree": true, 
    "isPartOf": {
      "isbn": [
        "978-3-642-14214-7", 
        "978-3-642-14215-4"
      ], 
      "name": "Detection of Intrusions and Malware, and Vulnerability Assessment", 
      "type": "Book"
    }, 
    "keywords": [
      "function pointers", 
      "malware developers", 
      "attack surface", 
      "data structure", 
      "kernel data structures", 
      "kernel source code", 
      "types of attacks", 
      "operating system", 
      "source code", 
      "hooking techniques", 
      "new attacks", 
      "minimal performance", 
      "Windows kernel", 
      "detection policy", 
      "detection techniques", 
      "developers", 
      "stealth techniques", 
      "wide coverage", 
      "pointers", 
      "memory pool", 
      "attacks", 
      "malware", 
      "rootkits", 
      "technique", 
      "detection", 
      "prototype", 
      "kernel", 
      "code", 
      "set", 
      "heap", 
      "access", 
      "performance", 
      "system", 
      "threat", 
      "window", 
      "order", 
      "coverage", 
      "structure", 
      "policy", 
      "control", 
      "modification", 
      "types", 
      "flow modification", 
      "pool", 
      "systematic study", 
      "study", 
      "surface", 
      "approach", 
      "paper", 
      "problem"
    ], 
    "name": "HookScout: Proactive Binary-Centric Hook Detection", 
    "pagination": "1-20", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1046108278"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-3-642-14215-4_1"
        ]
      }
    ], 
    "publisher": {
      "name": "Springer Nature", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-3-642-14215-4_1", 
      "https://app.dimensions.ai/details/publication/pub.1046108278"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2022-05-10T10:44", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-springernature-scigraph/baseset/20220509/entities/gbq_results/chapter/chapter_267.jsonl", 
    "type": "Chapter", 
    "url": "https://doi.org/10.1007/978-3-642-14215-4_1"
  }
]

HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-642-14215-4_1'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-642-14215-4_1'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-642-14215-4_1'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-642-14215-4_1'


This table displays all metadata directly associated to this object as RDF triples.

