Abstract
An interrupt descriptor table (IDT) is used by a processor to transfer the execution of a program to software routines that handle interrupts raised during the normal course of operation or to signal an exceptional condition such as a hardware failure. Attackers frequently modify IDT pointers to execute malicious code. This paper describes the IDTchecker tool, which uses a rule-based approach to check the integrity of the IDT and the corresponding interrupt handling code based on a common scenario encountered in cloud environments. In this scenario, multiple virtual machines (VMs) run the same version of an operating system kernel, which implies that IDT-related code should also be identical across the pool of VMs. IDTchecker leverages this scenario to compare the IDTs and the corresponding interrupt handlers across the VMs for inconsistencies based on a pre-defined set of rules. Experimental results related to the effectiveness and runtime performance of IDTchecker are presented. The results demonstrate that IDTchecker can detect IDT and interrupt handling code modifications without much impact on guest VM resources.
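The cross-VM comparison the abstract describes can be shown concretely. The block below is an added illustration, not IDTchecker's own code: it decodes 64-bit IDT gate descriptors, applies a handful of per-VM rules (handler inside the kernel .text range, kernel code selector) and two cross-VM rules (gate fields and the leading bytes of each handler must agree across the pool, decided by majority vote), and runs them over a constructed pool of three guest snapshots in which one VM has vector 0x80 repointed to a page outside .text and its page-fault handler inline-patched. The `Snapshot` class stands in for what an introspection library such as LibVMI would return; the kernel .text range, handler stub addresses and bytes, the selector value `0x10`, the hook address and the rule names are all assumptions made for the example.

```python
# Added illustration, not IDTchecker's code: kernel layout, selector, rules,
# memory reader and VM snapshots are all constructed assumptions.
import hashlib
import struct
from collections import Counter

IDT_ENTRIES = 256
GATE_SIZE = 16                 # a 64-bit mode gate descriptor is 16 bytes
INTERRUPT_GATE, TRAP_GATE = 0xE, 0xF
KERNEL_CS = 0x10               # assumed kernel code selector (Linux x86-64 __KERNEL_CS)
HANDLER_PREFIX_LEN = 16        # leading handler bytes hashed and compared across VMs

def parse_gate(raw):
    """Decode one 16-byte 64-bit IDT gate descriptor into its fields."""
    off_lo, sel, ist, attrs, off_mid, off_hi, _rsvd = struct.unpack("<HHBBHII", raw)
    return {"offset": off_lo | (off_mid << 16) | (off_hi << 32), "selector": sel,
            "ist": ist & 0x7, "type": attrs & 0xF, "dpl": (attrs >> 5) & 0x3,
            "present": bool(attrs & 0x80)}

def build_gate(offset, selector=KERNEL_CS, ist=0, gate_type=INTERRUPT_GATE, dpl=0, present=True):
    """Encode a gate descriptor; used here only to construct sample IDTs."""
    attrs = (gate_type & 0xF) | ((dpl & 0x3) << 5) | (0x80 if present else 0)
    return struct.pack("<HHBBHII", offset & 0xFFFF, selector, ist & 0x7, attrs,
                       (offset >> 16) & 0xFFFF, (offset >> 32) & 0xFFFFFFFF, 0)

class Snapshot:
    """Stand-in for an introspection view (e.g. via LibVMI) of one guest."""
    def __init__(self, name, idt_raw, kernel_text, regions):
        self.name, self.idt_raw, self.kernel_text = name, idt_raw, kernel_text
        self.regions = regions              # {base_address: bytes}; kernel_text is (start, end)

    def gate(self, vector):
        return parse_gate(self.idt_raw[vector * GATE_SIZE:(vector + 1) * GATE_SIZE])

    def read(self, addr, n):
        for base, data in self.regions.items():
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base:addr - base + n]
        return None                         # not mapped in this snapshot

def _vote(findings, vector, rule, values):
    """Cross-VM rule: flag VMs disagreeing with a strict majority; with no
    majority (e.g. a pool of two) flag all, since the pool gives no ground truth."""
    if len(set(values.values())) == 1:
        return
    majority, count = Counter(values.values()).most_common(1)[0]
    for name, value in values.items():
        if count * 2 <= len(values) or value != majority:
            findings.append((name, vector, rule, value))

def check_pool(snapshots):
    """Apply per-VM and cross-VM rules; returns (vm, vector, rule, detail) findings."""
    findings = []
    for vector in range(IDT_ENTRIES):
        gates = {s.name: s.gate(vector) for s in snapshots}
        for s in snapshots:                 # per-VM sanity rules on present gates
            g = gates[s.name]
            if not g["present"]:
                continue
            if not s.kernel_text[0] <= g["offset"] < s.kernel_text[1]:
                findings.append((s.name, vector, "handler-outside-kernel-text", hex(g["offset"])))
            if g["selector"] != KERNEL_CS:
                findings.append((s.name, vector, "unexpected-selector", hex(g["selector"])))
        # Cross-VM rules: gate fields, then the handler's leading bytes, must agree.
        _vote(findings, vector, "gate-differs-from-pool",
              {n: "/".join(f"{v:#x}" for v in g.values()) for n, g in gates.items()})
        digests = {}
        for s in snapshots:
            g = gates[s.name]
            code = s.read(g["offset"], HANDLER_PREFIX_LEN) if g["present"] else b""
            digests[s.name] = "unreadable" if code is None else hashlib.sha256(code).hexdigest()[:16]
        _vote(findings, vector, "handler-code-differs-from-pool", digests)
    return findings

TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)   # assumed kernel .text range (constructed pool)
HANDLER_BASE = 0xFFFFFFFF81C00000                  # assumed handler stubs, 16 bytes apart
HOOK_ADDR = 0xFFFFC90000012000                     # assumed attacker page outside .text

def make_pool():
    """Constructed sample pool: two clean VMs and one with a hooked IDT."""
    stubs = b"".join(b"\x50\x51\x52\x53" + struct.pack("<I", v) + b"\x48\x89\xE7\xE8\x00\x00\x00\x00"
                     for v in range(IDT_ENTRIES))  # constructed 16-byte stub per vector
    idt = b"".join(build_gate(HANDLER_BASE + v * HANDLER_PREFIX_LEN,
                              gate_type=TRAP_GATE if v == 0x80 else INTERRUPT_GATE,
                              dpl=3 if v == 0x80 else 0) for v in range(IDT_ENTRIES))
    vm_a = Snapshot("vm-a", idt, TEXT, {HANDLER_BASE: stubs})
    vm_b = Snapshot("vm-b", idt, TEXT, {HANDLER_BASE: stubs})
    # vm-c: vector 0x80 repointed outside .text (classic IDT hooking), and the
    # page-fault handler (0x0E) inline-patched with a jmp while its gate is untouched.
    hooked = bytearray(idt)
    hooked[0x80 * GATE_SIZE:0x81 * GATE_SIZE] = build_gate(HOOK_ADDR, gate_type=TRAP_GATE, dpl=3)
    patched = bytearray(stubs)
    patched[0x0E * 16:0x0E * 16 + 5] = b"\xE9\x00\x10\x00\x00"  # jmp rel32
    vm_c = Snapshot("vm-c", bytes(hooked), TEXT,
                    {HANDLER_BASE: bytes(patched), HOOK_ADDR: b"\xCC" * HANDLER_PREFIX_LEN})
    return [vm_a, vm_b, vm_c]

if __name__ == "__main__":
    for vm, vector, rule, detail in check_pool(make_pool()):
        print(f"{vm}: vector {vector:#04x} {rule} ({detail})")
```

Two points worth noting. The inline patch of vector 0x0E leaves the gate itself identical across the pool, so only the handler-code comparison catches it; a checker that compares IDT entries alone would miss it, which is why the abstract pairs the IDT with "the corresponding interrupt handling code". And majority voting only attributes blame when the pool has a strict majority: with two VMs that disagree, both are flagged and an operator must decide which one is clean. The example also assumes identical handler addresses across guests, which holds only when the kernel image is loaded at the same base in every VM; under base-address randomization the comparison would have to be done on offsets relative to the kernel base instead.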
Copyright information
© 2013 IFIP International Federation for Information Processing
Cite this paper
Ahmed, I., Zoranic, A., Javaid, S., Richard, G., Roussev, V. (2013). Rule-Based Integrity Checking of Interrupt Descriptor Tables in Cloud Environments. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics IX. DigitalForensics 2013. IFIP Advances in Information and Communication Technology, vol 410. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41148-9_21
DOI: https://doi.org/10.1007/978-3-642-41148-9_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41147-2
Online ISBN: 978-3-642-41148-9
eBook Packages: Computer Science (R0)