Automatic Inference and Enforcement of Kernel Data Structure Invariants

Baliga, Arati; Ganapathy, Vinod; Iftode, Liviu

doi:10.1109/acsac.2008.29

Cited by 98 publications

(104 citation statements)

References 17 publications

Supporting

Mentioning

104

Contrasting

Order By: Relevance

“…Furthermore, there is a plethora of research aimed towards protecting the Linux kernel [2,22,16,38,21,36,31]. Baliga [2] et al use a PCI device to acquire the memory and automatically derive the kernel invariance.…”

Section: Related Workmentioning

confidence: 99%

“…Baliga [2] et al use a PCI device to acquire the memory and automatically derive the kernel invariance. Currently, we discover the kernel invariance manually but we could employ their techniques directly and without modifications.…”

Section: Related Workmentioning

confidence: 99%

“…Protecting software from integrity attacks using hardware-assisted techniques is not new: researchers used a special-purpose PCI device to acquire the physical memory either for rootkit detection [30,2] or for forensic purpose [8] in the past. The closest system to our work is Copilot [30].…”

Section: Related Workmentioning

confidence: 99%

“…However, having a machine equipped with trusted boot can prevent attacks against HyperCheck that simulate a hardware reset. 2 …”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

HyperCheck: A Hardware-Assisted Integrity Monitor

Jiang

Stavrou

Ghosh

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Over the past few years, virtualization has been employed to environments ranging from densely populated cloud computing clusters to home desktop computers. Security researchers embraced virtual machine monitors (VMMs) as a new mechanism to guarantee deep isolation of untrusted software components. Unfortunately, their widespread adoption promoted VMMs as a prime target for attackers. In this paper, we present HyperCheck, a hardware-assisted tampering detection framework designed to protect the integrity of VMMs and, for some classes of attacks, the underlying operating system (OS). HyperCheck leverages the CPU System Management Mode (SMM), present in x86 systems, to securely generate and transmit the full state of the protected machine to an external server. Using HyperCheck, we were able to ferret-out rootkits that targeted the integrity of both the Xen hypervisor and traditional OSes. Moreover, HyperCheck is robust against attacks that aim to disable or block its operation. Our experimental results show that HyperCheck can produce and communicate a scan of the state of the protected software in less than 40ms.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

“…However, having a machine equipped with trusted boot can prevent attacks against HyperCheck that simulate a hardware reset. 2 …”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

HyperCheck: A Hardware-Assisted Integrity Monitor

Jiang

Stavrou

Ghosh

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…3) Dynamic Learning: Rather than identifying code invariants from kernel source code, VMI based on dynamic analysis learns data structure invariants based on observing an OS instance [24,41,64].…”

Section: A Learning and Reconstructionmentioning

confidence: 99%

SoK: Introspections on Trust and the Semantic Gap

Jain

Baig

Zhang

et al. 2014

2014 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-An essential goal of Virtual Machine Introspection (VMI) is assuring security policy enforcement and overall functionality in the presence of an untrustworthy OS. A fundamental obstacle to this goal is the difficulty in accurately extracting semantic meaning from the hypervisor's hardwarelevel view of a guest OS, called the semantic gap. Over the twelve years since the semantic gap was identified, immense progress has been made in developing powerful VMI tools.Unfortunately, much of this progress has been made at the cost of reintroducing trust into the guest OS, often in direct contradiction to the underlying threat model motivating the introspection. Although this choice is reasonable in some contexts and has facilitated progress, the ultimate goal of reducing the trusted computing base of software systems is best served by a fresh look at the VMI design space.This paper organizes previous work based on the essential design considerations when building a VMI system, and then explains how these design choices dictate the trust model and security properties of the overall system. The paper then observes portions of the VMI design space which have been under-explored, as well as potential adaptations of existing techniques to bridge the semantic gap without trusting the guest OS.Overall, this paper aims to create an essential checkpoint in the broader quest for meaningful trust in virtualized environments through VM introspection.

show abstract

Dynamic Analysis

Christodorescu¹,

Ganapathy²

2011

Encyclopedia of Cryptography and Security

View full text Add to dashboard Cite

Automatic Inference and Enforcement of Kernel Data Structure Invariants

Cited by 98 publications

References 17 publications

HyperCheck: A Hardware-Assisted Integrity Monitor

HyperCheck: A Hardware-Assisted Integrity Monitor

SoK: Introspections on Trust and the Semantic Gap

Dynamic Analysis

Contact Info

Product

Resources

About