Hardware-Based On-Line Intrusion Detection via System Call Routine Fingerprinting

Liwei Zhoua and Yiorgos Makrisb
Electrical Engineering Department, The University of Texas at Dallas, Richardson, TX 75080, USA.


We introduce a hardware-based methodology for performing on-line intrusion detection in microprocessors. The proposed method extracts fingerprints from the basic blocks of the routine executed in response to a system call and examines their validity using a Bloom filter. Implementation in hardware renders spoofing attacks, to which operating system or hypervisor-level intrusion detection methods are vulnerable, ineffective. The proposed method is evaluated using kernel rootkits which covertly modify the system call service routines of a Linux operating system running on a 32-bit x86 architecture, implemented in the Simics simulation environment, while hardware overhead is evaluated using a predictive 45nm PDK.

Full Text (PDF)