Weidong Cui, Zhilei Xu, Marcus Peinado, and Ellick Chan
Type information is typically not available for dynamic data of system programs developed in native code. The lack of type information makes it extremely difficult to perform certain tasks on a program's memory, such as checking kernel integrity and debugging crash dumps. Previous solutions have either high data coverage or high performance and robustness, but no existing solution has all three of these desirable properties. This prevents them from being applied to a wide range of real-world tasks.
In this paper, we present KOP2, a system that can type dynamic data in kernel memory robustly with high coverage and high speed. The key observation behind KOP2 is that we should follow generic pointers (e.g., void*) in memory traversal but should not rely on resolving type ambiguities (e.g., a pointer with multiple candidate types). To precisely and quickly identify candidate types for generic pointers, we design a novel demand-driven pointer analysis algorithm that is both field-sensitive and context-sensitive. We have implemented a prototype of KOP2 and evaluated it with memory snapshots from both real-world and virtual machines running Windows 7, Windows Vista SP1 or Windows XP SP3. By running static analysis in parallel, KOP2 can potentially finish in tens of minutes, two orders of magnitude faster than KOP, while still achieving better precision. When analyzing a memory snapshot, KOP2 can finish within two minutes, a four times speed-up over KOP, with a data coverage of 95%. We have applied KOP2 to detect function pointers manipulated by kernel rootkits and to identify pointers to corrupted data in crash dumps. KOP2 correctly identified all malicious function pointers planted by rootkits. It also correctly identified all but one of the pointers to corrupted data when the pointers are part of dynamic data whose type definitions are known. This shows that KOP2 can robustly analyze the memory of real-world machines.
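As an added illustration of the traversal idea stated above (follow generic pointers using every candidate type, and never commit to one interpretation where the candidates disagree), the following Python model is not KOP2's code. It uses constructed type definitions with hypothetical names, a hand-built 64-bit little-endian memory snapshot, and a hard-coded candidate table that stands in for the output of the pointer analysis. It also shows the defender-side check the rootkit experiment depends on: once a slot is known to be a function pointer under all candidate types, its value can be compared against a known code range.

```python
import struct
from collections import deque

PTR = 8  # 64-bit little-endian pointers in this constructed snapshot
BASE = 0x100000  # constructed base address of the snapshot region

# Constructed type definitions (hypothetical names, not real Windows structures).
# Each field is (name, kind, target); kind is "u64", "ptr", "gptr" (void*), or "fptr".
TYPES = {
    "LIST_NODE": [("next", "ptr", "LIST_NODE"), ("ctx", "gptr", None), ("handler", "fptr", None)],
    "EXT_A":     [("flags", "u64", None), ("callback", "fptr", None)],
    "EXT_B":     [("owner", "ptr", "LIST_NODE"), ("callback", "fptr", None)],
}
# Candidate target types for each generic-pointer field. Assumed here; in a
# real system this table is what the static pointer analysis produces.
CANDIDATES = {("LIST_NODE", "ctx"): ("EXT_A", "EXT_B")}
CODE_RANGE = (0x1000, 0x2000)  # constructed "legitimate kernel/driver code" range


def build_snapshot():
    """Construct a memory image plus an allocation map (object start -> size)."""
    mem = bytearray(0x60)

    def put(off, *vals):
        mem[off:off + PTR * len(vals)] = struct.pack("<%dQ" % len(vals), *vals)

    put(0x00, BASE + 0x18, BASE + 0x30, 0x1200)  # node1: next, ctx -> EXT_A object, handler
    put(0x18, 0,           BASE + 0x40, 0x1300)  # node2: next = NULL, ctx -> EXT_B object, handler
    put(0x30, 7,           0x1400)               # EXT_A object: flags, callback
    put(0x40, BASE + 0x18, 0x9000)               # EXT_B object: owner, callback hooked outside code
    put(0x50, 1,           0x1500)               # orphan EXT_A object nothing points to
    allocations = {BASE: 24, BASE + 0x18: 24, BASE + 0x30: 16, BASE + 0x40: 16, BASE + 0x50: 16}
    return mem, allocations


def read_u64(mem, addr):
    off = addr - BASE
    if not 0 <= off <= len(mem) - PTR:
        return None
    return struct.unpack_from("<Q", mem, off)[0]


def type_memory(mem, allocations, root_addr, root_type):
    """Breadth-first traversal from a root object.

    Returns {object address: set of candidate type names}. Generic pointers are
    followed under every candidate type; ambiguity is recorded, never resolved.
    Pointers are only followed to known allocation starts (a simplification).
    """
    typed = {}
    work = deque([(root_addr, root_type)])
    while work:
        addr, tname = work.popleft()
        if addr not in allocations or tname in typed.get(addr, ()):
            continue
        typed.setdefault(addr, set()).add(tname)
        for i, (fname, kind, target) in enumerate(TYPES[tname]):
            val = read_u64(mem, addr + i * PTR)
            if val is None:
                continue
            if kind == "ptr":
                work.append((val, target))
            elif kind == "gptr":
                for cand in CANDIDATES.get((tname, fname), ()):
                    work.append((val, cand))
    return typed


def coverage(typed, allocations):
    """Fraction of allocated objects reached by the traversal."""
    return len(typed) / len(allocations)


def find_suspicious_fptrs(mem, typed):
    """Report function-pointer slots whose value lies outside CODE_RANGE.

    A slot is trusted only if every candidate type of the object calls it a
    function pointer; slots where candidates disagree are left alone.
    """
    findings = []
    for addr, cands in typed.items():
        slots = {}  # field address -> kinds contributed by each candidate type
        for tname in cands:
            for i, (_, kind, _) in enumerate(TYPES[tname]):
                slots.setdefault(addr + i * PTR, []).append(kind)
        for faddr, kinds in slots.items():
            if len(kinds) == len(cands) and all(k == "fptr" for k in kinds):
                val = read_u64(mem, faddr)
                if not CODE_RANGE[0] <= val < CODE_RANGE[1]:
                    findings.append((faddr, val))
    return findings


if __name__ == "__main__":
    mem, allocs = build_snapshot()
    typed = type_memory(mem, allocs, BASE, "LIST_NODE")
    print("coverage:", coverage(typed, allocs))
    print("suspicious function pointers:", [(hex(a), hex(v)) for a, v in find_suspicious_fptrs(mem, typed)])
```

In this constructed snapshot the two objects reached through the void* field are each typed as both EXT_A and EXT_B. Their first slot is a scalar under one candidate and a pointer under the other, so it is never checked; their second slot is a function pointer under both, so the hooked value in the second object is reported without deciding which candidate type is correct. The orphan object is never reached, which is why coverage is below 100%.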