AA Monitor: An Effective Defense Against Address Translation Redirection Attacks

Kernel rootkits that modify the operating system kernel have become a real threat. To defend against them, several hypervisor-based and hardware-based monitors have been introduced. Hypervisor-based monitors use the hypervisor as a root of trust; however, the hypervisor itself has software vulnerabilities and performance overhead. Hardware-based monitors overcome this limitation by being isolated from their host system. Nonetheless, a recent study introduced the ATRA attack, which relocates kernel objects and the related page table data structures to a non-monitored memory region in order to bypass existing hardware-based monitors. In this paper, we present AA Monitor (Anti-ATRA Monitor), an extension of the Vigilare system that defends against ATRA. We modified the host processor to extract a CPU register value that serves as the root pointer of the page table structures. We show its effectiveness by implementing the AA Monitor prototype. The Address Mapping Verifier in AA Monitor verifies the correctness of this value by walking the page tables with the register value. The verifier compares the physical address obtained from the page table walk with the physical address calculated from the previously stored virtual addresses of kernel objects. In addition, the PTBR Value Cache maintains the register values to avoid unnecessary verification. We evaluated our solution with STREAM Bench and observed a performance overhead of 0.14% in the host system, which is negligible.
Advisors
Kang, Brent ByungHoon (강병훈)
Description
Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2015
Identifier
325007
Language
eng
Description

Thesis (Master's) - Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security, 2015.2, [iv, 28 p.]

Keywords

Hardware-based monitor; ATRA; kernel integrity; rootkit; hardware monitor; address translation redirection attack

URI
http://hdl.handle.net/10203/221940
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=657600&flag=dissertation
Appears in Collection
IS-Theses_Master (Master's theses)
Files in This Item
There are no files associated with this item.
