Automated Detection of Persistent Kernel Control-Flow Attacks. Nick L. Petroni, Jr. and Michael Hicks. Technical Report CS-TR-4880, Department of Computer Science, University of Maryland, October 2007. Extends the CCS 2007 paper with more thorough performance results.

This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel's control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing negligible overhead for both a typical web server workload and CPU-intensive workloads when operating at 1 second intervals on a multi-core machine.


@TECHREPORT{petroni07sbcfitr,
  AUTHOR = {Petroni, Jr., Nick L. and Michael Hicks},
  TITLE = {Automated Detection of Persistent Kernel Control-Flow Attacks},
  INSTITUTION = {Department of Computer Science, University of Maryland},
  NUMBER = {CS-TR-4880},
  MONTH = OCT,
  NOTE = {Extends the CCS 2007 paper with more thorough performance results},
  YEAR = 2007
}
