1. Field
One or more embodiments of the present invention relate to a snoop-based kernel integrity monitoring apparatus and a method thereof, and more particularly, to a kernel integrity monitoring apparatus which is provided as a hardware device independent of a host system, snoops the traffic on the system bus of the host system, and monitors the integrity of the kernel by detecting write attempts to an immutable region of the kernel, and to a method thereof.
2. Description of the Related Art
In order to protect the integrity of an operating system kernel, many security specialists strive to make a security monitor independent of a host system.
Recent efforts at kernel integrity monitoring fall into two approaches: one is hardware-based and the other is hypervisor-based.
Recently, the hypervisor-based approach has gained popularity. However, as a hypervisor grows more complex, it becomes exposed to many more software vulnerabilities.
Meanwhile, in order to protect the integrity of the hypervisor itself, an additional software layer may be inserted beneath it, but this does not solve the problem. The additional layer may introduce new vulnerabilities of its own, in the same manner as the hypervisor. If yet another software layer is inserted beneath that one for security, security may be strengthened temporarily, but no fundamental solution is provided.
In order to monitor the integrity of a hypervisor, hardware-supported schemes have been introduced.
Most existing solutions for kernel integrity monitoring make use of snapshot analysis schemes.
The snapshot analysis schemes are usually assisted by some type of hardware component which stores the contents of memory as a snapshot; the snapshot is then analyzed to find the traces of a rootkit attack.
HyperSentry, Copilot, and HyperCheck are representative examples of snapshot-based kernel integrity monitoring.
Generally, snapshot-based monitoring schemes have an inherent weakness: they inspect only the snapshots collected at predetermined intervals, and thus miss transient changes made between the snapshots.
A transient attack is an attack which leaves no persistent trace in memory contents. Transient attacks achieve their goals using only momentary, transitory manipulations.
Attackers can exploit this critical limitation of snapshot-based kernel integrity monitoring. If attackers know of the presence of a snapshot-based integrity monitor and can estimate when snapshots are taken and at what interval, they can devise stealthy malware that subverts the kernel only between snapshots and restores all of its modifications before the next snapshot is taken. This is called a scrubbing attack.
Meanwhile, even if attackers do not know the exact snapshot-taking time, they can still craft a transient attack that leaves as few traces as possible. If the traces remain in memory for only a short time, there is a good chance that they are not captured in any snapshot and the attack goes undetected.
HyperSentry is not designed to address such transient attacks.
For detecting such attacks with snapshot-based approaches, raising the snapshot rate may increase the probability of detection. However, frequent snapshot-taking inevitably increases the overhead imposed on the host system.
Randomizing the snapshot interval of the monitor can be another way to defeat such deliberately designed transient attacks. However, the detection rate then depends on chance and is not consistent. If the transient attack is short-lived and does not repeat, the probability of detecting it with a randomized snapshot interval is low.
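The following simulation is an added example, not code from the patent or from any of the monitors named above. It models the contrast drawn in the preceding paragraphs: a snapshot monitor that hashes the kernel's immutable region only at its sampling instants (fixed or randomized), versus a bus-snooping monitor that sees every write as it occurs and flags any write whose address falls in the immutable region. The memory size, the immutable address range, the write timeline and the attack timings are all constructed for the example; the hypothetical `detection_rate` function estimates, by trial, how often a randomized snapshot interval catches a one-shot transient attack of a given length.

```python
"""Toy model: snapshot-based vs snoop-based kernel integrity monitoring.

Constructed example.  A 'kernel' memory is a 64-byte array whose first 32
bytes stand in for the immutable region (e.g. kernel text).  A timeline of
bus write events is replayed; the snapshot monitor inspects memory only at
its sampling instants, while the snoop monitor sees every bus write.
"""
import hashlib
import random
from dataclasses import dataclass
from typing import List

MEM_SIZE = 64
IMMUTABLE = range(0, 32)        # assumed: kernel text occupies [0, 32)


@dataclass(frozen=True)
class Write:
    time: int                   # cycle at which the write appears on the bus
    addr: int
    value: int


def golden_hash(mem: bytearray) -> str:
    """Reference hash of the immutable region (taken from a clean kernel)."""
    return hashlib.sha256(bytes(mem[IMMUTABLE.start:IMMUTABLE.stop])).hexdigest()


def replay(writes: List[Write], until: int) -> bytearray:
    """Memory contents after applying every write with time <= until."""
    mem = bytearray(MEM_SIZE)
    for w in sorted(writes, key=lambda w: w.time):
        if w.time <= until:
            mem[w.addr] = w.value
    return mem


def snapshot_monitor(writes: List[Write], snapshot_times: List[int], golden: str) -> List[int]:
    """Times at which a snapshot's hash of the immutable region differs from
    the golden value.  Changes made and undone between snapshots are invisible."""
    return [t for t in snapshot_times if golden_hash(replay(writes, t)) != golden]


def snoop_monitor(writes: List[Write]) -> List[Write]:
    """Every bus write into the immutable region, in bus order.  A write is
    flagged the moment it occurs, so restoring the value later does not help."""
    return [w for w in sorted(writes, key=lambda w: w.time) if w.addr in IMMUTABLE]


def scrubbing_attack(start: int, restore: int, addr: int = 0x10) -> List[Write]:
    """Patch one kernel text byte at `start`, put the original back at `restore`."""
    return [Write(start, addr, 0x90), Write(restore, addr, 0x00)]


def fixed_intervals(period: int, horizon: int) -> List[int]:
    return list(range(period, horizon + 1, period))


def random_intervals(mean_period: int, horizon: int, seed: int) -> List[int]:
    """Snapshot instants with gaps drawn uniformly from [1, 2*mean_period-1]."""
    rng = random.Random(seed)
    t, times = 0, []
    while True:
        t += rng.randint(1, 2 * mean_period - 1)
        if t > horizon:
            return times
        times.append(t)


def detection_rate(attack_len: int, mean_period: int, trials: int = 1000,
                   horizon: int = 1000, seed: int = 1) -> float:
    """Fraction of trials in which a randomized snapshot monitor catches a
    one-shot scrubbing attack lasting `attack_len` cycles at a random time."""
    rng = random.Random(seed)
    golden = golden_hash(bytearray(MEM_SIZE))
    hits = 0
    for i in range(trials):
        start = rng.randint(0, horizon - attack_len)
        writes = scrubbing_attack(start, start + attack_len)
        snaps = random_intervals(mean_period, horizon, seed + i)
        if snapshot_monitor(writes, snaps, golden):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    golden = golden_hash(bytearray(MEM_SIZE))
    attack = scrubbing_attack(start=2, restore=5)          # done before snapshot at 10
    print("snapshot (period 10) detections:", snapshot_monitor(attack, fixed_intervals(10, 30), golden))
    print("snoop detections:", [(w.time, hex(w.addr)) for w in snoop_monitor(attack)])
    print("random-interval hit rate, 1-cycle attack :", detection_rate(1, 20))
    print("random-interval hit rate, 10-cycle attack:", detection_rate(10, 20))
```

With a period-10 snapshot schedule the attack that patches a text byte at cycle 2 and restores it at cycle 5 produces no detection, while the snoop monitor flags both the patch and the restore as writes into the immutable region. The randomized schedule catches a one-cycle attack only when a snapshot happens to land on that cycle, so its hit rate is roughly the attack length divided by the mean period, which is the "depends on chance" behaviour described above.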