Automatic invariant generation for monitoring OS kernel integrity

Hiromasa Shimada, Tatsuo Nakajima

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    1 Citation (Scopus)

    Abstract

    System administrators have used integrity checkers to protect systems from malicious infections. Checking the integrity of the kernel is especially important, since an infection of the kernel affects the entire system. Most previous work on preventing such infections relies on developers or administrators to write specifications to detect them. Those approaches incur high engineering cost and may introduce vulnerabilities. Other previous work uses virtualization techniques to trace the memory usage of the target system. However, those approaches require hardware support for virtualization to avoid significant overhead, and most embedded systems do not have such hardware support. In addition, the overhead of integrity checking affects all of the guest OSes, because the integrity of the target OS is checked in the virtualization layer. Therefore, they are difficult to apply to multi-core environments. In this paper, we propose a method to generate the integrity checker automatically. The integrity checker runs on a virtualization layer and checks the integrity of the target OS kernel's data structures from outside that kernel. The virtualization layer does not require special hardware support for virtualization, because the integrity checker only reads the memory area used by the target OS. Moreover, the integrity checker is executed as a guest OS, and therefore it does not affect overall system performance when it runs in a multi-core environment. The integrity checker checks the kernel data structures using their invariants. To generate the invariants automatically, our system analyzes the obtained kernel data structures. However, checking all of the kernel data structures is not feasible, since there are many kernel data structures and the analyzer uses the relationships among them to generate invariants. Therefore, our challenge is to reduce the set of target kernel data structures while avoiding false positives and false negatives as much as possible.

    Original language: English
    Title of host publication: Proceedings - 18th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, RTCSA 2012 - 2nd Workshop on Cyber-Physical Systems, Networks, and Applications, CPSNA
    Pages: 408-410
    Number of pages: 3
    DOIs: https://doi.org/10.1109/RTCSA.2012.68
    Publication status: Published - 2012
    Event: 18th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, RTCSA 2012 - Seoul
    Duration: 2012 Aug 19 to 2012 Aug 22

    Other

    Other: 18th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, RTCSA 2012
    City: Seoul
    Period: 12/8/19 to 12/8/22

    Fingerprint

    Data structures
    Monitoring
    Computer hardware
    ROM
    Embedded systems
    Virtualization
    Computer systems
    Specifications
    Data storage equipment
    Costs

    Keywords

    • integrity checker
    • invariant
    • security

    ASJC Scopus subject areas

    • Artificial Intelligence
    • Hardware and Architecture
    • Computer Vision and Pattern Recognition

    Cite this

    Shimada, H., & Nakajima, T. (2012). Automatic invariant generation for monitoring OS kernel integrity. In Proceedings - 18th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, RTCSA 2012 - 2nd Workshop on Cyber-Physical Systems, Networks, and Applications, CPSNA (pp. 408-410). [6300241] https://doi.org/10.1109/RTCSA.2012.68