143 triples, 23 predicates, 76 URIs, 69 literals, 7 blank nodes

Subject Predicate Object
1 sg:pub.10.1007/978-3-642-14215-4_1 schema:about anzsrc-for:08
2 anzsrc-for:0801
3 schema:author N086d3751d9164f03a5a3340a930b6034
4 schema:datePublished 2010
5 schema:datePublishedReg 2010-01-01
6 schema:description In order to obtain and maintain control, kernel malware usually makes persistent control flow modifications (i.e., installing hooks). To avoid detection, malware developers have started to target function pointers in kernel data structures, especially those dynamically allocated from heaps and memory pools. Function pointer modification is stealthy and the attack surface is large; thus, this type of attacks is appealing to malware developers. In this paper, we first conduct a systematic study of this problem, and show that the attack surface is vast, with over 18,000 function pointers (most of them long-lived) existing within the Windows kernel. Moreover, to demonstrate this threat is realistic for closed-source operating systems, we implement two new attacks for Windows by exploiting two function pointers individually. Then, we propose a new proactive hook detection technique, and develop a prototype, called HookScout. Our approach is binary-centric, and thus can generate hook detection policy without access to the OS kernel source code. Our approach is also context-sensitive, and thus can deal with polymorphic data structures. We evaluated HookScout with a set of rootkits which use advanced hooking techniques and show that it detects all of the stealth techniques utilized (including our new attacks). Additionally, we show that our approach is easily deployable, has wide coverage and minimal performance overhead.
7 schema:editor Nfb61aaee038648c8b148899315af48e4
8 schema:genre chapter
9 schema:inLanguage en
10 schema:isAccessibleForFree true
11 schema:isPartOf N2b8a2e47fe1b4e5b911181db3439c239
12 schema:keywords Windows kernel
13 access
14 approach
15 attack surface
16 attacks
17 code
18 control
19 coverage
20 data structure
21 detection
22 detection policy
23 detection techniques
24 developers
25 flow modification
26 function pointers
27 heap
28 hooking techniques
29 kernel
30 kernel data structures
31 kernel source code
32 malware
33 malware developers
34 memory pool
35 minimal performance
36 modification
37 new attacks
38 operating system
39 order
40 paper
41 performance
42 pointers
43 policy
44 pool
45 problem
46 prototype
47 rootkits
48 set
49 source code
50 stealth techniques
51 structure
52 study
53 surface
54 system
55 systematic study
56 technique
57 threat
58 types
59 types of attacks
60 wide coverage
61 window
62 schema:name HookScout: Proactive Binary-Centric Hook Detection
63 schema:pagination 1-20
64 schema:productId N40ce0778d6694e619634e67bd2f3a727
65 Ncf7e34a3801043f5b976d83508a1df88
66 schema:publisher N82b475bcb80e4fcc8a003e3415622131
67 schema:sameAs https://app.dimensions.ai/details/publication/pub.1046108278
68 https://doi.org/10.1007/978-3-642-14215-4_1
69 schema:sdDatePublished 2022-05-10T10:44
70 schema:sdLicense https://scigraph.springernature.com/explorer/license/
71 schema:sdPublisher N7292ce4d40da4b74b1389222c639461e
72 schema:url https://doi.org/10.1007/978-3-642-14215-4_1
73 sgo:license sg:explorer/license/
74 sgo:sdDataset chapters
75 rdf:type schema:Chapter
76 N086d3751d9164f03a5a3340a930b6034 rdf:first sg:person.010023156265.84
77 rdf:rest N7180a63cedc145438f241f11131ee5c7
78 N2b8a2e47fe1b4e5b911181db3439c239 schema:isbn 978-3-642-14214-7
79 978-3-642-14215-4
80 schema:name Detection of Intrusions and Malware, and Vulnerability Assessment
81 rdf:type schema:Book
82 N2df01e18783a49f4b01b7c566b9ed029 rdf:first sg:person.01143152610.86
83 rdf:rest rdf:nil
84 N40ce0778d6694e619634e67bd2f3a727 schema:name dimensions_id
85 schema:value pub.1046108278
86 rdf:type schema:PropertyValue
87 N7180a63cedc145438f241f11131ee5c7 rdf:first sg:person.016604336755.76
88 rdf:rest Nf1be80466a0c49c782d7260493b7cd6b
89 N7292ce4d40da4b74b1389222c639461e schema:name Springer Nature - SN SciGraph project
90 rdf:type schema:Organization
91 N78e75359cc164408af661d53d81261cb rdf:first N8ce89ab8bf0446d1bc9c76e75c7f959c
92 rdf:rest rdf:nil
93 N82b475bcb80e4fcc8a003e3415622131 schema:name Springer Nature
94 rdf:type schema:Organisation
95 N8ce89ab8bf0446d1bc9c76e75c7f959c schema:familyName Jahnke
96 schema:givenName Marko
97 rdf:type schema:Person
98 Nce3bb806e527413fadd6c529cfbaa104 schema:familyName Kreibich
99 schema:givenName Christian
100 rdf:type schema:Person
101 Ncf7e34a3801043f5b976d83508a1df88 schema:name doi
102 schema:value 10.1007/978-3-642-14215-4_1
103 rdf:type schema:PropertyValue
104 Nf1be80466a0c49c782d7260493b7cd6b rdf:first sg:person.07741311617.07
105 rdf:rest N2df01e18783a49f4b01b7c566b9ed029
106 Nfb61aaee038648c8b148899315af48e4 rdf:first Nce3bb806e527413fadd6c529cfbaa104
107 rdf:rest N78e75359cc164408af661d53d81261cb
108 anzsrc-for:08 schema:inDefinedTermSet anzsrc-for:
109 schema:name Information and Computing Sciences
110 rdf:type schema:DefinedTerm
111 anzsrc-for:0801 schema:inDefinedTermSet anzsrc-for:
112 schema:name Artificial Intelligence and Image Processing
113 rdf:type schema:DefinedTerm
114 sg:person.010023156265.84 schema:affiliation grid-institutes:grid.264484.8
115 schema:familyName Yin
116 schema:givenName Heng
117 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010023156265.84
118 rdf:type schema:Person
119 sg:person.01143152610.86 schema:affiliation grid-institutes:grid.47840.3f
120 schema:familyName Song
121 schema:givenName Dawn
122 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.01143152610.86
123 rdf:type schema:Person
124 sg:person.016604336755.76 schema:affiliation grid-institutes:grid.147455.6
125 schema:familyName Poosankam
126 schema:givenName Pongsin
127 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016604336755.76
128 rdf:type schema:Person
129 sg:person.07741311617.07 schema:affiliation grid-institutes:grid.47840.3f
130 schema:familyName Hanna
131 schema:givenName Steve
132 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.07741311617.07
133 rdf:type schema:Person
134 grid-institutes:grid.147455.6 schema:alternateName Carnegie Mellon University, 15213, Pittsburgh, PA
135 schema:name Carnegie Mellon University, 15213, Pittsburgh, PA
136 UC Berkeley, 94720, Berkeley, CA
137 rdf:type schema:Organization
138 grid-institutes:grid.264484.8 schema:alternateName Syracuse University, 13104, Syracuse, NY
139 schema:name Syracuse University, 13104, Syracuse, NY
140 rdf:type schema:Organization
141 grid-institutes:grid.47840.3f schema:alternateName UC Berkeley, 94720, Berkeley, CA
142 schema:name UC Berkeley, 94720, Berkeley, CA
143 rdf:type schema:Organization