BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Automatic generation of the kernel integrity monitor and how to pr
 otect the integrity monitor itself - Yuki Kinebuchi and Hiromasa Shimada (
 Waseda University)
DTSTART:20120302T160000Z
DTEND:20120302T163000Z
UID:TALK36528@talks.cam.ac.uk
CONTACT:Wei Ming Khoo
DESCRIPTION:The complexity and the huge size of a modern OS kernel make th
 e system prone to bugs.  Through these bugs\, rootkits exploit the OS kern
 el\, and hide themselves by breaking the integrity of kernel data structur
 es.  In order to detect the unexpected modification of the kernel data str
 uctures\, an integrity monitor must define the 'correct states' of the tar
 geted kernel.  This is difficult engineering\, since the correct states o
 f a kernel vary from OS to OS. Even if they are built from the same sourc
 e code\, their states differ.  This issue makes it hard to implement an in
 tegrity monitor by hand and to detect undefined rootkits.  Therefore w
 e propose a method to generate an integrity monitor automatically from the
  invariants of the kernel data structures.  There are two challenges in th
 is research.  First\, we need to reduce the amount of kernel data structur
 es from which invariants are generated.  The number and the combinations o
 f the kernel data structures may expand exponentially without proper care.
  Second\, we need to manage the timing of getting kernel data structur
 es. Different timing generates different invariants. We conducted our expe
 riment o
 n a virtualized environment\, running a targeted OS and an integrity monit
 or accommodated on a single machine.\n\nFurthermore we propose a method to
  protect the integrity checker itself from malicious attack in the above e
 nvironment.  The integrity checker itself can be exploited by rootkits if 
 the underlying virtualization layer is exploitable.  We propose a new mult
 i-core processor architecture that gives a special privilege to a specific
  core that has a private memory area isolated by means of hardware.  We ca
 ll this memory area the core-local memory.  The shortcoming of the core-lo
 cal memory is its size\, which is limited to a few hundred kilobytes of da
 ta.  Thus\, we also propose a method to virtually extend the size of the c
 ore-local memory by swapping the pages of the integrity checker between th
 e core-local and the main memory.  Our method keeps track of cryptographi
 c hashes of pages in the main memory in order to keep their integrity.
LOCATION:Computer Laboratory\, William Gates Building\, Room FW11
END:VEVENT
END:VCALENDAR
