Conference topic

Detecting Compromised Kernel Hooks with Support of Hardware Debugging Features

Although there exist a few good schemes to protect the kernel hooks of operating systems, attackers are still able to circumvent existing defense mechanisms with spurious context information. To address this challenge, this paper proposes a framework, called HookIMA, to detect compromised kernel hooks by using hardware debugging features. The key contribution of the work is that context information is captured from hardware instead of from relatively vulnerable kernel data. Using commodity hardware, a proof-of-concept prototype system of HookIMA has been developed. This prototype handles 3,082 dynamic control-flow transfers with related hooks in the kernel space. Experiments show that HookIMA is capable of detecting compromised kernel hooks caused by kernel rootkits. Performance evaluations with UnixBench indicate that the runtime overhead introduced by HookIMA is about 215%.

Keywords: operating system; kernel hook; integrity; hardware; control flow

Shi Wenchang, Zhou HongWei, Yuan JinHui, Liang Bin

School of Information, Renmin University of China, Beijing 100872, P.R. China; Key Laboratory of Data Eng; School of Information, Renmin University of China, Beijing 100872, P.R. China; Key Laboratory of Data Eng; Information Engineering University of China, Zhengzhou 450004, P.R. China

Domestic conference

The 6th China Conference on Trusted Computing and Information Security

Fuzhou

English

Pages 78-90

2012-10-27 (date the record first went online on the Wanfang platform; this is not the paper's publication date)