AN EVENT-DRIVEN, INCLUSIONARY AND SECURE APPROACH TO KERNEL INTEGRITY

Satyajit Grover, Divya Naidu Kolar Sunder, Samuel O. Moffatt, Michael E. Kounavis

2008

Abstract

In this paper we address the problem of protecting computer systems against stealth malware. The problem is important because the number of known types of stealth malware increases exponentially. Existing approaches have some advantages for ensuring system integrity, but the sophisticated techniques used by stealthy malware can thwart them. We propose Runtime Kernel Rootkit Detection (RKRD), a hardware-based, event-driven, secure and inclusionary approach to kernel integrity that addresses some of the limitations of the state of the art. Our solution is based on three principles: using virtualization hardware for isolation, verifying signatures of trusted code rather than of malware (for scalability), and performing system checks driven by events. Our RKRD implementation is guided by our goals of strong isolation, no modifications to target guest OS kernels, easy deployment, minimal infrastructure impact, and minimal performance overhead. We developed a system prototype and conducted a number of experiments which show that the performance impact of our solution is negligible.

Paper Citation


in Harvard Style

Grover S., Naidu Kolar Sunder D., O. Moffatt S. and E. Kounavis M. (2008). AN EVENT-DRIVEN, INCLUSIONARY AND SECURE APPROACH TO KERNEL INTEGRITY. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 411-420. DOI: 10.5220/0001916004110420

in Bibtex Style

@conference{secrypt08,
author={Satyajit Grover and Divya Naidu Kolar Sunder and Samuel O. Moffatt and Michael E. Kounavis},
title={AN EVENT-DRIVEN, INCLUSIONARY AND SECURE APPROACH TO KERNEL INTEGRITY},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},
year={2008},
pages={411-420},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001916004110420},
isbn={978-989-8111-59-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI - AN EVENT-DRIVEN, INCLUSIONARY AND SECURE APPROACH TO KERNEL INTEGRITY
SN - 978-989-8111-59-3
AU - Grover S.
AU - Naidu Kolar Sunder D.
AU - O. Moffatt S.
AU - E. Kounavis M.
PY - 2008
SP - 411
EP - 420
DO - 10.5220/0001916004110420