Article

Linux kernel integrity measurement using contextual inspection

Authors:

Peter A. Loscocco,

Perry W. Wilson,

J. Aaron Pendergrass,

C. Durward McDonellAuthors Info & Claims

STC '07: Proceedings of the 2007 ACM workshop on Scalable trusted computing

Pages 21 - 29

https://doi.org/10.1145/1314354.1314362

Published: 02 November 2007 Publication History

Abstract

This paper introduces the Linux Kernel Integrity Monitor (LKIM) as an improvement over conventional methods of software integrity measurement. LKIM employs contextual inspection as a means to more completely characterize the operational integrity of a running kernel. In addition to cryptographically hashing static code and data in the kernel, dynamic data structures are examined to provide improved integrity measurement. The base approach examines structures that control the execution flow of the kernel through the use of function pointers as well as other data that affect the operation of the kernel. Such structures provide an efficient means of extending the kernel operations, but they are also a means of inserting malicious code without modifying the static parts. The LKIM implementation is discussed and initial performance data is presented to show that contextual inspection is practical

References

[1]

P. Barham, B. Dragovic, et al. Xen and the art of virtualization. Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, pages 164--177, 2003.

Digital Library

[2]

V. Haldar, D. Chandra, and M. Franz. Semantic remote attestation - a virtual machine directed approach to trusted computing. Proceedings of the 3rd USENIX Virtual Machine Research & Technology Symposium, May 2004.

Digital Library

[3]

D. Heine and Y. Kouskoulas. N-force daemon prototype technical description. Technical Report VS-03-021, The Johns Hopkins University Applied Physics Laboratory, July 2003.

[4]

P. Iglio. Trustedbox: a kernel-level integrity checker. In ACSAC '99: Proceedings of the 15th Annual Computer Security Applications Conference, page 34. IEEE Computer Society, 1999.

Digital Library

[5]

Intel Corporation. IA-32 Intel Architecture Software Develper's Manual, 2004.

[6]

T. Jaeger, R. Sailer, and U. Shankar. Prima: Policy-reduced integrity measurement architecture. SACMAT '06: Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies, 2006.

Digital Library

[7]

G. Kim and E. Spafford. The Design and Implementation of Tripwire: A File System Integrity Checker. Purdue Univiversity, November 1993.

[8]

J. Levine, J. Grizzard, and H. Owen. Detecting and categorizing kernel-level rootkits to aid future detection. IEEE Security and Privacy, 2006.

Digital Library

[9]

P. Loscocco and S. Smalley. Integrating flexible support for security policies into the linux operating system. Proceedings of the FREENIX Track, June 2001.

Digital Library

[10]

P. Loscocco, P. Wilson, et al. Measuring the linux kernel using contextual measurement. Technical Report AI-07-077, The Johns Hopkins University Applied Physics Laboratory, August 2007.

[11]

Mindcraft, Inc., http://www.mindcraft.com. WebStone 2.x Benchmark Description.

[12]

G. Mohay and J. Zellers. Kernel and shell based applications integrity assurance. In ACSAC '97: Proceedings of the 13th Annual Computer Security Applications Conference, page 34. IEEE Computer Society, 1997.

Digital Library

[13]

N. Petroni Jr., T. Fraser, et al. Copilot - a coprocessor-based kernel runtime integrity monitor. Proceedings of the 13th Usenix Security Symposium, pages 179--194, August 2004.

Digital Library

[14]

N. Petroni Jr., T. Fraser, et al. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. Security '06: 15th USENIX Security Symposium, 2006.

Digital Library

[15]

R. Sailer, X. Zhang, et al. Design and implementation of a TCG-based integrity measurement architecture. Proceedings of the 13th Usenix Security Symposium, pages 223--238, August 2004.

Digital Library

[16]

A. Seshardri, M. Luk, et al. Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems. ACM Symposium on Operating Systems Principles, October 2005.

Digital Library

[17]

J. Sheehy, G. Coker, et al. Attestation evidence and trust. Technical Report 07 0186, MITRE Corporation, March 2007.

[18]

Tool Interface Standards Committee. DWARF Debugging Information Format Specification v2.0, May 1995.

[19]

Tool Interface Standards Committee. Executable and Linking Format (ELF), v1.2 edition, May 1995.

[20]

Trusted Computing Group, https://www.trustedcomputinggroup.org. TCG Specification Architecture Overview - Specification Revision 1.2, April 2004.

