Article

Linux kernel integrity measurement using contextual inspection

Authors:
Peter A. Loscocco

National Security Agency

National Security Agency
View Profile

,
Perry W. Wilson

The Johns Hopkins University

The Johns Hopkins University
View Profile

,
J. Aaron Pendergrass

The Johns Hopkins University

The Johns Hopkins University
View Profile

,
C. Durward McDonell

The Johns Hopkins University

The Johns Hopkins University
View Profile

STC '07: Proceedings of the 2007 ACM workshop on Scalable trusted computingNovember 2007Pages 21–29https://doi.org/10.1145/1314354.1314362

Published:02 November 2007Publication History

STC '07: Proceedings of the 2007 ACM workshop on Scalable trusted computing

Pages 21–29

ABSTRACT

This paper introduces the Linux Kernel Integrity Monitor (LKIM) as an improvement over conventional methods of software integrity measurement. LKIM employs contextual inspection as a means to more completely characterize the operational integrity of a running kernel. In addition to cryptographically hashing static code and data in the kernel, dynamic data structures are examined to provide improved integrity measurement. The base approach examines structures that control the execution flow of the kernel through the use of function pointers as well as other data that affect the operation of the kernel. Such structures provide an efficient means of extending the kernel operations, but they are also a means of inserting malicious code without modifying the static parts. The LKIM implementation is discussed and initial performance data is presented to show that contextual inspection is practical

References

P. Barham, B. Dragovic, et al. Xen and the art of virtualization. Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, pages 164--177, 2003. Google ScholarDigital Library
V. Haldar, D. Chandra, and M. Franz. Semantic remote attestation - a virtual machine directed approach to trusted computing. Proceedings of the 3rd USENIX Virtual Machine Research & Technology Symposium, May 2004. Google ScholarDigital Library
D. Heine and Y. Kouskoulas. N-force daemon prototype technical description. Technical Report VS-03-021, The Johns Hopkins University Applied Physics Laboratory, July 2003.Google Scholar
P. Iglio. Trustedbox: a kernel-level integrity checker. In ACSAC '99: Proceedings of the 15th Annual Computer Security Applications Conference, page 34. IEEE Computer Society, 1999. Google ScholarDigital Library
Intel Corporation. IA-32 Intel Architecture Software Develper's Manual, 2004.Google Scholar
T. Jaeger, R. Sailer, and U. Shankar. Prima: Policy-reduced integrity measurement architecture. SACMAT '06: Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies, 2006. Google ScholarDigital Library
G. Kim and E. Spafford. The Design and Implementation of Tripwire: A File System Integrity Checker. Purdue Univiversity, November 1993.Google Scholar
J. Levine, J. Grizzard, and H. Owen. Detecting and categorizing kernel-level rootkits to aid future detection. IEEE Security and Privacy, 2006. Google ScholarDigital Library
P. Loscocco and S. Smalley. Integrating flexible support for security policies into the linux operating system. Proceedings of the FREENIX Track, June 2001. Google ScholarDigital Library
P. Loscocco, P. Wilson, et al. Measuring the linux kernel using contextual measurement. Technical Report AI-07-077, The Johns Hopkins University Applied Physics Laboratory, August 2007.Google Scholar
Mindcraft, Inc., http://www.mindcraft.com. WebStone 2.x Benchmark Description.Google Scholar
G. Mohay and J. Zellers. Kernel and shell based applications integrity assurance. In ACSAC '97: Proceedings of the 13th Annual Computer Security Applications Conference, page 34. IEEE Computer Society, 1997. Google ScholarDigital Library
N. Petroni Jr., T. Fraser, et al. Copilot - a coprocessor-based kernel runtime integrity monitor. Proceedings of the 13th Usenix Security Symposium, pages 179--194, August 2004. Google ScholarDigital Library
N. Petroni Jr., T. Fraser, et al. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. Security '06: 15th USENIX Security Symposium, 2006. Google ScholarDigital Library
R. Sailer, X. Zhang, et al. Design and implementation of a TCG-based integrity measurement architecture. Proceedings of the 13th Usenix Security Symposium, pages 223--238, August 2004. Google ScholarDigital Library
A. Seshardri, M. Luk, et al. Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems. ACM Symposium on Operating Systems Principles, October 2005. Google ScholarDigital Library
J. Sheehy, G. Coker, et al. Attestation evidence and trust. Technical Report 07 0186, MITRE Corporation, March 2007.Google Scholar
Tool Interface Standards Committee. DWARF Debugging Information Format Specification v2.0, May 1995.Google Scholar
Tool Interface Standards Committee. Executable and Linking Format (ELF), v1.2 edition, May 1995.Google Scholar
Trusted Computing Group, https://www.trustedcomputinggroup.org. TCG Specification Architecture Overview - Specification Revision 1.2, April 2004.Google Scholar

Index Terms

Linux kernel integrity measurement using contextual inspection
1. Information systems
2. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Subverting Linux' integrity measurement architecture
ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

Integrity is a key protection objective in the context of system security. This holds for both hardware and software. Since hardware cannot be changed after its manufacturing process, the manufacturer must be trusted to build it properly. However, it is ...
Read More
Linux on HP Integrity Servers
Read More
Linux kernel
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
STC '07: Proceedings of the 2007 ACM workshop on Scalable trusted computing
November 2007
82 pages
ISBN:9781595938886
DOI:10.1145/1314354
General Chair:
Peng Ning
NC State University, USA
,
Program Chairs:
Vijay Atluri
Rutgers University, USA
,
Shouhuai Xu
University of Texas, San Antonio, USA
,
Moti Yung
Columbia University, USA
Copyright © 2007 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 2 November 2007
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
LKIM
attestation systems
integrity measurement
system monitoring
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate17of31submissions,55%
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 80
  Total Citations
  View Citations
- 2,250
  Total Downloads
- Downloads (Last 12 months)24
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Linux kernel integrity measurement using contextual inspection

STC '07: Proceedings of the 2007 ACM workshop on Scalable trusted computing

ABSTRACT

References

Cited By

Index Terms

Recommendations

Subverting Linux' integrity measurement architecture

Linux on HP Integrity Servers

Linux kernel