Tracking Rootkit Footprints with a Practical Memory Analysis System

Authors: 

Weidong Cui and Marcus Peinado, Microsoft Research; Zhilei Xu, Massachusetts Institute of Technology; Ellick Chan, University of Illinois at Urbana-Champaign

Abstract: 

In this paper, we present MAS, a practical memory analysis system for identifying a kernel rootkit’s memory footprint in an infected system. We also present two large-scale studies of applying MAS to 848 real-world Windows kernel crash dumps and 154,768 potential malware samples.

Error propagation and invalid pointers are two key challenges that stop previous pointer-based memory traversal solutions from effectively and efficiently analyzing real-world systems. MAS uses a new memory traversal algorithm to support error correction and stop error propagation. Our enhanced static analysis allows the MAS memory traversal to avoid error-prone operations and provides it with a reliable partial type assignment.

Our experiments show that MAS was able to analyze all memory snapshots quickly with typical running times between 30 and 160 seconds per snapshot and with near perfect accuracy. Our kernel malware study observes that the malware samples we tested hooked 191 different function pointers in 31 different data structures. With MAS, we were able to determine quickly that 95 out of the 848 crash dumps contained kernel rootkits.


BibTeX
@inproceedings {180239,
author = {Weidong Cui and Marcus Peinado and Zhilei Xu and Ellick Chan},
title = {Tracking Rootkit Footprints with a Practical Memory Analysis System},
booktitle = {21st USENIX Security Symposium (USENIX Security 12)},
year = {2012},
isbn = {978-931971-95-9},
address = {Bellevue, WA},
pages = {601--615},
url = {https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/cui},
publisher = {USENIX Association},
month = aug,
}

Comments

I think that the paper is

Posted by KEVIN
July 17, 2012 - 7:22 am
0 likes
0 dislikes