Automated Detection of Persistent Kernel Control-Flow Attacks. Nick L. Petroni, Jr. and Michael Hicks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), pages 103-115, October 2007.

This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel's control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing unnoticeable overhead for both a typical web server workload and CPU-intensive workloads when operating at 10 second intervals.

[ .pdf ]

@INPROCEEDINGS{petroni07sbcfi,
  AUTHOR = {Petroni, Jr., Nick L. and Michael Hicks},
  TITLE = {Automated Detection of Persistent Kernel Control-Flow Attacks},
  BOOKTITLE = {Proceedings of the {ACM} Conference on Computer and Communications Security (CCS)},
  MONTH = OCT,
  PAGES = {103--115},
  YEAR = 2007
}

This file has been generated by bibtex2html 1.69