By Topic

Guest-transparent instruction authentication for self-patching kernels

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

5 Author(s)
Dannie M. Stanley ; Department of Computer Science, Purdue University, West Lafayette, IN 47907 ; Zhui Deng ; Dongyan Xu ; Rick Porter
more authors

Attackers can exploit vulnerable programs that are running with elevated permissions to insert kernel rootkits into a system. Security mechanisms have been created to prevent kernel rootkit implantation by relocating the vulnerable physical system to a guest virtual machine and enforcing a W ⊕ KX memory access control policy from the host virtual machine monitor. Such systems must also be able to identify and authorize the introduction of known-good kernel code. Previous works use cryptographic hashes to verify the integrity of kernel code at load-time. The hash creation and verification procedure depends on immutable kernel code. However, some modern kernels contain self-patching kernel code; they may overwrite executable instructions in memory after load-time. Such dynamic patching may occur for a variety of reason including: CPU optimizations, multiprocessor compatibility adjustments, and advanced debugging. The previous hash verification procedure cannot handle such modifications. We describe the design and implementation of a procedure that verifies the integrity of each modified instruction as it is introduced into the guest kernel. Our experiments with a self-patching Linux guest kernel show that our system can correctly detect and verify all valid instruction modifications and reject all invalid ones. In most cases our patch-level verification procedure incurs only nominal performance impact.

Published in:

MILCOM 2012 - 2012 IEEE Military Communications Conference

Date of Conference:

Oct. 29 2012-Nov. 1 2012