This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel's control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing negligible overhead for both a typical web server workload and CPU-intensive workloads when operating at 1 second intervals on a multi-core machine.
Extends the conference version with more extensive performance results.
[ .pdf ]
@TECHREPORT{petroni07sbcfitr,
AUTHOR = {Petroni, Jr., Nick L. and Michael Hicks},
TITLE = {Automated Detection of Persistent Kernel Control-Flow Attacks},
INSTITUTION = {Department of Computer Science, University of Maryland},
NUMBER = {CS-TR-4880},
MONTH = OCT,
YEAR = 2007
}