Assessing the Trustworthiness of Drivers

  • Shengzhi Zhang
  • Peng Liu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7462)


Drivers, especially third-party drivers, can contain malicious code (e.g., logic bombs) or carefully designed-in vulnerabilities. Generally, it is extremely difficult for static analysis to identify such code and vulnerabilities. Without knowing the exact triggers that cause this code to execute or these vulnerabilities to be exploited, dynamic taint analysis cannot help either. In this paper, we propose a novel cross-brand comparison approach to assess drivers in a honeypot or testing environment. Through hardware virtualization, we design and deploy replicas based on diverse drivers, and compare the runtime behaviour of drivers developed by different vendors. Whenever malicious code is executed or a vulnerability is exploited, our analysis captures the evidence of malicious driver behaviour through comparison and difference telling. Evaluation shows that the approach faithfully reveals various kernel integrity/confidentiality manipulation and resource starvation attacks launched by compromised drivers, and thus can be used to assess the trustworthiness of the evaluated drivers.
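As an added illustration of the comparison step the abstract describes (this is not code from the paper or its authors), the Python below compares constructed kernel-event traces from two replicas that run different vendors' drivers for the same device under the same workload. Vendor-specific device I/O is expected to differ and is ignored; accesses to shared kernel state that only one replica performs are reported as integrity or confidentiality findings, and a large CPU-time imbalance is reported as resource starvation. The event categories, target names, CPU figures and the 3x ratio threshold are all assumed sample values, not the paper's instrumentation or its difference-telling logic.

```python
from collections import Counter

# Constructed sample traces (not data from the paper). Each event is (category, target).
# "device_io" events are vendor-specific and expected to differ between replicas;
# "kernel_read"/"kernel_write" events touch shared kernel state and, under the same
# workload, should look alike whichever vendor's driver is loaded.
TRACE_VENDOR_A = [
    ("device_io", "reg:0x10"),
    ("device_io", "reg:0x14"),
    ("kernel_read", "skb"),
    ("kernel_write", "skb"),
    ("kernel_write", "sys_call_table"),   # kernel integrity manipulation, replica A only
    ("kernel_read", "other_task->cred"),  # kernel confidentiality manipulation, replica A only
]
TRACE_VENDOR_B = [
    ("device_io", "reg:0x200"),
    ("device_io", "reg:0x204"),
    ("kernel_read", "skb"),
    ("kernel_write", "skb"),
]
# Constructed CPU time (ms) spent in kernel context by each driver for the same workload.
CPU_MS_VENDOR_A = 920
CPU_MS_VENDOR_B = 110

SHARED_STATE_CATEGORIES = {"kernel_read", "kernel_write"}
ACCESS_KIND = {"kernel_write": "integrity", "kernel_read": "confidentiality"}


def kernel_profile(trace):
    """Count only events that touch shared kernel state; device I/O is ignored."""
    return Counter(ev for ev in trace if ev[0] in SHARED_STATE_CATEGORIES)


def compare_replicas(trace_a, trace_b, cpu_a_ms, cpu_b_ms, cpu_ratio_threshold=3.0):
    """Difference telling between two replicas (hypothetical logic, not the paper's).

    Returns a list of (replica, kind, target) findings: kernel-facing accesses that one
    replica performed and the other never did, plus a starvation finding if one driver
    consumed more than cpu_ratio_threshold times the CPU time of the other.
    """
    profile_a, profile_b = kernel_profile(trace_a), kernel_profile(trace_b)
    findings = []
    for category, target in sorted(profile_a.keys() | profile_b.keys()):
        in_a, in_b = profile_a[(category, target)], profile_b[(category, target)]
        if in_a and not in_b:
            findings.append(("A", ACCESS_KIND[category], target))
        elif in_b and not in_a:
            findings.append(("B", ACCESS_KIND[category], target))
    if cpu_a_ms > cpu_ratio_threshold * cpu_b_ms:
        findings.append(("A", "starvation", f"cpu {cpu_a_ms}ms vs {cpu_b_ms}ms"))
    elif cpu_b_ms > cpu_ratio_threshold * cpu_a_ms:
        findings.append(("B", "starvation", f"cpu {cpu_b_ms}ms vs {cpu_a_ms}ms"))
    return findings


if __name__ == "__main__":
    for finding in compare_replicas(TRACE_VENDOR_A, TRACE_VENDOR_B,
                                    CPU_MS_VENDOR_A, CPU_MS_VENDOR_B):
        print(finding)
```

Running the block flags replica A three times: a write to `sys_call_table` (integrity), a read of another task's credentials (confidentiality) and a CPU-time imbalance (starvation), while the shared `skb` accesses and the differing device registers produce no finding. The design choice worth noting is that the comparison is blind to what "correct" driver behaviour looks like; it only needs the two vendors' drivers to agree on their kernel-facing footprint, which is what lets it catch code whose trigger is unknown in advance.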


Keywords: Driver code safety, diversity, hardware virtualization





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Shengzhi Zhang (1)
  • Peng Liu (1)
  1. The Penn State University, University Park, USA
