Automated detection of persistent kernel control-flow attacks
Title | Automated detection of persistent kernel control-flow attacks |
Publication Type | Conference Papers |
Year of Publication | 2007 |
Authors | Petroni, Jr. NL, Hicks MW |
Conference Name | Proceedings of the 14th ACM conference on Computer and communications security |
Date Published | 2007 |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-59593-703-2 |
Keywords | CFI, integrity, Kernel, rootkit, virtualization |
Abstract | This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel's control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing unnoticeable overhead for both a typical web server workload and CPU-intensive workloads when operating at 10 second intervals. |
URL | http://doi.acm.org/10.1145/1315245.1315260 |
DOI | 10.1145/1315245.1315260 |