CCS
2007
ACM

Automated detection of persistent kernel control-flow attacks

This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel’s control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing unnoticeable overhead for both a typical web server workload and CPU-intensive workloads when operating at 10 second intervals.
Categories and Subject Descriptors D.4.6 [OPERATING SYSTEMS]: Security and Protection—Invasive software
General Terms Security
Keywords CFI, integrity, virtualization, rootkit, kernel
Nick L. Petroni Jr., Michael W. Hicks
Added 07 Jun 2010
Updated 07 Jun 2010
Type Conference
Year 2007
Where CCS
Authors Nick L. Petroni Jr., Michael W. Hicks