Rule-Based Integrity Checking of Interrupt Descriptor Tables in Cloud Environments

  • Irfan Ahmed
  • Aleksandar Zoranic
  • Salman Javaid
  • Golden Richard III
  • Vassil Roussev
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 410)

Abstract

An interrupt descriptor table (IDT) is used by a processor to transfer the execution of a program to software routines that handle interrupts raised during the normal course of operation or to signal an exceptional condition such as a hardware failure. Attackers frequently modify IDT pointers to execute malicious code. This paper describes the IDTchecker tool, which uses a rule-based approach to check the integrity of the IDT and the corresponding interrupt handling code based on a common scenario encountered in cloud environments. In this scenario, multiple virtual machines (VMs) run the same version of an operating system kernel, which implies that IDT-related code should also be identical across the pool of VMs. IDTchecker leverages this scenario to compare the IDTs and the corresponding interrupt handlers across the VMs for inconsistencies based on a pre-defined set of rules. Experimental results related to the effectiveness and runtime performance of IDTchecker are presented. The results demonstrate that IDTchecker can detect IDT and interrupt handling code modifications without much impact on guest VM resources.
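As an added illustration of the cross-VM comparison the abstract describes (example code written for this page, not the IDTchecker implementation), the following Python decodes 64-bit IDT gate descriptors and applies two consistency rules across a pool of VMs: each VM's gate for a vector must agree with the majority gate, and among VMs whose gate agrees the first bytes of the handler code must agree as well. It assumes the raw IDT bytes and handler memory have already been read out of each guest (for instance via VM introspection) and that all guests run the same kernel build loaded at the same addresses (no KASLR); the VM names, handler addresses and code bytes are constructed sample data.

```python
import struct
from collections import Counter

GATE_SIZE = 16    # one 64-bit gate descriptor (Intel SDM vol. 3A)
CODE_PREFIX = 16  # handler bytes compared across VMs (constructed choice)

def pack_gate(handler, selector=0x10, ist=0, type_attr=0x8E):  # 0x8E: present, DPL 0, int gate
    return struct.pack("<HHBBHII", handler & 0xFFFF, selector, ist & 7,
                       type_attr, (handler >> 16) & 0xFFFF, handler >> 32, 0)

def parse_gate(raw):
    """Decode one gate; the handler offset is split across three fields."""
    lo, sel, ist, attr, mid, hi, _ = struct.unpack("<HHBBHII", raw)
    return {"handler": lo | (mid << 16) | (hi << 32), "selector": sel,
            "ist": ist & 7, "present": bool(attr & 0x80),
            "dpl": (attr >> 5) & 3, "type": attr & 0xF}

def parse_idt(blob):
    return [parse_gate(blob[i:i + GATE_SIZE]) for i in range(0, len(blob), GATE_SIZE)]

def check_idts(vm_idts, vm_mem):
    """Rule 1: a VM's gate must equal the majority gate for that vector.
    Rule 2: among VMs whose gate agrees, the handler's code bytes must agree too."""
    idts = {vm: parse_idt(blob) for vm, blob in vm_idts.items()}
    findings = []
    for vec in range(min(len(t) for t in idts.values())):
        gates = {vm: tuple(sorted(t[vec].items())) for vm, t in idts.items()}
        ref_gate = Counter(gates.values()).most_common(1)[0][0]
        matching = [vm for vm, g in gates.items() if g == ref_gate]
        findings += [(vm, vec, "gate differs from majority")
                     for vm in gates if vm not in matching]
        code = {vm: vm_mem[vm].get(idts[vm][vec]["handler"], b"")[:CODE_PREFIX] for vm in matching}
        ref_code = Counter(code.values()).most_common(1)[0][0]
        findings += [(vm, vec, "handler code differs from majority")
                     for vm, c in code.items() if c != ref_code]
    return findings

def build_demo():
    """Constructed sample: three VMs on one kernel build, two of them tampered with."""
    base = 0xFFFFFFFF81A00000  # constructed handler addresses (no KASLR assumed)
    handlers = [base + v * 0x100 for v in range(4)]
    code = {h: (b"\x55\x48\x89\xe5" + bytes([v])).ljust(CODE_PREFIX, b"\x90")
            for v, h in enumerate(handlers)}
    idt = b"".join(pack_gate(h) for h in handlers)
    vm_idts = {"vm-a": idt, "vm-b": idt, "vm-c": idt}
    vm_mem = {vm: dict(code) for vm in vm_idts}   # vm_mem[vm] stands in for VMI reads
    hook = 0xFFFFFFFFC0123000  # constructed rootkit address: vm-b vector 2 repointed
    vm_idts["vm-b"] = idt[:2 * GATE_SIZE] + pack_gate(hook) + idt[3 * GATE_SIZE:]
    vm_mem["vm-c"][handlers[1]] = b"\xe9\x00\x00\x00\x00".ljust(CODE_PREFIX, b"\x90")  # inline jmp hook
    return vm_idts, vm_mem
```

Running `check_idts(*build_demo())` reports vm-b's repointed gate for vector 2 and vm-c's patched handler for vector 1 while the untouched vectors produce no findings; the majority rule means a single compromised guest cannot mask itself as the reference.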

Keywords

Cloud forensics, interrupt descriptor table, integrity checking


Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Irfan Ahmed (1)
  • Aleksandar Zoranic (1)
  • Salman Javaid (1)
  • Golden Richard III (1)
  • Vassil Roussev (1)
  1. Department of Computer Science, University of New Orleans, New Orleans, USA