1. Summary
KI-Mon is an external hardware-based monitoring platform that operates on an event-triggered mechanism built around the VTMU (Value Table Management Unit) hardware.
The hardware platform snoops the host bus traffic and generates events, assisted by a whitelisting capability that filters out benign updates before software is involved.
Also, the KI-Mon API has been developed to support the programmability of the monitoring rules.
In the evaluation, a snapshot-only monitor missed 30% of the LKM hiding attacks, while KI-Mon detected 100% of them.
KI-Mon also consumes significantly fewer CPU cycles because its event-triggered mechanism eliminates the need for constant snapshot-based polling of the monitored region.
2. Related Work Summary
➀ KI-Mon adopts an event-triggered mechanism from the authors' previous work (Vigilare).
➁ In the previous work, there are cases in which verifying an updated value against a known-good value is not sufficient for integrity verification.
3. The good
➀ Semantic verification
The authors refine the event-triggered mechanism with support for whitelist-based filtering, which reduces unnecessary software involvement in value verification; an update that is not whitelisted is passed to a callback that verifies the semantics of the modified kernel object rather than just comparing its value.
➁ Monitoring mutable kernel objects (not only immutable regions)
➂ Provides a monitoring rule template (through the KI-Mon API)
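The following is an added example (not code from the KI-Mon paper or its authors) that models the event-triggered mechanism from the summary and the whitelist plus semantic-verification rule from ➀ in plain C. The memory layout, the `bus_write()` hook that stands in for the VTMU address/value match, the rule-table format and the registry bitmask are all assumptions made for this simulation; the point is to show why a snapshot-only poller can miss a transient LKM hiding attack that an event-triggered rule catches, and how the whitelist keeps benign writes away from the callback.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated host memory; an "address" is an index into this array. Layout is
 * constructed for this example (not the paper's): [0] module-list head (0 = end),
 * [1..3] module records holding their "next" pointer, [8] registry bitmask of loaded
 * modules (bit n = record n, bookkeeping a hider leaves intact), [9] a function pointer. */
#define MEM_WORDS 16
#define ADDR_HEAD 0
#define ADDR_REG  8
#define ADDR_FPTR 9
#define GOOD_HANDLER 0xC0DE0001u
static uint32_t g_mem[MEM_WORDS];
/* One monitoring rule: address to match, values the hardware filter passes with
 * no software involvement, and a semantic callback (NULL = any other value alerts). */
struct rule { uint32_t addr; const uint32_t *whitelist; size_t nwhite;
              int (*verify)(uint32_t addr, uint32_t newv); };
static struct rule g_rules[8]; static size_t g_nrules;
static int g_alerts, g_callbacks;
int alert_count(void)    { return g_alerts; }
int callback_count(void) { return g_callbacks; }

/* Bitmask of records reachable from the head once `addr` holds `val`; bounded loop. */
static uint32_t reachable_after(uint32_t addr, uint32_t val)
{
    uint32_t mask = 0, cur = (addr == ADDR_HEAD) ? val : g_mem[ADDR_HEAD];
    for (int i = 0; cur && cur < MEM_WORDS && i < MEM_WORDS; i++) {
        mask |= 1u << cur;
        cur = (cur == addr) ? val : g_mem[cur];
    }
    return mask;
}

/* Semantic check for list-pointer writes: a registered module leaving the list is hidden. */
static int verify_module_list(uint32_t addr, uint32_t newv)
{
    return (g_mem[ADDR_REG] & ~reachable_after(addr, newv)) != 0;
}

/* A write seen on the host bus: whitelisted values never reach software. */
void bus_write(uint32_t addr, uint32_t val)
{
    for (size_t i = 0; i < g_nrules; i++) {
        const struct rule *r = &g_rules[i];
        int benign = 0;
        if (r->addr != addr) continue;
        for (size_t k = 0; k < r->nwhite; k++)
            if (r->whitelist[k] == val) benign = 1;
        if (benign) continue;
        g_callbacks++;
        if (!r->verify || r->verify(addr, val)) g_alerts++;
    }
    g_mem[addr] = val;
}

/* What a snapshot-based monitor concludes if it polls the region right now. */
int snapshot_finds_hidden_module(void)
{
    return (g_mem[ADDR_REG] & ~reachable_after(ADDR_HEAD, g_mem[ADDR_HEAD])) != 0;
}
static const uint32_t k_fptr_whitelist[] = { GOOD_HANDLER };

/* Fresh state: list 0->1->2->3, all three registered, good handler installed. */
void setup(void)
{
    g_nrules = 0; g_alerts = 0; g_callbacks = 0;
    for (int i = 0; i < MEM_WORDS; i++) g_mem[i] = 0;
    g_mem[ADDR_HEAD] = 1; g_mem[1] = 2; g_mem[2] = 3;
    g_mem[ADDR_REG] = (1u << 1) | (1u << 2) | (1u << 3);
    g_mem[ADDR_FPTR] = GOOD_HANDLER;
    for (uint32_t a = ADDR_HEAD; a <= 3; a++)
        g_rules[g_nrules++] = (struct rule){ a, NULL, 0, verify_module_list };
    g_rules[g_nrules++] = (struct rule){ ADDR_FPTR, k_fptr_whitelist, 1, NULL };
}

/* Transient LKM hiding: unlink record 2, act, relink it before the next poll.
 * Returns 1 when the snapshots taken before and after both look clean. */
int run_transient_hide(void)
{
    int before = snapshot_finds_hidden_module();
    bus_write(1, 3);   /* record 1 now points past record 2: module hidden */
    bus_write(1, 2);   /* restored before a poller gets to look */
    return !before && !snapshot_finds_hidden_module();
}

/* Legitimate unload: registry bit cleared first, then the unlink (no alert). */
void run_legit_unload(void)
{ bus_write(ADDR_REG, g_mem[ADDR_REG] & ~(1u << 2)); bus_write(1, 3); }

/* Re-installing the known-good handler is filtered; a hook address is not. */
void run_fptr_writes(void)
{ bus_write(ADDR_FPTR, GOOD_HANDLER); bus_write(ADDR_FPTR, 0xDEAD0000u); }

int main(void)
{
    setup(); int clean = run_transient_hide();
    printf("transient hide: snapshots clean=%d, event-triggered alerts=%d\n", clean, alert_count());
    setup(); run_legit_unload(); printf("legit unload: alerts=%d\n", alert_count());
    setup(); run_fptr_writes(); printf("fptr: callbacks=%d alerts=%d\n", callback_count(), alert_count());
    return 0;
}
```

The two counters are the evaluation axes the summary talks about: `alert_count()` is detection, and `callback_count()` is the software work the monitor has to do. The whitelist on the function-pointer slot keeps the rewrite of the known-good handler from ever reaching software, while the list rules have no safe constant to whitelist and rely entirely on the semantic callback. A real bus-snooping monitor only sees what leaves the cache hierarchy, which this simulation does not model.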
4. The Bad
➀ The monitor's processing power is low compared to a common PC.
➁ Additional SoC support is needed to observe updates that stay inside the higher-level CPU caches, since bus snooping only sees traffic that leaves the cache hierarchy.