About Hyeseon

Hyeseon's walkthrough

Development of Processor Monitoring Techniques and Core HW/SW against System Intrusion


About the Project

Kernel-level malware is harder to detect and respond to than ordinary malware because it is essentially invisible to, and hardened against, conventional security solutions. This follows directly from the fact that it runs at the same privilege level as the operating system kernel. When this research was ongoing, researchers generally chose to monitor the kernel's memory and/or mapping region from an even higher, more trusted privilege level (informally called "ring -1" in x86 terminology).

This approach was further divided into hardware-based and software-based variants. Software-based approaches run at a protection level reserved for supervising the kernel, such as the hypervisor level, and trap write accesses to the monitored region (e.g., the kernel mapping region). When a write is caught, the monitoring software can take an appropriate measure such as rolling the change back or forcing a reboot. Hardware-based approaches, on the other hand, store the region to be monitored and have a separate peripheral snoop the memory bus; when the peripheral detects suspicious activity, it forces the software back to a clean state, e.g., by rebooting. Software-based approaches are flexible because they reuse the host's computational power, but they hurt overall system performance because of the overhead of loading and running software at the higher privilege level, for example through nested paging. Hardware-based approaches are faster because they do not depend on the host's computational power, but because a separate peripheral has limited memory and register capacity, the flexibility of detection is severely limited.

In this research project, we strove to combine the strengths of the hardware-based and software-based approaches while compensating for each one's drawbacks by devising a hybrid approach. We first load a small software agent at the privilege level typically used by software-based approaches (for Hypernel, this is EL2, the hypervisor level of ARM) without using complex features such as nested paging. We then store the region to be monitored in host memory in the form of a bitmap. After that, whenever a write event occurs on the host memory bus, a dedicated hardware device consults this bitmap and, if the write targets the monitored region, interrupts the host to invoke the software agent. Finally, the software agent receives the interrupt and handles the event appropriately.
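To make the division of labour concrete, the following is an added simulation of the hybrid design in C; it is illustrative code written for this page, not Hypernel's firmware or agent. It assumes a page-granular bitmap (one bit per 4 KiB page of a small constructed host memory), a hardware side that does nothing more than a single bit test on every bus write, and an agent whose response is to roll the touched page back to a clean snapshot. All names (monitor_region, bitmap_hit, bus_write, agent_handle_write) are hypothetical. Because the hardware snoops the bus rather than sitting in front of it, the write has already landed by the time the agent is interrupted, which is why the response is rollback rather than prevention.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NUM_PAGES  64                      /* constructed: 256 KiB of simulated host memory */

/* Simulated host memory and the clean copy the agent keeps for rollback. */
static uint8_t host_mem[NUM_PAGES * PAGE_SIZE];
static uint8_t clean_copy[NUM_PAGES * PAGE_SIZE];

/* One bit per page: a set bit means "writes to this page must be reported".
   This is the structure the hardware consults on every bus write. */
static uint8_t monitor_bitmap[NUM_PAGES / 8];

/* Event bookkeeping kept by the (hypothetical) agent. */
static unsigned long events_seen;
static uint64_t last_event_addr;

static inline uint64_t page_of(uint64_t paddr) { return paddr >> PAGE_SHIFT; }

/* Agent setup: mark [base, base+len) as monitored and snapshot its contents.
   Returns 0 on success, -1 if the range is empty or outside simulated memory. */
int monitor_region(uint64_t base, uint64_t len) {
    if (len == 0) return -1;
    uint64_t first = page_of(base), last = page_of(base + len - 1);
    if (last >= NUM_PAGES) return -1;
    for (uint64_t p = first; p <= last; p++)
        monitor_bitmap[p / 8] |= (uint8_t)(1u << (p % 8));
    memcpy(clean_copy + first * PAGE_SIZE, host_mem + first * PAGE_SIZE,
           (last - first + 1) * PAGE_SIZE);
    return 0;
}

/* The hardware side: a single bit test, no interpretation of the write. */
int bitmap_hit(uint64_t paddr) {
    uint64_t p = page_of(paddr);
    if (p >= NUM_PAGES) return 0;
    return (monitor_bitmap[p / 8] >> (p % 8)) & 1;
}

/* Agent interrupt handler: record the event and restore the page from the snapshot. */
static void agent_handle_write(uint64_t paddr) {
    uint64_t p = page_of(paddr);
    events_seen++;
    last_event_addr = paddr;
    memcpy(host_mem + p * PAGE_SIZE, clean_copy + p * PAGE_SIZE, PAGE_SIZE);
}

/* Simulated memory-bus write: the write is committed first, then the watcher reacts.
   Returns 1 if the write hit a monitored page and was rolled back, 0 otherwise,
   -1 if the address is outside simulated memory. */
int bus_write(uint64_t paddr, uint8_t value) {
    if (paddr >= sizeof host_mem) return -1;
    host_mem[paddr] = value;
    if (!bitmap_hit(paddr)) return 0;
    agent_handle_write(paddr);   /* "interrupt" delivered to the EL2 agent */
    return 1;
}

uint8_t host_read(uint64_t paddr) { return host_mem[paddr]; }
unsigned long agent_event_count(void) { return events_seen; }
uint64_t agent_last_event(void) { return last_event_addr; }
```

The point to notice is how little state the hardware needs: the bitmap lives in host memory, so the peripheral's own register and memory capacity no longer bounds what can be watched, while the decision about what to do with a hit stays in software.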

Contribution and Information

  • Period of Contribution: 10/2015 ~ 11/2017
  • Total Participants: 4 people
  • My Roles
      • Devised the detection software
      • Contributed to the hardware firmware design
      • Co-first author of the related paper (Hypernel)

References