DocumentCode
3575142
Title
Data Interception through Broken Concurrency in Kernel Land
Author
Rrushi, Julian L.
Author_Institution
Centre for Cybersecurity, British Columbia Inst. of Technol., Burnaby, BC, Canada
fYear
2014
Firstpage
785
Lastpage
793
Abstract
We present a kernel data interception technique that is undetectable by existing approaches to malware detection, and propose practical methods to detect it. The technique is based on breaking concurrency in a way that enables the attack code to take over the synchronization established by target kernel modules. That level of control allows the attack code to interpose between those modules, and thus intercept sensitive data. We illustrate the overall technique as applied to intercepting keystrokes from a computer keyboard on Windows 7, and demonstrate it in practice through an attack kernel driver that we dubbed kbdinterceptor. The technique has no reliance on function hooking, machine code replacement, direct access to I/O bus, or attachment to any device driver stack whatsoever. In the paper, we capture the salient characteristics of the attack technique to devise a defensive approach that can accurately detect the corresponding attack code through dynamic analysis.
Keywords
computer crime; concurrency control; invasive software; system monitoring; Windows 7; attack code detection; attack kernel driver; attack technique; broken concurrency; computer keyboard; data interception; defensive approach; kbdinterceptor; kernel data interception technique; kernel land; keylogger; keystrokes interception; malware detection; synchronization; target kernel modules; Concurrent computing; Data structures; Kernel; Keyboards; Reactive power; Registers; Synchronization; Keylogger; Windows kernel; concurrency;
fLanguage
English
Publisher
ieee
Conference_Titel
2014 IEEE Intl Conf on High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security, 2014 IEEE 11th Intl Conf on Embedded Software and Syst (HPCC, CSS, ICESS)
Print_ISBN
978-1-4799-6122-1
Type
conf
DOI
10.1109/HPCC.2014.131
Filename
7056833