Kernel drivers are usually provided in the form of loadable kernel extensions, which can be loaded and unloaded dynamically at runtime and execute with the same privilege as the core operating system kernel. This unrestricted access from drivers to the kernel is nevertheless a double-edged sword that makes them attractive targets for driver trojan attacks. Given a benign driver, it is now easy to implant malicious logic with existing hacking tools at hand. Once implanted, such malicious logic is difficult to detect. In this paper we propose DRIP, a framework for detecting and eliminating malicious logic embedded in a kernel driver by iteratively eliminating unnecessary kernel API invocations from the driver. When provided with the binary of a trojaned driver, DRIP generates a purified driver with benign functionality preserved and malicious functionality eliminated. Our evaluation shows that DRIP successfully eliminates the malicious effects of trojaned drivers on the system, with the purified drivers maintaining or even improving their performance over the trojaned driver.
@inproceedings{guDSN2013,
  author    = {Zhongshu Gu and William N. Sumner and Zhui Deng and Xiangyu Zhang and Dongyan Xu},
  title     = {DRIP: A Framework for Purifying Trojaned Kernel Drivers},
  booktitle = {DSN},
  year      = {2013},
}