ModChecker: Kernel Module Integrity Checking in the Cloud Environment

Ahmed, Irfan; Zoranic, Aleksandar; Javaid, Salman; Richard, Golden G.

doi:10.1109/icppw.2012.46

Cited by 8 publications

(2 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…HookLocator works in such a virtualized environment, where it runs in a privileged VM and accesses the physical memory of guest VMs through VMI. We also assume that the kernel code and the well-known kernel data structures inside the guest VMs are protected by PatchGuard or an alternate solution, such as VICE [9], System Virginity Verifier [10], ModChecker [11] and IceSword [12].…”

Section: Environmentmentioning

confidence: 99%

Integrity Checking of Function Pointers in Kernel Pools via Virtual Machine Introspection

Ahmed

Richard

Zoranic

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

With the introduction of kernel integrity checking mechanisms in modern operating systems, such as PatchGuard on Windows OS, malware developers can no longer easily install stealthy hooks in kernel code and well-known data structures. Instead, they must target other areas of the kernel, such as the heap, which stores a large number of function pointers that are potentially prone to malicious exploits. These areas of kernel memory are currently not monitored by kernel integrity checkers. We present a novel approach to monitoring the integrity of Windows kernel pools, based entirely on virtual machine introspection, called Hook-Locator. Unlike prior efforts to maintain kernel integrity, our implementation runs entirely outside the monitored system, which makes it inherently more difficult to detect and subvert. Our system also scales easily to protect multiple virtualized targets. Unlike other kernel integrity checking mechanisms, HookLocator does not require the source code of the operating system, complex reverse engineering efforts, or the debugging map files. Our empirical analysis of kernel heap behavior shows that integrity monitoring needs to focus only on a small fraction of it to be effective; this allows our prototype to provide effective real-time monitoring of the protected system.

show abstract

Section: Environmentmentioning

confidence: 99%

Integrity Checking of Function Pointers in Kernel Pools via Virtual Machine Introspection

Ahmed

Richard

Zoranic

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…e state of a VM can be monitored through some specific Hypervisor APIs, while the retrieved information is limited to the inherent APIs severely without opportunities to expand or customize, such as products of OpenStack Ceilometer and AWS CloudWatch. To make up for that deficiency, the methods based on Virtual Machine Introspection (VMI) have been proposed [18][19][20].…”

Section: Introductionmentioning

confidence: 99%

Extension of Research on Security as a Service for VMs in IaaS Platform

Yin

Chen

et al. 2020

Security and Communication Networks

View full text Add to dashboard Cite

To satisfy security concerns including infrastructure as a service (IaaS) security framework, security service access, network anomaly detection, and virtual machine (VM) monitoring, a layered security framework is built which composes of a physical layer, a virtualization layer, and a security management layer. Then, two security service access methods are realized for various security tools from the perspective of whether security tools generate communication traffic. One without generating traffic employs the VM traffic redirection technology and the other leveraged the mechanism of multitasking process access. Moreover, a stacked LSTM-based network anomaly detection agentless method is proposed, which has advantages of a higher ratio of precision and recall. Finally, a Hypervisor-based agentless monitoring method for VMs based on dynamic code injection is proposed, which has benefits of high security of the external monitoring method and good context analysis of the internal monitoring mechanism. The experimental results demonstrate the effectiveness of the proposed protection framework and the corresponding security mechanisms, respectively.

show abstract