AN EVENT-DRIVEN, INCLUSIONARY AND SECURE APPROACH TO KERNEL INTEGRITY

Satyajit Grover, Divya Naidu Kolar Sunder, Samuel O. Moffatt, Michael E. Kounavis

2008

Abstract

In this paper we address the problem of protecting computer systems against stealth malware. The problem is important because the number of known types of stealth malware increases exponentially. Existing approaches have some advantages for ensuring system integrity, but the sophisticated techniques used by stealthy malware can thwart them. We propose Runtime Kernel Rootkit Detection (RKRD), a hardware-based, event-driven, secure and inclusionary approach to kernel integrity that addresses some of the limitations of the state of the art. Our solution is based on three principles: using virtualization hardware for isolation; verifying signatures of trusted code (an inclusionary whitelist) rather than searching for signatures of malware, for scalability; and performing system checks driven by events rather than by continuous scanning. Our RKRD implementation is guided by the goals of strong isolation, no modifications to target guest OS kernels, easy deployment, minimal infrastructure impact, and minimal performance overhead. We developed a system prototype and conducted a number of experiments which show that the performance impact of our solution is negligible.
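The three principles above (an isolated monitor, an inclusionary whitelist of trusted code instead of a malware blacklist, and checks triggered by events) can be illustrated with a toy simulation. The following is an added example written for this page; it is not the authors' RKRD code and does not use virtualization hardware. The guest kernel is modelled as a dictionary of named code regions with constructed contents, the hypervisor side as a Python object that holds the whitelist and that the guest never references, and the driver signature check as a boolean argument. Region names such as `ssdt`, `rootkit.sys` and `storport.sys` and the byte patterns are hypothetical.

```python
import hashlib

# Constructed sample "guest kernel": region name -> code bytes. Hypothetical
# contents; a real monitor would read these regions from guest physical memory.
GUEST_KERNEL = {
    "ntoskrnl.text": b"\x48\x89\x5c\x24\x08\x57\x48\x83\xec\x20" * 16,
    "ssdt":          bytes(range(0, 128)),
    "idt":           bytes(range(128, 256)),
}

# Exclusionary (blacklist) approach, for contrast: byte patterns of *known* malware.
KNOWN_MALWARE_SIGNATURES = [b"\xde\xad\xbe\xef\xca\xfe"]


def digest(region: bytes) -> str:
    """Hash of a code region; the whitelist stores digests, not the code."""
    return hashlib.sha256(region).hexdigest()


class InclusionaryMonitor:
    """Whitelist of trusted-region digests, re-verified on events.

    The whitelist lives in the monitor (modelling the hypervisor side); the
    guest never holds a reference to it, which is what "isolation" stands for
    in this toy. Nothing in Python enforces that boundary.
    """

    def __init__(self, trusted_kernel):
        self.whitelist = {n: digest(c) for n, c in trusted_kernel.items()}
        self.log = []  # (event, violations) pairs

    def admit_module(self, name, code, signature_valid):
        """Event: the guest loads a module. It joins the whitelist only if its
        signature check passed (modelled here as a boolean); otherwise it
        stays unknown and is reported at the next verification."""
        if signature_valid:
            self.whitelist[name] = digest(code)
        return signature_valid

    def verify(self, kernel):
        """Names of regions that are modified, missing, or not whitelisted."""
        violations = [
            name for name, expected in self.whitelist.items()
            if name not in kernel or digest(kernel[name]) != expected
        ]
        violations += [n for n in kernel if n not in self.whitelist]
        return sorted(violations)

    def on_event(self, event, kernel):
        """Event-driven check: verify only when something happened."""
        violations = self.verify(kernel)
        self.log.append((event, violations))
        return violations


def exclusionary_scan(kernel):
    """Blacklist check: flags only regions containing a known-bad pattern."""
    return sorted(n for n, c in kernel.items()
                  if any(sig in c for sig in KNOWN_MALWARE_SIGNATURES))


def demo():
    monitor = InclusionaryMonitor(GUEST_KERNEL)
    at_boot = monitor.on_event("boot", GUEST_KERNEL)

    # A previously unseen rootkit overwrites the first SSDT entry with a jump
    # and loads an unsigned driver. Nothing here matches a known signature.
    infected = dict(GUEST_KERNEL)
    infected["ssdt"] = b"\xe9\x10\x20\x30\x40" + GUEST_KERNEL["ssdt"][5:]
    infected["rootkit.sys"] = b"\x55\x48\x89\xe5" * 8
    monitor.admit_module("rootkit.sys", infected["rootkit.sys"], signature_valid=False)

    blacklist_hits = exclusionary_scan(infected)               # misses it
    whitelist_hits = monitor.on_event("module_load", infected)  # catches both

    # A legitimately signed driver, by contrast, is admitted and not flagged.
    good = dict(GUEST_KERNEL)
    good["storport.sys"] = b"\x40\x53\x48\x83\xec\x20" * 8
    monitor2 = InclusionaryMonitor(GUEST_KERNEL)
    monitor2.admit_module("storport.sys", good["storport.sys"], signature_valid=True)
    signed_load = monitor2.on_event("module_load", good)

    return at_boot, blacklist_hits, whitelist_hits, signed_load


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is the scalability argument from the abstract: the blacklist has to grow with every new malware family and still misses the unseen variant, whereas the whitelist only has to know the trusted code and flags anything else, including an unsigned driver that the guest itself considered loaded.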

Paper Citation


in Harvard Style

Grover S., Naidu Kolar Sunder D., Moffatt S. O. and Kounavis M. E. (2008). AN EVENT-DRIVEN, INCLUSIONARY AND SECURE APPROACH TO KERNEL INTEGRITY. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 411-420. DOI: 10.5220/0001916004110420


in Bibtex Style

@conference{secrypt08,
author={Satyajit Grover and Divya Naidu Kolar Sunder and Samuel O. Moffatt and Michael E. Kounavis},
title={AN EVENT-DRIVEN, INCLUSIONARY AND SECURE APPROACH TO KERNEL INTEGRITY},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},
year={2008},
pages={411-420},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001916004110420},
isbn={978-989-8111-59-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI - AN EVENT-DRIVEN, INCLUSIONARY AND SECURE APPROACH TO KERNEL INTEGRITY
SN - 978-989-8111-59-3
AU - Grover S.
AU - Naidu Kolar Sunder D.
AU - Moffatt S. O.
AU - Kounavis M. E.
PY - 2008
SP - 411
EP - 420
DO - 10.5220/0001916004110420