Conference paper: European Symposium on Research in Computer Security

KQguard: Binary-Centric Defense against Kernel Queue Injection Attacks



Abstract

Kernel callback queues (KQs) are the mechanism of choice for handling events in modern kernels. KQs have been misused by real-world malware to run malicious logic. Current defense mechanisms for kernel code and data integrity have difficulties with kernel queue injection (KQI) attacks, since such attacks work without necessarily changing legitimate kernel code or data. In this paper, we describe the design, implementation, and evaluation of KQguard, an efficient and effective protection mechanism for KQs. KQguard uses static and dynamic analysis of the kernel and device drivers to learn the legitimate event handlers. At runtime, KQguard rejects all unknown KQ requests that cannot be validated. We implement KQguard on the Windows Research Kernel (WRK) and Linux, and extensive experimental evaluation shows that KQguard is efficient (up to ~5% overhead) and effective (capable of achieving zero false positives against representative benign workloads after appropriate training, and very low false negatives against 125 real-world malware samples and nine synthetic attacks). KQguard protects 20 KQs in WRK, can accommodate new device drivers, and through dynamic analysis of binary code can support closed-source device drivers.
