A study of hardware-assisted event-triggered kernel integrity monitoring platform

A kernel rootkit is a class of malware that manipulates the operating system kernel. Adversaries deploy kernel-level rootkits to perpetuate an intrusion by subverting the core functionalities in their favor. A kernel infected by a rootkit reports false system status; traces of the attacker such as files, processes, or network connections are hidden from the system status reporting tools. Furthermore, rootkits operating in the kernel layer hold the highest privilege level and are capable of evading or even incapacitating any in-system security measures. In turn, VMMs and hardware have been proposed as roots of trust that provide a safe execution environment for monitoring software. VMMs are popularly used as a platform for kernel integrity monitoring because they innately monitor or intervene in the operations of a guest system for virtualization. However, VMMs have also been exposed to common software vulnerability attacks, implying that they can be compromised by rootkits as well. While external hardware provides better isolation and security, the existing works either employed snapshot-based methods, thus incurring a significant performance overhead, or were limited to monitoring the static regions of the kernel. Therefore, there is a need for a hardware-based integrity monitoring platform that can monitor the dynamic regions of the kernel with a negligible performance overhead.

This thesis presents a hardware-based platform for event-triggered kernel integrity monitoring, called KI-Mon. The proposed platform is capable of monitoring mutable kernel objects. A refined form of bus traffic monitoring makes value verification of the objects efficient, and callback verification routines can be programmed and executed for a designated event space. The prototype of the proposed platform was implemented, and the experiments demonstrated the effectiveness of the prototype's event-triggered mechanism and efficacy in terms of perform...
Advisors
Kang, Brent Byung-Hoon (강병훈); Choi, Key-Sun (최기선)
Description
Korea Advanced Institute of Science and Technology (KAIST) : Graduate School of Information Security,
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2013
Identifier
567081/325007  / 020114463
Language
eng
Description

Thesis (Master's) - Korea Advanced Institute of Science and Technology (KAIST) : Graduate School of Information Security, 2013.8, [ v, 36 p. ]

Keywords

Rootkit; Kernel Integrity; Malware

URI
http://hdl.handle.net/10203/197949
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=567081&flag=dissertation
Appears in Collection
IS-Theses_Master (Master's theses)
Files in This Item
There are no files associated with this item.
