%0 Conference Paper
%B Proceedings of the 14th ACM conference on Computer and communications security
%D 2007
%T Automated detection of persistent kernel control-flow attacks
%A Petroni, Jr., Nick L.
%A Hicks, Michael W.
%K CFI
%K integrity
%K Kernel
%K rootkit
%K virtualization
%X This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel's control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing unnoticeable overhead for both a typical web server workload and CPU-intensive workloads when operating at 10-second intervals.
%S CCS '07
%I ACM
%C New York, NY, USA
%P 103-115
%8 2007///
%@ 978-1-59593-703-2
%G eng
%U http://doi.acm.org/10.1145/1315245.1315260
%R 10.1145/1315245.1315260
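The abstract above states the SBCFI property but not what a monitoring pass actually checks. The following is an added illustration, not code from the paper or from the authors' Xen/VMware implementation. It reduces the idea to its two observable conditions: the guest's kernel text must still hash to a trusted baseline (so nothing was patched in place), and every function pointer the monitor walks must point into validated text, meaning the kernel image or a module whose image has already been validated. Everything here is constructed: the address ranges, the six-entry syscall table, the 64-byte stand-in for the text section and the FNV-1a hash are assumptions chosen for the example, not Linux values, and a real monitor would walk many more pointer-bearing structures (interrupt descriptors, VFS and network operation tables, module lists) from known roots using the kernel's type information.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed guest-kernel layout for the example. Addresses, table size
 * and module ranges are invented for illustration, not Linux's real values. */
#define KTEXT_START 0xC0100000u
#define KTEXT_END   0xC0300000u          /* exclusive */
#define NSYSCALLS   6
#define MAX_MODULES 4
#define KTEXT_BYTES 64

/* Text range of a loaded module whose image the monitor has already
 * validated against a known-good copy. Unlisted modules are untrusted. */
struct module_text { uint32_t start, end; };

/* What one monitoring pass reads out of guest memory. */
struct guest_snapshot {
    uint8_t  ktext[KTEXT_BYTES];          /* stand-in for the kernel text section */
    uint32_t sys_call_table[NSYSCALLS];   /* function pointers copied from the guest */
    struct module_text modules[MAX_MODULES];
    size_t   nmodules;
};

/* A transfer target is acceptable only if it lands in validated text.
 * Heap pages, hidden modules or rootkit-allocated memory all fail this. */
static int in_valid_text(const struct guest_snapshot *s, uint32_t target)
{
    if (target >= KTEXT_START && target < KTEXT_END)
        return 1;
    for (size_t i = 0; i < s->nmodules; i++)
        if (target >= s->modules[i].start && target < s->modules[i].end)
            return 1;
    return 0;
}

/* FNV-1a over the text bytes; a mismatch with the trusted baseline means
 * the kernel's code was patched in place (an inline hook, for example). */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* One periodic SBCFI pass. Returns the number of violations found. */
int sbcfi_check(const struct guest_snapshot *s, uint32_t text_baseline)
{
    int violations = 0;
    if (fnv1a(s->ktext, KTEXT_BYTES) != text_baseline) {
        puts("SBCFI: kernel text differs from trusted baseline");
        violations++;
    }
    for (int i = 0; i < NSYSCALLS; i++) {
        if (!in_valid_text(s, s->sys_call_table[i])) {
            printf("SBCFI: sys_call_table[%d] -> 0x%08lx is outside validated text\n",
                   i, (unsigned long)s->sys_call_table[i]);
            violations++;
        }
    }
    return violations;
}

/* Clean state: handlers sit in kernel text, except the last, which is
 * legitimately implemented by a validated module (constructed scenario). */
static void make_clean_snapshot(struct guest_snapshot *s)
{
    for (size_t i = 0; i < KTEXT_BYTES; i++)
        s->ktext[i] = (uint8_t)(0x90 + (i & 7));          /* arbitrary "code" bytes */
    for (int i = 0; i < NSYSCALLS; i++)
        s->sys_call_table[i] = KTEXT_START + 0x1000u * (uint32_t)(i + 1);
    s->modules[0].start = 0xF8800000u;
    s->modules[0].end   = 0xF8810000u;
    s->nmodules = 1;
    s->sys_call_table[NSYSCALLS - 1] = 0xF8800420u;        /* inside the validated module */
}

int demo_clean(void)
{
    struct guest_snapshot s = {0};
    make_clean_snapshot(&s);
    return sbcfi_check(&s, fnv1a(s.ktext, KTEXT_BYTES));
}

/* Rootkit redirects one syscall to code it placed outside any validated text. */
int demo_hooked_syscall(void)
{
    struct guest_snapshot s = {0};
    make_clean_snapshot(&s);
    uint32_t baseline = fnv1a(s.ktext, KTEXT_BYTES);
    s.sys_call_table[2] = 0xF9A00100u;                     /* hidden module or heap page */
    return sbcfi_check(&s, baseline);
}

/* Rootkit overwrites the start of a kernel function with a jump (inline hook). */
int demo_patched_text(void)
{
    struct guest_snapshot s = {0};
    make_clean_snapshot(&s);
    uint32_t baseline = fnv1a(s.ktext, KTEXT_BYTES);
    s.ktext[16] = 0xE9;                                     /* jmp rel32 opcode */
    return sbcfi_check(&s, baseline);
}

int main(void)
{
    printf("clean: %d, hooked syscall: %d, patched text: %d\n",
           demo_clean(), demo_hooked_syscall(), demo_patched_text());
    return 0;
}
```

The check is state-based in the abstract's sense: it inspects a snapshot of memory on a timer rather than mediating each control transfer, which is why the paper can afford a 10-second interval with negligible overhead, and why a rootkit that hooks and unhooks between passes would evade it. Text hashing is what stops an attacker from sidestepping the pointer check by patching code in place instead of rewriting a pointer; the two conditions are only meaningful together.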