ABSTRACT
This paper introduces the Linux Kernel Integrity Monitor (LKIM) as an improvement over conventional methods of software integrity measurement. LKIM employs contextual inspection to characterize the operational integrity of a running kernel more completely. In addition to cryptographically hashing the kernel's static code and data, it examines dynamic data structures to provide a stronger integrity measurement. The base approach examines structures that control the kernel's execution flow through function pointers, as well as other data that affect kernel operation. Such structures provide an efficient means of extending kernel operation, but they are also a means of inserting malicious code without modifying the static parts. The LKIM implementation is discussed, and initial performance data is presented to show that contextual inspection is practical.
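The two halves of the approach described in the abstract, as an added example in C that is not LKIM's code or any code from the paper: a user-space mock of kernel state with a static hash over code and static data, plus a contextual check that every function pointer in a file_operations-like structure resolves to a known symbol. All names (`sys_text`, `mock_fops`, `k_read`, `symtab`, `evil_read`) are hypothetical stand-ins, and FNV-1a substitutes for the cryptographic hash a real monitor would use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for kernel state (hypothetical). sys_text models a
 * read-only code region, sys_rodata a static data word; both are covered by
 * the static hash. */
static uint8_t sys_text[32] = "mock kernel text bytes";
static int     sys_rodata   = 0x1234;

/* Known kernel handlers, the entries a System.map-style symbol table lists. */
static long k_read(int fd)  { return fd * 2; }
static long k_write(int fd) { return fd * 3; }
static long k_ioctl(int fd) { return fd + 1; }

/* Dynamic structure full of function pointers (think file_operations or the
 * system call table): a legitimate extension point and a classic hook site. */
struct mock_fops {
    long (*read)(int);
    long (*write)(int);
    long (*ioctl)(int);
};
static struct mock_fops fops = { k_read, k_write, k_ioctl };

/* Symbol table the monitor trusts (hypothetical names). */
struct ksym { const char *name; long (*addr)(int); };
static const struct ksym symtab[] = {
    { "k_read",  k_read  },
    { "k_write", k_write },
    { "k_ioctl", k_ioctl },
};

/* FNV-1a stands in for the cryptographic hash a real monitor would use. */
static uint64_t fnv1a64(const void *p, size_t n)
{
    const uint8_t *b = p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Static measurement: one hash over code bytes and static data. */
uint64_t measure_static(void)
{
    uint8_t buf[sizeof sys_text + sizeof sys_rodata];
    memcpy(buf, sys_text, sizeof sys_text);
    memcpy(buf + sizeof sys_text, &sys_rodata, sizeof sys_rodata);
    return fnv1a64(buf, sizeof buf);
}

/* Contextual inspection: every function pointer must resolve to a known
 * symbol. Returns 0 when clean, otherwise a bitmask of bad slots
 * (bit 0 = read, bit 1 = write, bit 2 = ioctl). */
unsigned inspect_fops(const struct mock_fops *f)
{
    long (*slot[3])(int) = { f->read, f->write, f->ioctl };
    unsigned bad = 0;
    for (int i = 0; i < 3; i++) {
        int known = 0;
        for (size_t j = 0; j < sizeof symtab / sizeof symtab[0]; j++)
            if (slot[i] == symtab[j].addr) { known = 1; break; }
        if (!known) bad |= 1u << i;
    }
    return bad;
}

/* Simulated attacks. The hook leaves every static byte untouched, so only the
 * contextual check can see it; the text patch is what the static hash catches. */
static long evil_read(int fd) { return k_read(fd); }  /* pass-through hook */
void hook_read(void)   { fops.read = evil_read; }
void unhook_read(void) { fops.read = k_read; }
void patch_text(void)  { sys_text[0] ^= 0x80; }      /* flip one code byte; call twice to restore */

/* Report what each attack does to the static hash (1 = hash changed). */
int hook_changes_static_hash(void)
{
    uint64_t before = measure_static();
    hook_read();
    int changed = measure_static() != before;
    unhook_read();
    return changed;
}

int patch_changes_static_hash(void)
{
    uint64_t before = measure_static();
    patch_text();
    int changed = measure_static() != before;
    patch_text();
    return changed;
}

int main(void)
{
    printf("fops clean before attack: %s\n", inspect_fops(&fops) == 0 ? "yes" : "no");
    printf("hook changes static hash: %d\n", hook_changes_static_hash());
    hook_read();
    printf("hook seen by contextual inspection, bad slots: 0x%x\n", inspect_fops(&fops));
    unhook_read();
    printf("text patch changes static hash: %d\n", patch_changes_static_hash());
    return 0;
}
```

A hook that rewrites a pointer leaves every static byte untouched, so the hash is identical before and after and only the contextual check reports it; a patch to the code bytes is caught by the hash alone. A real monitor would additionally require pointers to fall inside measured code regions (including loaded modules) and would reach structures such as this one by walking from trusted roots, rather than trusting an address the kernel under inspection hands it.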
Index Terms
- Linux kernel integrity measurement using contextual inspection