AA Monitor: An Effective Defense Against Address Translation Redirection Attacks

DC Field | Value | Language
dc.contributor.advisor | Kang, Brent ByungHoon | -
dc.contributor.advisor | 강병훈 | -
dc.contributor.author | Kim, Daegyeong | -
dc.contributor.author | 김대경 | -
dc.date.accessioned | 2017-03-29T02:41:12Z | -
dc.date.available | 2017-03-29T02:41:12Z | -
dc.date.issued | 2015 | -
dc.identifier.uri | http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=657600&flag=dissertation | en_US
dc.identifier.uri | http://hdl.handle.net/10203/221940 | -
dc.description | Thesis (Master's) - Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security, 2015.2, [iv, 28 p.] | -
dc.description.abstract | kernel rootkits that modify the operating system kernel have become a real threat. To defend against them, several hypervisor-based and hardware-based monitors have been introduced. Hypervisor-based monitors use the hypervisor as a root of trust | -
dc.description.abstract | however, the hypervisor itself has software vulnerabilities and performance overhead. Hardware-based monitors overcome this limitation by being isolated from their host system. Nonetheless, a recent study introduced the ATRA attack, which relocates kernel objects and the related page table data structures to a non-monitored memory region in order to bypass existing hardware-based monitors. In this paper, we present AA Monitor (Anti-ATRA Monitor), an extension of the Vigilare system that defends against ATRA. We modified the host processor to extract a CPU register value that serves as the root pointer of the page table structures. We show its effectiveness by implementing the AA Monitor prototype. The Address Mapping Verifier in AA Monitor verifies the correctness of the value by walking the page tables with the register value. The verifier compares the physical address obtained from the page table walk with the physical address calculated from the previously stored virtual addresses of kernel objects. Also, the PTBR Value Cache maintains the register values to avoid unnecessary verification. We evaluated our solution with STREAM Bench and observed a performance overhead of 0.14% in the host system, which is negligible. | -
dc.language | eng | -
dc.publisher | Korea Advanced Institute of Science and Technology (KAIST) | -
dc.subject | Hardware-based monitor | -
dc.subject | ATRA | -
dc.subject | kernel integrity | -
dc.subject | rootkit | -
dc.subject | Hardware monitor | -
dc.subject | Address translation redirection attack | -
dc.subject | Kernel integrity | -
dc.subject | Rootkit | -
dc.title | AA monitor | -
dc.title.alternative | AA Monitor: An Effective Defense Against Address Translation Redirection Attacks | -
dc.type | Thesis(Master) | -
dc.identifier.CNRN | 325007 | -
dc.description.department | Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security | -
Appears in Collection
IS-Theses_Master (Master's Theses)
Files in This Item
There are no files associated with this item.