Hardware-Based On-Line Intrusion Detection via System Call Routine Fingerprinting

Liwei Zhou^a and Yiorgos Makris^b
Electrical Engineering Department, The University of Texas at Dallas, Richardson, TX 75080, USA.
^alxz100320@utdallas.edu
^bgxm112130@utdallas.edu

ABSTRACT

We introduce a hardware-based methodology for performing on-line intrusion detection in microprocessors. The proposed method extracts fingerprints from the basic blocks of the routine executed in response to a system call and examines their validity using a Bloom filter. Implementation in hardware renders spoofing attacks, to which operating system or hypervisor-level intrusion detection methods are vulnerable, ineffective. The proposed method is evaluated using kernel rootkits which covertly modify the system call service routines of a Linux operating system running on a 32-bit x86 architecture, implemented in the Simics simulation environment, while hardware overhead is evaluated using a predictive 45nm PDK.

---

Full Text (PDF)

© 2017 EDAA. All rights reserved.