Efficient Kernel Integrity Monitor Design for Commodity Mobile Application Processors

  • Heo, Ingoo (Department of Electrical and Computer Engineering, Seoul National University) ;
  • Jang, Daehee (Graduate School of Information Security, Korea Advanced Institute of Science & Technology) ;
  • Moon, Hyungon (Department of Electrical and Computer Engineering, Seoul National University) ;
  • Cho, Hansu (DMC R&D Center, Samsung Electronics Ltd.) ;
  • Lee, Seungwook (DMC R&D Center, Samsung Electronics Ltd.) ;
  • Kang, Brent Byunghoon (Graduate School of Information Security, Korea Advanced Institute of Science & Technology) ;
  • Paek, Yunheung (Department of Electrical and Computer Engineering, Seoul National University)
  • Received : 2014.02.24
  • Accepted : 2014.11.24
  • Published : 2015.02.28


In recent years, there are increasing threats of rootkits that undermine the integrity of a system by manipulating OS kernel. To cope with the rootkits, in Vigilare, the snoop-based monitoring which snoops the memory traffics of the host system was proposed. Although the previous work shows its detection capability and negligible performance loss, the problem is that the proposed design is not acceptable in recent commodity mobile application processors (APs) which have become de facto the standard computing platforms of smart devices. To mend this problem and adopt the idea of snoop-based monitoring in commercial products, in this paper, we propose a snoop-based monitor design called S-Mon, which is designed for the AP platforms. In designing S-Mon, we especially consider two design constraints in the APs which were not addressed in Vigilare; the unified memory model and the crossbar switch interconnect. Taking into account those, we derive a more realistic architecture for the snoop-based monitoring and a new hardware module, called the region controller, is also proposed. In our experiments on a simulation framework modeling a productionquality device, it is shown that our S-Mon can detect the rootkit attacks while the runtime overhead is also negligible.



Supported by : National Research Foundation of Korea (NRF)


  1. J. Wei, B. Payne, J. Giffin, and C. Pu, "Soft-timer driven transient kernel control flow attacks and defense," In Computer Security Applications Conference, 2008. ACSAC 2008. Annual, pages 97-107, dec.2008.USENIX Security Symposium.
  2. N. L. Petroni, Jr., T. Fraser, J. Molina, and W. A. Arbaugh, "Copilot - a coprocessor-based kernel runtime integrity monitor," In Proceedings of the 13th conference on USENIX Security Symposium - Volume 13, SSYM'04, pages 13-13, Berkeley, CA, USA, 2004.USENIX Association
  3. X. Zhang, L. van Doorn, T. Jaeger, R. Perez, and R. Sailer, "Secure coprocessor-based intrusion detection," In Proceedings of the 10th workshop on ACM SIGOPS European workshop, EW 10, pages 239-242, New York, NY, USA, 2002. ACM.
  4. T. Garfinkel and M. Rosenblum, "A virtual machine introspection based architecture for intrusion detection," In Proceedings of Network and Distributed Systems Security Symposium, Feb 2003. Internet Society
  5. J. Rhee, R. Riley, D. Xu, and X. Jiang, "Defeating dynamic data kernel rootkit attacks via vmm-based guest-transparent monitoring," In Availability, Reliability and Security, 2009. ARES '09. International Conference on, pages 74-81, march 2009. IEEE.
  6. A. M. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. C. Skalsky, "Hypersentry: enabling stealthy in-context measurement of hypervisor integrity," In Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pages 38-49, New York, NY, USA, 2010. ACM.
  7. J. Wang, A. Stavrou, and A. Ghosh, "Hypercheck: A hardware-assisted integrity monitor," In S. Jha, R. Sommer, and C. Kreibich, editors, Recent Advances in Intrusion Detection, volume 6307 of Lecture Notes in Computer Science, pages 158-177. Springer Berlin /Heidelberg, 2010.
  8. H. Moon, H. Lee, J. Lee, K. Kim, Y. Paek and Brent B. Kang, "Vigilare: toward snoop-based kernel integrity monitor," Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 2012.
  9. Rootkits, part 1 of 3: A growing threat, April 2006. MacAfee AVERT Labs Whitepaper.
  10. J. D. McCalpin, "Memory bandwidth and machine balance in current high performance computers," IEEE Computer Society Technical Committee on Computer Architecture (TCCA) Newsletter, pages 19-25, Dec.1995.
  11. Lee, Hojoon, et al., "KI-Mon: A Hardware-assisted Event-triggered Monitoring Platform for Mutable Kernel Object," Presented as part of the 22nd USENIX Security Symposium. USENIX, 2013.
  12. LTD ARM co., "a9 processor," 2011.
  13. LTD ARM co., "AMBA Network Interconnect (NIC-301) Technical Reference Manual," 2009.
  14. LTD Samsung Electronics co. Exynos 4, 2011,
  15. Carbon Design Systems, Carbon SoC Designer Plus.,
  16. Carbon Design Systems, Carbon Model Studio., model-studio/
  17. Na, Sangkwon, Sung Yang, and Chong-Min Kyung, "Low-power bus architecture composition for AMBA AXI," Journal of Semiconductor Technology and Science 9.2 (2009): 1.
  18. Synopsys, Inc., Synopsys Design Compiler, TLSynthesis/DesignCompiler/Pages/default.aspx
  19. J. L. Henning, "Spec cpu2006 benchmark descriptions," ACM SIGARCH Computer Architecture News, vol. 34, no. 4, pp. 1-17, 2006.