http://dx.doi.org/10.13089/JKIISC.2015.25.4.863

An Efficient Kernel Introspection System using a Secure Timer on TrustZone  

Kim, Jinmok (Software R&D Center, Samsung Electronics)
Kim, Donguk (Software R&D Center, Samsung Electronics)
Park, Jinbum (Software R&D Center, Samsung Electronics)
Kim, Jihoon (Software R&D Center, Samsung Electronics)
Kim, Hyoungshick (Sungkyunkwan University)
Abstract
Kernel rootkits are recognized as one of the most severe and widespread threats to the integrity of an operating system. Without an external monitor acting as a root of trust, it is not easy to detect kernel rootkits, which can intercept and modify communication at the interfaces between operating system components. To provide such a monitor in isolation from an operating system that may be compromised, most existing solutions rely on external hardware. Unlike those solutions, we develop a kernel introspection system based on ARM TrustZone technology, which provides a secure memory space isolated from the rest of the system without incurring extra hardware cost. In particular, we use a secure timer to implement an autonomous switch between the secure and non-secure modes. To ensure the integrity of the reference, the system derives its reference measurements from vmlinux, the original kernel image. In addition, the monitoring block size is configurable, allowing the introspection system to be tuned for efficiency. The experimental results show that secure kernel introspection is provided without any significant performance penalty (at most a 6% increase in execution time compared with the unmodified operating system).
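The abstract describes three pieces: a reference measured from the original vmlinux image, a periodic check driven by a secure timer, and a configurable monitoring block size. The following Python model is an added example written for this page, not code from the paper or from Samsung; it constructs a stand-in kernel region (fake code pages followed by a fake sys_call_table), hashes it block by block as the reference, and shows how a modified table entry is detected and how a smaller block size localizes the change more precisely. The image layout, pointer values and tick loop are all constructed assumptions.

```python
"""Added example (not the paper's implementation): block-wise integrity check
of a protected kernel region against a reference measured from the original
image, run on each tick of a modelled secure timer. All data is constructed."""
import hashlib
import struct

PAGE = 4096  # default monitoring block size (one page); smaller sizes also work


def make_kernel_image(n_code_pages: int, n_syscalls: int) -> bytes:
    """Constructed stand-in for the protected region of vmlinux: deterministic
    pseudo-code pages followed by a fake sys_call_table of 8-byte pointers."""
    code = bytes((i * 31 + 7) & 0xFF for i in range(n_code_pages * PAGE))
    table = b"".join(struct.pack("<Q", 0xFFFF_0000_8100_0000 + 0x100 * i)
                     for i in range(n_syscalls))
    return code + table


def measure_reference(image: bytes, block_size: int) -> list[bytes]:
    """Hash the image block by block. Taking this from the original vmlinux
    (as the abstract describes) means a kernel that was already patched at
    run time cannot supply its own 'clean' reference."""
    return [hashlib.sha256(image[off:off + block_size]).digest()
            for off in range(0, len(image), block_size)]


def introspect(live: bytes, reference: list[bytes], block_size: int) -> list[int]:
    """Compare a snapshot of live kernel memory against the reference and return
    the indices of every block whose hash differs. A size mismatch is reported
    as 'every block' rather than silently truncating the comparison."""
    live_hashes = measure_reference(live, block_size)
    if len(live_hashes) != len(reference):
        return list(range(len(reference)))
    return [i for i, (a, b) in enumerate(zip(live_hashes, reference)) if a != b]


def block_span(index: int, block_size: int) -> tuple[int, int]:
    """Byte range [start, end) covered by one block. Smaller blocks localize a
    modification more precisely at the cost of more hashes per timer tick."""
    return index * block_size, (index + 1) * block_size


def tamper_table_entry(live: bytearray, table_off: int, entry: int, new_ptr: int) -> int:
    """Constructed test input only: overwrite one syscall-table pointer in the
    snapshot so the detector has something to find. Returns the byte offset."""
    off = table_off + 8 * entry
    live[off:off + 8] = struct.pack("<Q", new_ptr)
    return off


def run_secure_timer(snapshots: list[bytes], reference: list[bytes],
                     block_size: int) -> list[tuple[int, list[int]]]:
    """Model of the secure-timer loop: on each tick the monitor (secure world)
    inspects a snapshot of normal-world kernel memory. Returns (tick, blocks)
    for every tick on which a difference from the reference was observed."""
    findings = []
    for tick, snap in enumerate(snapshots):
        bad = introspect(snap, reference, block_size)
        if bad:
            findings.append((tick, bad))
    return findings


if __name__ == "__main__":
    image = make_kernel_image(n_code_pages=4, n_syscalls=16)
    table_off = 4 * PAGE  # the fake table starts right after the code pages
    for bs in (PAGE, 64):
        ref = measure_reference(image, bs)
        live = bytearray(image)
        tamper_table_entry(live, table_off, entry=5, new_ptr=0x4141_4141_4141_4141)
        bad = introspect(bytes(live), ref, bs)
        print(f"block size {bs}: {len(ref)} blocks, modified blocks {bad}, "
              f"byte ranges {[block_span(i, bs) for i in bad]}")
```

With 4 KiB blocks the modified table entry is reported only as "somewhere in block 4"; with 64-byte blocks the same snapshot pinpoints a 64-byte window, which is the trade-off the configurable block size exposes: finer blocks cost more hash work on every tick but narrow the region a responder has to examine.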
Keywords
Platform security; System security; TrustZone; Code injection; System call table hooking;