Fluorescence: Detecting Kernel-Resident Malware In Clouds

Kernel-resident malware remains a significant threat. An effective way to detect such malware is to examine the kernel memory of many similar (virtual) machines, as one might find in an enterprise network or cloud, in search of anomalies: i.e., the relatively rare infected hosts within a large population of healthy hosts. It is challenging, however, to compare the kernel memories of different hosts against each other. Previous work has relied on knowledge of specific kernels-e.g., the locations of important variables and the layouts of key data structures-to cross the "semantic gap" and allow kernels to be compared. As a result, those previous systems work only with the kernels they were built for, and they make assumptions about the malware being searched for. We present a new approach to detecting kernel-resident malware within a "herd" of similar virtual machines. Our approach uses limited knowledge of the kernels under examination-e.g., the location of the page global directory and the processor's instruction set-to concisely fingerprint each kernel. It uses no kernel-specific semantics to compare the fingerprints and find those that represent anomalous hosts. We implement our method in a tool called Fluorescence and demonstrate its ability to identify Linux and Windows hosts infected with real-world, kernel-resident malware. Fluorescence can examine a herd of 200 virtual machines with Linux guests in about an hour.