Automated Detection of Persistent Kernel Control-Flow Attacks. Nick L. Petroni, Jr. and Michael Hicks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), pages 103--115, October 2007.

This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel's control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing unnoticeable overhead for both a typical web server workload and CPU-intensive workloads when operating at 10 second intervals.

[ .pdf ]

@inproceedings{petroni07sbcfi,
  author = {Petroni, Jr., Nick L. and Michael Hicks},
  title = {Automated Detection of Persistent Kernel Control-Flow Attacks},
  booktitle = {Proceedings of the {ACM} Conference on Computer and Communications Security (CCS)},
  month = oct,
  pages = {103--115},
  year = 2007
}

This file was generated by bibtex2html 1.99.