Linux kernel integrity measurement using contextual inspection

Loscocco, Peter; Wilson, P. W.; Pendergrass, J.H.; McDonell, C. Durward

doi:10.1145/1314354.1314362

Cited by 92 publications

(50 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Dynamic integrity measurement techniques, such as the ones presented in [5,6,18] have been added as extensions to the Linux Integrity Measurement Unit [2] to detect and prevent return-oriented programming (ROP) attacks. IMUs typically verify the integrity of executable content in an operating system at load-time by inspecting the executable files before loading them; however, the dynamic IMU extensions provide support for run-time detection at the expense of performance overhead.…”

Section: Prior Workmentioning

confidence: 99%

“…We do not address attacks prior to run-time as there have been a plethora of techniques introduced in the literature to help in protecting compile-time code and allocating secure storage for sensitive information [2,29]. From the different types of common weaknesses and vulnerabilities described in Section 2, we focus on software attacks that end up modifying user process code at run-time.…”

Section: Threat Modelmentioning

confidence: 99%

“…Specifically, a system's security can be compromised through the corruption of binaries as they are being downloaded or stored on the embedded system or through the execution of untrusted or unknown sources. Techniques that perform checking of executable code at compile and load time have been widely spread and proven to be effective [2][3][4]. However, techniques that verify correct run-time execution are still a major challenge, especially when targeting resource-constrained embedded devices [5][6][7][8].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Hardware-Based Run-Time Code Integrity in Embedded Devices

2018

View full text Add to dashboard Cite

Attacks on embedded devices are becoming more and more prevalent, primarily due to the extensively increasing plethora of software vulnerabilities. One of the most dangerous types of these attacks targets application code at run-time. Techniques to detect such attacks typically rely on software due to the ease of implementation and integration. However, these techniques are still vulnerable to the same attacks due to their software nature. In this work, we present a novel hardware-assisted run-time code integrity checking technique where we aim to detect if executable code resident in memory is modified at run-time by an adversary. Specifically, a hardware monitor is designed and attached to the device's main memory system. The monitor creates page-based signatures (hashes) of the code running on the system at compile-time and stores them in a secure database. It then checks for the integrity of the code pages at run-time by regenerating the page-based hashes (with data segments zeroed out) and comparing them to the legitimate hashes. The goal is for any modification to the binary of a user-level or kernel-level process that is resident in memory to cause a comparison failure and lead to a kernel interrupt which allows the affected application to halt safely.

show abstract

Section: Prior Workmentioning

confidence: 99%

Section: Threat Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Hardware-Based Run-Time Code Integrity in Embedded Devices

2018

View full text Add to dashboard Cite

show abstract

“…An integrity measurement system typically consists of three components: the target system, the measurement agent, and the decision maker [7]. Our first assumption is that the measurement agent is isolated from and independent of the target system, therefore it has a true view of the internal states (including code and data) of the target system.…”

Section: Background On Integrity Measurement and Security Assumptionsmentioning

confidence: 99%

“…Recent research such as ReDAS [5] and DynIMA [45] improve IMA so that they can support runtime measurement of software integrity. Other related work includes [13], [7], [10], [24], [46], and [47]. These approaches have different mechanisms for measurement, but they do not focus on the integrity properties.…”

Section: Integrity Measurement Mechanismsmentioning

confidence: 99%

Integrity-Based Kernel Malware Detection

Zhu¹

View full text Add to dashboard Cite

Kernel-level malware is one of the most dangerous threats to the security of users on the Internet, so there is an urgent need for its detection. The most popular detection approach is misuse-based detection. However, it cannot catch up with today's advanced malware that increasingly apply polymorphism and obfuscation. In this thesis, we present our integrity-based detection for kernel-level malware, which does not rely on the specific features of malware.We have developed an integrity analysis system that can derive and monitor integrity properties for commodity operating systems kernels. In our system, we focus on two classes of integrity properties: data invariants and integrity of Kernel Queue (KQ) requests.

show abstract