Rule-Based Integrity Checking of Interrupt Descriptor Tables in Cloud Environments
An interrupt descriptor table (IDT) is used by a processor to transfer the execution of a program to software routines that handle interrupts raised during the normal course of operation or to signal an exceptional condition such as a hardware failure. Attackers frequently modify IDT pointers to execute malicious code. This paper describes the IDTchecker tool, which uses a rule-based approach to check the integrity of the IDT and the corresponding interrupt handling code based on a common scenario encountered in cloud environments. In this scenario, multiple virtual machines (VMs) run the same version of an operating system kernel, which implies that IDT-related code should also be identical across the pool of VMs. IDTchecker leverages this scenario to compare the IDTs and the corresponding interrupt handlers across the VMs for inconsistencies based on a pre-defined set of rules. Experimental results related to the effectiveness and runtime performance of IDTchecker are presented. The results demonstrate that IDTchecker can detect IDT and interrupt handling code modifications without much impact on guest VM resources.
Keywords: Cloud forensics, interrupt descriptor table, integrity checking
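As an added illustration of the cross-VM, rule-based comparison summarized in the abstract (example code written for this page, not IDTchecker's own implementation), the following Python decodes x86-64 IDT gate descriptors from constructed VM snapshots and flags any entry whose descriptor, handler location or handler code diverges from the pool majority. The kernel text range, the snapshot layout (`idt` bytes plus a map of handler-prologue bytes) and the tampering in the sample pool are assumptions constructed for the example.

```python
import hashlib
import struct
from collections import Counter

TEXT = (0xffffffff81000000, 0xffffffff82000000)  # assumed kernel .text range (constructed)

def parse_gate(raw):
    """Decode a 16-byte x86-64 IDT gate descriptor (Intel SDM layout)."""
    lo, sel, ist, attr, mid, hi, _ = struct.unpack("<HHBBHII", raw)
    return {"handler": lo | mid << 16 | hi << 32, "selector": sel, "ist": ist & 7,
            "type": attr & 0xF, "dpl": attr >> 5 & 3, "present": bool(attr & 0x80)}

def make_gate(handler, sel=0x10, attr=0x8E, ist=0):  # encoder, used to build the sample
    return struct.pack("<HHBBHII", handler & 0xFFFF, sel, ist, attr,
                       handler >> 16 & 0xFFFF, handler >> 32, 0)

def check_idts(vms, text=TEXT, code_len=32):
    """Rules over a pool {vm: {"idt": bytes, "code": {addr: bytes}}}: the per-vector baseline is
    the pool majority; flag a differing descriptor, a handler outside .text, or differing code."""
    findings, n = [], min(len(v["idt"]) for v in vms.values()) // 16
    for vec in range(n):
        ents = {vm: parse_gate(v["idt"][vec * 16:vec * 16 + 16]) for vm, v in vms.items()}
        keys = {vm: tuple(sorted(e.items())) for vm, e in ents.items()}
        hashes = {vm: hashlib.sha256(vms[vm]["code"].get(e["handler"], b"")[:code_len]).digest()
                  for vm, e in ents.items()}
        ref_key = Counter(keys.values()).most_common(1)[0][0]
        ref_hash = Counter(hashes.values()).most_common(1)[0][0]
        for vm, e in ents.items():
            if keys[vm] != ref_key:
                findings.append((vm, vec, "descriptor differs from pool majority"))
            if e["present"] and not text[0] <= e["handler"] < text[1]:
                findings.append((vm, vec, "handler outside kernel text"))
            if hashes[vm] != ref_hash:
                findings.append((vm, vec, "handler code differs from pool majority"))
    return findings

def sample_pool():
    """Constructed pool: four VMs with a 4-entry IDT. vm-c's vector-3 handler prologue has been
    overwritten with a jmp; vm-d's vector-3 descriptor points outside kernel .text."""
    base = 0xffffffff81a00000
    clean = {base + i * 0x100: b"\x55\x48\x89\xe5" + b"\x90" * 28 for i in range(4)}
    pool = {vm: {"idt": b"".join(make_gate(a) for a in clean), "code": dict(clean)}
            for vm in ("vm-a", "vm-b", "vm-c", "vm-d")}
    hooked, rogue = base + 3 * 0x100, 0xffffffffc0001000
    pool["vm-c"]["code"][hooked] = b"\xe9\x00\x00\x00\x00" + clean[hooked][5:]
    pool["vm-d"]["idt"] = pool["vm-d"]["idt"][:48] + make_gate(rogue)
    pool["vm-d"]["code"][rogue] = b"\xcc" * 32
    return pool
```

Running `check_idts(sample_pool())` reports one code-divergence finding for vm-c and three findings (descriptor, location and code) for vm-d, all on vector 3; a pool of identical snapshots yields no findings.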