• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.9 no.3
• /
• pp.201-207
• /
• 2009

As the existing backdoor worked at user mode, which is application mode, it was possible to check the existence of backdoor by the integrity check of system file. However, for the backdoor using kernel module, it is impossible to check its existence by the integrity check of system file. Even various programs were presented to protect this LKM Kernel backdoor, there is limitation in protection as they examine the changes on the system Call Table. This study, recognizing the danger of invasion through such LKM Kernel backdoor, will provide alternative for the limitation which the existing integrity check couldn't prevent intrusion through Kernel backdoor.

• Proceedings of the Korean Information Science Society Conference
• /
• 2002.10c
• /
• pp.562-564
• /
• 2002

최근 커널의 특정부분을 사용자 임의로 수정하여 시스템을 공격하는 여러 가지 기법들, 즉 커널 백도어가 늘어나고 있다. 이 커널 백도어의 문제점은 커널 자체를 수정하기 때문에 탐지 및 복구가 힘들다는 것이다. 이에 대응하여 커널 백도어를 탐지하는 대부분의 방법이 특정 주소를 검사하여 이루어지는데 이는 확실한 탐지에는 한계가 있다. 설사 탐지는 가능하다 하더라도 복구는 거의 불가능한 것이 현실이다. 이에 본 논문에서는 커널이 기동될 때 사용되는 순수한 부트 이미지와 커널에서 실행중인 이미지를 비교하여 커널의 무결성을 검사, 복구하는 시스템을 제안한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.4
• /
• pp.863-872
• /
• 2015

Kernel rootkit is recognized as one of the most severe and widespread threats to corrupt the integrity of an operating system. Without an external monitor as a root of trust, it is not easy to detect kernel rootkits which can intercept and modify communications at the interfaces between operating system components. To provide such a monitor isolated from an operating system that can be compromised, most existing solutions are based on external hardware. Unlike those solutions, we develop a kernel introspection system based on the ARM TrustZone technology without incurring extra hardware cost, which can provide a secure memory space in isolation from the rest of the system. We particularly use a secure timer to implement an autonomous switch between secure and non-secure modes. To ensure integrity of reference, this system measured reference from vmlinux which is a kernel original image. In addition, the flexibility of monitoring block size can be configured for efficient kernel introspection system. The experimental results show that a secure kernel introspection system is provided without incurring any significant performance penalty (maximum 6% decrease in execution time compared with the normal operating system).

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.4
• /
• pp.873-880
• /
• 2015

Since hardware-based kernel-integrity monitoring systems run in the environments that are isolated from the monitored OS, attackers in the monitored OS cannot undermine the security of monitoring systems. However, because the monitoring is performed by using physical addresses, the hardware-based monitoring systems are vulnerable to Address Translation Redirection Attack (ATRA) that manipulates virtual-to-physical memory translations. To ameliorate this problem, we propose a scheduler-based ATRA detection method. The method detects ATRA during the process scheduling by leveraging the fact that kernel scheduler engages every context switch of processes. We implemented a prototype on Android emulator and TizenTV, and verified that it successfully detected ATRA without incurring any significant performance loss.

• JSTS:Journal of Semiconductor Technology and Science
• /
• v.15 no.1
• /
• pp.48-59
• /
• 2015

In recent years, there are increasing threats of rootkits that undermine the integrity of a system by manipulating OS kernel. To cope with the rootkits, in Vigilare, the snoop-based monitoring which snoops the memory traffics of the host system was proposed. Although the previous work shows its detection capability and negligible performance loss, the problem is that the proposed design is not acceptable in recent commodity mobile application processors (APs) which have become de facto the standard computing platforms of smart devices. To mend this problem and adopt the idea of snoop-based monitoring in commercial products, in this paper, we propose a snoop-based monitor design called S-Mon, which is designed for the AP platforms. In designing S-Mon, we especially consider two design constraints in the APs which were not addressed in Vigilare; the unified memory model and the crossbar switch interconnect. Taking into account those, we derive a more realistic architecture for the snoop-based monitoring and a new hardware module, called the region controller, is also proposed. In our experiments on a simulation framework modeling a productionquality device, it is shown that our S-Mon can detect the rootkit attacks while the runtime overhead is also negligible.

