CPU transparent protection of OS kernel and hypervisor integrity with programmable DRAM

Authors:
Ziyi Liu;JongHyuk Lee;Junyuan Zeng;Yuanfeng Wen;Zhiqiang Lin;Weidong Shi
Affiliations:
University of Houston, Houston, TX;Samsung Electronics, Suwon-si, Gyeonggi-do, Korea;University of Texas at Dallas, Dallas, TX;University of Houston, Houston, TX;University of Texas at Dallas, Dallas, TX;University of Houston, Houston, TX
Venue:
Proceedings of the 40th Annual International Symposium on Computer Architecture
Year:
2013

Citing 27
Cited 0

Multifacet's general execution-driven multiprocessor simulator (GEMS) toolset

ACM SIGARCH Computer Architecture News - Special issue: dasCMP'05
SubVirt: Implementing malware with virtual machines

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
The M5 Simulator: Modeling Networked Systems

IEEE Micro
SPEC CPU2006 benchmark descriptions

ACM SIGARCH Computer Architecture News
Copilot - a coprocessor-based kernel runtime integrity monitor

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An architecture for specification-based detection of semantic integrity violations in kernel dynamic data

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction

Proceedings of the 14th ACM conference on Computer and communications security
VMM-based hidden process detection and identification using Lycosid

Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Flicker: an execution infrastructure for tcb minimization

Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
SMM rootkits: a new breed of OS independent malware

Proceedings of the 4th international conference on Security and privacy in communication netowrks
Automatic Inference and Enforcement of Kernel Data Structure Invariants

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Decoupled DIMM: building high-bandwidth memory system using low-speed DRAM devices

Proceedings of the 36th annual international symposium on Computer architecture
Countering kernel rootkits with lightweight hook protection

Proceedings of the 16th ACM conference on Computer and communications security
Mapping kernel objects to enable systematic integrity checking

Proceedings of the 16th ACM conference on Computer and communications security
Robust signatures for kernel data structures

Proceedings of the 16th ACM conference on Computer and communications security
HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
HyperSentry: enabling stealthy in-context measurement of hypervisor integrity

Proceedings of the 17th ACM conference on Computer and communications security
HyperCheck: a hardware-assisted integrity monitor

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Ensuring operating system kernel integrity with OSck

Proceedings of the sixteenth international conference on Architectural support for programming languages and operating systems
DRAMSim2: A Cycle Accurate Memory System Simulator

IEEE Computer Architecture Letters
The gem5 simulator

ACM SIGARCH Computer Architecture News
Architectural support for hypervisor-secure virtualization

ASPLOS XVII Proceedings of the seventeenth international conference on Architectural Support for Programming Languages and Operating Systems
Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Vigilare: toward snoop-based kernel integrity monitor

Proceedings of the 2012 ACM conference on Computer and communications security
OS-Sommelier: memory-only operating system fingerprinting in the cloud

Proceedings of the Third ACM Symposium on Cloud Computing
EXTERIOR: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery

Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments

Quantified Score

Hi-index	0.00

Visualization

Abstract

Increasingly, cyber attacks (e.g., kernel rootkits) target the inner rings of a computer system, and they have seriously undermined the integrity of the entire computer systems. To eliminate these threats, it is imperative to develop innovative solutions running below the attack surface. This paper presents MGuard, a new most inner ring solution for inspecting the system integrity that is directly integrated with the DRAM DIMM devices. More specifically, we design a programmable guard that is integrated with the advanced memory buffer of FB-DIMM to continuously monitor all the memory traffic and detect the system integrity violations. Unlike the existing approaches that are either snapshot-based or lack compatibility and flexibility, MGuard continuously monitors the integrity of all the outer rings including both OS kernel and hypervisor of interest, with a greater extendibility enabled by a programmable interface. It offers a hardware drop-in solution transparent to the host CPU and memory controller. Moreover, MGuard is isolated from the host software and hardware, leading to strong security for remote attackers. Our simulation-based experimental results show that MGuard introduces no speed overhead, and is able to detect nearly all the OS-kernel and hypervisor control data related rootkits we tested.