Ensuring Kernel Integrity Using KIPBMFH
Kernel-level malware is a serious threat to the integrity and security of the operating system. Current kernel integrity measurement methods are one-sided in their choice of measurement objects, and the periodic nature of their measurement makes TOC-TOU (time-of-check to time-of-use) attacks unavoidable. Hardware-based kernel integrity measurement methods usually incur a high cost because of the additional hardware, while host-based methods are always liable to be bypassed. To address these problems, this paper proposes a kernel integrity protection approach based on memory forensics techniques and implemented in the hypervisor (KIPBMFH). We first use memory forensics technology to extract the static and dynamic measurement objects, and then adopt a time randomization algorithm to weaken TOC-TOU attacks. The experimental results show that KIPBMFH can measure the integrity of the operating system effectively and has a reasonable performance overhead.
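The following simulation, added here as an illustration and not code from the paper, shows why time randomization matters for a hypervisor-side measurement: a measurement object (a constructed stand-in for a system-call table snapshot) is hashed against a baseline, and an evasion model that restores the object just before each expected periodic check is compared against a schedule whose intervals are drawn at random. All constants and the threat model are assumptions for the demonstration.

```python
import hashlib
import random

# Constructed stand-in for a static measurement object, e.g. a system-call
# table snapshot the hypervisor reads out of guest memory (assumption; not
# the paper's data). The tampered version differs in one entry.
GOLDEN = bytes(range(256)) * 4
TAMPERED = GOLDEN[:10] + b"\xff" + GOLDEN[11:]

def measure(region: bytes) -> str:
    """Measurement = hash of the region, compared against a stored baseline."""
    return hashlib.sha256(region).hexdigest()

def periodic_schedule(period: int, horizon: int) -> list:
    """Conventional scheme: measure at fixed multiples of `period`."""
    return list(range(period, horizon + 1, period))

def randomized_schedule(period: int, horizon: int, rng: random.Random) -> list:
    """Time randomization: the gap to the next measurement is drawn from
    [period/2, 3*period/2], so the check instant cannot be predicted."""
    times, t = [], 0
    while True:
        t += rng.randint(period // 2, 3 * period // 2)
        if t > horizon:
            return times
        times.append(t)

def region_at(t: int, period: int, hide_window: int, tampered_from: int) -> bytes:
    """Threat model for the simulation (assumed): the region is modified from
    `tampered_from` on, but restored for `hide_window` ticks before every
    multiple of `period`, i.e. exactly when a periodic check is expected."""
    if t < tampered_from:
        return GOLDEN
    rem = t % period
    expects_check = rem == 0 or period - rem <= hide_window
    return GOLDEN if expects_check else TAMPERED

def detected(check_times: list, period: int, hide_window: int, tampered_from: int) -> bool:
    """True if any measurement in the schedule observes a hash mismatch."""
    baseline = measure(GOLDEN)
    return any(measure(region_at(t, period, hide_window, tampered_from)) != baseline
               for t in check_times)

def compare(period: int, horizon: int, hide_window: int, tampered_from: int, seed: int) -> tuple:
    """(detected under periodic schedule, detected under randomized schedule)."""
    fixed = detected(periodic_schedule(period, horizon), period, hide_window, tampered_from)
    rnd = detected(randomized_schedule(period, horizon, random.Random(seed)),
                   period, hide_window, tampered_from)
    return fixed, rnd

if __name__ == "__main__":
    print("periodic, randomized:", compare(100, 1000, 5, 1, 7))
```

With the parameters in the usage call the periodic schedule never catches the modification, while the randomized schedule does, because only a small fraction of its check instants fall inside the hide windows.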
Keywords: Kernel integrity, TOC-TOU, Memory forensics, Time randomization, Hypervisor