DocumentCode :
628246
Title :
DRIP: A framework for purifying trojaned kernel drivers
Author :
Zhongshu Gu ; Sumner, William N. ; Zhui Deng ; Xiangyu Zhang ; Dongyan Xu
Author_Institution :
Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA
fYear :
2013
fDate :
24-27 June 2013
Firstpage :
1
Lastpage :
12
Abstract :
Kernel drivers are usually provided as loadable kernel extensions, which can be loaded and unloaded dynamically at runtime and execute with the same privilege as the core operating system kernel. This unrestricted access from drivers to the kernel is a double-edged sword: it also makes drivers attractive targets for trojan attacks. Given a benign driver, existing hacking tools make it easy to implant malicious logic, and once implanted, such logic is difficult to detect. In this paper we propose DRIP, a framework for detecting and eliminating malicious logic embedded in a kernel driver by iteratively eliminating unnecessary kernel API invocations from the driver. Given the binary of a trojaned driver, DRIP generates a purified driver in which the benign functionality is preserved and the malicious functionality is eliminated. Our evaluation shows that DRIP successfully eliminates the malicious effects of trojaned drivers on the system, with the purified drivers maintaining or even improving their performance relative to the trojaned drivers.
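The following toy model is an added illustration of the purification idea described in the abstract; it is not the paper's code and does not reproduce DRIP's actual analysis. A driver is modelled as an ordered list of kernel API invocations with assumed resource dependencies, a small set of benign functional tests serves as the oracle, and invocations whose removal breaks no benign test are eliminated iteratively until a fixed point is reached. All API names, call-site ids, resources and tests are constructed for the example.

```python
"""Toy model of test-driven driver purification (added example, not DRIP's code).

A 'driver' is an ordered list of kernel API invocations. Each invocation
requires some resources to already exist and produces new ones. Benign
functional tests name the effects they expect. Any invocation that can be
removed without failing a benign test is treated as unnecessary.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invocation:
    site: int             # call-site id in the hypothetical driver binary
    api: str              # kernel API name (assumed, illustrative only)
    produces: tuple = ()  # effects/resources this call creates
    requires: tuple = ()  # resources that must exist for the call to succeed


# Constructed trojaned driver: sites 3-5 model an implanted syscall-table hook.
CONSTRUCTED_DRIVER = [
    Invocation(0, "register_chrdev", produces=("chrdev",)),
    Invocation(1, "kmalloc", produces=("buf",)),
    Invocation(2, "request_irq", produces=("irq",), requires=("chrdev",)),
    Invocation(3, "lookup_sys_call_table", produces=("sct",)),
    Invocation(4, "write_cr0", produces=("wp_off",)),
    Invocation(5, "patch_sys_call_table", produces=("hooked_getdents",),
               requires=("sct", "wp_off")),
    Invocation(6, "copy_to_user", produces=("read_ok",),
               requires=("buf", "chrdev")),
    Invocation(7, "printk", produces=("log",)),
]

# Constructed benign tests: each names the effects it must observe.
BENIGN_TESTS = {
    "open": {"chrdev"},
    "read": {"read_ok"},
    "interrupt": {"irq"},
}


def execute(invocations):
    """Simulate the driver: a call only takes effect if its requirements exist."""
    have = set()
    for inv in invocations:
        if all(r in have for r in inv.requires):
            have.update(inv.produces)
    return have


def all_pass(invocations, tests=BENIGN_TESTS):
    """True if every benign test observes the effects it needs."""
    have = execute(invocations)
    return all(need <= have for need in tests.values())


def purify(driver, tests=BENIGN_TESTS):
    """Iteratively drop invocations whose removal breaks no benign test."""
    kept = list(driver)
    changed = True
    while changed:
        changed = False
        for inv in list(kept):
            candidate = [i for i in kept if i is not inv]
            if all_pass(candidate, tests):
                kept = candidate
                changed = True
    return kept


def eliminated_effects(driver, tests=BENIGN_TESTS):
    """Effects present in the original driver but absent from the purified one."""
    return execute(driver) - execute(purify(driver, tests))


if __name__ == "__main__":
    purified = purify(CONSTRUCTED_DRIVER)
    print("kept sites:", [i.site for i in purified])
    print("eliminated effects:", sorted(eliminated_effects(CONSTRUCTED_DRIVER)))
```

In this model the three hook-installing invocations disappear because no benign test depends on them, but so does the `printk` call: anything the benign tests never exercise is "unnecessary" to the purifier. The practical consequence of a test-driven elimination approach is that the benign test suite defines what survives, so its coverage of legitimate driver behaviour is the main thing to check before trusting a purified driver.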
Keywords :
application program interfaces; authorisation; device drivers; invasive software; operating system kernels; DRIP; hacking tools; iterative elimination; loadable kernel extensions; malicious logic detection; malicious logic elimination; operating system kernel; trojan attacks; trojaned kernel drivers; unnecessary kernel API invocation elimination; unrestricted security access; Communication channels; Context; Kernel; Monitoring; Runtime; Testing; Kernel Drivers; System Security; Trojan Detection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on
Conference_Location :
Budapest
ISSN :
1530-0889
Print_ISBN :
978-1-4673-6471-3
Type :
conf
DOI :
10.1109/DSN.2013.6575342
Filename :
6575342