Publication | Closed Access
An architecture for specification-based detection of semantic integrity violations in kernel dynamic data
Citations: 148
References: 24
Year: 2006
Venue: Unknown
Keywords: Static Kernel Data, Engineering, Information Security, Kernel Dynamic Data, Verification, Software Engineering, Information Forensics, Semantic Integrity Violations, Software Analysis, Formal Verification, Hardware Security, Data Integrity, Data Science, Systems Engineering, Data Management, Specification-based Detection, Novel General Architecture, Runtime Verification, Integrity Monitors, Computer Science, Static Program Analysis, Language-based Security, Data Security, Software Security, Data Validation, Automated Reasoning, Program Analysis, Software Testing, Formal Methods, System Software, Integrity Verification
Intruders can now conceal themselves in compromised systems by altering dynamic kernel data structures, while current integrity monitors only detect changes in static kernel data and cannot differentiate legitimate state changes from tampering. The authors propose a general architecture for specifying and monitoring semantic integrity constraints to detect such tampering. The architecture uses a specification language to define constraints that monitor dynamic kernel data structures. This approach will allow future integrity monitors to distinguish valid state changes from malicious tampering.
The ability of intruders to hide their presence in compromised systems has surpassed the ability of the current generation of integrity monitors to detect them. Once in control of a system, intruders modify the state of constantly-changing dynamic kernel data structures to hide their processes and elevate their privileges. Current monitoring tools are limited to detecting changes in nominally static kernel data and text and cannot distinguish a valid state change from tampering in these dynamic data structures. We introduce a novel general architecture for defining and monitoring semantic integrity constraints using a specification language-based approach. This approach will enable a new generation of integrity monitors to distinguish valid states from tampering.
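The abstract describes constraints over dynamic kernel data that a monitor can evaluate at runtime, as opposed to hashing nominally static kernel text and data. The following is an added illustration, not code from the paper or its authors: kernel state is reduced to a constructed snapshot of a circular doubly linked all-tasks list plus a scheduler run queue, and two hypothetical constraints are written as plain Python predicates. One is structural (every node's successor must point back to it), one is a cross-view check (every scheduled pid must also be reachable on the list that process listings walk). The snapshots show how the same constraints stay silent across a legitimate state change (a process exit) but flag a task that is still being scheduled yet no longer appears on the list. Constraint names, the `Task`/`Snapshot` shapes and all pids are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Added example (not from the paper): a toy specification-based integrity
# monitor over a constructed model of kernel dynamic data.

@dataclass(frozen=True)
class Task:
    pid: int
    next_pid: int   # forward link in the circular all-tasks list
    prev_pid: int   # backward link


@dataclass(frozen=True)
class Snapshot:
    """Simplified, constructed view of kernel dynamic data at one instant."""
    tasks: Dict[int, Task]      # pid -> Task for every task struct found in memory
    list_head: int              # pid at the head of the all-tasks list
    run_queue: FrozenSet[int]   # pids the scheduler will dispatch


def walk_task_list(snap: Snapshot) -> List[int]:
    """Traverse the circular list the way a process-listing tool would,
    stopping when the walk returns to a pid already seen."""
    order: List[int] = []
    pid = snap.list_head
    while pid not in order:
        order.append(pid)
        pid = snap.tasks[pid].next_pid
    return order


# --- constraints: each returns a list of human-readable violation messages ---

def links_consistent(snap: Snapshot) -> List[str]:
    """Structural invariant: for every node n on the list, n.next.prev == n."""
    out = []
    for pid in walk_task_list(snap):
        nxt = snap.tasks[pid].next_pid
        back = snap.tasks[nxt].prev_pid
        if back != pid:
            out.append(f"links_consistent: {pid}.next is {nxt} but {nxt}.prev is {back}")
    return out


def scheduled_tasks_are_listed(snap: Snapshot) -> List[str]:
    """Cross-view invariant: every pid the scheduler knows about must also be
    reachable on the all-tasks list. A pid in the run queue but not on the
    list is a hidden process; a pid absent from both views is an ordinary exit."""
    listed = set(walk_task_list(snap))
    return [f"scheduled_tasks_are_listed: pid {p} is scheduled but not on the task list"
            for p in sorted(snap.run_queue - listed)]


# The "specification": an ordered set of constraints the monitor evaluates.
SPEC: List[Callable[[Snapshot], List[str]]] = [links_consistent, scheduled_tasks_are_listed]


def check(snap: Snapshot, spec=SPEC) -> List[str]:
    """Evaluate every constraint in the specification against one snapshot."""
    violations: List[str] = []
    for constraint in spec:
        violations.extend(constraint(snap))
    return violations


# --- constructed snapshots (all pids and links are made up for the example) ---

def baseline() -> Snapshot:
    tasks = {1: Task(1, 2, 3), 2: Task(2, 3, 1), 3: Task(3, 1, 2)}
    return Snapshot(tasks, 1, frozenset({1, 2, 3}))


def after_exit() -> Snapshot:
    # Legitimate change: pid 3 exited, was unlinked and freed, and left the run queue.
    tasks = {1: Task(1, 2, 2), 2: Task(2, 1, 1)}
    return Snapshot(tasks, 1, frozenset({1, 2}))


def hidden_process() -> Snapshot:
    # Tampered state: pid 3's struct is still in memory and still scheduled,
    # but it is no longer reachable from the list head, so listings skip it.
    tasks = {1: Task(1, 2, 2), 2: Task(2, 1, 1), 3: Task(3, 1, 2)}
    return Snapshot(tasks, 1, frozenset({1, 2, 3}))


def broken_links() -> Snapshot:
    # Tampered state: pid 3's back pointer no longer matches pid 2's forward pointer.
    tasks = {1: Task(1, 2, 3), 2: Task(2, 3, 1), 3: Task(3, 1, 1)}
    return Snapshot(tasks, 1, frozenset({1, 2, 3}))


if __name__ == "__main__":
    for name, snap in [("baseline", baseline()), ("after_exit", after_exit()),
                       ("hidden_process", hidden_process()), ("broken_links", broken_links())]:
        print(name, "->", check(snap) or "no violations")
```

The point of writing the checks as predicates over a snapshot, rather than as a hash of the list's bytes, is that the list is expected to change constantly; the monitor compares states against invariants the specification declares, so a process exit and a hidden process produce different verdicts even though both alter the same structure.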