• Title/Summary/Keyword: snoop-based integrity monitoring

Search Result 2, Processing Time 0.014 seconds

Efficient Kernel Integrity Monitor Design for Commodity Mobile Application Processors

  • Heo, Ingoo;Jang, Daehee;Moon, Hyungon;Cho, Hansu;Lee, Seungwook;Kang, Brent Byunghoon;Paek, Yunheung
    • JSTS:Journal of Semiconductor Technology and Science
    • /
    • v.15 no.1
    • /
    • pp.48-59
    • /
    • 2015

  • In recent years, there are increasing threats of rootkits that undermine the integrity of a system by manipulating OS kernel. To cope with the rootkits, in Vigilare, the snoop-based monitoring which snoops the memory traffics of the host system was proposed. Although the previous work shows its detection capability and negligible performance loss, the problem is that the proposed design is not acceptable in recent commodity mobile application processors (APs) which have become de facto the standard computing platforms of smart devices. To mend this problem and adopt the idea of snoop-based monitoring in commercial products, in this paper, we propose a snoop-based monitor design called S-Mon, which is designed for the AP platforms. In designing S-Mon, we especially consider two design constraints in the APs which were not addressed in Vigilare; the unified memory model and the crossbar switch interconnect. Taking into account those, we derive a more realistic architecture for the snoop-based monitoring and a new hardware module, called the region controller, is also proposed. In our experiments on a simulation framework modeling a productionquality device, it is shown that our S-Mon can detect the rootkit attacks while the runtime overhead is also negligible.

  • https://doi.org/10.5573/JSTS.2015.15.1.048 인용 PDF KSCI

A Snoop-Based Kernel Introspection System against Address Translation Redirection Attack (메모리 주소 변환 공격을 탐지하기 위한 Snoop기반의 커널 검사 시스템)

  • Kim, Donguk;Kim, Jihoon;Park, Jinbum;Kim, Jinmok
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.26 no.5
    • /
    • pp.1151-1160
    • /
    • 2016

  • A TrustZone-based rootkit detecting solution using a secure timer ensures the integrity of monitoring system, because ARM TrustZone technology provides isolated environments from a monitored OS against intercepting and modifying invoke commands. However, it is vulnerable to transient attack due to periodic monitoring. Also, Address Translation Redirection Attack (ATRA) cannot be detected, because the monitoring is operated by using the physical address of memory. To ameliorate this problem, we propose a snoop-based kernel introspection system. The proposed system can monitor a kernel memory in real-time by using a snooper, and detect memory-bound ATRA by introspecting kernel pages every context switch of processes. Experimental results show that the proposed system successfully protects the kernel memory without incurring any significant performance penalty in run-time.

  • https://doi.org/10.13089/JKIISC.2016.26.5.1151 인용 PDF KSCI HTML