GRIM: Leveraging GPUs for Kernel integrity monitoring

Lazaros Koromilas*, Giorgos Vasiliadis, Ilias Athanasopoulos, Sotiris Ioannidis

*Corresponding author for this work

Research output: Chapter in Book / Report / Conference proceeding, Conference contribution, Academic, peer-reviewed

Abstract

Kernel rootkits can compromise an operating system and give the attacker persistent access and control, despite all recent advances in software protection. A promising defense mechanism against rootkits is Kernel Integrity Monitor (KIM) systems, which inspect the kernel text and data to discover any malicious changes. A KIM can be implemented either in software, using a hypervisor, or using extra hardware. The latter option is more attractive due to better performance and higher security, since the monitor is isolated from the potentially vulnerable host. To remain under the radar and avoid detection, it is paramount for a rootkit to conceal its malicious activities. In order to detect self-hiding rootkits, researchers have proposed snooping for inferring suspicious behaviour in kernel memory. This is accomplished by constantly monitoring all memory accesses on the bus, rather than the actual memory area where the kernel is mapped. In this paper, we present GRIM, an external memory monitor that is built on commodity, off-the-shelf graphics hardware and is able to verify OS kernel integrity at a speed that outperforms all so-far published snapshot-based systems. GRIM allows for checking eight thousand 64-bit values simultaneously at a 10 kHz snapshot frequency, which is sufficient to accurately detect a self-hiding loadable kernel module insertion. According to the state of the art, this detection can only happen using a snoop-based monitor. GRIM not only demonstrates that snapshot-based monitors can be significantly improved, but it additionally offers a fully programmable platform that can be instantly deployed without requiring any modifications to the host it protects. Note that all snoop-based monitors require substantial changes at the microprocessor level.

Original language: English
Title of host publication: Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings
Publisher: Springer/Verlag
Pages: 3-23
Number of pages: 21
Volume: 9854 LNCS
ISBN (Print): 9783319457185
DOIs
Publication status: Published - 2016
Event: 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016 - Paris, France
Duration: 19 Sept 2016 - 21 Sept 2016

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9854 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016
Country/Territory: France
City: Paris
Period: 19/09/16 - 21/09/16
