15th USENIX Security Symposium Abstract
Pp. 289304 of the Proceedings
An Architecture for Specification-Based Detection of Semantic
Integrity Violations in Kernel Dynamic Data
Nick L. Petroni, Jr., and Timothy Fraser, University of Maryland; AAron Walters, Purdue University; William A. Arbaugh, University of Maryland
The ability of intruders to hide their presence in compromised
systems has surpassed the ability of the current
generation of integrity monitors to detect them. Once
in control of a system, intruders modify the state of
constantly-changing dynamic kernel data structures to
hide their processes and elevate their privileges. Current
monitoring tools are limited to detecting changes in nominally
static kernel data and text and cannot distinguish
a valid state change from tampering in these dynamic
data structures. We introduce a novel general architecture
for defining and monitoring semantic integrity constraints
using a specification language-based approach.
This approach will enable a new generation of integrity
monitors to distinguish valid states from tampering.
- View the full text of this paper in HTML and PDF. Listen to the presentation and Q & A in MP3 format.
Until August 2007, you will need your USENIX membership identification in order to access the full papers.
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.