Scanning workstation memory for malicious codes using dedicated coprocessors

  • Authors: Sirish A. Kondi; Yoginder S. Dandass

  • Affiliations: Mississippi State University, Mississippi State, MS; Mississippi State University, Mississippi State, MS

  • Venue: Proceedings of the 44th annual Southeast regional conference

  • Year: 2006

Abstract

This paper describes the implementation of a coprocessor platform for scanning workstation memory in order to detect signatures of malicious codes. The coprocessor is especially beneficial in clusters of workstations used for high-performance computing, where the overhead imposed by software-based intrusion detection codes is unacceptable. The coprocessor connects to the host via the PCI bus and accesses the host's memory using bus-mastering DMA.

The coprocessor interprets the host's virtual memory data structures in order to fetch page frames associated with specific processes into local memory. Once a set of page frames is in local memory, the coprocessor searches the memory content for signatures of known malicious codes. The coprocessor implementation requires no modification to the kernel code. Furthermore, the coprocessor software only requires a small set of initialization data during system bootup. After this initialization, the coprocessor operates independently from the host's processors.

Empirical analysis of a prototype coprocessor implementation demonstrates the effectiveness of the coprocessor in detecting malicious codes without intervention from the host processor. The additional memory bus traffic generated by the coprocessor causes a small performance reduction, especially for software that does not make effective use of the host processor's cache. Conversely, the impact of the coprocessor-induced PCI traffic is negligible on I/O-bound applications.