Abstract
Kernel rootkit is recognized as one of the most severe and widespread threats to corrupt the integrity of an operating system. Without an external monitor as a root of trust, it is not easy to detect kernel rootkits which can intercept and modify communications at the interfaces between operating system components. To provide such a monitor isolated from an operating system that can be compromised, most existing solutions are based on external hardware. Unlike those solutions, we develop a kernel introspection system based on the ARM TrustZone technology without incurring extra hardware cost, which can provide a secure memory space in isolation from the rest of the system. We particularly use a secure timer to implement an autonomous switch between secure and non-secure modes. To ensure integrity of reference, this system measured reference from vmlinux which is a kernel original image. In addition, the flexibility of monitoring block size can be configured for efficient kernel introspection system. The experimental results show that a secure kernel introspection system is provided without incurring any significant performance penalty (maximum 6% decrease in execution time compared with the normal operating system).
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: Journal of the Korea Institute of Information Security and Cryptology
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
