DIGGER: Identifying Operating System Dynamic Kernel Objects for Run-time Security Analysis

In operating systems, we usually refer to a running instance of a data structure (data type) as an object. Locating runtime dynamic kernel objects in physical memory is the most difficult step towards enabling implementation of robust operating system security solutions. In this paper, we address the problem of systemically uncovering all operating system runtime dynamic kernel objects, without any prior knowledge of the operating system kernel data layout in memory. We present a new hybrid approach – called DIGGER – that enables uncovering kernel runtime objects with nearly complete coverage, high accuracy and robust results. Unlike previous approaches, DIGGER is designed to address the challenges of indirect points-to relations between kernel data structures. DIGGER employs a hybrid approach that combines a new value-invariant approach and a systematic memory mapping technique in order to get accurate results. We have implemented a prototype of DIGGER and conducted an evaluation of its efficiency and effectiveness. To demonstrate our approach’s potential, we have also developed three different proof-of-concept operating system security tools based on DIGGER approach.