Cited By

Kretz IRowe PParran CRamsdell J(2024)Evidence Tampering and Chain of Custody in Layered AttestationsProceedings of the 26th International Symposium on Principles and Practice of Declarative Programming10.1145/3678232.3678244(1-11)Online publication date: 9-Sep-2024
https://dl.acm.org/doi/10.1145/3678232.3678244
Han XZhang J(2024)Behavior-based dynamic trusted measurement schemeThird International Conference on Electronic Information Engineering, Big Data, and Computer Technology (EIBDCT 2024)10.1117/12.3031239(228)Online publication date: 19-Jul-2024
https://doi.org/10.1117/12.3031239
Varshith HSural SVaidya JAtluri V(2024)Efficiently Supporting Attribute-Based Access Control in LinuxIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.329942921:4(2012-2026)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3299429
Show More Cited By

Index Terms

Linux kernel integrity measurement using contextual inspection
1. Information systems
2. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Subverting Linux' integrity measurement architecture
ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

Integrity is a key protection objective in the context of system security. This holds for both hardware and software. Since hardware cannot be changed after its manufacturing process, the manufacturer must be trusted to build it properly. However, it is ...
Linux on HP Integrity Servers
Linux kernel

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

STC '07: Proceedings of the 2007 ACM workshop on Scalable trusted computing

November 2007

82 pages

ISBN:9781595938886

DOI:10.1145/1314354

General Chair:
Peng Ning
NC State University, USA
,
Program Chairs:
Vijay Atluri
Rutgers University, USA
,
Shouhuai Xu
University of Texas, San Antonio, USA
,
Moti Yung
Columbia University, USA

Copyright © 2007 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 November 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS07

Sponsor:

CCS07: 14th ACM Conference on Computer and Communications Security 2007

November 2, 2007

Virginia, Alexandria, USA

Acceptance Rates

Overall Acceptance Rate 17 of 31 submissions, 55%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

84
Total Citations
View Citations
2,258
Total Downloads

Downloads (Last 12 months)22
Downloads (Last 6 weeks)0

Reflects downloads up to 16 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Kretz IRowe PParran CRamsdell J(2024)Evidence Tampering and Chain of Custody in Layered AttestationsProceedings of the 26th International Symposium on Principles and Practice of Declarative Programming10.1145/3678232.3678244(1-11)Online publication date: 9-Sep-2024
https://dl.acm.org/doi/10.1145/3678232.3678244
Han XZhang J(2024)Behavior-based dynamic trusted measurement schemeThird International Conference on Electronic Information Engineering, Big Data, and Computer Technology (EIBDCT 2024)10.1117/12.3031239(228)Online publication date: 19-Jul-2024
https://doi.org/10.1117/12.3031239
Varshith HSural SVaidya JAtluri V(2024)Efficiently Supporting Attribute-Based Access Control in LinuxIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.329942921:4(2012-2026)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3299429
Zhang XQi LMa XLiu WSun LLi XDuan BZhang SChe X(2023)Semantic Integrity Measurement of Industrial Control Embedded Devices Based on National Secret Algorithm2023 IEEE/CIC International Conference on Communications in China (ICCC Workshops)10.1109/ICCCWorkshops57813.2023.10233798(1-6)Online publication date: 10-Aug-2023
https://doi.org/10.1109/ICCCWorkshops57813.2023.10233798
Hickert CTekeoglu AMaurio JWatson RSyed DChavis JBrown GSookoor T(2022)Distributed Ledgers for Enhanced Machine-to-Machine Trust in Smart Cities2022 International Conference on Computer Communications and Networks (ICCCN)10.1109/ICCCN54977.2022.9868905(1-7)Online publication date: Jul-2022
https://doi.org/10.1109/ICCCN54977.2022.9868905
Petz AAlexander P(2022)Formally verified bundling and appraisal of evidence for layered attestationsInnovations in Systems and Software Engineering10.1007/s11334-022-00475-119:4(411-426)Online publication date: 4-Sep-2022
https://doi.org/10.1007/s11334-022-00475-1
Arfaoui GFouque PJacques TLafourcade PNedelcu AOnete CRobert L(2022)A Cryptographic View of Deep-Attestation, or How to Do Provably-Secure Layer-LinkingApplied Cryptography and Network Security10.1007/978-3-031-09234-3_20(399-418)Online publication date: 20-Jun-2022
https://dl.acm.org/doi/10.1007/978-3-031-09234-3_20
Rowe PRamsdell JKretz I(2021)Automated Trust Analysis of Copland Specifications for Layered Attestations✱Proceedings of the 23rd International Symposium on Principles and Practice of Declarative Programming10.1145/3479394.3479418(1-15)Online publication date: 6-Sep-2021
https://dl.acm.org/doi/10.1145/3479394.3479418
Helble SKretz ILoscocco PRamsdell JRowe PAlexander P(2021)Flexible Mechanisms for Remote AttestationACM Transactions on Privacy and Security10.1145/347053524:4(1-23)Online publication date: 30-Sep-2021
https://dl.acm.org/doi/10.1145/3470535
Petz AAlexander P(2021)An Infrastructure for Faithful Execution of Remote Attestation ProtocolsNASA Formal Methods10.1007/978-3-030-76384-8_17(268-286)Online publication date: 19-May-2021
https://doi.org/10.1007/978-3-030-76384-8_17
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents