Monitoring integrity using limited local memory

Yuki Kinebuchi, Shakeel Butt, Vinod Ganapathy, Liviu Iftode, Tatsuo Nakajima

研究成果: Article査読

13 被引用数 (Scopus)


System integrity monitors, such as rootkit detectors, rely critically on the ability to fetch and inspect pages containing code and data of a target system under study. To avoid being infected by malicious or compromised targets, state-of-the-art system integrity monitors rely on virtualization technology to set up a tamper-proof execution environment. Consequently, the virtualization infrastructure is part of the trusted computing base. However, modern virtual machine monitors are complex entities, with large code bases that are difficult to verify. In this paper, we present a new machine architecture called limited local memory (LLM), which we use to set up an alternative tamper-proof execution environment for system integrity monitors. This architecture builds upon recent trends in multicore chip design to equip each processing core with access to a small, private memory area. We show that the features of the LLM architecture, combined with a novel secure paging mechanism, suffice to bootstrap a tamper-proof execution environment without support for hardware virtualization. We demonstrate the utility of this architecture by building a rootkit detector that leverages the key features of LLM. This rootkit detector can safely inspect a target operating system without itself becoming the victim of infection.

ジャーナルIEEE Transactions on Information Forensics and Security
出版ステータスPublished - 2013

ASJC Scopus subject areas

  • 安全性、リスク、信頼性、品質管理
  • コンピュータ ネットワークおよび通信


「Monitoring integrity using limited local memory」の研究トピックを掘り下げます。これらがまとまってユニークなフィンガープリントを構成します。