GRIM: Leveraging GPUs for Kernel integrity monitoring

Lazaros Koromilas, Giorgos Vasiliadis, Elias Athanasopoulos, Sotiris Ioannidis

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

3 Citations (Scopus)

Abstract

Kernel rootkits can exploit an operating system and enable future accessibility and control, despite all recent advances in software protection. A promising defense mechanism against rootkits is Kernel Integrity Monitor (KIM) systems, which inspect the kernel text and data to discover any malicious changes. A KIM can be implemented either in software, using a hypervisor, or using extra hardware. The latter option is more attractive due to better performance and higher security, since the monitor is isolated from the potentially vulnerable host. To remain under the radar and avoid detection, it is paramount for a rootkit to conceal its malicious activities. In order to detect self-hiding rootkits, researchers have proposed snooping for inferring suspicious behaviour in kernel memory. This is accomplished by constantly monitoring all memory accesses on the bus rather than the actual memory area where the kernel is mapped. In this paper, we present GRIM, an external memory monitor that is built on commodity, off-the-shelf graphics hardware and is able to verify OS kernel integrity at a speed that outperforms all so-far published snapshot-based systems. GRIM allows for checking eight thousand 64-bit values simultaneously at a 10 kHz snapshot frequency, which is sufficient to accurately detect a self-hiding loadable kernel module insertion. According to the state of the art, this detection can only happen using a snoop-based monitor. GRIM not only demonstrates that snapshot-based monitors can be significantly improved, but it additionally offers a fully programmable platform that can be instantly deployed without requiring any modifications to the host it protects. Notice that all snoop-based monitors require substantial changes at the microprocessor level.

Original language: English
Title of host publication: Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings
Publisher: Springer Verlag
Pages: 3-23
Number of pages: 21
Volume: 9854 LNCS
ISBN (Print): 9783319457185
DOIs: 10.1007/978-3-319-45719-2_1
Publication status: Published - 2016
Event: 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016 - Paris, France
Duration: 19 Sep 2016 to 21 Sep 2016

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9854 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016
Country: France
City: Paris
Period: 19/9/16 to 21/9/16

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Koromilas, L., Vasiliadis, G., Athanasopoulos, E., & Ioannidis, S. (2016). GRIM: Leveraging GPUs for Kernel integrity monitoring. In Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings (Vol. 9854 LNCS, pp. 3-23). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9854 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-45719-2_1

@inproceedings{363a6505532d4e52baf1026ad51e78ce,
title = "GRIM: Leveraging GPUs for Kernel integrity monitoring",
abstract = "Kernel rootkits can exploit an operating system and enable future accessibility and control, despite all recent advances in software protection. A promising defense mechanism against rootkits is Kernel Integrity Monitor (KIM) systems, which inspect the kernel text and data to discover any malicious changes. A KIM can be implemented either in software, using a hypervisor, or using extra hardware. The latter option is more attractive due to better performance and higher security, since the monitor is isolated from the potentially vulnerable host. To remain under the radar and avoid detection, it is paramount for a rootkit to conceal its malicious activities. In order to detect self-hiding rootkits, researchers have proposed snooping for inferring suspicious behaviour in kernel memory. This is accomplished by constantly monitoring all memory accesses on the bus rather than the actual memory area where the kernel is mapped. In this paper, we present GRIM, an external memory monitor that is built on commodity, off-the-shelf graphics hardware and is able to verify OS kernel integrity at a speed that outperforms all so-far published snapshot-based systems. GRIM allows for checking eight thousand 64-bit values simultaneously at a 10 kHz snapshot frequency, which is sufficient to accurately detect a self-hiding loadable kernel module insertion. According to the state of the art, this detection can only happen using a snoop-based monitor. GRIM not only demonstrates that snapshot-based monitors can be significantly improved, but it additionally offers a fully programmable platform that can be instantly deployed without requiring any modifications to the host it protects. Notice that all snoop-based monitors require substantial changes at the microprocessor level.",
author = "Lazaros Koromilas and Giorgos Vasiliadis and Elias Athanasopoulos and Sotiris Ioannidis",
year = "2016",
doi = "10.1007/978-3-319-45719-2_1",
language = "English",
isbn = "9783319457185",
volume = "9854 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "3--23",
booktitle = "Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings",
}
