Ensuring Kernel Integrity Using KIPBMFH

  • Zhifeng ChenEmail author
  • Qingbao Li
  • Songhui Guo
  • Ye Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9543)


Kernel-level malwares are a serious threat to the integrity and security of the operating system. Current kernel integrity measurement methods have one-sidedness in selecting the measurement objects, and the characters of periodic measurement make TOC-TOU attacks unavoidable. The kernel integrity measurement methods based on hardware usually suffer high cost due to the additional hardware, while the kernel integrity measurement methods based on host are always likely to be passed. To address these problems, a kernel integrity protection approach based on memory forensics technique implemented in Hypervisor (KIPBMFH) is proposed in this paper. We first use memory forensics technology to extract the static and dynamic measurement objects, and then adopt time randomization algorithm to weaken TOC-TOU attacks. The experimental results show that KIPBMFH can measure the integrity of the operating system effectively, and has reasonable performance overhead.


Kernel integrity TOC-TOU Memory forensics Time randomization Hypervisor 


  1. 1.
    Wang, Y.M., Beck, D., et al.: Detecting stealth software with strider ghostbuster. In: Proceedings of the International Conference on Dependable Systems and Networks (2005)Google Scholar
  2. 2.
    Joy, J., John, A.: A host based kernel level rootkit detection mechanism using clustering technique. In: Nagamalai, D., Renault, E., Dhanuskodi, M. (eds.) CCSEIT 2011. CCIS, vol. 204, pp. 564–570. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Liu, Z.W., Feng, D.G.: TPM-based dynamic integrity measurement architecture. J. Electron. Inf. Technol. 32(4), 875–879 (2010)CrossRefGoogle Scholar
  4. 4.
    Bratus, S., D’Cunha, N., Sparks, E., Smith, S.W.: TOCTOU, traps, and trusted computing. In: Lipp, P., Sadeghi, A.-R., Koch, K.-M. (eds.) Trust 2008. LNCS, vol. 4968, pp. 14–32. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Petroni, Jr. N.L., Fraser, et al.: Copilot - a coprocessor-based kernel runtime integrity monitor. In: Proceedings of the 13th Conference on USENIX Security Symposium (2004)Google Scholar
  6. 6.
    Baliga, A., Ganapathy, V., Iftode, L.: Automatic inference and enforcement of kernel data structure invariants. IEEE Trans. Dependable Secure Comput. 8(5), 670–684 (2011)CrossRefGoogle Scholar
  7. 7.
    Petroni Jr. N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (2007)Google Scholar
  8. 8.
    Hofmann, O.S., Dunn, A.M., et al.: Ensuring operating system kernel integrity with OSck. In: Proceedings of the 6th International Conference on Architectural Support For Programming Languages and Operating Systems (2011)Google Scholar
  9. 9.
    Li, B., Wo, T.Y., et al.: Hidden OS objects correlated detection technology based on VMM. J. Softw. 24(2), 405–420 (2013). (in Chinese)CrossRefGoogle Scholar
  10. 10.
    Lin, J., Liu, C.Y., Fang, B.X.: IVirt runtime environment integrity measurement mechanism based on virtual machine introspection. Chin. J. Comput. 38(1), 191–203 (2015). (in Chinese)MathSciNetGoogle Scholar
  11. 11.
    Carvey, H.: Windows Forensic Analysis and DVD Toolkit, pp. 59–63. Elsevier: Syngress, Burlington (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Zhifeng Chen
    • 1
    Email author
  • Qingbao Li
    • 1
  • Songhui Guo
    • 1
  • Ye Wang
    • 1
  1. 1.State Key Laboratory of Mathematical Engineering and Advanced ComputingZhengzhouChina

Personalised recommendations