• Nuclear Engineering and Technology
• /
• v.54 no.8
• /
• pp.2792-2800
• /
• 2022

In the core of the WWR-K reactor, a long-term irradiation of tristructural isotopic (TRISO)-coated fuel particles (CFPs) with a UO₂ kernel was carried out under high-temperature gas-cooled reactor (HTGR)-like operating conditions. The temperature of this TRISO fuel during irradiation varied in the range of 950-1100 ℃. A fission per initial metal atom (FIMA) of uranium burnup of 9.9% was reached. The release of gaseous fission products was measured in-pile. The release-to-birth ratio (R/B) for the fission product isotopes was calculated. Aspects of fuel safety while achieving deep fuel burnup are important and relevant, including maintaining the integrity of the fuel coatings. The main mechanisms of fuel failure are kernel migration, silicon carbide corrosion by palladium, and gas pressure increase inside the CFP. The formation of gaseous fission products and carbon monoxide leads to an increase in the internal pressure in the CFP, which is a dominant failure mechanism of the coatings under this level of burnup. Irradiated fuel compacts were subjected to electric dissociation to isolate the CFPs from the fuel compacts. In addition, nondestructive methods, such as X-ray radiography and gamma spectrometry, were used. The predicted R/B ratio was evaluated using the fission gas release model developed in the high-temperature test reactor (HTTR) project. In the model, both the through-coatings of failed CFPs and as-fabricated uranium contamination were assumed to be sources of the fission gas. The obtained R/B ratio for gaseous fission products allows the finalization and validation of the model for the release of fission products from the CFPs and fuel compacts. The success of the integrity of TRISO fuel irradiated at approximately 9.9% FIMA was demonstrated. A low fuel failure fraction and R/B ratios indicated good performance and reliability of the studied TRISO fuel.

• Journal of the Korea Society of Computer and Information
• /
• v.19 no.12
• /
• pp.123-132
• /
• 2014

In this paper, we study the verification techniques for OS integrity that can be more fatal than applications in case of security issues. The dissemination of smartphones is rapidly progressing and there are many similarities of smartphones and PCs in terms of security risks. Recently, in mobile network environment, there is a trend of increasing damages and now, there are active researches on a system that can comprehensively respond to this. As a way to prevent these risks, integrity checking method on operation system is being researched. As most integrity checking algorithms are classified by verification from the levels before booting the OS and at the time of passing on the control to the OS, in which, there are minor differences in the definitions of integrity checking or its methods. In this paper, we suggests the integrity verification technique of OS using a boot loader and a physically independent storing device in the mobile device.

• The KIPS Transactions:PartC
• /
• v.18C no.3
• /
• pp.157-166
• /
• 2011

The virtualization layer is executed in higher authority layer than kernel layer and suitable for monitoring operating systems. However, existing virtualization monitoring systems provide simple information about the usage rate of CPU or memory. In this paper, the monitoring system using full virtualization technique is proposed, which can monitor virtual machine's dynamic kernel object as memory, register, GDT, IDT and system call table. To verify the monitoring system, the proposed system was implemented based on KVM(Kernel-based Virtual Machine) with full virtualization that is directly applied to linux kernel without any modification. The proposed system consists of KvmAccess module to access KVM's internal object and API to provide other external modules with monitoring result. In experiments, the CPU utilization for monitoring operations in the proposed monitering system is 0.35% when the system is monitored with 1-second period. The proposed monitoring system has a little performance degradation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.5
• /
• pp.1151-1160
• /
• 2016

A TrustZone-based rootkit detecting solution using a secure timer ensures the integrity of monitoring system, because ARM TrustZone technology provides isolated environments from a monitored OS against intercepting and modifying invoke commands. However, it is vulnerable to transient attack due to periodic monitoring. Also, Address Translation Redirection Attack (ATRA) cannot be detected, because the monitoring is operated by using the physical address of memory. To ameliorate this problem, we propose a snoop-based kernel introspection system. The proposed system can monitor a kernel memory in real-time by using a snooper, and detect memory-bound ATRA by introspecting kernel pages every context switch of processes. Experimental results show that the proposed system successfully protects the kernel memory without incurring any significant performance penalty in run-time.

• KIISE Transactions on Computing Practices
• /
• v.23 no.8
• /
• pp.504-509
• /
• 2017

Preserving the integrity of the booting process is important. Recent rootkit attacks and subverting OS attacks prove that any post-OS security mechanism can be easily circumvented if the booting process is not properly controlled. Using an actual case as an example, the hacker of the Se-jong government office simply bypassed the user's password authentication by compromising the normal booting process. This paper analyzes existing pre-OS protection using secure boot and measured boot, and proposes another bootloader that overcomes the limitations. The proposed bootloader not only guarantees the integrity of all the pre-OS binaries, bootloaders, and kernel, it also makes explicit records of integrity in the booting process to the external TPM device, so that we can track modifications of BIOS configurations or unintended booting process modifications.