DADE: a fast data anomaly detection engine for kernel integrity monitoring

Cited 1 time in Web of Science; cited 1 time in Scopus
Authors

Yi, Hayoon; Cho, Yeongpil; Paek, Yunheung; Ko, Kwangman

Issue Date
2019-08
Publisher
Kluwer Academic Publishers
Citation
Journal of Supercomputing, Vol.75 No.8, pp.4575-4600
Abstract
In computer systems, ensuring the integrity of the kernel assumes importance as attacks against the kernel allow an adversary to obtain the highest privilege within a compromised system. For this task, typically, an external monitor would perform memory introspection and verify the integrity of kernel data by checking whether certain integrity specifications hold or not. These specifications were commonly written by hand in the past. However, as adversaries turned their eyes to attacking a system through non-control kernel data, the need arose for verifying non-control kernel data, which is, unfortunately, nontrivial to do manually. Acknowledging this, Baliga et al. (Computer security applications conference, 2008. ACSAC 2008. Annual. IEEE, 2008) suggested a framework leveraging machine learning to generate integrity specifications. This generated specifications for both control and non-control data across the entire kernel with little human involvement. Unfortunately, there is a problem in the original design of this framework in regard to its practicality for deployment in real-world systems. In this paper, we propose a new design that accelerates the overall introspection process by virtually eliminating the booting delay that was needed in prior work. To evaluate the effectiveness of our design, we have implemented a prototype engine DADE and found that it only induces a delay of 68.49 ms with each reboot and a delay of 900 ms for an initial scan and an average of 160 ms for subsequent scans.
ISSN
0920-8542
URI
https://hdl.handle.net/10371/197621
DOI
https://doi.org/10.1007/s11227-017-2131-6
Files in This Item:
There are no files associated with this item.
Items in S-Space are protected by copyright, with all rights reserved, unless otherwise indicated.