A dynamic per-context verification of kernel address integrity from external monitors

Abstract

The introduction of Address Translation Redirection Attack (ATRA) has revealed a critical weakness in all existing hardware-based external kernel integrity monitors. The attack redefines system's memory mappings in favor of the attacker so that the monitored kernel regions are relocated out of the monitor's sight. We provide a generalized approach and a prototype evaluation to prove our proposed scheme for ensuring the integrity of kernel address mapping from external monitors.With a slight modification on the hardware-side on the host, we were able to enable the monitor to continuously trace Page Table Base Register (PTBR) of the host – which is an essential capability in monitoring the host memory mapping integrity.In conjunction with this hardware feature, we incorporate our findings on the invariant of the kernel memory mapping patterns to implement a dynamic per-context page table monitoring scheme. Our experiment proves the viability of our work in terms of its effectiveness against memory mapping manipulation attacks such as ATRA and satisfies the time constraints required by the proposed per-context mapping verification scheme.