Monitoring integrity using limited local memory

Yuki Kinebuchi, Shakeel Butt, Vinod Ganapathy, Liviu Iftode, Tatsuo Nakajima

    Research output: Contribution to journal › Article

    12 Citations (Scopus)

    Abstract

    System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state-of-the-art system integrity monitors rely on virtualization technology to set up a tamper-proof execution environment. Consequently, the virtualization infrastructure is part of the trusted computing base. However, modern virtual machine monitors are complex entities, with large code bases that are difficult to verify. In this paper, we present a new machine architecture called limited local memory (LLM), which we use to set up an alternative tamper-proof execution environment for system integrity monitors. This architecture builds upon recent trends in multicore chip design to equip each processing core with access to a small, private memory area. We show that the features of the LLM architecture, combined with a novel secure paging mechanism, suffice to bootstrap a tamper-proof execution environment without support for hardware virtualization. We demonstrate the utility of this architecture by building a rootkit detector that leverages the key features of LLM. This rootkit detector can safely inspect a target operating system without itself becoming the victim of infection.
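    The abstract states the design principle only: the monitor fetches target pages into memory that the target cannot reach, and inspects the copy. The following C program is an added illustration of that principle, not the paper's secure paging mechanism or its rootkit detector; the page size, page count, sample page contents, the FNV-1a hash and the function names are all assumptions made here for the example. Shared `target_mem` stands in for the monitored OS's memory, and `local_page`/`baseline` stand in for the monitor core's private local memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy sizes, not values from the paper or from any real LLM hardware. */
#define PAGE_SIZE 64
#define NUM_PAGES 4

/* Shared "target" memory: the monitored OS (and any rootkit inside it)
 * can write here at any time. */
static uint8_t target_mem[NUM_PAGES * PAGE_SIZE];

/* Monitor-private local memory: in the LLM model only the monitor's core
 * can access it, so the target cannot tamper with what is stored here. */
static uint8_t local_page[PAGE_SIZE];
static uint64_t baseline[NUM_PAGES];

/* FNV-1a, used here only as a cheap stand-in for a cryptographic hash. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Copy one target page into private memory. Everything the monitor
 * inspects is this private copy, never the shared page itself, so the
 * target cannot change the bytes between the monitor's read and its check. */
static void fetch_page(size_t idx)
{
    memcpy(local_page, target_mem + idx * PAGE_SIZE, PAGE_SIZE);
}

/* Constructed sample content standing in for kernel code/data pages. */
void init_target(void)
{
    for (size_t idx = 0; idx < NUM_PAGES; idx++)
        for (size_t i = 0; i < PAGE_SIZE; i++)
            target_mem[idx * PAGE_SIZE + i] = (uint8_t)(idx * 31 + i);
}

/* Record known-good hashes into private memory (e.g. right after boot). */
void record_baseline(void)
{
    for (size_t idx = 0; idx < NUM_PAGES; idx++) {
        fetch_page(idx);
        baseline[idx] = fnv1a64(local_page, PAGE_SIZE);
    }
}

/* Returns 1 if page idx still matches its baseline, 0 if it was modified. */
int check_page(size_t idx)
{
    fetch_page(idx);
    return fnv1a64(local_page, PAGE_SIZE) == baseline[idx];
}

/* Returns a bitmask with bit i set for every tampered page. */
unsigned scan_all(void)
{
    unsigned tampered = 0;
    for (size_t idx = 0; idx < NUM_PAGES; idx++)
        if (!check_page(idx))
            tampered |= 1u << idx;
    return tampered;
}

/* Stand-in for a rootkit patching one byte of the target, e.g. hooking a
 * function by overwriting its first instruction. */
void simulate_rootkit_patch(size_t idx, size_t off, uint8_t val)
{
    target_mem[idx * PAGE_SIZE + off] = val;
}

int main(void)
{
    init_target();
    record_baseline();
    printf("clean scan: tampered mask = 0x%x\n", scan_all());
    simulate_rootkit_patch(2, 5, 0x90);
    printf("after patch: tampered mask = 0x%x\n", scan_all());
    return 0;
}
```

    Two points the example makes concrete. First, the baseline hashes live in private memory; if they were stored in the shared region, a rootkit could simply rewrite them to match its patched pages. Second, hashing against a fixed baseline only works for pages whose contents are expected to be static (kernel text, system call tables); data that legitimately changes at runtime needs invariant checks rather than hash comparison, and a real monitor would use a collision-resistant hash such as SHA-256 in place of FNV-1a.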

    Original language: English
    Article number: 6523151
    Pages (from-to): 1230-1242
    Number of pages: 13
    Journal: IEEE Transactions on Information Forensics and Security
    Volume: 8
    Issue number: 7
    DOI: 10.1109/TIFS.2013.2266095
    Publication status: Published - 2013

    Keywords

    • Local memory
    • multicore
    • system integrity

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Safety, Risk, Reliability and Quality

    Cite this

    Monitoring integrity using limited local memory. / Kinebuchi, Yuki; Butt, Shakeel; Ganapathy, Vinod; Iftode, Liviu; Nakajima, Tatsuo.

    In: IEEE Transactions on Information Forensics and Security, Vol. 8, No. 7, 6523151, 2013, p. 1230-1242.

    Research output: Contribution to journal › Article

    Kinebuchi, Yuki ; Butt, Shakeel ; Ganapathy, Vinod ; Iftode, Liviu ; Nakajima, Tatsuo. / Monitoring integrity using limited local memory. In: IEEE Transactions on Information Forensics and Security. 2013 ; Vol. 8, No. 7. pp. 1230-1242.
    @article{dc5c668bf0024714b733b0290941d95e,
    title = "Monitoring integrity using limited local memory",
    abstract = "System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state-of-the-art system integrity monitors rely on virtualization technology to set up a tamper-proof execution environment. Consequently, the virtualization infrastructure is part of the trusted computing base. However, modern virtual machine monitors are complex entities, with large code bases that are difficult to verify. In this paper, we present a new machine architecture called limited local memory (LLM), which we use to set up an alternative tamper-proof execution environment for system integrity monitors. This architecture builds upon recent trends in multicore chip design to equip each processing core with access to a small, private memory area. We show that the features of the LLM architecture, combined with a novel secure paging mechanism, suffice to bootstrap a tamper-proof execution environment without support for hardware virtualization. We demonstrate the utility of this architecture by building a rootkit detector that leverages the key features of LLM. This rootkit detector can safely inspect a target operating system without itself becoming the victim of infection.",
    keywords = "Local memory, multicore, system integrity",
    author = "Yuki Kinebuchi and Shakeel Butt and Vinod Ganapathy and Liviu Iftode and Tatsuo Nakajima",
    year = "2013",
    doi = "10.1109/TIFS.2013.2266095",
    language = "English",
    volume = "8",
    pages = "1230--1242",
    journal = "IEEE Transactions on Information Forensics and Security",
    issn = "1556-6013",
    publisher = "Institute of Electrical and Electronics Engineers Inc.",
    number = "7",

    }

    TY - JOUR

    T1 - Monitoring integrity using limited local memory

    AU - Kinebuchi, Yuki

    AU - Butt, Shakeel

    AU - Ganapathy, Vinod

    AU - Iftode, Liviu

    AU - Nakajima, Tatsuo

    PY - 2013

    Y1 - 2013

    AB - System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state-of-the-art system integrity monitors rely on virtualization technology to set up a tamper-proof execution environment. Consequently, the virtualization infrastructure is part of the trusted computing base. However, modern virtual machine monitors are complex entities, with large code bases that are difficult to verify. In this paper, we present a new machine architecture called limited local memory (LLM), which we use to set up an alternative tamper-proof execution environment for system integrity monitors. This architecture builds upon recent trends in multicore chip design to equip each processing core with access to a small, private memory area. We show that the features of the LLM architecture, combined with a novel secure paging mechanism, suffice to bootstrap a tamper-proof execution environment without support for hardware virtualization. We demonstrate the utility of this architecture by building a rootkit detector that leverages the key features of LLM. This rootkit detector can safely inspect a target operating system without itself becoming the victim of infection.

    KW - Local memory

    KW - multicore

    KW - system integrity

    UR - http://www.scopus.com/inward/record.url?scp=84880179193&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84880179193&partnerID=8YFLogxK

    U2 - 10.1109/TIFS.2013.2266095

    DO - 10.1109/TIFS.2013.2266095

    M3 - Article

    VL - 8

    SP - 1230

    EP - 1242

    JO - IEEE Transactions on Information Forensics and Security

    JF - IEEE Transactions on Information Forensics and Security

    SN - 1556-6013

    IS - 7

    M1 - 6523151

    ER -