Copilot - a coprocessor-based kernel runtime integrity monitor

TitleCopilot - a coprocessor-based kernel runtime integrity monitor
Publication TypeConference Papers
Year of Publication2004
AuthorsPetroni J., Fraser T, Molina J, Arbaugh WA
Conference NameProceedings of the 13th conference on USENIX Security Symposium - Volume 13
Date Published2004///
PublisherUSENIX Association
Conference LocationSan Diego, CA
Keywordsdesign, management, MONITORS, Security, security and protection

Copilot is a coprocessor-based kernel integrity monitor for commodity systems. Copilot is designed to detect malicious modifications to a host's kernel and has correctly detected the presence of 12 real-world rootkits, each within 30 seconds of their installation with less than a 1% penalty to the host's performance. Copilot requires no modifications to the protected host's software and can be expected to operate correctly even when the host kernel is thoroughly compromised - an advantage over traditional monitors designed to run on the host itself.