
Automatic generation of the kernel integrity monitor and how to protect the integrity monitor itself


If you have a question about this talk, please contact Wei Ming Khoo.

The complexity and sheer size of a modern OS kernel make the system prone to bugs. Through these bugs, rootkits exploit the OS kernel and hide themselves by breaking the integrity of kernel data structures. In order to detect unexpected modification of kernel data structures, an integrity monitor must define the ‘correct states’ of the targeted kernel. This is difficult engineering, since the correct states of a kernel vary from OS to OS. Even if two kernels are built from the same source code, their states differ. This makes it hard to implement an integrity monitor by hand and to detect rootkits that were not known in advance. Therefore we propose a method to generate an integrity monitor automatically from the invariants of the kernel data structures. There are two challenges in this research. First, we need to reduce the set of kernel data structures from which invariants are generated; without proper care, the number of data structures and their combinations may grow exponentially. Second, we need to manage the timing at which kernel data structures are captured, because capturing them at different times yields different invariants. We conducted our experiment in a virtualized environment, with the targeted OS and the integrity monitor both hosted on a single machine.

Furthermore, we propose a method to protect the integrity checker itself from malicious attack in the above environment. The integrity checker can be exploited by rootkits if the underlying virtualization layer is exploitable. We propose a new multi-core processor architecture that gives a special privilege to a specific core, which has a private memory area isolated by hardware. We call this memory area the core-local memory. The drawback of the core-local memory is its size, which is limited to a few hundred kilobytes of data. Thus, in addition, we propose a method to virtually extend the size of the core-local memory by swapping the pages of the integrity checker between the core-local memory and main memory. Our method keeps track of cryptographic hashes of the pages held in main memory in order to preserve their integrity.
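As an added illustration of the page-swapping scheme described above (not code from the talk or its authors), the following simulation keeps a fixed number of checker pages in a trusted core-local area, evicts the rest to untrusted main memory with a SHA-256 digest retained on the trusted side, and refuses to swap a page back in if its digest no longer matches. The page size, LRU eviction policy and the `CoreLocalPager` API are assumptions for the example; the hash protects integrity only, so a page in main memory can still be read.

```python
import hashlib
from collections import OrderedDict

PAGE_SIZE = 4096  # assumed page size for this simulation

class IntegrityError(Exception): pass  # swapped-in page failed its hash check

class CoreLocalPager:
    """Swaps checker pages between a small trusted core-local area and untrusted
    main memory, retaining a SHA-256 of every swapped-out page on the trusted side."""

    def __init__(self, capacity):
        self.capacity = capacity         # pages that fit in core-local memory
        self.core_local = OrderedDict()  # page_id -> bytes, LRU order (trusted)
        self.main_memory = {}            # page_id -> bytes (attacker-writable)
        self.digests = {}                # page_id -> sha256 (stays in core-local)

    def store(self, page_id, data):
        assert len(data) == PAGE_SIZE
        self.core_local[page_id] = data
        self.core_local.move_to_end(page_id)
        while len(self.core_local) > self.capacity:  # evict LRU page to main memory
            victim, vdata = self.core_local.popitem(last=False)
            self.digests[victim] = hashlib.sha256(vdata).digest()
            self.main_memory[victim] = vdata

    def load(self, page_id):
        if page_id in self.core_local:
            self.core_local.move_to_end(page_id)
            return self.core_local[page_id]
        data = self.main_memory[page_id]
        if hashlib.sha256(data).digest() != self.digests[page_id]:
            raise IntegrityError(f"page {page_id} was modified in main memory")
        del self.main_memory[page_id], self.digests[page_id]
        self.store(page_id, data)  # swap in; may evict another page
        return data

def demo():
    pager = CoreLocalPager(capacity=2)
    pages = {i: bytes([i]) * PAGE_SIZE for i in range(3)}  # constructed pages
    for i, page in pages.items():
        pager.store(i, page)                 # storing page 2 evicts page 0
    clean_ok = pager.load(0) == pages[0]     # digest matches: swapped back in
    page1 = pager.main_memory[1]             # page 1 was evicted by that swap-in
    pager.main_memory[1] = page1[:100] + b"\xff" + page1[101:]  # constructed tamper
    try:
        pager.load(1)
        detected = False
    except IntegrityError:
        detected = True
    return clean_ok, detected
```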

This talk is part of the Computer Laboratory Security Group meeting presentations series.


© 2006-2017 Talks.cam, University of Cambridge.