DIGGER: identifying OS dynamic kernel objects for run-time security analysis
Version 2 2024-06-17, 20:51
Version 1 2016-11-28, 15:26
journal contribution
posted on 2024-06-17, 20:51, authored by A Ibrahim, J Hamlyn-Harris, J Grundy, M Almorsy
In operating systems, we usually refer to a running instance of a data structure (data type) as an object. Locating dynamic runtime kernel objects in physical memory is the most difficult step towards enabling implementation of robust operating system security solutions. In this paper, we address the problem of systemically uncovering all operating system dynamic kernel runtime objects, without any prior knowledge of the operating system kernel data layout in memory. We present a new hybrid approach – called DIGGER – that uncovers kernel runtime objects with nearly complete coverage, high accuracy and robust results. The information revealed allows detection of generic pointer exploits and data hooks. We have implemented a prototype of DIGGER and conducted an evaluation of its efficiency and effectiveness. To demonstrate our approach’s potential, we have also developed three different proof-of-concept operating system security tools based on the DIGGER approach.
History
Journal: International journal on internet and distributed computing systems
Volume: 3
Pagination: 184-194
Location: Dhaka, Bangladesh
ISSN: 2219-1127
eISSN: 2219-1887
Language: eng
Publication classification: C Journal article, C1.1 Refereed article in a scholarly journal