Automated detection of persistent kernel control-flow attacks

TitleAutomated detection of persistent kernel control-flow attacks
Publication TypeConference Papers
Year of Publication2007
AuthorsPetroni, Jr. NL, Hicks MW
Conference NameProceedings of the 14th ACM conference on Computer and communications security
Date Published2007///
Conference LocationNew York, NY, USA
ISBN Number978-1-59593-703-2
KeywordsCFI, integrity, Kernel, rootkit, virtualization

This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel's control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing unnoticeable overhead for both a typical web server workload and CPU-intensive workloads when operating at 10 second intervals.