1. Summary
Copilot is a kernel integrity monitoring system implemented as a PCI add-in card.
Because it runs on its own hardware, Copilot requires no modifications to the host's software or system.
The Copilot monitor can detect a change to the hash of the kernel's critical regions within 30 seconds of a rootkit making it.
For this reason, Copilot is limited in its ability to detect transient attacks.
But these attacks can be countered by checking at random times.
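To make the timing limitation concrete, here is an added simulation (not code from the Copilot paper or from the author of this post): a toy monitor hashes a constructed kernel region at scheduled times; a fixed 30-second schedule misses a modification that is applied and reverted between two checks, while a randomized schedule with the same mean period catches the same modification in a good fraction of runs. The region contents, schedule lengths and attack window are constructed assumptions.

```python
import hashlib
import random

# Constructed stand-in for a monitored linear-mapped kernel region (e.g. kernel text).
# The real Copilot card reads the host's physical RAM over the PCI bus; this is a toy image.
KERNEL_TEXT = bytes(range(256)) * 16
_patched = bytearray(KERNEL_TEXT)
_patched[0x40] ^= 0xFF          # a single modified byte, as an inline hook would leave
PATCHED_TEXT = bytes(_patched)

def region_hash(region: bytes) -> str:
    """Digest the monitor compares against its known-good baseline."""
    return hashlib.sha256(region).hexdigest()

def fixed_schedule(period: int, horizon: int) -> list:
    """Check times (in seconds) of a monitor that polls every `period` seconds."""
    return list(range(0, horizon, period))

def random_schedule(mean_period: int, horizon: int, rng: random.Random) -> list:
    """Check times with random gaps, uniform in 1..2*mean-1 so the mean matches fixed polling."""
    times, t = [], 0
    while t < horizon:
        times.append(t)
        t += rng.randint(1, 2 * mean_period - 1)
    return times

def detected(schedule: list, mod_start: int, mod_len: int) -> bool:
    """True if any check observes the region while it is patched, i.e. during
    [mod_start, mod_start + mod_len); outside that window the rootkit has restored it."""
    baseline = region_hash(KERNEL_TEXT)
    for t in schedule:
        seen = PATCHED_TEXT if mod_start <= t < mod_start + mod_len else KERNEL_TEXT
        if region_hash(seen) != baseline:
            return True
    return False

def detection_rate(trials: int, seed: int, mod_start: int = 31, mod_len: int = 20) -> float:
    """Fraction of random-schedule runs (mean 30 s, 300 s horizon) that catch a 20 s transient change."""
    rng = random.Random(seed)
    hits = sum(detected(random_schedule(30, 300, rng), mod_start, mod_len) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print("fixed 30 s polling vs 20 s change at t=31:", detected(fixed_schedule(30, 300), 31, 20))
    print("random timing, detection rate over 500 runs:", detection_rate(500, 1))
```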
2. Related Work Summary
For this proposal, the earlier work by Molina was helpful: it demonstrated the use of a PCI add-in card as a filesystem integrity monitor.
And X. Zhang proposed using a secure coprocessor as an intrusion detection system for kernel memory.
But there are a number of significant differences between Zhang's work and Copilot.
Notably, Zhang's design was not implemented on an actual coprocessor.
3. The Good
I think the good point of this approach is verifying the integrity of the part of virtual memory from 0xc0000000 to High_Mem.
These addresses are called linearly mapped addresses because the kernel maps them to physical addresses linearly.
If I can compute this area, I will find kernel modifications easily.
4. The Bad
First, the bad point of this approach is the cost: if I want to protect my PC, I have to buy additional hardware rather than just download some software.
Second, this paper doesn't explain dynamic areas such as 0xfe000000 ~ 0xffffffff.