Vigilare: toward snoop-based kernel integrity monitor

In this paper, we present Vigilare system, a kernel integrity monitor that is architected to snoop the bus traffic of the host system from a separate independent hardware. This snoop-based monitoring enabled by the Vigilare system, overcomes the limitations of the snapshot-based monitoring employed in previous kernel integrity monitoring solutions. Being based on inspecting snapshots collected over a certain interval, the previous hardware-based monitoring solutions cannot detect transient attacks that can occur in between snapshots. We implemented a prototype of the Vigilare system on Gaisler's grlib-based system-on-a-chip (SoC) by adding Snooper hardware connections module to the host system for bus snooping. To evaluate the benefit of snoop-based monitoring, we also implemented similar SoC with a snapshot-based monitor to be compared with. The Vigilare system detected all the transient attacks without performance degradation while the snapshot-based monitor could not detect all the attacks and induced considerable performance degradation as much as 10% in our tuned STREAM benchmark test.

[1]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[2]  Arati Baliga,et al.  Automatic Inference and Enforcement of Kernel Data Structure Invariants , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[3]  Sandra L. Murphy,et al.  BGP Security Vulnerabilities Analysis , 2006, RFC.

[4]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[5]  Trent Jaeger,et al.  Secure coprocessor-based intrusion detection , 2002, EW 10.

[6]  William A. Arbaugh,et al.  Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor , 2004, USENIX Security Symposium.

[7]  Calton Pu,et al.  Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[8]  Arati Baliga,et al.  Rootkits on smart phones: attacks, implications and opportunities , 2010, HotMobile '10.

[9]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[10]  Yoshiyasu Takefuji,et al.  A novel approach for a file-system integrity monitor tool of Xen virtual machine , 2007, ASIACCS '07.

[11]  D. Hollingworth,et al.  Enhancing operating system resistance to information warfare , 2000, MILCOM 2000 Proceedings. 21st Century Military Communications. Architectures and Technologies for Information Superiority (Cat. No.00CH37155).

[12]  William A. Arbaugh,et al.  An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data , 2006, USENIX Security Symposium.

[13]  Xuxian Jiang,et al.  Defeating Dynamic Data Kernel Rootkit Attacks via VMM-Based Guest-Transparent Monitoring , 2009, 2009 International Conference on Availability, Reliability and Security.

[14]  Zhi Wang,et al.  HyperSentry: enabling stealthy in-context measurement of hypervisor integrity , 2010, CCS '10.

[15]  Jiang Wang,et al.  Autonomic Recovery: HyperCheck: A Hardware-Assisted Integrity Monitor , 2013 .

[16]  Michael W. Hicks,et al.  Automated detection of persistent kernel control-flow attacks , 2007, CCS '07.

[17]  Grigore Rosu,et al.  Hardware Runtime Monitoring for Dependable COTS-Based Real-Time Embedded Systems , 2008, 2008 Real-Time Systems Symposium.

[18]  Duflot,et al.  Using CPU System Management Mode to Circumvent Operating System Security Functions , 2022 .